      • Decree Federal Law No. (20) of 2018 on Anti-money Laundering and Combating the Financing of Terrorism and Illegal Organisations

        DFL 20/2018 Effective from 23/10/2018

         

        The Decree Federal Law No. (20) of 2018 on Anti-money Laundering and Combating the Financing of Terrorism and Illegal Organisations has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. Please find the PDFs of versions on the table below.
        Version 2 (consolidated as of 13/09/2021) 
        Version 1 (effective from 23/10/2018) 
        • Article (1)

          In application of the provisions of the present Decree-Law, the following terms and expressions shall have the following meanings assigned to them unless the context requires otherwise:

          State: United Arab Emirates

          Ministry: Ministry of Finance

          Minister: Minister of Finance

          Central Bank: Central Bank of the UAE

          Governor: Governor of Central Bank

          Committee: National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organizations

          Unit: Financial Intelligence Unit

          Supervisory Authority: Federal and local authorities which are entrusted by legislation to supervise financial institutions, designated non-financial businesses and professions, Virtual Asset Service Providers and non-profit organizations or the competent authority in charge of approving the pursuit of an activity or a profession in case a supervisory authority is not assigned by legislations.

          Law-enforcement Authorities: Federal and local authorities which are entrusted under applicable legislation to combat, search, investigate and collect evidence on the crimes including AML/CFT crimes and financing illegal organizations.

          Competent Authorities: The competent government authorities in the State entrusted with the implementation of any provision of this Decree Law.

          Predicate Offence: Any act constituting a felony or misdemeanor under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.

          Money Laundering: Any of the acts mentioned in Clause (1) of Article (2) of the present Decree-Law.

          Financing of Terrorism: Any of the acts mentioned in Articles (29, 30) of Federal Law no. (7) of 2014.

          Illegal Organizations: Organizations whose establishment is criminalized or which exercise a criminalized activity.

          Financing Illegal Organizations: Any physical or legal action aiming at providing funding to an illegal organization, or any of its activities or its members.

          Crime: Money laundering crime and related predicate offences, or financing of terrorism or illegal organizations.

          Funds: Assets, whatever the method of acquisition, type and form, tangible or intangible, movable or immovable, electronic, digital or encrypted, including local and foreign currencies, legal documents and instruments of whatever form, including electronic or digital form that proves ownership of such assets, shares or related rights and economic resources that are assets of any kind, including natural resources, as well as bank credits, cheques, payment orders, shares, securities, bonds, bills of exchange, letters of credit, and any interest, profits or other incomes derived or resulting from these assets, and can be used to obtain any financing or goods or services.

          Virtual Assets: A digital representation of the value that can be digitally traded or transferred, and can be used for payment or investment purposes, and otherwise, as specified in the Executive Regulation of this Decree-Law.

          Proceeds: Funds generated directly or indirectly from the commitment of any felony or misdemeanor including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.

          Means: Any means used or intended to be used to commit a felony or misdemeanor.

          Suspicious Transactions: Transactions related to funds for which there are reasonable grounds to believe that they are earned from any felony or misdemeanor or related to the financing of terrorism or of illegal organizations, whether committed or attempted.

          Freezing or seizure: Temporary attachment over the moving, conversion, transfer, replacement or disposition of funds in any form, by an order issued by a competent authority.

          Confiscation: Permanent expropriation of private funds or proceeds or instrumentalities by a ruling issued by a competent court.

          Financial Institutions: Anyone who conducts one or several of the financial activities or transactions defined in the Executive Regulation of the present Decree Law for the account of /or on behalf of a client.

          Designated Nonfinancial Businesses and Professions: Anyone who conducts one or several of the commercial or professional activities defined in the Executive Regulation of this Decree Law.

          Non-Profit Organizations: Any organized group, of a continuing nature set for a temporary or permanent time period, comprising natural or legal persons or not for profit legal arrangements for the purpose of collecting, receiving or disbursing funds for charitable, religious, cultural, educational, social, communal or any other charitable activities.

