Under Article 4 of the AML-CFT Decision, LFIs are required to identify, assess, and understand the ML/FT risks to which they are exposed and how they may be affected by those risks, in order to determine the nature and extent of AML/CFT resources necessary to mitigate and manage those risks. In addition, under Article 23 of the Decision, LFIs are required to identify and assess the ML/FT risks of that may arise when developing new products and new professional practices, including means of providing new services and using new or under-development techniques for both new and existing products. An appropriate risk assessment should consider all the PPS that an LFI provides, and the LFI’s direct relationships to Payment Sector participants, both domestic and foreign.
When assessing its direct exposure to the Payment Sector, whether in the form of PPS it offers, or relationships it maintains with other participants, the LFI should consider the risk factors discussed in section 2 above. The risk assessment should take into consideration:
•
Movement of Funds. What are the financial flows through the PPS and through the LFI’s accounts? What is the speed of transactions? Is there a cap on transaction value? Is there a daily, weekly, or monthly cap on the volume of transactions? Is the payment service in question closed loop or open loop? Can single users open multiple accounts?
•
Mode of Funding: How do users fund their accounts and make withdrawals, and is funding permitted prior to customer verification?
•
Peer-to-Peer Payments. Does the PPS allow users to conduct peer-to-peer transfers, or can they only send transfers to merchants/from customers? How is this restriction implemented and enforced?
•
Cross-Border Movement. Does the PPS permit funds to move across borders and to high-risk countries through relationships with foreign financial institutions? Can users access the PPS when they are outside the UAE? Does the service support multiple currencies?
•
Regulatory Status. Is the PPS that the LFI provides a regulated activity in the UAE and in all jurisdictions where it is provided?
•
Use of Agents and Affiliates. How many entities are involved in delivering the PPS? How open is the network supporting the PPS? Does it include entities that are not regulated as LFIs—for example convenience stores that accept cash in return for topping up account balance? What is the role of each player in the system, and are responsibilities clearly defined in governance documents?
•
Intermediation. How much visibility does the LFI have into payment activity taking place through the PPS? Can the LFI identify the ultimate payer and payee for all transactions? How many entities are in the payment chain?
•
Controls. Does the PPS integrate appropriate features that contribute to managing the risk created by the factors listed above, such as by performing a robust customer verification process? These can include both the AML/CFT-specific features discussed in section 3.3 below and measures related to cybersecurity and counter-fraud.
Where LFIs, particularly banks, provide services such as deposit accounts to Payment Sector participants, they should also consider the following in assessing the risk of the relationship:
•
Nature of the Relationship: What products or services does the LFI provide to the participant? Does the relationship involve direct exposure to the funds of the participant’s customers? Is the sector participant using the relationship to facilitate activity by other Payment Sector participants?
•
Regulatory Status: Is the participant required to be licensed in the UAE, its home jurisdiction, and all jurisdictions where it operates? Is it subject to AML/CFT requirements in all jurisdictions that are at least as stringent as those imposed in the UAE?
•
Relationship Governance: Are AML/CFT responsibilities within the relationship clearly defined? Does the LFI outsource some aspects of AML/CFT program implementation to the Payment Sector participant?
The risk assessment should also consider the LFI’s indirect exposure to the Payment Sector through its customers, who may connect their account with an LFI to a variety of PPS, or may fund their account by using such PPS. Because many payment service providers use existing domestic or international payment systems to execute transfers on behalf of their customers, an LFI may not be aware that its customers are using such services nor able to prohibit their use or detect payments activity in customer’s accounts. LFIs should therefore consider a variety of tools to assess their indirect exposure to this sector. These may include:
•
applying appropriate level of due diligence and asking questions during the CDD process to obtain all relevant information;
•
administering customer surveys to better understand customer’s interest in and use of payment services; and
•
utilizing watchlist-based screening over a sample period.
When LFIs have a sense of the most common PPS their customers use, they should assess the risk these services and products pose, considering the factors discussed above, including the involvement of high-risk countries and the extent of exposure. These assessments should in turn be reflected in the LFI’s inherent risk rating. In addition, the LFI’s controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed.