(AML-CFT Law Articles 9-10; AML-CFT Decision Articles 13, 16, 17.1, 21.2 and 5, 40-43, 46.1-4, 49.2-3)

The FIU of the UAE is established within the premises of the Central Bank, however, the FIU operates independently by legal and regulatory mandate as the central national agency with sole responsibility for performing the following functions:

Under the aegis of the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, and for the effective performance of its functions, the FIU maintains operational protocols with numerous national and international Competent Authorities.

The FIU has launched the GoAML system for the purposes of facilitating the filing of STRs by all FIs. FIs shall register themselves on the GoAML system by following the procedure manual and maintain their registration in an active status. The Compliance Officer of the company can register as the user of the system. GoAML provides a secure link of each FI to the FIU through their respective supervisory authorities. The system hosts processes for facilitating filing of STRs. It also has an .xml schema for filing batches of STRs. The guidance documents for filing of STRs are posted on the dashboard of this system. All new licensed FIs shall register themselves immediately after obtaining their financial services license so as to confirm their readiness for filing of STRs from the beginning.

The STRs are received by the FIU and processed for any required further information or documents or for further action by Law Enforcement or Supervisory Authorities. The FIU maintains a record of these STRs, performs a trend analysis to understand the prevailing trends in transactions and sectors or Institutions where possibility of ML or FT exists and this trend analysis is shared with all the registered users of GoAML through the system by means of a periodic trends and typologies report.

(AML-CFT Law Articles 9-10; AML-CFT Decision Articles 42, 43.1-3, 49.3)

A core function of the FIU is to conduct operational analysis on STRs and information received from FIs, DNFBPs, as well as from Competent Authorities, and to support the investigations of Law Enforcement Authorities. It does so by identifying specific targets (such as persons, funds, or criminal networks) and by following the trail of specific transactions in order to determine the linkages between those targets and the possible proceeds of crime, money laundering, predicate offences and terrorist financing.

Upon the receipt of STRs or information from reporting institutions or other sources, the FIU assesses the information, prioritises the risk, and performs its own analyses using a variety of information sources and analytical techniques.

In certain cases, the FIU may request additional information from the reporting entity, Competent Authorities, or even from other FIs which also have a business relationship with the subject of its analysis or investigation, through the Integrated Enquiries Management System (IEMS). Upon concluding its analysis or investigation, the FIU may disseminate information about the case to Law Enforcement Authorities or foreign FIUs, and may, at its own discretion, also provide feedback to the reporting entity in the form of instructions regarding required actions to be taken, or recommendations and guidance.

In addition to the above, the FIU also performs strategic analysis, using data aggregated from the STRs and other information it receives, including from national and international Competent Authorities and FIUs of other countries, to identify trends and patterns relating to ML/FT. As a result of this analysis, the FIU may from time to time disseminate enhanced due diligence and fraud alerts to FIs as a preventive measure, and may also disseminate information to FIs about prevalent or new and emerging ML/FT typologies, or other specific risks which FIs should take into consideration.

(AML-CFT Law Article 16; AML-CFT Decision Article 17.1)

Within the meaning of the AML-CFT Law and its implementing AML-CFT Decision, a suspicious transaction refers to any transaction, attempted transaction, or funds which an FI has reasonable grounds to suspect as constituting—in whole or in part, and regardless of the amount or the timing—any of the following:

It should be noted that the only requirement for a transaction to be considered as suspicious is “reasonable grounds” in relation to the conditions referenced above. Thus, the suspicious nature of a transaction can be inferred from certain information, including indicators, behavioural patterns, or CDD information, and it is not dependent on obtaining evidence that a predicate offence has actually occurred or on proving the illicit source of the proceeds involved. FIs do not need to have knowledge of the underlying criminal activity nor any founded suspicion that the proceeds originate from a criminal activity; reasonable grounds are sufficient.

FIs should also note that transactions need not be completed, in progress or pending completion in order to be considered as suspicious. Attempted transactions, transactions that are not executed and past transactions, regardless of their timing or completion status, which are found upon review to cause reasonable grounds for suspicion, must be reported in accordance with the relevant requirements.

(AML-CFT Decision 16)

FIs are obliged to put in place indicators that can be used to identify suspicious transactions, and to update those indicators on an ongoing basis in accordance with the instructions of the Supervisory Authorities or the FIU, as well as in keeping with relevant developments concerning ML/FT typologies. FIs should also consider the results of the NRA, any Topical Risk Assessment and their own ML/FT business risk assessments in this regard.

As part of their overall AML/CFT framework, and commensurate with the nature and size of their businesses, FIs should determine the internal policies, procedures and controls they apply in connection with the identification, implementation, and updating of indicators, as well as with the identification and evaluation of potentially suspicious transactions. Some factors that should be considered include, but are not limited to:

FIs should ensure that they have an adequate process and dedicated, experienced staff for the investigation of and dealing with alerts. The investigation of alerts and the conclusion of the investigation should be documented, including the decision to close the alert or to promptly report the transaction as suspicious.

Prompt reporting to the FIU is one of the key elements of the AML/CFT process. This means that FIs must report to the FIU the transaction immediately once the suspicious nature of the transaction becomes clear. This will be the case when from an objective point of view, taking the available information into account, there is a reason to believe that a transaction is suspicious. This means that FIs expeditiously investigate alerts and possible indications of ML/FT and immediately report the transaction upon determining that the transaction should be reported to the FIU. FIs therefore need to able to show that from the moment of the alert immediate and continuous action has been taken.

In this respect, FIs must have a procedure in place that defines the reporting process, and what steps to take in such cases. When investigating alerts it is important to examine the customer’s earlier and related transactions, and to reconsider the customer’s risk profile.

When identifying suspicious transactions, FIs, and their management and employees, should be aware of the facts that, in relation to ML/FT crimes, there is no minimum threshold or monetary value for reporting, and that no amount or transaction size should be considered too small for suspicion. This is of particular significance where the crimes of the financing of terrorism and of illegal organisations is concerned, since typologies related to them may often involve very small amounts of money.

Furthermore, with the exception of obligatory indicators for which reporting is required by the relevant Supervisory Authorities or the FIU, FIs should note that the presence of an indicator means that a transaction needs to be immediately investigated in order to determine whether the transaction needs to be reported. When determining whether a transaction is suspicious or whether there is reasonable ground for a suspicion, FIs should give consideration to the nature of the specific circumstances, including the products or services involved, and the details of the customer in the context of its risk profile. In some cases, patterns of activity or behaviour that might be considered as suspicious in relation to a specific customer or a particular product type, might not be suspicious in regard to another. For this reason, clear internal policies and procedures with regard to alert escalation and investigation, and internal suspicious transaction reporting are critical to an effective ML/FT risk-mitigation programme. This includes an adequate training program that will allow staff to detect possible unusual or suspicious transactions.

While it is impossible to list all the indicators of suspicion in these Guidelines, some useful links to sources of AML/CFT suspicious transaction indicators are provided in Appendix 11.2, Useful Links. A few examples of potentially suspicious transaction types that FIs should take into consideration include:

(AML-CFT Law Articles 9.1, 15, 24; AML-CFT Decision Articles 13.2, 17.1, 20.2)

FIs are obliged to report transactions to the FIU without delay when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime. There is no minimum reporting threshold; all suspicious transactions, including attempted transactions, should be reported regardless of the amount of the transaction. There is also no statute of limitations with regard to when the possible crimes or the suspicious transaction took place.

Under federal law and regulations, whether the FI operates in the mainland UAE or in a Financial or Commercial Free Zone, the designated Competent Authority for the reporting of suspicious transactions is the FIU.

Failure to – immediately - report a suspicious transaction, whether intentionally or by gross negligence, is a federal crime. Any person, including FIs or their managers and employees, who fails to perform their statutory obligation to report a suspicion of money laundering, or the financing of terrorism or of illegal organisations, is liable to a fine of no less than AED100,000 and no more than AED1,000,000 and/or imprisonment.

There are no exemptions from the statutory reporting requirement provided for FIs under the AML-CFT Law or AML-CFT Cabinet Decision.

(AML-CFT Law Article 9; AML-CFT Decision Articles 17.1(a), 21.2)

As the designated Competent Authority for receiving and analysing STRs from all FIs, it is within the purview of the FIU to determine the procedures for the reporting of suspicious transactions. As stated in the AML-CFT Decision, FIs shall report STRs “via the electronic system of the FIU or by any other means approved by the FIU”, which is the FIU’s GoAML system.

Without prejudice to the above, it should be noted that the AML-CFT Decision provides for the reporting of STRs to be effected by the designated compliance officer of the FI. Specifically, the Cabinet Decision states that the duty of a compliance officer is to:

“Review, scrutinise and study records, receive data concerning Suspicious Transactions, and take decisions to either notify the FIU or maintain the Transaction with the reasons for maintaining while maintaining complete confidentiality.”

In this regard, as part of their overall risk-based AML/CFT framework and commensurate with the nature and size of their businesses, FIs should establish appropriate policies, procedures and controls pertaining to the internal reporting by their managers and employees of potentially suspicious transactions, including the provision of the necessary records and data, to the designated AML/CFT compliance officer for further analysis and reporting decisions, as well as to the reporting of STRs by the compliance officer to the FIU. The relevant policies, procedures and controls should take into consideration such factors as:

Such policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation, in keeping with the nature and size of the FI’s business.

(AML-CFT Law 9; AML-CFT Decision 17.1(a), 21.2)

FIs are obliged to report STRs to the FIU without delay. Since it is the responsibility of the designated AML/CFT compliance officer to “review, scrutinise and study records, receive data concerning suspicious transactions, and take decisions to either notify the FIU or maintain the transaction,” (see Section 8.1, Compliance Officer) it follows that the STRs should be immediately reported once the suspicious nature of the transaction becomes clear. This means that the internal reporting of suspicious transactions to the compliance officer should be done directly once the suspicion or reasonable grounds for suspicion are established, and immediately the designated AML/CFT compliance officer has confirmed that the transaction (whether pending, in progress, or past) is suspicious, it should be reported.

Without prejudice to the above, FIs should note that, with the exception of any obligatory indicators for which immediate reporting to the FIU is required by the relevant Competent Authorities, some potentially suspicious transactions or indicators of suspicion may require a degree of internal investigation before a suspicion or reasonable grounds for suspicion are established and an internal STR is reported to the designated AML/CFT compliance officer. The FI should however be able to demonstrate that this investigation is started immediately and has been ongoing continuously until the transaction is reported to the FIU. In this regard, and commensurate with the nature and size of their businesses, FIs should establish clear policies, procedures and staff training programmes pertaining to the identification, investigation and internal reporting of suspicious transactions (including attempted transactions), and the degree and extent of investigations that are appropriate prior to the internal reporting of a suspicious transaction (also see Section 7.2, Identification of Suspicious Transactions). These policies and procedures should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

(AML-CFT Law Article 25; AML-CFT Decision Articles 17.2, 21.2, 31.3, 39)

When reporting suspicious transactions to the FIU, FIs are obliged to maintain confidentiality with regard to both the information being reported and to the act of reporting itself, and to make reasonable efforts to ensure the information and data reported are protected from access by any unauthorized person.

As part of their risk-based AML/CFT framework, and in keeping with the nature and size of their businesses, FIs, and their foreign branches or group affiliates where applicable, should establish adequate policies, procedures and controls to ensure the confidentiality and protection of information and data related to STRs. These policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

FIs must ensure that all relevant information relating to STRs is kept confidential, with due regard to the conditions and exceptions provided for in the law, and the guiding principles for this must be established in policies and procedures. FIs need to ensure that policy and procedures are reflected in for example, appropriate access rights with regard to core systems used for case management and notifications, secure information flows and guidance/training to all staff members involved. This guidance and training is primarily important for the first-line staff who have contact with customers. It is essential that these staff know when there may be cases of suspicious transactions, what questions they have to ask the customer and which information they must not under any circumstances disclose to the customer.

It should be noted that the confidentiality requirement does not pertain to communication within the FI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention or reporting of suspicious transactions and/or crimes related to ML/FT.

It is a federal crime for FIs or their managers, employees or representatives, to inform a customer or any other person, whether directly or indirectly, that a report has been made or will be made, or of the information or data contained in the report, or that an investigation is under way concerning the transaction. Any person violating this prohibition is liable to a penalty of no less than AED100,000 and no more than AED500,000 and imprisonment for a term of not less than six months.

(AML-CFT Law Article 27; AML-CFT Decision Article 17.3)

FIs, as well as their board members, employees and authorised representatives, are protected by the relevant articles of the AML-CFT Law and AML-CFT Decision from any administrative, civil or criminal liability resulting from their good-faith performance of their statutory obligation to report suspicious activity to the FIU. This is also the case even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred. However, it should be noted that such protections do not extend to the unlawful disclosure to the customer or any other person, whether directly or indirectly, that they have reported or intend to report a suspicious transaction, or of the information or data the report contains, or that an investigation is being conducted in relation to the transaction.