          Legal Arrangement: A relationship established by means of a contract between two or more parties, including but not limited to trust funds or other similar arrangements.

          Client: Any person who is involved in or attempts to carry out any of the activities specified in the Executive Regulations of this Decree Law with one of the financial institutions or designated nonfinancial businesses and professions or Virtual Asset Service Providers.

          Beneficial Owner: The natural person who owns or exercises effective ultimate control over the client or the natural person on whose behalf a transaction is being conducted or, the natural person who exercises effective ultimate control over a legal person or legal arrangement, whether directly or through a chain of ownership, control or other indirect means.

          Virtual asset service providers: Any natural or legal person, who practices any activity of commercial business, conducts one or more of the activities of virtual assets specified in the Executive Regulation of this Decree-Law, or the operations related thereto for the benefit or on behalf of another natural or legal person.

          Transaction: All disposal or use of Funds or proceeds including for example: deposits, withdrawals, transfer, sale, purchase, lending, swap, mortgage, and donation.

          Registrar: The entity in charge of supervising the register of commercial names for all types of establishments registered in the State.

          Customer Due Diligence (CDD): The process of identifying or verifying the information of a Client or Beneficial Owner, whether a natural, legal person or a legal arrangement, the nature of its activity, the purpose of the business relationship, the ownership structure, control over it for the purpose of this Decree-Law and its Executive Regulation.

          Controlled Delivery: The process by which a competent authority allows the entering or transferring of illegal or suspicious funds or crime revenues to and from the State for the purpose of investigating a crime or identifying the identity of its perpetrators.

          Undercover Operation: The process of search and investigation conducted by one of the judicial impoundment officers by impersonating or playing a disguised or false role in order to obtain evidence or information related to the Crime.

          This article has been amended by Federal Decree-Law No. (26) of 2021. The latest version appears above; the previous version follows.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          In application of the provisions of the present Decree law, the following terms and expressions shall have the following meanings assigned to them unless the context requires otherwise:

          - State: United Arab Emirates.

          - Ministry: Ministry of Finance.

          - Minister: Minister of Finance.

          - Central Bank: Central Bank of the UAE.

          - Governor: Governor of Central Bank.

          - Committee: National Committee for Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

          - FIU: Financial Intelligence Unit.

          - Supervisory Authority: Federal and local authorities which are entrusted by legislation to supervise Financial Institutions, Designated Non-Financial Businesses and Professions and Non-Profit Organisations or the Competent Authority in charge of approving the pursuit of an activity or a profession in case a supervisory authority is not assigned by legislations.

          - Law-Enforcement Authorities: Federal and local authorities, which are entrusted under applicable legislation to combat, search, investigate and collect evidence on the crimes including ML/FT and financing illegal organisations crimes.

          - Competent Authorities: The competent government authorities in the State entrusted with the implementation of any provision of this Decree law.

          - Predicate Offence: Any act constituting a felony or misdemeanour under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.

          - Money Laundering: Any of the acts mentioned in Clause (1) of Article (2) of the present Decree law.

          - Financing of Terrorism: Any of the acts mentioned in Articles (29 and 30) of Federal Law no. (7) of 2014.

          - Illegal Organisations: Organisations whose establishment is criminalized or which pursue a criminalized activity.

          - Financing Illegal Organisations: Any physical or legal action aiming at providing funding to an illegal organisation, or any of its activities or its members.

          - Crime: Money laundering crime and related predicate offences, or financing of terrorism or financing of illegal organisations.

          - Funds: Assets in whatever form, whether tangible or intangible, movable or immovable including national currency, foreign currencies, documents or notes evidencing the ownership of those assets or associated rights in any form including electronic or digital forms or any interests, profits or income originating or earned from these assets.

          - Proceeds: Funds generated directly or indirectly from the commitment of any felony or misdemeanour including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.

          - Instrumentalities: Any item used or intended to be used in any way to commit a felony or misdemeanour.

          - Suspicious Transactions: Transactions related to funds for which there are reasonable grounds to suspect that they are earned from any felony or misdemeanour, related to the financing of terrorism or of illegal organisations, whether committed or attempted.

