Chapter 16: AML/CFT Compliance
Definitions
“AML/CFT Program” means the policies, procedures, systems, controls, etc. introduced by a Licensed Person to prevent Money Laundering and Financing of Terrorism. “AML/CFT Supervision Department” means the AML/CFT Supervision Department at the Central Bank of the UAE. “Banking Supervision Department” means the Banking Supervision Department at the Central Bank of the UAE. “Beneficial Owner (BO)” means the ‘Natural Person’ who ultimately owns or exercises effective control, directly or indirectly, over a customer or the natural person on whose behalf a transaction is being conducted, or the natural person who exercises effective ultimate control over a legal person or legal arrangement, as per Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. “Central Bank” means the Central Bank of the United Arab Emirates. “Exchange Business” means: - Dealing in sale and purchase of foreign currencies and travelers cheques; - Executing remittance operations in local and foreign currencies; - Payment of wages through establishing a link to the operating system of “wages protection system” (WPS); and - Other products and services approved by the Central Bank. “Exchange House” means a juridical person licensed in accordance with the provisions of Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organisation of Financial Institutions and Activities to carry on money exchange activity, and conduct funds transfers within and outside the UAE, and any other businesses determined by the Central Bank. “FIU” means the Financial Intelligence Unit (FIU) of the UAE. “Instant money transfer service provider” means a money remitting institution licensed and regulated by an appropriate Regulator in its home country who will have necessary proprietary software applications and infrastructure to transfer funds instantly from an agent in one country to an agent in another country and/or domestically. “Legal Arrangement” means a relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality. Examples include trusts or other similar arrangements. Many legal arrangements allow for ownership, control, and enjoyment of funds to be divided between at least two different persons. “Legal Person” means any entities other than natural persons that can establish in their own right a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations along with similar entities. “License” means license issued by the Central Bank for carrying out Exchange Business. “Licensed Person” means any Exchange House licensed by the Central Bank to carry out Exchange Business. “ML/FT” means the Money Laundering or Financing of Terrorism as defined in the Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations. “Natural Person” means an individual. “Politically Exposed Person” (PEP) means natural persons who are or have been entrusted with a prominent public function in the UAE or any other foreign country such as heads of states or governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties, and persons who are, or have previously been, entrusted with the management of an international organization or any prominent function within such an organization; and the definition also includes the following: 1. Direct family members (of the PEP who are spouses, children, spouses of children, parents) 2. Associates known to be close to the PEP, which include: a. Individuals having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP; b. Individuals having individual ownership rights in a legal person or arrangement established in favor of the PEP. “Purpose of transaction” means an explanation about why a customer is conducting a transaction or the reason for which the funds will be used. Examples of purpose of transaction are: family support, education, medical, tourism, debt settlement, financial investment, direct investment, or trading etc. For verification of the purpose of transaction, documents may include any documentation proving the purpose for which the money will be used. “Shell bank” means a bank that has no physical presence in the country in which it is incorporated and licensed, and which is unaffiliated with a regulated financial group that is subject to effective consolidated supervision. “Source of funds” means how the money, involved in the transaction, was originally derived or earned. Examples of source of funds are: salary, wages, inheritance, gratuity, end of service benefits, bank loan, income from businesses, sale of property, sale of land, sale of investments, etc. For verification of the source of funds, documents include but are not limited to salary slip, labor contract, court order, bank statements, etc. Introduction
This chapter provides standards that every Licensed Person must follow at all times in order to protect the Licensed Person from abuse by money launderers and/or terrorist financiers. The Licensed Person must ensure that its Anti-Money Laundering and Combating Financing of Terrorism (AML/CFT) Program is in line with applicable Laws and Regulations of the UAE regarding Money Laundering and the Financing of Terrorism (“AML/CFT Laws and Regulations”), in particular Federal Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (“the AML-CFT Law”) and its amendment (Federal Decree Law No. (26) of 2021 amending certain provisions of Federal Decree Law No. 20 for 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations) and the Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (“the AML-CFT Decision”)1. Furthermore, please refer to the Central Bank’s Guidance for Licensed Exchange Houses2.
1Available at https://www.centralbank.ae/en/cbuae-amlcft
2 Idem.16.1 AML/CFT Program
16.1.1 The Licensed Person must carefully design, document and effectively implement its AML/CFT Program based on the Standards in this Chapter at a minimum and the results of its ML/FT risks assessment in accordance with Paragraph 16.2; and
16.1.2 The Licensed Person must implement additional AML/CFT procedures, systems, controls and measures as appropriate to the risk profile of its business.
16.2 ML/FT Risk Assessment
16.2.1 The Licensed Person must identify, assess and understand the ML/FT risks associated with its business and perform this enterprise wide ML/FT risk assessment on a regular basis;
16.2.2 The Licensed Person must implement a ML/FT risk assessment methodology appropriate to the nature, size and complexity of its business;
16.2.3 Money laundering and terrorist financing risks associated with the following parameters of the Licensed Person must be assessed at a minimum:
a) Customer Risk; b) Counterparty Risk (i.e. foreign correspondent banks, financial institutions, agents, etc.); c) Product Risk; d) New Technologies Risk; e) Jurisdictional Risk or Country Risk; and f) Delivery Channel Risk or Interface Risk.
16.2.4 The Licensed Person must identify and assess ML/FT risks based on additional parameters that may be relevant to the nature, size and complexity of its business before entering into any business relationships;
16.2.5 In assessing ML/FT risks, the Licensed Person must have the following in place:
a) Documented risk assessment methodology, process and findings; b) Determine the level of overall risk, acceptable level of risk and mitigating measures to be applied to minimise the impact of risks; c) Document a written risk appetite statement that clearly identifies the acceptable level of risk, and maintain the risk appetite statement up to date through periodic reviews; d) Maintain risk assessments up-to-date through periodic reviews and annually at a minimum; and e) Establish appropriate mechanisms to provide information on risk assessments to the Central Bank and to its examiners, whenever required.
16.2.6 The Licensed Person should also be guided by the results of the National Risk Assessment in conducting its own ML/FT risk assessments which has been issued by the competent authority in the UAE, and will be updated periodically in future; and
16.2.7 The Licensed Person must identify and assess the ML/FT risks that may arise in relation to the development of new products and services including new delivery mechanisms and the use of new or developing technologies for both new and existing products, as follows:
a) Undertake the risk assessment prior to the launch or use of such products, services and technologies; b) Take appropriate measures to manage and mitigate risks; c) Notify the Banking Supervision Department via email to info.ehs@cbuae.gov.ae of the product and its risks and risk mitigation measures; and d) Obtain a Letter of No Objection from the Banking Supervision Department prior to launching the product.
16.3 AML/CFT policies and procedures
16.3.1 The Licensed Person must introduce a comprehensive and documented AML/CFT policy, based on its ML/FT risk assessment in accordance with Paragraph 16.2 of this Chapter, which must be the foundation of its compliance function;
16.3.2 The AML/CFT policy must clearly define the roles and responsibilities of the Manager in Charge, Compliance Officers, Compliance Committee and employees in relation to AML/CFT compliance. The AML/CFT policy must also provide for regular and timely reporting to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) regarding ML/FT risks and the culture/values to be adopted within the business of the Licensed Person to prevent money laundering, terrorist financing and related crimes;
16.3.3 The AML/CFT policy must affirm the roles and responsibilities of the Board of Directors (if any) and of the Owner/Partners/Shareholders in relation to implementing a robust AML/CFT Program across the business of the Licensed Person;
16.3.4 Effective AML/CFT procedures must also be implemented for employees to follow while they carry out their day to day responsibilities in order to ensure that ML/FT risks are mitigated in the day to day operations of the Licensed Person;
16.3.5 The AML/CFT policy and procedures must be based on the UAE’s existing AML/CFT Laws, Regulations, Notices and the Standards as well as international best practices and guidance notes from the FATF, MENAFATF, EGMONT Group and other similar bodies;
16.3.6 The AML/CFT policy and procedures must be approved by the Manager in Charge, the Compliance Officer and by the Board of Directors (or by the Owner/Partners where there is no Board of Directors);
16.3.7 The AML/CFT policy and procedures must be reviewed and updated, annually at a minimum, to make it consistent with all applicable Laws, Regulations, Notices, the Standards and other international best practices and to make it effective in mitigating the existing as well as emerging ML/FT risks;
16.3.8 Copies of the AML/CFT policy and procedures must be held in all Licensed Premises and be accessible to all employees at all times;
16.3.9 The AML/CFT policy and procedures must be circulated among all employees upon the completion of periodical reviews; and
16.3.10 The AML/CFT policy and procedures must apply to all branches, subsidiaries and affiliated entities in which the Licensed Person holds a majority interest (i.e, greater than 50%).
16.4 Appointment of the Compliance Officer
16.4.1 The Licensed Person must appoint a Compliance Officer who must be given the specific responsibility of managing its AML/CFT compliance function;
16.4.2 The Compliance Officer of the Licensed Person must:
a) be a member of Senior Management; b) report directly to the Board of Directors (or to the Owner/Partners where there is no Board of Directors); c) be provided with sufficient resources including time, systems, tools and support staff depending on the nature, size and complexity of its business; and d) be provided with unrestricted access to all information related to products or services, business partners, correspondent agents, remittance partners, customers and transactions.
16.4.3 The following are some of the major responsibilities of the Compliance Officer (not exhaustive):
a) Design an appropriate AML/CFT Program for the Licensed Person to remain compliant with applicable AML/CFT Laws, Regulations, Notices, the Standards and international best practice at all times; b) Develop, or oversee the development of, the institution’s AML/CFT risk assessment; c) Establish and maintain appropriate AML/CFT policies, procedures, processes and controls; d) Ensure day-to-day compliance of the business against internal AML/CFT policies and procedures; e) Act as the key contact point regarding all AML/CFT related matters/queries from the Central Bank, FIU, and any other competent authorities; f) Receive suspicious transaction or activity alerts from employees and analyze them to take appropriate decisions to report all suspicious cases to the FIU; g) On-going monitoring of transactions to identify high-risk, unusual and suspicious customers/transactions, and ensuring that transaction monitoring systems are appropriate and functioning as designed; h) Submit Suspicious Transaction Reports (STR), Suspicious Activity Reports (SAR) or other report types without any delay to the FIU ; i) Cooperate with and provide the FIU with all information it requires for fulfilling their obligations; j) Develop and execute AML/CFT training programs considering all relevant risks of ML/FT and financing illicit organizations including the ways/means for addressing them; k) Provide necessary reports to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) on all AML/CFT issues, on a quarterly basis at a minimum; l) Arrange to retain all necessary supporting documents for transactions, KYC, monitoring, Suspicious Transaction Reporting and AML training for the minimum period for record retention as per Paragraph 16.29 of this Chapter; m) Conduct regular gap analysis between the Licensed Person’s existing AML/CFT Procedures and the most current Laws, Regulations, Notices and the Standards of the UAE in order to determine the extent of the Licensed Person’s level of compliance; n) Propose actions required to address gaps, if any; and o) Prepare Bi-Annual Compliance Reports in accordance with Paragraph 16.30 of this Chapter.
16.4.4 The Compliance Officer must have the following qualifications and experience at a minimum:
a) If the Licensed Person is in possession of a Category A License:
• A minimum of three (3) years of experience in AML/CFT compliance, audit or risk management within any financial institution(s).
b) If the Licensed Person is in possession of either a Category B or Category C License:
• A minimum of eight (8) years of experience in AML/CFT compliance, audit or risk management within any financial institution(s); or • A minimum of five (5) years of experience in AML/CFT compliance, audit or risk management within any financial institution(s) and possess a specific certification related to AML/CFT compliance.
c) Examples of specific certifications related to AML/CFT compliance includes ACFCS, CFE, ICA Diplomas, CAMS or any other certification associated with financial crime control or AML/CFT compliance which is acceptable to the Central Bank; and
d) The Compliance Officer, in all above cases, must possess sound knowledge of all applicable AML/CFT Laws, Regulations, Notices, the Standards and other relevant international best practices.
16.4.5 Employment Type and Residential Status of the Compliance Officer:
a) The Compliance Officer must be a full time employee of the Licensed Person; b) The Compliance Officer must not engage in any part time employment or act as a consultant outside the business of the Licensed Person; c) The Compliance Officer must be a resident in the UAE; and d) A foreign national must be under the employment visa of the Licensed Person when employed as a Compliance Officer.
16.4.6 Conflict of Interest in Multiple Roles:
The role of Compliance Officer must not be combined with any other functions of the Licensed Person and must be limited to tasks related to AML/CFT compliance.
16.4.7 Reporting Lines and Independence:
a) The Compliance Officer must directly report to the Board of Directors (or to the Owner/Partners where there is no Board of Directors); and
b) The Compliance Officer must have authority to act without any interference from the Manager in Charge or other employees of the Licensed Person.
16.4.8 Prior Approval for Appointment:
a) A Letter of No Objection must be obtained for appointing a Compliance Officer by submitting the following documents to the Banking Supervision Department via email to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae):
• Letter from the authorized signatory of the Licensed Person seeking the Letter of No Objection from the Central Bank; and
• Undertaking letter from an authorized signatory of the Licensed Person confirming the binding commitment of the Compliance Officer and the Licensed Person to comply with Paragraphs 16.4.5, 16.4.6 and 16.4.7 of this Chapter.
b) The duly completed Authorised Person’s Appointment Form (“APA Form”, Refer to Appendix 5 for this Form) along with all other required supporting documents must be sent to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae);
c) Central Bank shall conduct a fit and proper test on the proposed Compliance Officer of the Licensed Person.The Central Bank reserves the right to:
• interview the proposed Compliance Officer as part of the fit and proper test, if it deems it necessary; and
• issue or decline the approval for the proposed Compliance Officer.
d) In case the prior approval request is rejected by the Central Bank, the Licensed Person must propose a new Compliance Officer within the timeline provided by the Central Bank in the Letter of Rejection. If a specific timeline is not provided in the Letter of Rejection, then the Licensed Person must propose a new Compliance Officer within a period of ninety (90) calendar days from the date of Letter of Rejection; and
e) Once the Compliance Officer has formally commenced employment, details of the Compliance Officer must be provided to the Banking Supervision Department and the AML/CFT Supervision Department of the Central Bank via email respectively to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae) and amlcft@cbuae.gov.ae. The notification must be made within two working days from the date the Compliance Officer commences employment.
16.4.9 Resignation of the Compliance Officer and Notification to the Central Bank:
a) The Licensed Person must notify the Banking Supervision Department and the AML/CFT Supervision Department, within five (5) working days of the date of resignation of the Compliance Officer or the date upon which the position becomes vacant in any other manner with reasons thereof via email respectively to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae;
b) The Licensed Person must propose a permanent replacement, within a period of ninety (90) calendar days from the date when the position of the Compliance Officer falls vacant, by submitting a request of No Objection to the Banking Supervision Department (Refer to Paragraph 16.4.8 of this Chapter for more information); and
c) The Alternate Compliance Officer must be available to ensure the continuity of the AML/CFT compliance function during the period when the Compliance Officer’s position is vacant.
16.4.10 Outsourcing of Compliance Function:
The Licensed Person must not outsource the role of the Compliance Officer nor the entire compliance function under any circumstances. However, the Licensed Person is permitted, under certain circumstances, to outsource some specific AML compliance tasks after obtaining the Letter of No Objection from the Banking Supervision Department. Please refer to Paragraph 9.1.2 (a) of Chapter 9.
16.4.11 Removal of the Compliance Officer:
a) The Central Bank reserves the right to remove the Compliance Officer of a Licensed Person at its sole discretion; b) The Licensed Person, in such cases, must comply with Paragraph 16.4.9 (b) of this Chapter; and c) The Central Bank reserves the right to communicate or not to communicate reasons to the Licensed Person for its decision to remove the Compliance Officer.
16.5 Appointment of the Alternate Compliance Officer
16.5.1 The Licensed Person must appoint an Alternate Compliance Officer to strengthen the AML/CFT compliance function subject to the following conditions:
a) The Alternate Compliance Officer must be a full time employee of the Licensed Person; b) The Alternate Compliance Officer must not engage in any part time employment or act as a consultant outside the business of the Licensed Person; c) The Alternate Compliance Officer must be a resident in the UAE; d) A foreign national must be under the employment visa of the Licensed Person when employed as an Alternate Compliance Officer; e) The Alternate Compliance Officer must directly report to the Compliance Officer or to the Board of Directors (or to the Owner/Partners where there is no Board of Directors) during the absence of the Compliance Officer; f) The Alternate Compliance Officer must have authority to act without any interference from the Manager in Charge or other employees of the Licensed Person; g) If the Licensed Person is in possession of either a Category B or Category C License, the role of its Alternate Compliance Officer must not be combined with any other function of the Licensed Person and must be limited to tasks related to AML/CFT compliance; and h) If the Licensed Person is in possession of a Category A License, the role of its Alternate Compliance Officer may be combined with any other function of the Licensed Person which does not create any conflict of interest.
16.5.2 Prior Approval for the Appointment:
a) A Letter of No Objection must be obtained for appointing an Alternate Compliance Officer by submitting the following to the Banking Supervision Department via email to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae):
• Letter from the authorized signatory seeking the Letter of No Objection from the Central Bank; and
• Undertaking letter from the authorized signatory of the Licensed Person confirming the binding commitment of the Alternate Compliance Officer and the Licensed Person to comply with Paragraphs 16.5.1 (a) to (g) of this Chapter.
b) The duly completed APA Form (Refer to Appendix 5 for this Form) along with all other required supporting documents must be sent to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae).
c) The Central Bank shall conduct a fit and proper test on the proposed Alternate Compliance officer of the Licensed Person. The Central Bank reserves the right to:
• interview the proposed Alternate Compliance Officer as part of the fit and proper test, if it deems it necessary; and
• issue or decline the approval for the proposed Alternate Compliance Officer.
d) In case the prior approval request is rejected by the Central Bank, the Licensed Person must propose a new Alternate Compliance Officer within the timeline provided by the Central Bank in the Letter of Rejection. If a specific timeline is not provided in the Letter of Rejection, then the Licensed Person must propose a new Alternate Compliance Officer within a period of ninety (90) calendar days from the date of Letter of Rejection; and
e) Once the Alternate Compliance Officer has formally commenced employment, details of the Alternate Compliance Officer must be provided to the Banking Supervision Department and the AML/CFT Supervision Department of the Central Bank via email respectively to smp@cbuae.gov.ae (with copy to info.ehs@cbuae.gov.ae) and amlcft@cbuae.gov.ae. The notification must be made within two working days from the date the Alternate Compliance Officer commences employment .
16.5.3 Resignation of the Alternate Compliance Officer and Notification to the Central Bank:
a) The Licensed Person must notify the Banking Supervision Department and the AML/CFT Supervision Department, within five (5) working days of the date of resignation, of the Alternate Compliance Officer or the date upon which the position becomes vacant in any other manner with reasons thereof via email respectively to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae;
b) The Licensed Person must propose a permanent replacement, within a period of ninety (90) calendar days from the date when the position of the Alternate Compliance Officer falls vacant, by submitting a request of No Objection to the Banking Supervision Department (Refer to Paragraph 16.5.2 of this Chapter for more information).
16.5.4 Removal of the Alternate Compliance Officer:
a) The Central Bank reserves the right to remove the Alternate Compliance Officer of a Licensed Person at its sole discretion;
b) The Licensed Person, in such cases, must comply with Paragraph 16.5.3 (b) of this Chapter; and
c) The Central Bank reserves the right to communicate or not to communicate reasons to the Licensed Person for its decision to remove the Alternate Compliance Officer.
16.6 Continuous Professional Development Programs (CPD)
16.6.1 The Compliance Officer, Alternate Compliance Officer and other employees of the AML/CFT Compliance Department must undergo a minimum of forty eight (48) hours external training in AML/CFT compliance every 12 months, starting from the date the officer or employee has commenced employment; and
16.6.2 Participation in any one or a combination of the following is acceptable in relation to CPD programs in this context:
a) AML/CFT conferences, meetings or workshops whether inside or outside the UAE; b) face to face training by external agencies whether inside or outside the UAE; c) training by industry associations or regulatory bodies; and d) Web based training.
16.7 Know Your Customer (KYC) Process
16.7.1 The Licensed Person must carry out KYC process for its customers in order to confirm who its customers are, and to ensure that the funds involved in their transactions are originating from legitimate sources and used for legitimate purposes.
16.7.2 The Licensed Person must apply appropriate KYC Process for its customers depending on the ML/FT risks associated with each customer or transaction.
16.7.3 There are three different types of KYC Processes that must be applied based on the ML/FT risk associated with a customer. These are:
a) Customer Identification (CID) Process; b) Customer Due Diligence (CDD) Process; and c) Enhanced Due Diligence (EDD) Process.