Once a Suspicious Transaction or other suspicious information related to a Customer or Business Relationship has been reported to the FIU, there are two immediate consequences:

Further guidance on both of these topics is provided below.

FIU Instructions

After receiving an STR from an FI, the FIU may or may not revert to the reporting institution with specific instructions, requests for additional information, feedback or further guidance related to the STR or to the business relationship in general. In such cases, these communications will generally be directed to the designated AML/CFT compliance officer of the FI.

Confidentiality of FIU’s Instructions

The responsibility for coordinating the FI’s prompt compliance with the FIU’s instructions or requests lies with the designated AML/CFT compliance officer. It should be noted that, depending on the nature of the case, the FIU may require the compliance officer to maintain certain information related to its instructions or requests privileged and/or confidential within the FI’s organisation. In other words, in some cases, the compliance officer could be restricted from divulging information about a transaction or business relationship to anyone other than certain members of senior management or the board of directors of the FI. Regardless of the circumstances surrounding the FIU’s instructions or requests, including whether or not the compliance officer is permitted to provide explanations to the staff of the FI, the FI is obliged at all times to follow the compliance officer’s instructions in regard to any follow-up actions required in relation to an STR.

Timing of FIU’s Instructions

Whether or not the FIU issues instructions or requests for additional information to a reporting institution, or how quickly this may occur after the STR is initially reported, both depend on numerous factors. These may include the prioritisation of the incoming STR among all of the STRs received by the FIU, the results of the ensuing analysis, or the possible need for information to be exchanged with other Competent Authorities or international FIUs, as well as the timing and the results of such exchanges.

When an STR involves an anticipated, pending, or already in-progress transaction, FIs should use their best efforts to delay the execution or completion of the transaction, in order to allow for a reasonable amount of time in which to receive feedback, instructions, or additional information requests from the FIU. In taking such measures, FIs should take the necessary steps to avoid “tipping off” or arousing the customer’s suspicion that the transaction is being investigated or reported. Examples of some of the measures FIs may consider taking, either singly or in combination, in order to delay the execution or completion of transactions include but are not limited to:

During the time interval during which an anticipated, pending, or in-progress STR that has already been reported to the FIU is being delayed by the FI, any additional suspicions that may arise should also be immediately reported to the FIU as a follow-up to the original STR. Examples of such additional suspicions may include, but are not limited to:

If a reasonable amount of time has not yet elapsed before the receipt of feedback, instructions, or requests for additional information from the FIU in regard to an STR, and it becomes impossible for the FI to delay the execution or completion of the reported transaction any longer without arousing the customer’s suspicion that the transaction is being investigated or reported, then the FI should request specific instructions or permission from the FIU in regard to executing or rejecting the transaction.

No Instructions, Feedback or Additional Information Requests from the FIU

Due to the factors previously mentioned, FIs may not receive instructions, additional information requests, or other feedback from the FIU in regard to STRs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, FIs should determine the appropriate handling of the STR and of the business relationship in general, taking into consideration all of the risk factors involved.

In particular, FIs are reminded that, unless they are specifically instructed by the FIU to do so, they are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a Crime. Furthermore, unless they are specifically instructed by the FIU to maintain the business relationship (for example, so that the Competent Authorities may monitor the customer’s activity), FIs should take appropriate steps in order to decide whether or not to maintain the business relationship. These steps may include, but are not limited to:

FIs should be aware that filing an STR does not automatically mean that the relationship with the customer needs to be terminated. However, when deciding to terminate a business relationship for which an STR has been filed and no feedback has been received from the FIU after a reasonable time period, FIs should formally advise the FIU of their intention to do so unless there is an official objection.

Reasonable Time Period for Receiving Feedback from the FIU

FIs should note that there are no pre-established processing times, and no statute of limitations, in regard to the time interval during which the FIU may provide feedback, including instructions or requests for additional information in response to an STR. Furthermore, the time period that may be considered reasonable in relation to such feedback depends on numerous factors, including but not limited to the:

The time period considered to be reasonable could thus vary widely from one case to another.

As a general guideline, the reasonable time periods for feedback from the FIU concerning transaction types that are less complex, more routine, and have faster average processing times (such as account-to-account or wire transfers, the exchange of currencies, or over-the-counter purchases of precious metals or stones, for example) would normally be expected to be shorter than those for more complex, less routine transaction types (such as, for example, purchases of real estate or other complex assets, trade finance transactions, or various forms of loan or credit agreements). FIs that require further assistance in determining reasonable time periods should consult with the FIU or the relevant Supervisory Authorities.