          - Freezing or seizure: Temporary restriction over the moving, conversion, transfer, replacement or disposition of funds in any form, by an order issued by a Competent Authority.

          - Confiscation: Permanent expropriation of private funds or proceeds or instrumentalities by an injunction issued by a competent court.

          - Financial institutions: Anyone who conducts one or several of the activities or operations defined in the Executive Regulation of the present Decree law for the account of /or on behalf of a customer.

          - Designated Nonfinancial Businesses and Professions: Anyone who conducts one or several of the commercial or professional activities defined in the Executive Regulation of this Decree Law.

          - Non-Profit Organisations: Any organized group, of a continuing nature set for a temporary or permanent time period, comprising natural or legal persons or not for profit legal arrangements for the purpose of collecting, receiving or disbursing funds for charitable, religious, cultural, educational, social, communal or any other charitable activities.

          - Legal Arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality such as trust or other similar arrangements.

          - Customer: Anyone who is involved in or attempts to carry out any of the activities specified in the Executive Regulations of this Decree Law with one of the Financial Institutions or Designated Nonfinancial Businesses and Professions.

          - Beneficial Owner: The natural person who owns or exercises effective ultimate control, directly or indirectly over a Customer, or the natural person on whose behalf a Transaction is being conducted or, the natural person who exercises effective ultimate control over a legal person or Legal Arrangement.

          - Transaction: All disposal or use of Funds or proceeds including for example: deposits, withdrawals, conversion or transfer, sales, purchases, lending, swap, mortgage, and donation.

          - Registrar: The entity in charge of supervising the register of commercial names for all types of establishments registered in the State.

          - Customer Due Diligence (CDD): The process of identifying or verifying the information of a Customer or Beneficial Owner, whether a natural or legal person or a legal arrangement, and the nature of its activity and the purpose of the business relationship and the ownership structure and control over it for the purpose of this Decree Law and its Executive Regulation.

          - Controlled Delivery: The process by which a Competent Authority allows under its supervision the entering or transferring of illegal or suspicious funds or Crime revenues to and from the UAE for the purpose of investigating a Crime or identifying the identity of its perpetrators.

          - Undercover Operation: The process of search and investigation conducted by one of the judicial impoundment officers by impersonating or playing a disguised or false role in order to obtain evidence or information related to a crime.

           

        • Article (2)

          1. Any person, having the knowledge that the funds are the proceeds of a felony or a misdemeanour, and who wilfully commits any of the following acts, shall be considered a perpetrator of the crime of Money Laundering:
             
            1. Transferring or moving proceeds or conducting any transaction with the aim of concealing or disguising their illegal source.

            2. Concealing or disguising the true nature, source or location of the proceeds as well as the method involving their disposition, movement, ownership of or rights with respect to said proceeds.

            3. Acquiring, possessing or using proceeds upon receipt.

            4. Assisting the perpetrator of the predicate offense to escape punishment.

          2. The crime of Money Laundering is considered as an independent crime. The punishment of the perpetrator for the predicate offence shall not prevent his punishment for the crime of Money Laundering.

          3. Proving the illicit source of the proceeds should not constitute a prerequisite to sentencing the perpetrator of the predicate offence.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. The latest version appears above; the previous version follows.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          1- Any person, having the knowledge that the Funds are the proceeds of a felony or a misdemeanour, and who wilfully commits any of the following acts, shall be considered a perpetrator of the crime of Money Laundering:

          a- Transferring or moving Proceeds or conducting any transaction with the aim of concealing or disguising their illegal source.

          b- Concealing or disguising the true nature, source or location of the Proceeds as well as the method involving their disposition, movement, ownership of or rights with respect to said Proceeds.

          c- Acquiring, possessing or using Proceeds upon receipt.

          d- Assisting the perpetrator of the Predicate Offence to escape punishment.

          2- The crime of Money Laundering is considered as an independent crime. The punishment of the perpetrator for the Predicate Offence shall not prevent his punishment for the crime of Money Laundering.