16.7.4 The transaction thresholds at which CID, CDD, and EDD are required are specified in paragraphs 16.8.1, 16.9.1, 16.10.2, and 16.11.1 below.
16.7.5 The Licensed Person must understand the purpose and intended nature of the business relationship and obtain, when necessary, information related to this purpose. The Licensed Person must understand the nature of the customer’s business as well as the customer’s ownership and control structure.
16.7.6 Where the Licensed Person is unable to carry out CID/CDD/EDD in accordance with the requirements of this Standards and UAE laws and regulations, the Licensed Person must not onboard the customer, must immediately terminate any relationship with the customer, must not execute any transaction, and should consider filing a STR, SAR or other reports with the FIU.
Customer Type Customer Activity Value of Transaction Preventive Measure Required Paragraph Natural Persons Currency Exchange Equal to or greater than AED 3,500 and less than AED 35,000 CID 16.8 Equal to or greater than AED 35,000 and less than AED 55,000 within a 90-day period CID and
CDD16.8
16.9Equal to or greater than AED 55,000 within a 90-day period CID,
CDD, and
EDD16.8
16.9
16.10Natural Persons Money Transfer Any value less than AED 55,000 CID and
CDD16.8
16.9Equal to or greater than AED 55,000 within a 45-day period CID,
CDD, and
EDD16.8
16.9
16.10All Legal Persons or Arrangements Any Activity Any Value CDD and
EDD16.11 Counterparty Relationships Any Activity Any Value CDD and
EDD16.11.8 to
16.11.12
16.11.2PEPs Any Activity Any Value CID,
CDD, and
EDD16.13 DNFBPs/DPMS Any Activity Any Value CID (if the customer is a natural person), CDD, and
EDD16.14/16.15 High-Risk Natural Persons Any Activity Any Value CID,
CDD, and
EDD16.16
16.8,
16.9
16.10High-Risk circumstances Any Activity Any Value CID (if the customer is a natural person), CDD, and
EDD16.16
16.8,
16.9
16.10/11Third Party Transactions Any Activity Any Value CID (if the customer is a natural person), CDD and
EDD16.20
16.8,
16.9
16.10/1116.8 Customer Identification (CID) Process for Natural Persons
16.8.1 The CID process, in accordance with Paragraphs 16.8.2 to 16.8.6 of this Chapter, must be applied for natural persons who carry out “foreign currency exchange” transactions of value between AED 3,500 and AED 34,999.75. Please refer to Paragraph 16.16.3 of this Chapter for KYC process to be applied for natural persons who repeatedly exchange foreign currency of value below AED 3,500 per transaction;
16.8.2 The CID process is the verification of the original identification documents (IDs) of the customer who is a natural person and systematically recording basic customer information in the Point of Sale system;
16.8.3 The Licensed Person must not accept any ID other than one from the below list (in the order of preference) with an exception provided under Paragraph 16.16.4 of this Chapter:
a) Emirates ID; or b) Passport with valid visa; or c) GCC National ID for GCC nationals.
16.8.4 Customer’s full legal name, residential status, mobile number, nationality, date of birth, country of birth, ID type (whether Emirates ID, Passport or GCC national ID) and ID number must be recorded in the Point of Sale system.
16.8.5 The Licensed Person must use all information collected under Paragraph 16.9.4 for sanctions screening, as discussed in Paragraph 16.25.
16.8.6 The following customer information must be printed on the transaction receipt:
a) Full legal name; b) Residential status (whether UAE Resident or UAE Non-Resident); c) Mobile number; d) Nationality; e) Country of birth; f) ID type (whether Emirates ID or Passport or GCC national ID); and g) ID number.
16.9 Customer Due Diligence (CDD) for Natural Persons
16.9.1 The CDD process, in accordance with Paragraphs 16.9.2 to 16.9.14 of this Chapter, must be applied for a natural person who carries out the following transactions:
a) Foreign currency exchange transactions, either one off or multiple in ninety (90) calendar days, of value between AED 35,000 and AED 54,999.75; and
b) Money transfers, whether inward or outward, of value between AED 1 and AED 54,999.75.
16.9.2 CDD is the process where additional information about the customer, who is a natural person, is collected via a customer onboarding process in accordance with Paragraph 16.9.3 of this Chapter;
16.9.3 The Licensed Person must create a customer profile by recording the customer information in its Point of Sale system and then provide a permanent “Unique Identification Number (UIN)” to the customer. The customer must be allowed to carry out transactions at the branch(es) of the Licensed Person only by using the UIN. The Licensed Person must also comply with Paragraph 16.16.6 of this Chapter at all times;
16.9.4 The following customer information, at a minimum, must be captured in the Point of Sale System in addition to the verification of the original ID in accordance with Paragraph 16.8.3 of this Chapter. Items (a) through (n) must be used to support sanctions screening, as required by Paragraph 16.25 of this Chapter.
a) Full legal name; b) Residential status (whether UAE Resident or UAE Non-Resident); c) Address in the UAE (for UAE Residents); d) Temporary address in the UAE and the permanent address in the home country (for UAE Non-Residents); e) Mobile number; f) Email, if available; g) Date of Birth; h) Nationality; i) Country of Birth; j) ID type (whether Emirates ID or Passport or GCC national ID); k) ID number; l) ID place of issue; m) ID issue date; n) ID expiry date; o) Profession; and p) Expected annual activity (i.e. expected annual value and number of transactions for future transaction monitoring).
16.9.5 Area or district, city, Emirate or state or province and country must be recorded in the Point of Sale system as part of the address. The Licensed Person is expected to record the P.O Box number, house number/name, apartment or room number, building number/name, street name in the system wherever practically possible;
16.9.6 When verifying the Emirates ID card either physically, by way of digital or e-KYC solutions, the Licensed Person must use the online validation gateway of the Federal Authority for Identity & Citizenship, the UAE-Pass Application or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record;
16.9.7 Where acceptable IDs, other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original ID which must be certified (i.e. certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.
16.9.8 The UIN given to a customer by a Licensed Person must be unique in nature and the same UIN must not be assigned to more than one customer. The same customer must not be given more than one UIN by a Licensed Person. Appropriate validation rules must be implemented in the system to comply with this requirement;
16.9.9 If the customer is represented by a third person, the Licensed Person must follow the procedures in Paragraph 16.20 of this Chapter.
16.9.10 Subject the customer to PEP checks, as required by Paragraph 16.13.3 of this Chapter. Where the customer is a PEP, the Licensed Person must follow the procedures in Paragraph 16.13 of this Chapter.
16.9.11 The customer profile must be reviewed and updated either annually or upon the expiry of the ID whichever comes first. At this time, the Licensed Person must conduct ongoing monitoring on the customer which must consist of the following:
a) The original ID as per Paragraph 16.8.3 of this Chapter must be verified in accordance with Paragraphs 16.9.6 and 16.9.7 and its copy must be held in the records during the review of a customer profile; b) CDD (and, where appropriate, EDD) must be repeated and the customer profile updated, including the information required under Paragraph 16.9.4 of this Chapter. c) CDD and EDD must also be repeated whenever there is a change in the profile of the customer; d) The Licensed Person must scrutinize the transactions concluded by a customer to ensure that transactions are consistent with the Licensed Person’s knowledge of the customer, the customer’s business, risk profile, the source of funds and where necessary, source of the customer’s wealth; and e) The Licensed Person must review transaction monitoring results for the customer to determine whether any STR, SARs or other reports have been filed or whether the customer’s behavior has generated alerts.
16.9.12 Information on the “source of funds” and “purpose of transaction” must be captured in the Point of Sale system for each transaction that undergoes the CDD process;
16.9.13 The below customer information must be printed on the transaction receipt, at a minimum:
a) UIN of the customer; b) Full legal name of the customer; c) Address in the UAE (required when the customer is a UAE Resident) - P.O Box number and street (if available), city, Emirate; d) Permanent address in the home country (required only when the customer is a UAE Non- Resident) - P.O Box number and street (if available), city, state or province, country; e) Mobile number; f) Nationality; g) ID type (whether Emirates ID or Passport or GCC national ID); h) ID number; i) ID place of issue; j) ID issue date; k) Method of payment (whether cash or cheque, etc.); l) Source of funds; m) Purpose of transaction; and n) Beneficiary’s name and bank account details (wherever applicable).
16.9.14 The receipt must be signed by the customer and must be retained in the records along with all KYC supporting documents in accordance with Paragraph 16.29 of this Chapter.
16.10 Enhanced Due Diligence (EDD) Process for Natural Persons
16.10.1 EDD for natural persons requires the Licensed Person to obtain additional information regarding the customer, including additional information regarding the customer’s source of funds, the nature of the customer’s business, and the purpose of transaction, in order to better understand the customer and manage the risk associated with the transaction. EDD also requires the Licensed Person to subject the customer to more intense or intrusive monitoring or imposing other controls on customer activity and customer acceptance. Where EDD is appropriate or required, Licensed Persons must conduct EDD in addition to CDD as per Paragraph 16.9 of this Chapter.
16.10.2 Below are the thresholds for the EDD for natural persons:
a) Foreign currency exchange transactions of value equal to or above AED 55,000, either one off or multiple in ninety (90) calendar days:- Evidence for the source of funds (example: bank statements) must be collected for verification in case the customer pays cash. Complete information of the purpose of the transaction must be collected. Appropriate evidence must be collected for the verification of the purpose of transaction in case there is any doubt or suspicion about the information provided by the customer;
b) Outward money transfers of value equal to or above AED 55,000, either one off or multiple in forty-five (45) calendar days:- Evidence for the source of funds (example: bank statements) must be collected for verification if the customer pays cash. Complete information on the purpose of the transaction must be collected. Appropriate evidence must be collected for the verification of the purpose of transaction in case there is any doubt or suspicion about the information provided by the customer; and
c) Inward money transfers of value equal to or above AED 55,000, either one off or multiple in forty-five (45) calendar days:- Information on the source of funds and the purpose of transaction must be collected and recorded. Appropriate evidences must be collected for the verification of the purpose of transaction in case there is any doubt or suspicion about the information provided by the customer.
16.10.3 The Licensed Person must give special attention to transactions by natural persons who are visitors in the UAE. The Licensed Person may decide to perform EDD on such customers regardless of their transaction value in case there is any doubt or suspicion about the information provided by such customers.