High-Risk Classification of Reported Business Relationships

When a transaction or other information about a business relationship is reported to the FIU as suspicious, it means that, by definition, the customer or business relationship to which it pertains should be classified as high risk (in case the business relationship has not yet been classified as such). In situations in which no feedback or instructions have been received from the FIU, FIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

In such cases, beyond the EDD measures described in previous sections (see Sections 6.4, Enhanced Due Diligence (EDD) Measures and 6.3.5, Ongoing Monitoring of the Business Relationship), FIs should also implement additional control measures such as, but not limited to:

FIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, FIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the ML/FT risks associated with the business relationship.

(AML-CFT Decision Articles 20.3, 21 and 44.12)

(AML-CFT Decision Articles 20.4-5, 21.4)

In order for their ML/FT risk assessment and AML/CFT mitigation measures to be effective, FIs should ensure that their employees have a clear understanding of the ML/FT risks that the FI is exposed to and can exercise sound judgment, both when adhering to the FI’s AML/CFT risk mitigation measures and when identifying suspicious transactions. Furthermore, due to the ever-evolving nature of ML/FT risks, FIs should ensure that their employees are kept up to date on an ongoing basis in relation to emerging ML/FT typologies and new internal and external risks. . Depending on the nature, size and level of complexity of an FI, an FI should also screen staff to ensure high standards when hiring employees.

Thus, to ensure a high level of competence and AML/CFT programme effectiveness, FIs should formulate and implement appropriate policies, procedures and controls with regard to staff screening and training. An effective training program should not only explain the relevant AML/CFT laws and regulations, but also cover the institutions’ policies and procedures used to mitigate ML/FT risks, scope of target employees such as but not limited:

These measures should be applied across organisations and financial groups, including their foreign branches and majority-owned subsidiaries. Examples of some of the factors that should be considered when determining appropriate staff screening and training measures include, but are not limited to:

(AML-CFT Decision Articles 20, 31, 32)

When an FI is part of a group, the FI is obliged to implement appropriate group-wide AML/CFT programmes, and to apply them in relation to all branches and majority-owned subsidiaries of the financial group. The specific requirements that must be met by FIs with respect to their foreign branches and majority-owned subsidiaries are set out in the relevant provisions of the AML-CFT Decision, and reflect those to which FIs are subject within the State.

In meeting these obligations with regard to their branches and majority-owned subsidiaries in foreign countries, FIs, and in particular FIs that are members of financial groups, should ensure that the measures they apply are consistent with the requirements of the AML-CFT Law and AML-CFT Decision. In this regard, FIs should establish appropriate policies and procedures for the exchange and sharing of data and information, including those required for the purposes of CDD and ML/FT risk management, between the foreign branches and subsidiaries and the head office, for the purpose of combating the crimes of money laundering and the financing of terrorism and of illegal organisations, and for reporting suspicious transactions.

In situations where these measures are not possible due to legislative or regulatory restrictions in the foreign countries in which their branches and majority-owned subsidiaries operate, FIs (including those which are members of Financial Groups) should implement the necessary additional measures, commensurate with the nature and size of their businesses, that will enable them to manage and mitigate appropriately the ML/FT risks that relate to their foreign operations. Examples of some of the measures that should be considered include but are not limited to:

In particular, in cases in which the minimum AML/CFT requirements of host countries in which FIs maintain foreign operations are less strict than those of the State, FIs should take the necessary measures to ensure that their foreign branches and/or majority-owned subsidiaries in those countries implement requirements consistent with those of the State, to the extent permitted by the laws and regulations of the host countries. If such host countries do not permit the proper implementation of the AML/CFT requirements consistent with those of the State, FIs should apply appropriate additional measures to manage and mitigate the ML/FT risks (including but not limited to those described above). They should also inform the relevant Supervisory Authorities of the circumstances and comply with any additional supervisory actions, controls, or requirements of the Competent Authorities of the State (up to and including, if requested, terminating their operations in the host countries).

(AML-CFT Decision Article 20.6)

A robust and independent audit function is a key component to a well-functioning governance structure and an effective AML/CFT framework. FIs are obliged to have in place an independent audit function to test the effectiveness and adequacy of their internal polices, controls and procedures relating to combating the crimes of money laundering and the financing of terrorism and of illegal organisations. In this regard, FIs should ensure that their independent audit function is appropriately staffed and organized, and that it has the requisite competencies and experience to carry out its responsibilities effectively, commensurate with the ML/FT risks to which the FIs are exposed, and with the nature and size of their businesses.

