Purpose of this Guidance | Purpose | The purpose of this Guidance is to assist the understanding and effective performance by Licensed Financial Institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE. |
Applicability | This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, stored value facilities, retail payment service providers, and card schemes. |
Understanding Risks | ML/FT Risks of the Payment Sector | Characteristics of the Movement of Funds: Payment Products and Services (PPS) and New Payment Products and Services (NPPS) in particular are extremely attractive to illicit actors because of the rapid movement of funds between Payment Sector participants and across borders. The risks vary based on transaction speed, transaction limits, closed vs. open loop system, methods of funding and access to cash, payment transparency, ability for one person to create multiple accounts, non-face-to-face relationships, and use of virtual assets (the latter is addressed in a separate guidance to be issued by CBUAE). |
Peer-to-Peer Payments: NPPS allow participants to send money that will be instantly available to the beneficiary, reducing the need for trust in the relationship. The use of PPS for peer-to-peer payments creates risk for financial institutions because transactions can flow through third parties that may not be subject to AML/CFT requirements. |
Cross-Border Movement: Many NPPS can be used globally for making payments or transferring funds, thus introducing banks to new geographical exposure. Unlike cross-border wires, which carry full identifying information, banks will frequently only see the customer's transactions with the payment network itself, rather than their location or ultimate destination. |
Global Regulatory Gaps: Countries take a variety of approaches to regulating the Payment Sector and there is no one widely accepted classification of participants. And participants, as relatively new market entrants, may lack the experience, expertise, or commitment to apply fully effective preventive measures. |
Intermediation: A number of participants are potentially involved in a single transaction. Intermediated transactions create risk because no regulated entity participating in the transaction has the visibility necessary to fully understand the transaction and the participants. |
Nesting: Nesting is a form of intermediation that presents specific risks. In most Correspondent Banking Relationships that involve nesting, the respondent financial institution is not aware of individual transactions ordered by the ultimate customer. |
Use of Agents and Affiliates: Payment Sector participants often interact in a dense web of agency and affiliate relationships. A large number of entities involved in the NPPS, in particular when involving several countries, may increase the ML/FT risk. The interplay between different entities can lead to risks from intermediation and also when the participating entities have not assigned clear responsibility for compliance with AML/CFT requirements. |
Merchant Risks: Globally, Payment Sector participants including providers of NPPS have been abused by or directly complicit with merchants who offer fraudulent or illegal goods or services, or whose business models pose reputational risks to financial institutions. Relying on third parties to conduct customer due diligence (CDD) on merchants can also increase risk if the relationship is not well-governed. |
ML/FT Risks for LFIs Providing Services to Payment Sector Participants | Correspondent and Correspondent-Type Risk: Correspondent Banking Relationships in which the correspondent's customers' funds flow through an account held at the respondent financial institution are particularly high risk, because they expose the respondent institution directly to any potentially illicit activity in which the correspondent's customers are engaged. Because banks that offer services to correspondents have limited information on these transactions, they are reliant on the correspondent to implement an effective AML/CFT program. |
Other Risks Related to Intermediation: Even banks that view themselves as having limited to no exposure to NPPS may have indirect exposure through customers who link their bank accounts to payment apps, or use their bank accounts to fund stored value facilities (SVF) accounts or wallets, or withdraw funds as cash and use it to purchase other prepaid instruments. |
Risks Related to Outsourcing: Banks often serve as the backbones of PPS such as credit, debit, and prepaid schemes without serving as the administrator or governing body of the scheme. Banks involved in these schemes often outsource CDD and other elements of the AML/CFT program to the program operators who have more direct contact with customers and insight to movement of funds. But Banks remain responsible for implementing an effective and compliant AML/CFT program. |
Mitigating Risks | AML/CFT obligations under CBUAE Regulations | In addition to this guidance, LFIs including non-bank payment service providers should carefully review all the relevant regulations issued by the CBUAE, which provide a comprehensive coverage of all payment products, services, and systems that are issued, provided and/or operated in the UAE, to ensure they fully understand and comply with their AML/CFT obligations. In 2020-2021 the CBUAE issued the SVF Regulation, the Retail Payment Services and Card Schemes Regulation, the Large Value Payment Systems Regulation, and the Retail Payment Systems Regulation. |
Risk Assessment | An appropriate risk assessment should consider all the PPS that an LFI provides, and the LFI's direct relationships to Payment Sector participants, both domestic and foreign. When assessing an LFI's direct exposure to the Payment Sector, the LFI should consider the risk factors discussed in section 2 of the Guidance, such as the movement of funds, mode of funding, and peer-to-peer payments among others. Where LFIs provide services to Payment Sector participants, they should also assess the risk of the relationship as well as their indirect exposure to the Payment Sector through their customers. |
Preventive Measures for LFIs Providing Products and Services directly to Customers | Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring: LFIs must perform all the elements of CDD, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer's business and purpose of the relationship, and ongoing monitoring. In addition to these mandatory elements, LFIs should consider the following elements that are particularly important in the context of NPPS: user identification and verification, use of IP addresses and geographical (spatial and temporal) locators, and SVF and merchant due diligence. |
Controls: LFIs should develop controls that are commensurate with the nature and size of their business to manage the risks identified. LFIs should in particular consider geographical limits, transaction limits, funding constraints, and multi-factor authentication to minimize or eliminate those aspects of the PPS and NPPS that make them most attractive to illicit actors. |
Wire Transfers Requirements: The AML-CFT Decision contains specific requirements with regard to information that LFIs must collect, and transmit with the wire transfer, when conducting an international wire transfer, as well as specific obligations related to domestic wire transfers (the Guidelines further contain CDD measures). Since many Payment Sector participants qualify as financial institutions, the applicability of these requirements is wide-ranging. |
Preventive Measures for LFIs Providing Services to other Payment Sector Participants | Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring: LFIs must conduct appropriate CDD on all customers, regardless of their type or sector (the majority, if not all, of Payment Sector participant customers will be legal persons). In this context, the LFIs should also consider a determination of whether nesting will take place. In addition to the standard required CDD elements, LFIs should collect all the information necessary to risk-rate the Payment Sector participant customer and evaluate whether aspects of the customer profile require EDD. All customers must also be subject to ongoing monitoring throughout the business relationship. |
Correspondent Due Diligence: In the context of Correspondent Banking Relationships with Payment Sector participants, LFIs should conduct correspondent due diligence that reflects the unique risks and features of those relationships. In the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. LFIs should in particular consider regulatory status, merchant due diligence, controls relating to nesting, and testing and auditing of the correspondent's AML/CFT program. |
Targeted Financial Sanctions | LFIs are required to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council under Chapter VII of the Charter of the United Nations and the requirements set by Cabinet Decision 74 of 2020 regarding Targeted Financial Sanctions. LFIs should be aware that, for all PPS they offer, they should have in place operational systems that ensure they can appropriately screen transactions related to those products or services. In intermediated correspondent relationships, LFIs should ensure that they fully understand their correspondents' sanctions screening approaches, and should not process any payments for a correspondent unless they are entirely confident that the correspondent conducts appropriate screening. |
Transaction Monitoring and Suspicious Transaction Reporting | LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (STR), a Suspicious Activity Report (SAR), or other report types. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD. As discussed above, in the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. Any LFI that outsources any elements of transaction monitoring retains ultimate responsibility for identifying and reporting suspicious transactions. |
Governance and Training | Payment Sector participants and LFIs providing them services should endeavor to incorporate the following considerations into the design of their governance frameworks and their training programs: clear allocation of AML/CFT responsibilities among LFIs, agent governance and training, and employee training. When a network of Payment Sector participants combine to deliver a payment service and execute transactions, risks arise when they do not have a clear understanding of each participant's AML/CFT responsibilities. Any LFI that provides payment services as part of a network should assume full responsibility for CDD. When an LFI provides services to a Payment Sector participant as part of a Correspondent Banking Relationship, they should also understand each party's AML/CFT responsibilities and document them in the contract or other program documents. |