16.10.4 The following customer information must be printed on the transaction receipt, at a minimum:
a) UIN of the customer; b) Full legal name of the customer; c) Address in the UAE (required when the customer is a UAE Resident) - P.O Box number and street (if available), city, Emirate; d) Permanent address in the home country (required only when the customer is a UAE Non- Resident) - P.O Box number and street (if available), city, state or province, country; e) Mobile number; f) Nationality; g) ID type (whether Emirates ID or Passport or GCC national ID); h) ID number; i) ID place of issue; j) ID issue date; k) Method of payment (whether cash or cheque, etc.); l) Source of funds; m) Purpose of transaction; and n) Beneficiary’s name and bank account details (wherever applicable).
16.10.5 The receipt must be signed by the customer and must be retained in the records along with all KYC supporting documents in accordance with Paragraph 16.29 of this Chapter.
16.11 CDD and EDD for Legal Persons and Legal Arrangements
16.11.1 The CDD and the EDD processes, in accordance with Paragraphs 16.11.2 to 16.11.12 of this Chapter, must be applied for a customer at the time of onboarding (i.e. prior to entering into any business relationship), if it is a legal person, such as a company, or a legal arrangement, such as a trust. CDD must include verification of the identity of the legal person or arrangement (i.e. its licenses, incorporation documents, etc.) and identification of its Beneficial Owners (BOs). The Licensed Person, having completed CDD, must then perform EDD as discussed in this section.
16.11.2 The following process must be followed at a minimum while onboarding a legal person or arrangement as a customer. The Licensed Person must verify appropriate documents and retain copies to confirm information under Paragraph 16.11.4 of this Chapter.
a) Required CDD: Unless otherwise provided, all documents must be certified as “Original Sighted and Verified” by the employee of the Licensed Person who carries out the KYC process after the verification of originals.
1. An appropriate KYC Questionnaire of the Licensed Person must be completed and signed by the legal person or legal arrangement; 2. Ownership structure of the legal person or legal arrangement must be collected including the purpose and nature of the intended business relationship; 3. Record the legal person or legal arrangement’s legal form (e.g., limited liability corporation, limited liability partnership, trust, waqf, etc.) and collect a copy of the legal person or legal arrangement’s proof of existence (such as, for legal persons, its proof of incorporation or partnership agreement; for legal arrangements, the trust or waqf deed, or an equivalent document); 4. Collect copies of the powers that regulate and bind the legal person or legal arrangement (e.g., the customer’s founding documents, such as the memorandum of association, the articles of incorporation, or other similar documents for legal persons; the trust or waqf deed for legal arrangements); 5. Verify names of relevant persons holding senior management positions in the legal person or legal arrangement; 6. Collect copies of valid permissions/licenses of the legal person or legal arrangement from competent authorities to carry out the business (examples: certificate of incorporation, trading license or equivalent, license issued by the Central Bank or other competent authorities where applicable, etc.). The Licensed Person must ensure that copies of valid licenses are available in the records at all times. 7. Original IDs of BOs must be verified (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter) and copies retained. Where the BO resides outside the UAE, original copies of IDs must be appropriately notarized or attested by relevant authorities in the respective foreign country and in the UAE; 8. Where no individual meets the definition of BO, the Licensed Person must verify the original IDs (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter) for the natural person exercising control of the legal person or legal arrangement customer through other means, such as by virtue of their position as CEO or Managing Director; 9. Collect the list of authorized signatories and verify their original IDs and retain the copies; 10. Authorization letter must be taken for representatives of the legal person or legal arrangement who carry out transactions on its behalf; 11. Verify original IDs of representatives, who have authorization to carry out transactions, (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter). Such representatives must be UAE residents. The relationship of such representative with the legal person or legal arrangement must be established; 12. Assess and record the expected annual activity (annual value and number of transactions for future ongoing and transaction monitoring); 13. Apply sanction checks (as required by Paragraph 16.25 of this chapter) and conduct internet searches on the name of the legal person or legal arrangement, BO, group companies, subsidiaries and the names of representatives of the legal person or legal arrangement who are authorized to carry out transactions on its behalf; 14. Apply PEP checks on BOs, as required by Paragraph 16.13.3 of this Chapter. Where the BO is a PEP, the Licensed Person must follow the procedures in Paragraph 16.13 of this Chapter.
b) The Licensed Person must in addition carry out the following required EDD steps:
1. The Licensed Person must carry out a ML/FT risk assessment on business activities of the legal person or legal arrangement including by visiting its business location (where relevant) and carrying out a risk assessment of its customers; and Both the Manager in Charge and the Compliance Officer must approve the business relationship with legal persons or arrangements. 2. Where a Beneficial Owner is a PEP, the business relationship with such legal person or legal arrangement must be established only after obtaining approval of the Board of Directors (or of the Owner/Partners where there is no Board of Directors).
16.11.3 The following information about the customer, which is a legal person or legal arrangement, must be recorded in the Point of Sale system, at a minimum, to create the customer profile and the UIN after completing the EDD process under Paragraphs 16.11.1 and 16.11.2 of this Chapter:
a) Full legal name of the legal person or legal arrangement; b) Residential status (whether incorporated/operating within the UAE or outside the UAE); c) Address (P.O Box, Shop No., Building name, Street, City, Emirate, Country); d) Phone numbers; e) Fax number; f) Email; g) Date of establishment; h) ID type (whether trade license or the equivalent); i) Trade license (or the equivalent) number; j) Trade license (or the equivalent) place of issue; k) Trade license (or the equivalent) issue date; l) Trade license (or the equivalent) expiry date; m) Type of business of the legal person or legal arrangement; n) Names and ID details, such as ID types and ID numbers, of BOs of the legal person or legal arrangement; o) Names and ID details, such as ID types and ID numbers, of persons authorized to carry out transaction on behalf of the legal person or legal arrangement; and p) Expected annual activity (i.e. expected annual value and number of transactions for future transaction monitoring).
16.11.4 The Licensed Person must collect appropriate documents to verify and confirm the source of funds, purpose of transaction and the commercial/economic reason for each transaction by a legal person or legal arrangement;
16.11.5 The following customer information must be printed on the transaction receipt, at a minimum:
a) UIN assigned to the legal person or legal arrangement; b) Full legal name of the legal person or legal arrangement; c) Address (P.O Box, Shop No., Building name, Street, City, Emirate, Country); d) Phone number; e) Name and ID number of the person representing the legal person or legal arrangement to carry out transactions on its behalf; f) Country of incorporation; g) ID type (whether trade license or the equivalent); h) Trade license (or the equivalent) number; i) Trade license (or the equivalent) place of issue; j) Trade license (or the equivalent) issue date; k) Trade license (or the equivalent) expiry date; l) Method of payment (whether cash or cheque, etc.); m) Source of funds; n) Purpose of transaction; and o) Beneficiary name and bank account details (wherever applicable).
16.11.6 The receipt must be signed by the representative of the legal person or legal arrangement who carries out the transaction on its behalf and must be retained in the records along with all KYC supporting documents in accordance with Paragraph 16.29 of this Chapter;
16.11.7 The customer profile must be reviewed and updated either annually or upon the expiry of the trade license or the IDs of any person authorized to make transactions on behalf of the customer, whichever comes first. At this time, the Licensed Person must conduct ongoing monitoring on the customer which must consist of the following:
a) The original ID (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter) and its certified copy must be held in the records during the review of a customer profile; b) CDD and EDD must be repeated and the customer profile, including the supporting evidence as per Paragraph 16.11.2 of this Chapter, must be updated annually at a minimum. The Licensed Person must ensure that copies of valid licenses are available in the records at all times. c) CDD and EDD must also be repeated whenever there is a change in the profile of the customer, such as any change in the ownership of a legal person or legal arrangement; d) The Licensed Person must scrutinize the transactions concluded by a customer to ensure that transactions are consistent with the Licensed Person’s knowledge of the customer, the customer’s business, risk profile, the source of funds and where necessary, source of the customer’s wealth; and e) The Licensed Person must review transaction monitoring results for the customer to determine whether any STRs or SARs have been filed or whether the customer’s behavior has generated alerts.
16.11.8 CDD and EDD in accordance with Paragraph 16.11.2 of this Chapter must also be undertaken before entering into below types of business relationships:
a) Foreign correspondent banking arrangements, such as those with banks, exchange houses or any other financial institutions, for the purpose of money transfer services; b) Money transfer arrangements with instant money transfer service providers; c) Hedging arrangements with local or foreign institutions; d) Arrangements to import or export banknotes from/to foreign institutions, such as Banks, exchange houses or other financial institutions outside the UAE; and e) Arrangements with local or foreign entities to offer special products/services.
16.11.9 All business relationships under Paragraph 16.11.8 of this Chapter must be approved by the Compliance Committee of the Licensed Person and by the Banking Supervision Department of the CBUAE prior to establishment of the business relationship.;
16.11.10 For all business relationships under Paragraph 16.11.8.a) of this Chapter, LEH must collect sufficient information about any receiving correspondent institution for the purpose of identifying and achieving a full understanding of the nature of its business, and to determine, through publicly available information, its reputation and level of AML/CFT controls, including whether it has been subject to a ML/FT investigation or regulatory action. LEH must also evaluate the AML/CFT controls applied by the receiving correspondent institution and understand the responsibilities of each institution in the field of AML/CFT.
16.11.11 While undertaking EDD as per Paragraph 16.11.8 of this Chapter on entities located outside the UAE, the Licensed Person may:
a) visit the business locations of entities which are located in countries assessed as High Risk in order to carry out risk assessment as per Paragraph 16.11.2 (b).1 of this Chapter where it is practical and otherwise safe to do so (i.e. no site visit is required when such entities are located in low or medium risk countries); b) Identify the BOs and collect copies of the IDs of BOs on a risk sensitive basis by the Compliance Officer of such foreign entities (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of the Standards), in case the verification of original documents by the Licensed Person is practically impossible. Where the BO resides outside the UAE, original copies of IDs must be appropriately notarized or attested by relevant authorities in the respective foreign country and in the UAE;
16.11.12 The Licensed Person must not enter into any business relationship with a Shell bank or company .
16.12 Transactions by Non-Profit Organisations
16.12.1 The Licensed Person must not accept non-profit organisations such as Co-operative Societies, Charitable Societies, Social or Professional Societies as customers unless they provide an original signed letter from the Ministry of Community Development confirming their identities and permitting them to collect donations and an authorization from the UAE Red Crescent for conducting financial transfers out of the UAE;
16.12.2 CDD and EDD in line with Paragraph 16.11 of this Chapter must be carried out before entering into any business relationship with non-profit organisations; and
16.12.3 Business relationships with non-profit organisations must be approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors) of the Licensed Person.
16.13 Politically Exposed Persons (PEP) Checks
16.13.1 All PEPs, whether natural person customers or the BOs of legal persons or legal arrangements, are required to undergo EDD as defined in Paragraph 16.13.4, no matter the transaction in which they seek to engage. It is not acceptable to conduct only CID and CDD on a PEP customer.
16.13.2 Licensed Persons should note that the definition of PEPs includes their direct family members and close business associates. A legal person or legal arrangement qualifies as a PEP when its BO(s) meets the definition of a PEP.
16.13.3 The Licensed Person must implement appropriate systems and tools to determine whether a customer, who is a natural person or the BO of a legal person or arrangement customer, is a PEP. Where the Licensed Person has established a customer profile for a customer, the Licensed Person must repeat this check at least once every 12 months, or prior to carrying out the first transaction following the expiration of the 12-month period;
16.13.4 Where a natural person, a legal person or legal arrangement customer or a BO of a legal person or legal arrangement customer is found to be a PEP, the Licensed Person must perform the following mandatory steps:
a) Take reasonable measures to identify the source of funds and the source of wealth of the customer or the BO(s);
b) Obtain approval from the Compliance Officer and the Manager in Charge before processing any transaction in the Point of Sale system. If the BO of a legal person or legal arrangement customer is an PEP, the Board of Directors (or of the Owner/Partners where there is no Board of Directors) must approve the relationship or the processing of a transaction; and
c) Perform any other EDD as necessary to manage the risk of the customer.
16.13.5 The Licensed Person must refer to Paragraphs 16.11.2 (a).14 and (b).2 of this Chapter for requirements while entering into business relationships with a legal person or legal arrangement owned by PEP;
16.13.6 All transactions by a PEP or by a legal person or legal arrangement customer where the BO is a PEP must be closely monitored by the Compliance Officer. The transaction monitoring systems employed by Licensed Person must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts.
16.14 Designated Non-Financial Businesses and Professions (DNFBPs)
16.14.1 EDD is required before entering into any business relationship with, or processing any transactions for, DNFBPs as defined under the AML-CFT Decision. DNFBPs may be natural or legal persons.
16.14.2 The Licensed Person must implement appropriate, procedures, systems and tools to determine whether a customer is a DNFBP.
16.14.3 Where a customer is determined to be a DNFBP, the Licensed Person must carry out the following required steps, in addition to the CDD and EDD required by Paragraph 16.11 of these Standards and any other EDD appropriate to manage the risk of the customer:
a) Verify that the customer is supervised as a DNFBP by the appropriate supervisor; b) Obtaining information sufficient to determine that the customer is compliant with the AML/CFT preventive measures required under AML-CFT Decision; c) Take additional steps to understand the customer’s business and its customer base; and d) Obtain approval from the Compliance Officer and the Manager in Charge of the Licensed Person before establishing the business relationship or processing any transactions.
16.15 Dealers in Precious Metals and Stones (DPMS)
16.15.1 EDD is required before entering into any business relationship with, or processing any transactions for, DPMS, whether or not they qualify as DNFBPs under AML-CFT Decision. DPMS may be natural or legal persons.
16.15.2 The Licensed Person must implement appropriate procedures, systems and tools to determine whether a customer is a DPMS.
16.15.3 Where a customer is determined to be a DPMS, the Licensed Person must carry out the following required steps, in addition to the CDD and EDD required by Paragraph 16.11 of these Standards and any other EDD appropriate to manage the risk of the customer:
a) Verifying that the customer has the required licenses; b) Obtaining information sufficient to determine that the customer is compliant with the AML/CFT preventive measures required under AML-CFT Decision; c) Take additional steps to understand the customer’s business, including the products and services it offers, its geographic footprint, and its customer base; and d) Obtain approval from the Compliance Officer and the Manager in Charge of the Licensed Person before establishing the business relationship or processing any transactions.
16.16 Additional Provisions on CID, CDD and EDD
16.16.1 The Licensed Person must be able to demonstrate to the Central Bank Examiners that the KYC Process that has been applied is appropriate in view of its risks related to the money laundering, terrorist financing or related financial crimes.
16.16.2 The Licensed Person must comply with the instructions and conditions that are stated in the Letter of No Objection issued by the Banking Supervision Department for special products or services.
16.16.3 The Licensed Person must apply the CID process in accordance with Paragraph 16.8 of this Chapter for a natural person who repeatedly exchanges foreign currency (for example, once in a week) of value below AED 3,500 per transaction;
16.16.4 The Licensed Person may accept a Seaman’s Pass/ID in order to complete the KYC Process, instead of acceptable IDs listed under Paragraph 16.8.3 of this Chapter, from natural persons who carry out the following transactions:
a) Foreign currency exchange transactions of aggregate value up to AED 34,999.75 per week; and b) Money transfer transactions of aggregate value up to AED 27,000 per week.
16.16.5 The Licensed Person, while accepting transactions under Paragraph 16.16.4 of this Chapter, must apply the CID process in accordance with Paragraph 16.8 of this Chapter for foreign currency exchange transactions and the CDD process in accordance with Paragraph 16.9 of this Chapter for money transfer transactions (except Paragraph 16.8.3 of this Chapter) at a minimum;
16.16.6 The Licensed Person must carry out the CDD process for every pre-paid card customer (for legal person or arrangement prepaid card customers, CDD and EDD) in addition to introducing appropriate velocity controls to monitor the activity of the customer based on the number of cards purchased (whether non-reloadable or reloadable) or number of times reloaded (where it is a reloadable card). These transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts.
16.16.7 The customer using automated machines (i.e. Kiosks) for executing transactions must visit a branch to complete CID or CID/EDD as appropriate and have the UIN issued by the Licensed Person. In such cases, the Licensed Person must ensure that the customer is only be permitted to add, modify or disable beneficiary details via kiosks upon authentication via a mobile OTP sent to the customer’s registered mobile number obtained during on-boarding as part of the KYC Process. The Licensed Person must also set a maximum limit, which shall not exceed AED 3,500 per transaction for money transfers via such machines. In any case, the total value of money transfers by a customer via such machines shall not exceed AED 10,000 per month. All such transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts.
16.16.8 The Licensed Person must implement appropriate measures/controls to ensure that the UIN issued to a customer is being used only by that customer at all times. The Licensed Person may consider the following to comply with this requirement:
a) Verification of the original ID as per Paragraph 16.8.3 of this Chapter prior to accepting transactions from a customer; or b) Issue ID/Membership/Loyalty Cards that contain the basic customer details (such as name, date of birth, nationality, UIN etc.) including a recent photograph and such original cards must be verified prior to accepting transactions from customers; or c) Introduce appropriate biometric systems.
16.16.9 Natural persons, who do not have a valid visa to stay in the UAE, must not be permitted to carry out transactions unless they are in the grace period upon cancellation or expiry of the residence permit or on amnesty.
16.16.10 The Licensed Person must apply the following KYC process for a customer who exchanges low denomination currency notes to larger ones:
a) CDD process, in accordance with Paragraph 16.9 of this Chapter, must be applied for a natural person when the value of such transaction is between AED 35,000 and AED 54,999.75; b) EDD process, in accordance with Paragraph 16.10 of this Chapter, must be applied for a natural person when the value of such transaction is equal to or above AED 55,000; c) CDD and EDD process, in accordance with Paragraph 16.11 of this Chapter, must be applied in case the customer is a legal person or legal arrangement irrespective of the value of such transaction; and d) If there are any reasonable grounds to suspect ML/FT, the Licensed Person must file a STR, SAR or any other report with the FIU irrespective of the value of such transaction. Please refer to Paragraph 16.26 of this Chapter for more information on Suspicious Transaction Reporting.
16.16.11 The Licensed Person must apply the EDD process that is effective and proportionate to the ML/FT risks, including obtaining the approval of the Manager in Charge and the Compliance Officer, for establishing business relationships or one-off transactions with:
a) PEP (Refer to Paragraph 16.13 of this Chapter); b) Customers from high-risk jurisdictions; c) Unusually complex transactions or those which have no clear economic or legal purpose; and d) Transactions that the Licensed Person considers as high risk.
16.16.12 The Licensed Person must conduct the EDD process for a customer, irrespective of the value of transaction, if it suspects that the customer is engaging in money laundering or terrorist financing (ML/FT). If reasonable grounds are established to suspect money laundering, terrorist financing and/or financing of illicit organizations, such transactions must be reported, without any delay, to the FIU. Please refer to paragraph 16.26 of this Chapter for further information.
16.16.13 The Licensed Person must also conduct the EDD on its existing customers, if there is:
a) a material change in the nature or ownership of a customer who is a legal person or legal arrangement; b) doubt about the veracity or adequacy of information previously obtained in relation to the customer; or c) any other reason that the Licensed Person deems appropriate.
16.17 Special Requirements When Conducting Money Transfers: Requirements for Ordering Institutions
16.17.1 In addition to all other requirements discussed in this Chapter, the ordering Licensed Person must ensure that all international wire transfers, whether inward or outward, are always accompanied by the following data:
a) the name of the originator, b) his or her identity number or travel document, c) date and country of birth, d) address, e) UIN; and f) the name of the beneficiary and his account number used to make the transfers. In the absence of the account, the transfer must include a unique transaction reference number, which allows the process to be tracked.
16.17.2 The Licensed Person must verify the accuracy of the data listed in paragraph 16.17.1(a-f). The transfer must include a unique transaction reference number which allows the process to be tracked.
16.17.3 In the event that several individual cross-border wire transfers from a single originator are bundled in a batch file for transmission to beneficiaries, the batch file must contain required and accurate originator information, and full beneficiary information, that is fully traceable within the beneficiary country; and the Licensed Person must include the originator’s account number or unique transaction reference number.
16.17.4 For domestic wire transfers, the ordering Licensed Person must ensure that the information accompanying the wire transfer includes originator information as indicated above, unless this information can be made available to the beneficiary financial institution and competent authorities by other means.
16.17.5 Where the information accompanying the domestic wire transfer can be made available to the beneficiary financial institution and competent authorities by other means, the ordering Licensed Person must be only required to include the account number or a unique transaction reference number, provided that this number or identifier will permit the transaction to be traced back to the originator or the beneficiary. The ordering financial institution must make the information available within three business days of receiving the request either from the beneficiary financial institution or from competent authorities.