It should be noted that, while most FIs are expected to have the capacity to meet these requirements internally, depending on the nature and size of their businesses, some FIs (particularly smaller ones) may not necessarily have the resources to maintain a fully functioning and effective internal audit unit. In such cases, those FIs should ensure that they take adequate measures to obtain the necessary capabilities from qualified external sources. They should also ensure that they have in place adequate internal capabilities to provide sufficient coordination with and oversight of any external resources they may utilise, and that such external resources are adequately regulated and supervised by relevant Competent Authorities.

FIs should ensure that the periodic inspection and testing of all aspects of their AML/CFT compliance programmes, including ML/FT business risk assessment and AML/CFT mitigation measures, and CDD policies, procedures and controls, is incorporated into their regular audit plans. They should also ensure that all their branches and the subsidiaries in which they hold a majority interest, whether domestic or foreign, are part of an independent audit testing programme that covers the effectiveness and adequacy of their internal AML/CFT polices, controls and procedures.

Some of the factors FIs should consider in determining the appropriate frequency and extent of audit testing of their AML/CFT programmes by their independent audit functions include but are not limited to:

The scope of such audits should include but not be limited to:

(AML-CFT Decision Articles 4.2(a), 4.2(b)(5), 8.1(a), 15.1(b) and 15.2, 17.3, 21.3, 25.1(d))

A cornerstone of any sound governance structure, including those related to AML/CFT compliance, is senior management involvement and accountability. The members of an FI’s senior management (together with the members of the board of directors in those organisations that have one) are ultimately responsible for the quality, strength and effectiveness of the FI’s AML/CFT framework, as well as for the robustness of its compliance culture. In this regard, an FI’s senior management should set the ML/FT risk appetite and a proper “tone at the top,” by demonstrating their commitment to ensuring an effective AML/CFT compliance programme is in place, and by clearly articulating their expectations with regard to the responsibilities and accountability of all staff members in relation to it.

Under the AML/CFT legal and regulatory framework of the UAE, the senior management of all FIs are responsible for performing certain functions related to the assessment, management and mitigation of the ML/FT risks to which their organisations are exposed. These responsibilities can be grouped broadly into categories which include:

Some FIs may operate as small or mid-sized businesses, without large staff organisations or sophisticated IT infrastructures. In such cases, individual managers and employees may often be called upon to undertake multiple roles and responsibilities in the course of day-today business activities, and it may be difficult at times to maintain a clear separation of duties or functions. While an FI’s small size does not in any way exempt it from fulfilling its obligations under the AML-CFT Law and AML-CFT Decision, and without prejudice to guidance provided in the previous sections, the following additional considerations are of particular importance to small and mid-sized FIs.

(AML-CFT Law Articles 16.1(a),(f); AML-CFT Decision Articles 7.2, 24, 36, 37.3)

FIs are obliged to maintain detailed records, documents, data and statistics for all transactions, all records obtained through CDD measures, account files and business correspondence, and results of any analysis undertaken, as well as a variety of record types and documents associated with their ML/FT risk assessment and mitigation measures, as specified in the relevant provisions of the AML-CFT Decision (see Section 9.2, Required Record Types). FIs are required to maintain the records in an organized fashion so as to permit data analysis and the tracking of financial transactions, and to make the records available to the Competent Authorities immediately upon request. They should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. All CDD information and transaction records should be available swiftly to Competent Authorities upon appropriate authority.

The statutory retention period for all records is at least five (5) years, depending on the circumstances, from the date of the most recent of any of the following events:

Without prejudice to the above, FIs should note that it is the prerogative of the Competent Authorities to require the retention of the records of any FI, whether data, statistics, or records pertaining to a specific customer or transaction or to general categories of customers or transactions which they deemed to be of interest, for a longer period of time at their own discretion.

In order to fulfil their record-keeping obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Examples of the factors which FIs should give consideration to when formulating the relevant policies, procedures and controls, include but are not limited to:

(AML-CFT Law Articles 16.1(a),(b),(f); AML-CFT Decision Articles 7.2, 24)

The AML-CFT Law and AML-CFT Decision oblige FIs to retain several types of records, which can be classified broadly into the following categories:

Additional guidance related to these record types is provided in the following sub-sections.