          3- A conviction with a Predicate Offence shall not be deemed as a condition to prove the illicit source of the Proceeds.

           

        • Article (3)

          Without prejudice to the provisions of Federal Law No. (3) of 1987 referred to herein, and Federal Law No. (7) of 2014 referred to herein:

          1- The crime of Financing Terrorism shall be committed by whoever intentionally commits any of the following:

          a- Any of the acts specified in Clause (1) of Article (2) of the present Decree Law, if he is aware that the Proceeds are wholly or partly owned by a terrorist organisation or terrorist person or intended to finance a terrorist organisation, a terrorist person or a terrorism crime, even if it is without the intention to conceal or disguise their illegal source.

          b- Providing, collecting, preparing or obtaining Proceeds or facilitating their obtainment by others with intent to use them, or while knowing that such Proceeds will be used in whole or in part for the commitment of a terrorist offence, or if he has committed such acts on behalf of a terrorist organisation or a terrorist person while aware of their true background or purpose.

          2- A person shall be guilty of financing illegal Organisations crime if he intentionally commits any of the following:

          a- Any of the acts specified in Clause (1) of Article (2) of this Decree Law, if he is aware that the Proceeds are wholly or partly owned by an Illegal Organisation or by any person belonging to an Illegal Organisation or intended to finance such Illegal Organisation or any person belonging to it, even if it is without the intention to conceal or disguise their illicit origin.

          b- Providing, collecting, preparing, obtaining Proceeds or facilitating their obtainment by others with intent to use such Proceeds, or while knowing that such Proceeds will be used in whole or in part for the benefit of an Illegal Organisation or of any of its members, with knowledge of their true identity or purpose.

        • Article (4)

          The legal person shall be criminally responsible for the Crime if it is committed in its name or for its account intentionally, without prejudice to the personal criminal responsibility of the perpetrator and the administrative penalties as prescribed by law.

        • Article (5)

          1- The Governor or his delegate shall have the right to freeze suspicious Funds deposited at financial institutions for no more than (7) seven working days, in accordance with the rules and controls stipulated in the Executive Regulation of the present Decree Law and it may be renewed by order of the public prosecutor or his delegate.

          2- The public prosecution and the competent court, as the case may be, shall request the identification, tracking, or evaluation of suspicious Funds, Proceeds and Instrumentalities or of whatever is of equivalent value or seizing or freezing them if they are the result of, or in connection with, the Crime without pre-advising the owner and issuing a travel ban until the investigation or trial is completed.

          3- The public prosecution and the competent court, as the case may be and when necessary, shall take the necessary decision to prohibit trading or disposing of such Funds, Proceeds and Instrumentalities and take the necessary actions to prevent any act aiming at evading related freezing or seizing orders, without prejudice to the rights of bona fide third parties.

          4- All freezing orders of funds held by financial institutions licensed by the Central Bank may only be executed through the Central Bank.

          5- Any grievance against the public prosecution's decision to freeze or seize in accordance with the provisions of the present Article shall be filed before the competent court in whose jurisdiction the public prosecution issuing the decision is located. If the grievance is rejected, a new one may be lodged only after the expiry of three months from the date of rejection of the previous one, unless there is a serious reason to do so before the expiry of that period.

          6- The grievance shall be filed by submitting a report to the competent court. The president of the court shall set a date to review the report and notify the plaintiff of the date. The public prosecution shall submit a memorandum expressing its opinion on the grievance. The court shall issue its decision on this grievance within no more than (14) fourteen business days from the date of its submission.

          7- The public prosecution and the competent court, as the case may be, shall appoint whomever they find suitable to manage the Funds, Proceeds and Instrumentalities seized, frozen or subject to confiscation, also allowing selling or disposing it, even before the issuance of a court decision if needed. The proceeds of the sale shall be transferred to the UAE treasury in case of a final judgment of conviction. These Funds shall be earmarked to any rights awarded legally to any party acting in good faith, proportionately to its value.

          8- The Executive Regulation of the present Decree Law shall define the rules and procedures for implementing the dispositions of the present Article.

        • Article (6)

          1. Without prejudice to the provisions of Article (5) of this Decree-Law, no criminal proceedings shall be instituted against the perpetrator of money laundering, financing terrorism, or financing of illegal organizations in accordance with the provisions of this Decree-Law except by the public prosecutor or his delegate.
          2. The public prosecutor or his delegate and the competent court as the case may be shall issue a decision to take the necessary procedures to protect the intelligence information and the means and methods of obtaining such information or instruct the competent authorities to protect the witnesses, or the undisclosed sources, the accused or other parties involved in the case if there is a serious threat to their safety.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. The latest version appears above; the previous version follows.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          1- Without prejudice to the provisions of Article (5) of this Decree Law, no criminal proceedings shall be instituted against the perpetrator of Money Laundering or Financing of Terrorism, or Financing of Illegal Organisations in accordance with the provisions of this Decree Law except by the Attorney General or his delegate.

          2- The Attorney General or his delegate and the competent court as the case may be, shall issue a decision to take the necessary procedures to protect the intelligence information and the means and methods of obtaining such information or instruct the competent authorities to protect the witnesses, or the undisclosed sources, the accused or other parties involved in the case if there is a serious threat to their safety.

           

        • Article (7)

          1- The public prosecution may, sua sponte or upon the request of the Law Enforcement Authorities, should there be sufficient evidence of the occurrence of the Crime, request direct access to accounts, records and documents held by third parties and request access to the stored data in the computer system and information technology programs, memorandums, correspondences and packages, identify, track and seize the Funds, monitor the accounts, issue travel bans and other procedures aiding in uncovering the Crime and its perpetrators without prejudice to the legislations applicable in the UAE.

          2- The Law Enforcement Authorities may conduct undercover operations and adopt other investigative methods and initiate the controlled delivery operation aimed at detecting the Crime or its evidence or identifying the source and destination of the Funds, Proceeds or Instrumentalities or arresting the perpetrators without prejudice to the legislation applicable in the UAE.

          3- Any person involved in an undercover operation or a controlled delivery operation by Law Enforcement Authorities shall not be held criminally responsible unless such person has instigated the perpetration of the Crime or exceeded the powers granted to him.

          4- The Competent Authorities in the UAE shall keep comprehensive statistics on the reports of Suspicious Transactions, investigations and Crime-related judgments, seized, frozen or confiscated funds, international cooperation requests and any statistics related to the efficiency and sufficiency of Crime combating procedures.

        • Article (8)

          Any person shall declare whenever he brings into the UAE or takes out any currency or bearer negotiable instruments or precious metals or stones of value, in accordance with the declaration system issued by the Central Bank.

        • Article (9)

          Central Bank of the UAE shall establish an independent “Financial Intelligence Unit” to which suspicious transaction reports, information on all financial institutions, designated nonfinancial businesses and professions, and Virtual Asset Service Providers shall be sent exclusively for consideration, analysis, and referral to the competent authorities, either automatically or upon request. The Financial Intelligence Unit shall have competence over the following:

          1. Requesting financial institutions, designated nonfinancial businesses and professions, Virtual Assets Service Providers and the competent authorities to submit any information or further documentation related to received reports and information and other information deemed necessary for the Financial Intelligence Unit to perform its duties on schedule and in the form determined by the Unit.

          2. Exchanging information with its counterparts in other countries, with respect to Suspicious Transactions Reports or any other information to which the Financial Intelligence Unit has exclusive access or is the exclusive recipient, whether directly or indirectly, according to international agreements to which the State is a party or bilateral agreements signed by the Financial Intelligence Unit with its counterparts governing bilateral cooperation or conditional upon reciprocity. The Financial Intelligence Unit may communicate to its counterparts its findings derived from the use of the information provided by its counterparts and the results of the analysis conducted based on this information. Such information shall be used only for the purposes of combating the crime and shall not be disclosed to third parties without the Financial Intelligence Unit’s permission.