16.17.6 Ordering Licensed Persons must not carry out wire transfers if they fail to comply with the above conditions.
16.17.7 Ordering Licensed Persons must keep all information about the originator and the beneficiary collected, in accordance with Paragraph 16.29 of this Chapter.
16.18 Special Requirements When Conducting Money Transfers: Requirements for Intermediary Licensed Persons
16.18.1 When acting as an intermediary financial institution, the Licensed Person must ensure that all originator and beneficiary information that accompanies a cross-border wire transfer is retained in the corresponding domestic wire transfer.
16.18.2 Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the Licensed Person shall keep a record of all the information received from the ordering financial institution or another cross-border intermediary financial institution, and retain this information in keeping with Paragraph 16.29 of this Chapter.
16.18.3 When acting as an intermediary financial institution, the Licensed Person must take reasonable measures, which are consistent with straight-through processing, to identify cross-border wire transfers that lack required originator information or required beneficiary information, and must have risk-based policies and procedures for determining when to execute, reject, or suspend a wire transfer; and the appropriate follow-up action.
16.19 Special Requirements When Conducting Money Transfers: Requirements for Beneficiary Licensed Persons
16.19.1 Beneficiary Licensed Person must take reasonable measures to identify cross-border wire transfers that lack required originator information or required beneficiary information, which may include real-time monitoring where feasible or post-event monitoring.
16.19.2 For cross-border wire transfers, a Beneficiary Licensed Person must verify the identity of the customer, if the customer has not already been subject to CID/CDD as appropriate given the value of the transaction.
16.19.3 The Beneficiary Licensed Person must have risk-based policies and procedures for determining when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and for determining the appropriate follow-up action.
16.19.4 Beneficiary Licensed Persons must maintain records of all required originator and required beneficiary information collected, in accordance with Paragraph 16.29 of this Chapter.
16.20 Third Party Transactions
16.20.1 A transaction is treated as a third party transaction when it is carried out by a person (hereafter known as ‘the representative’) on behalf of another natural person or a legal person or legal arrangement (hereafter known as ‘the beneficial owner of funds’). The Licensed Person must not accept third party transactions except in cases that are mentioned under Paragraphs 16.20.2 to 16.20.7 of this Chapter.
16.20.2 The Licensed Person may accept the transaction by a natural person on behalf of another natural person subject to the following conditions:
a) The representative must produce a duly executed Power of Attorney (PoA) from the beneficial owner of funds to carry out such transactions. Where there is no PoA, the beneficial owner of funds must issue a letter authorizing the representative to carry out transactions on his/her behalf. The beneficial owner of funds must visit the Licensed Person to sign such letter of authority, the validity of which shall not exceed two (2) years from the date of issue;
b) The letter of authority must refer to the type of transactions (whether currency exchange or money transfer) which the representative is authorized to carry out on behalf of the beneficial owner of funds as well as the identification details of both parties. The letter must also include the beneficiary details in the case of a money transfer transaction;
c) The signature of the beneficial owner of funds in the letter of authority must be verified against that in the passport or the Emirates ID;
d) The representative and the beneficial owner of funds must both be resident in the UAE;
e) Original IDs of both parties must be collected and verified in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter;
f) The beneficial owner of funds and the representative must undergo the CDD process in accordance with Paragraph 16.9 of this Chapter. The EDD process must be applied, when applicable, in accordance with Paragraph 16.10 of this chapter;
g) All transactions must be recorded in the system against the UIN of the beneficial owner of funds. Name and ID details of the representative must also be recorded in the Point of Sale system;
h) The names of both parties must be subjected to the sanctions/PEP screening. In the case of money transfer transactions, the beneficiary’s name as well as the name of beneficiary bank must also be appropriately screened; The name of the representative must be printed separately on the transaction receipt in addition to the information of the beneficial owner of funds in accordance with Paragraph 16.9.13 or 16.10.4 of this Chapter, whichever is applicable; and
i) All such transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts.
16.20.3 The Requirement under Paragraph 16.20.2 of this Chapter is not applicable, where the transaction is carried out by a natural person on behalf of another natural person who is either working as domestic helper (examples are: house maid, cook, servant, cleaner, etc.) or unable to visit the Licensed Premises due to the inherent nature of their work/living conditions, subject to the following conditions:
a) The representative must produce a letter signed by the beneficial owner of the funds authorizing the representative to carry out transactions. This letter of authority must refer to the type of transactions (whether currency exchange or money transfer) which the representative is authorized to carry out on behalf of the beneficial owner of funds as well as the identification details of both parties. The letter must also include the beneficiary details in the case of a money transfer transaction;
b) The total value of transactions, whether foreign currency exchange or inward/outward remittance, shall not exceed AED 24,000 during a rolling three hundred and sixty five (365) days from the date of the first transaction for each beneficial owner of funds;
c) The representative and the beneficial owner of funds must both be resident in the UAE;
d) Original IDs of both parties must be collected and verified in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7 of this Chapter;
e) The representative and the [beneficial owner]/customer must undergo the CDD process in accordance with Paragraph 16.9 of this Chapter. The EDD process must be applied, when applicable, in accordance with Paragraph 16.10 of this Chapter. The Licensed Person is expected to take all measures practically possible to confirm that such transactions are genuine without leaving any chance for doubt or confusion for misuse of this arrangement;
f) All such transactions must be recorded in the system against the UIN of the representative. The name and ID details of the beneficial owner of funds must also be recorded in the Point of Sale system. The SMS notifications in accordance with Paragraph 4.9 of Chapter 4 must go directly to the beneficial owner of funds;
g) The names of both parties must be subjected to sanctions/PEP screening. In the case of money transfer transactions, the beneficiary’s name as well as the name of beneficiary bank must also be appropriately screened;
h) The name of the beneficial owner of funds must be printed separately on the transaction receipt in addition to the information of the representative in accordance with Paragraph 16.9.13 or 16.10.4 of this Chapter, whichever is applicable;
i) All such transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts; and
j) In case of any doubt or confusion regarding the documents submitted or information provided by the representative, the Licensed Person must insist that the beneficial owner of funds to personally visit the Licensed Person to complete the KYC process. If the beneficial owner of the funds refuses to visit the Licensed Person, the relationship must be terminated and the case must be reported to the FIU immediately where necessary.
16.20.4 Transactions by a natural person on behalf of another legal person or legal arrangement in the UAE falls under the scope of the EDD Process under Paragraph 16.11 of this Chapter. The conditions under Paragraph 16.20.5 of this Chapter must be applied where the remittance transactions are for importing goods or payment for services.
16.20.5 Remittance transactions from legal entities in the UAE for importing goods or payment for services (i.e. trade related transactions), must only be accepted subject to the below conditions:
a) EDD (refer to Paragraph 16.11 of this Chapter) must be completed for each legal person or legal arrangement before onboarding the customer; b) The Licensed Person must establish the commercial/economic reason for each remittance transaction; c) The Licensed Person must ensure that supporting documents, such as Invoices, are in the name of the legal person or legal arrangement in the UAE and the goods are destined for the UAE; d) The names of all parties involved in the transaction such as names of remitter (i.e. legal person or legal arrangement ), its Owner/Partners/Shareholders, authorized person who carries out the transaction (i.e. the representative) and beneficiary must undergo sanctions screening for each transaction; e) The names of the remitter (i.e. legal person or legal arrangement), its Owner/Partners/Shareholders, the authorized person who carries out the transaction (i.e. the representative) must undergo PEP screening for each transaction; f) Preference must be given to settle such transactions through a bank, either by cheque or via bank transfer, instead of accepting cash; g) The Licensed Person must collect the original Bill of Lading/Airway Bill for the post transaction (i.e. after executing such transactions) verification, whenever the same is issued. A copy of the original Bill of Lading/Airway Bill certified as “Original Sighted and Verified” under the signature of the employee who carries out the KYC Process must be retained; h) The Licensed Person must also track the movement of such goods using an appropriate container/vessel tracking system when the settlement of the underlying transaction is in cash. Appropriate logs and evidences must be maintained by the Licensed Person for such tracking; i) All such transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts; and j) The authorized person who carries out the transaction (i.e. the representative) on behalf of the legal person or legal arrangement must be a resident in the UAE.
16.20.6 Where a legal person or legal arrangement in the UAE (i.e. the remitter) which remits on behalf of another legal person or legal arrangement outside the UAE (i.e. beneficial owner of funds) who imports goods or pays for services, the Licensed Person must accept such transactions subject to the below conditions:
a) The Licensed Person must undertake the EDD on the remitter which must be in accordance with Paragraph 16.11 of this Chapter; b) The Licensed Person must also undertake the EDD on the beneficial owner of funds; c) There must be at least one shareholder or partner common to both entities (i.e. legal person or legal arrangement in the UAE and the legal person or legal arrangement outside the UAE); d) In case, there is no shareholder or partner common to both entities, then there must be a legally valid agreement between the remitter and the beneficial owner of funds, authorizing the remitter to carry out such transaction; e) All documents related to the incorporation or formation of the legal person or legal arrangement outside the UAE (i.e. beneficial owner of funds) and the agreement between both the parties must be appropriately notarized or attested by relevant authorities in the respective foreign country and in the UAE; f) The name of the beneficial owner of the funds and its Owner/Partners/Shareholders must be captured in the Point of Sale system in addition to the required information of the remitter as per Paragraph 16.11.3 of this Chapter. Names of all parties involved in the transaction such as names of the remitter, beneficial owner of funds, Owner/Partners/Shareholders of both entities, authorized person who carries out the transaction (i.e. the representative) and beneficiary must undergo sanctions screening for each transaction; g) The names of the remitter (i.e. legal person or legal arrangement), its Owner/Partners/Shareholders, the authorized person who carries out the transaction (i.e. the representative) must undergo PEP screening for each transaction; h) The Licensed Person must establish the commercial/economic reasons for each remittance transaction; i) The Licensed Person must ensure that supporting documents, such as invoices, are in the name of the beneficial owner of funds and the goods are destined for the home country of the beneficial owner of the funds; j) Preference must be given to settle such transactions through bank, either by cheque or via bank transfer, instead of accepting cash; k) The name of beneficial owner of funds must be printed on the receipt in addition to the information of the remitter as per Paragraph 16.11.5 of this Chapter; l) After conducting the remittance transaction, the Licensed Person must collect the original Bill of Lading/Airway Bill for post transaction verification in a timely fashion after it is issued. The Licensed Person must introduce their own policies and procedures, based on an appropriate risk assessment, regarding the grace period (up to a maximum of 21 calendar days after conducting the remittance transaction) that can be granted to a customer in order to produce the Bill of Lading/Airway Bill. In case a customer fails to produce a copy of the Bill of Lading/Airway Bill within the given grace period, then the Licensed Person must not conduct further remittance transactions for that customer. A copy of the original Bill of Lading/Airway Bill certified as “Original Sighted and Verified” under the signature of the employee who carries out the KYC Process must be retained; m) The Licensed Person must track the movement of goods via an appropriate container/vessel tracking system in all cases of such remittance transactions. Appropriate logs and evidences must be maintained by the Licensed Person for such tracking; n) All such transactions must be closely monitored by the Compliance Officer. The systems must have the capability to support monitoring of such transactions and must generate necessary exception reports and alerts; o) In case of any doubt or confusion regarding the documents submitted or information provided by the beneficial owner of funds, remitter or representative, then the Licensed Person must exit the relationship and the case must be reported to the FIU immediately; and p) The authorized person who carries out the transaction (i.e. the representative) on behalf of the legal person or legal arrangement in the UAE must be a resident in the UAE.
16.20.7 The Licensed Person must not accept any transactions from a natural person, who is acting in personal capacity, on behalf of any foreign legal person or legal arrangement or a natural person who is a UAE Non-Resident.
16.21 Customs Declaration Forms (CDF)
16.21.1 The Licensed Person should be aware of the Regulation on the Declaration of Currencies, Bearer Negotiable Instruments, and Precious Metals and Stones in Possession of Travelers Entering or Leaving the UAE (issued in the Official Gazette No 703 dated 31/05/2021). These Regulation set requirements for individuals entering or departing the UAE carrying currencies, precious metals or stones, or bearer negotiable instruments with a value above AED 60,000. Such persons must declare these goods by completing the Customs Declaration Form (CDF);
16.21.2 The Licensed Person must collect and retain the original CDF if the customer exchanges currency, if the customer declares that the source of funds is related to the proceeds of purchase/sale of precious metals or stones brought into or to be taken out of the country, or of bearer negotiable instruments to the full value as stated in the CDF;
16.21.3 In case the customer exchanges only part of the total amount stated in the CDF, then the actual amount of currency, or of funds related to the proceeds of purchase/sale of precious metals or stones brought into or to be taken out of the country, or of bearer negotiable instruments exchanged by the Licensed Person must be endorsed on the original CDF under the signature of the employee who carries out the KYC process and under the official stamp of the Licensed Person. In such cases, the original CDF can be returned to the customer, but its copy after endorsement must be retained with the Licensed Person;
16.21.4 In case the amount of any partial exchange is endorsed on a CDF, the Licensed Person who accepts such CDF must exchange only the balance of the amount of currencies to ensure that the total amount of currency exchanged by the customer using the same CDF does not exceed the total value stated in the CDF; and
16.21.5 The CDF form collected from a customer must not be treated as evidence for the source of funds or the purpose of a transaction. Appropriate due diligence procedures must be conducted and supporting documents as evidence for the source of funds or purpose of transaction must be collected whenever and wherever necessary.
16.22 Recruitment and Know Your Employee (KYE) Process
16.22.1 The Licensed Person must implement an appropriate recruitment and Know Your Employee process for hiring employees in accordance with Paragraph 8.2 of Chapter 8.
16.23 AML Training
16.23.1 The Licensed Person must provide comprehensive AML/CFT compliance training to all employees including its Manager in Charge, functional heads, Directors of the Board and Owner/Partners/Shareholders.
16.23.2 The AML/CFT compliance training must be provided to all new joiners within thirty (30) calendar days from the date of joining. The new joiners must not be allowed to serve any customer independently until they have successfully completed such training. Refresher training must be provided to all employees at regular intervals.
16.23.3 The frequency of refresher AML/CFT compliance training may be determined based on the ML/FT risk exposure of each employee. Employees who deal directly with customers, products or services must be trained at least annually at a minimum.
16.23.4 Refresher training must also be provided whenever there are changes in the AML Laws, Regulations, Notices, the Standards or the Licensed Person’s AML policy/procedures.
16.23.5 Appropriate processes must be implemented to periodically assess the AML/CFT awareness of employees and repeat training must be planned based on the result of such assessment process.
16.23.6 Appropriate AML/CFT training registers must be maintained in order for the Central Bank Examiners to verify the training history of each employee.
16.23.7 Evidence for all trainings conducted such as, the training policy, training materials, training register, training plan, training schedules, assessment sheets, training certificates, etc. must be retained for the verification by the Central Bank Examiners.
16.23.8 The AML/CFT training materials must be reviewed and updated at regular intervals or whenever there are changes in the AML Laws, Regulations, Notices, the Standards and the Licensed Person’s AML policy/ procedures.
16.23.9 The AML/CFT training materials must cover at least the following topics. These topics should be covered in greater depth, and additional topics should be covered as appropriate, on a risk sensitive basis depending on the role of each employee:
a) Money laundering and terrorist financing, definitions, typologies as well as recent trends; b) ML/FT risks associated with the products and services offered by the Licensed Person; c) AML/CFT policies and procedures including the highlights on recent changes; d) The regulatory responsibilities and obligations of employees under AML/CFT Laws, Regulations, Notices and the Standards; e) Description of Know Your Customer process and its importance; f) Due Diligence measures and procedures for monitoring transactions; g) Sanction screening and PEP screening procedures; h) Red flags to identify unusual transactions or transaction patterns or customer behaviours; i) Processes and procedures of making internal disclosures of unusual transactions; j) Roles of the Compliance Officer and Alternate Compliance Officer including their full contact details; k) Tipping off; l) Record retention policy; m) Reference to industry guidance and other sources of information; n) Emerging ML/FT risks and measures to mitigate such risks; o) Penalties for non-compliance with the AML/CFT Laws, Regulations, Notices and the Standards; and p) Disciplinary procedures to be applied on employees for not adhering to the AML policy and procedures.
16.24 Transaction Monitoring
16.24.1 The Licensed Person must introduce automated systems and tools to support transaction monitoring, that are risk-based and appropriate to the nature, size and complexity of its business.
16.24.2 The monitoring systems must be configured to identify abnormal/unusual transactions, patterns of activities or behaviours of customers by defining sufficient number of rules and parameters within the system. Rules and parameters must take account of ML/FT typologies in the Exchange Business sector. Special attention must be given to third party transactions while defining rules and parameters.
16.24.3 Information related to the expected annual activity collected at the time of customer onboarding process must be used to assess any deviations or unusual behaviours/patterns.
16.24.4 All abnormal/unusual transactions must be investigated and supporting records must be retained for the minimum retention period as per Paragraph 16.29 of this Chapter.
16.24.5 After investigation of abnormal/unusual transactions, if reasonable grounds are established to suspect money laundering, terrorist financing and/or financing of illicit organizations, such transactions must be reported, without any delay, to the FIU. Please refer to paragraph 16.26 of this Chapter for further information.
16.24.6 Where a report is made to the FIU, it must be considered as part of the ongoing monitoring of the customer as required by paragraphs 16.9.11 and 16.11.7 of this Chapter.
16.25 Sanctions Screening
16.25.1 Appropriate systems must be introduced for real time screening, as part of the KYC process, on all parties involved in a transaction against all applicable sanction lists (i.e. the UN sanction lists (“UN Consolidated List’), the UAE Cabinet local list (“Local Terrorist List”)). Screening must be conducted prior to the execution of any transaction.
16.25.2 The Licensed Person must have appropriate procedures in place to test and fine-tune the system used for real-time screening on an ongoing basis.
16.25.3 Written processes and procedures for the escalation and clearing of potential sanction matches must be introduced;
16.25.4 The logs/records related to the clearing of potential sanction matches must be available in the system for a minimum period of five (5) years from the date of receipt of the transaction.
16.25.5 The UN Consolidated List and the Local Terrorist List must be regularly updated and immediately updated within the Point of Sale/computer systems of the Licensed Person, preferably without any manual intervention. Appropriate logs must be maintained in the system to confirm such updates.
a) The Licensed Person should rely on the official website of the UN Security Council for the most updated UN Consolidated List:
• https://www.un.org/securitycouncil/content/un-sc-consolidated-list (English) • https://www.un.org/securitycouncil/ar/content/un-sc-consolidated-list (Arabic)
b) The Licensed Person should rely on the official website of the Executive Office of the Committee for Goods & Materials Subjected to Import & Export Control (“Executive Office”) to obtain the most recent publication of the Local Terrorist List issued by the UAE Cabinet:
• UN page | Committee for goods & material subjected to import & export (uaeiec.gov.ae) (English) • UN page | لجنة السلع والمواد الخاضعة للاستيراد والتصدير (uaeiec.gov.ae) (Arabic)
c) The Licensed Person must register on the Executive Office’s website in order to receive automated email notifications with updated and timely information about the listing and de-listing of individuals or entities in the Local Terrorist List and in the UN Consolidated List.
16.25.6 When a match is found through the screening, the Licensed Person must immediately, without delay and without prior notice, freeze all funds. “Without delay” means within 24 hours of the listing decision being issued by the UN Security Council or the UAE Cabinet, as the case may be.
16.25.7 The Licensed Person must not make funds available or provide financial or other related services, whether in whole or in part, directly or indirectly, to any of the persons or entities identified according to the above.
16.25.8 Sanction screening must be applied in the below cases as follow:
a) In the case of foreign currency exchange transactions, the customer’s name must be screened against the sanction lists; b) In the case of money transfer transactions, the Remitter’s name and Beneficiary’s name as well as the name of beneficiary bank must be screened against sanction lists; c) Where the transactions are conducted by a legal person or legal arrangement, the name of the authorised person who carries out the transaction (i.e. the representative) must be screened against sanctions lists in addition to the name of the legal person or legal arrangement and its BOs. The Licensed Person, where applicable, must also comply with Paragraph 16.25.8 (b) of this Chapter; and d) The Licensed Person must also comply with the sanction screening requirements, in the case of third party transactions, as required by Paragraph 16.20 of this Chapter.
16.25.9 The Licensed Person should notify the Central Bank and the Executive Office as follow:
a) In case of any confirmed match to a listing of names of individuals or legal persons to the Local Terrorist List or the UN Consolidated List is identified, the Licensed Person is required to report any freezing measures, prohibition to provide funds or services or any attempted transactions via the goAML platform within two business days by selecting the Fund Freeze Report (FFR). The Licensed Person must also ensure all the necessary information and documents regarding the confirmed match are submitted.
b) In case of any potential match to a listing of names of individuals or legal persons to the Local Terrorist List or UN Consolidated List is identified (i.e. any match between data in the sanctions lists with any information in the Licensed Person’s databases), the Licensed Person is required to report the potential match via the goAML platform by selecting the Partial Name Match Report (PMNR). The Licensed Person must also ensure all the necessary information and documents regarding the potential match are submitted. In addition, the Licensed Person must uphold suspension measures related to the “potential match” until further instructions are received via the goAML platform on whether to cancel the suspension or implement freezing measures.
c) The TFS related reports (FFR or PMNR) submitted via the goAML platform will be received simultaneously by the Central Bank and the Executive Office. The Licensed Person should also consult the Central Bank and the Executive Office’s websites respectively as updated from time to time.
16.25.10 The Licensed Person should consider their need to comply with other sanctions programs where applicable, including due to correspondent relationships, such as those administered by the United States of America and the European Union.
16.25.11 The Licensed Person must also sign up for the Integrated Enquiries Management System (IEMS) introduced by the FIU to automate and facilitate the execution process of requests for information, implementing decisions of public prosecutions and any other type of ML/FT requests.
16.26 Suspicious Transaction Reporting
16.26.1 Internal disclosure requirements:
a) The Licensed Person must implement procedures, controls, systems and tools for its employees to internally disclose all suspected cases of ML/FT directly to the Compliance Officer or to an appropriate member of the compliance department without any interference from the Manager in Charge or any other employee of the Licensed Person;
b) All internal disclosures must be thoroughly investigated to confirm if there are reasonable grounds for suspicion;
c) If the investigation of an internal disclosure does not reveal reasonable grounds for suspicion, then the Compliance Officer may decide either to close the case or keep it open for future monitoring; and
d) The Compliance Officer must retain documentary evidence regarding all internal disclosures, details of investigations undertaken and reasons for closing a case or keeping the case open for future monitoring under watch list or for reporting to the FIU.
16.26.2 External Reporting to the FIU:
a) The Licensed Person must file without any delay an STR or SAR or other report types with the FIU using the “goAML” portal when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime.
b) The Licensed Person must take into account all information from both the ordering and beneficiary sides in order to determine whether an STR or SAR is to be filed.
c) Procedures and controls must be implemented to ensure timely reporting of suspected cases to the FIU;
d) The Licensed Person must comply with all directions of the FIU in relation to STRs and SARs submitted to them;
e) The Licensed Person must keep appropriate records of STRs and SARs reported to the FIU; as required by paragraph 16.29.6 of this Chapter and
f) As stated in Paragraph 16.25.6 of this Chapter, where a transaction is subject to the UN or UAE sanctions, the Licensed Person must immediately and without prior notice freeze the funds. Where a Licensed Person suspects that a transaction is related to the financing of terrorism and illegal organisations, the Licensed Person must report the transaction to the FIU within 24 hours.
16.27 Tipping Off
16.27.1 Tipping off is prohibited and is a punishable criminal offence. The Licensed Person or its employees must not inform customers or any persons or third parties, either directly or indirectly, that their transactions are subject to monitoring, are under investigation or have been reported to the FIU as suspicious transactions.
16.27.2 The Compliance Officer must ensure that all employees of the Licensed Person are aware of the consequences of tipping off such as penalties and imprisonment. Sufficient AML/CFT training must be provided to all employees to avoid tipping off.
16.28 Employee Behaviour
16.28.1 The Licensed Person must watch out for its employee’s behaviour, such as, an employee whose lifestyle cannot be supported by his/her salary or an employee who is reluctant to take a vacation or is associated with unusually large numbers of transactions, etc.
16.29 Record Retention
16.29.1 All records, documents, data and statistics related to transactions such as transaction receipts, KYC, CDD and EDD, ongoing monitoring, business correspondence and copies of personal identification documents must be retained for a minimum period of five (5) years from the date of completion of the transaction, termination of the business relationship or from the closing date of the account.
16.29.2 Records, in the context of Paragraph 16.29.1 of this Chapter, include electronic communication and documentation as well as physical, hard copy communication and documentation.
16.29.3 Records retained by the Licensed Person must be sufficient to permit the reconstruction of individual transactions.
16.29.4 AML training registers, training plans, AML training materials and other evidence for providing AML training must be retained for a period of five (5) years from the date of training.
16.29.5 Supporting documents for the transaction monitoring and investigations carried out on unusual transactions must be retained for a minimum period of five (5) years.
16.29.6 All documents related to STRs, SARs or other report types, including internal disclosures by employees and results of any analysis performed, must be retained for a minimum period of five (5) years from the date the STR, SAR or other report was reported. In case the matter is subject to litigation in a court or under investigation by an enforcement agency, the supporting documents related to such transactions or STR, SAR or other report must be retained for a minimum period of five (5) years from the date of issuance of a final decision of the competent judicial authority or from the date of completion of the investigation.
16.29.7 Any other records to demonstrate compliance with the AML/CFT Laws, Regulations, Notices and the Standards must also be retained.
16.30 Bi-Annual Compliance Report
16.30.1 The Compliance Officer must prepare Bi-Annual Compliance Reports (i.e. reports for the six (6) month periods ending on 30th June and 31st December of the respective financial year) in order to assess the effectiveness of the Licensed Person’s AML/CFT policies, procedures, systems and controls to prevent M//TF.
16.30.2 Bi-Annual Compliance Reports must be submitted within one (1) month from the end of each reporting period to:
a) the Compliance Committee; and b) the Board of Directors (or the Owner/Partners where there is no Board of Directors).
16.30.3 Bi-Annual Compliance Reports must cover at least the following:
a) Assessment of ML/FT risks associated with the business of the Licensed Person and the effectiveness of its policies, procedures, systems and controls;
b) Summary of the gap analysis between the AML/CFT Program of the Licensed Person and existing AML Laws, Regulations, Notices and the Standards as well as the actions taken by the Compliance Officer to bridge or resolve such gaps;
c) Details of AML/CFT breaches highlighted in the most recent Central Bank examination report and the reports by Internal/External Auditors;
d) The number of internal suspicious disclosures made by employees and the number of cases investigated, closed, kept open for future monitoring or reported to the FIU as STRs during the reporting period;
e) The number of suspicious transactions detected and reported to the FIU via independent transaction monitoring by the Compliance Officer during the reporting period;
f) Changes in the AML/CFT policies and procedures reviewed and the details of any AML/CFT policy or procedures newly introduced during the reporting period;
g) Statistics on total employees, new joiners during the reporting period, number of employees trained and the number of employees not trained (if any) including reasons for not training employees;
h) Areas where the AML/CFT training programme must be improved and proposals made to enhance the training;
i) Recommendations to the Manager in Charge and the Board of Directors (or to the Owner/Partners where there is no Board of Directors) for the improvement of the AML/CFT function of the Licensed Person;
j) Details of Compliance Officer’s requests for additional human resources, systems, controls, tools and technology changes for the attention of the Board of Directors (or of the Owner/Partners where there is no Board of Directors);
k) An action plan to improve the AML/CFT compliance function for the next six (6) months along with the current status of similar action plan for previous six (6) months; and
l) The conclusion of the Compliance Officer about the effectiveness of the existing AML/CFT function of the Licensed Person.
16.30.4 The Bi-Annual Compliance Report must be approved by the Board of Directors (or by the Owner/Partners where there is no Board of Directors).
16.30.5 A copy of the Bi-Annual Compliance Report must be submitted to the Banking Supervision Department and the AML/CFT Supervision Department via email respectively to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae along with comments from the Board of Directors (or from the Owner/Partners where there is no Board of Directors) within four (4) months from the end of each reporting period.
16.31 Independent Audit/Agreed-Upon Procedures on AML/CFT Compliance Function
16.31.1 The Compliance Officer’s function must undergo regular audit by the Internal Audit Department. Internal audit findings must be reported to the Board of Directors (or to the Owner/Partners where there is no Board of Directors).
16.31.2 External Auditors must perform Agreed-Upon Procedures on the AML/CFT Compliance function annually which cover all the requirements of the AML/CFT Laws and Regulations, in particular this Chapter, and report their findings directly to the Board of Directors (or to the Owner/Partners where there is no Board of Directors). The Licensed Person must submit a copy of this report to the Banking Supervision Department and the AML/CFT Supervision Department via email respectively to info.ehs@cbuae.gov.ae and amlcft@cbuae.gov.ae within four (4) months from the end of each financial year.
16.31.3 The Board of Directors (or the Owner/Partners where there is no Board of Directors) must ensure that appropriate actions are taken by the Compliance Officer, Manager in Charge and other functional heads to resolve findings of internal and external auditors in a timely manner. The Board must have in place procedures that are reasonably designed to ensure timely remediation of findings which may include time bound action plans, periodical review, follow ups.
16.32 Uploading of Remittance Data and Responding to Central Bank Queries
16.32.1 The Licensed Person must upload remittance data to the Central Bank Remittances Reporting System on a daily basis or at the latest by the end of the next business day.
16.32.2 The Licensed Person must also introduce appropriate procedures, systems and tools to enable immediate responses to the enquiries received from the Central Bank, the FIU (example: Search or Freeze notices) and other competent authorities in the UAE.
16.33 Role of the Compliance Committee
16.33.1 Please refer to Paragraph 6.9.3 of Chapter 6 for the roles and responsibilities of the Compliance Committee.
16.34 Scope of the Standards
16.34.1 The Standards under this Chapter shall apply to all Licensed Persons and their branches, offices and subsidiaries operating in the UAE as well as their employees, Board of Directors, Owner/Partners/Shareholders.
16.34.2 The Standards under this Chapter also apply to all branches and subsidiaries of the Licensed Person operating in foreign jurisdictions where the AML/CFT compliance requirements are less stringent than that contained in this Chapter.
16.35 Relationship with Other Documents3
This Chapter must be read, in particular, in conjunction with the following Laws and Regulations of the UAE:a) Federal Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations and its amendment (Decree Federal Law No. (26) of 2021 amending certain provisions of Federal Decree Law No. 20 for 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations);
b) Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations;
c) Central Bank’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations (issued by Notice No. 74/2019 dated 19/06/2019);
d) Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof; and
e) Central Bank’s Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidance for Licensed Exchange Houses and other AML/CFT related Guidances.
3 Available at https://www.centralbank.ae/en/cbuae-amlcft