          3. Establishing a database or a special register to record all available information and to implement data privacy and data security procedures to protect this information including procedures for handling, archiving, transferring and accessing the data, and make sure that access to its premises, its database and its technology systems is restricted.
             
          4. Any other competencies to be specified in the Executive Regulation attached to the present Decree-Law.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. The latest version appears above; the previous version follows.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          An independent “Financial Intelligence Unit” shall be established in the Central Bank, to which Suspicious Transaction reports and related information from all Financial Institutions and Designated Nonfinancial Businesses and Professions shall be sent exclusively for consideration and analysis and referral to the competent authorities, spontaneously or upon request. The FIU shall have competence over the following:

          1- Requesting Financial Institutions and Designated Nonfinancial Businesses and Professions and the competent authorities to submit any information or additional documentation related to received reports and information, and other information deemed necessary for the FIU to perform its duties, on schedule and in the form determined by the Unit.

          2- Exchanging information with its counterparts in other countries, with respect to Suspicious Transactions Reports or any other information to which the FIU has access or is the recipient, whether directly or indirectly, according to international agreements to which the State is a party or bilateral agreements signed by the FIU with its counterparts governing bilateral cooperation or conditional upon reciprocity. The FIU may communicate to its counterparts its findings derived from the use of the information provided by its counterparts and the results of the analysis conducted based on this information. Such information shall be used only for the purposes of combating the Crime and shall not be disclosed to third parties without the FIU’s permission.

          3- Establishing a database or a special register to record all available information and to implement data privacy and data security procedures to protect this information including procedures for handling, archiving and transferring and make sure that access to its premises, its database and its technology systems is restricted.

          4- Any other competences to be specified in the Executive Regulation to the present Decree Law.

           

        • Article (10)

          1- The public prosecution may seek the opinion of the FIU about incoming reports it receives related to cases of Money Laundering, Financing of Terrorism and of Illegal Organisations.

          2- Law Enforcement Authorities shall be responsible for receiving and following-up on suspicious transactions reports received from the FIU and gathering related evidence.

          3- Law Enforcement Authorities may obtain the information that they deem necessary to perform their duties from the relevant authorities as stipulated under the Executive Regulation of the present Decree Law.

        • Article (11)

          A committee chaired by the Governor, called "National Committee for Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations", shall be established by virtue of the provisions of this Decree Law. A decision on the formation of the Committee shall be issued by the Minister.

        • Article (12)

          The Committee shall have the following competences:

          1. Preparing and developing a national strategy to combat crime and proposing related regulations, policies and procedures in coordination with the competent authorities, and monitoring their implementation.
             
          2. Determining and assessing the risks of the crime on the national level.
             
          3. Coordinating with the relevant authorities and referring to related international sources of information in order to identify high-risk countries, in addition to countries whose systems for combating money laundering and financing of terrorism are weak; moreover, identifying the necessary countermeasures to be taken and other measures commensurate with the degree of risk, and instructing the supervisory authorities to ensure the adherence to the required due diligence procedures by financial institutions, designated nonfinancial businesses and professions, virtual asset service providers and non-profit organizations which are under their supervision in order to implement the said measures.
             
          4. Facilitating the exchange of information and coordination among the various bodies represented therein.
             
          5. Collecting and analyzing statistics and other information provided by the Competent Authorities to assess the effectiveness of their Regulations on combating Money laundering, Terrorism financing and financing of illegal organizations.
             
          6. Representing the State in international forums related to AML/CTF.
             
          7. Proposing the Regulation covering the work of the Committee, and submitting it to the Minister for approval.
             
          8. Any other matters referred to the Committee by Competent Authorities in the State.
             
          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          The Committee shall have the following competences:

          1- Preparing and developing a national strategy to combat Crime and proposing related regulations, policies and procedures in coordination with the competent authorities, and monitoring their implementation.

          2- Determining and assessing the risks of the Crime on the national level.

          3- Coordinating with the relevant authorities and referring to related international sources of information in order to identify high-risk countries in relation to Money Laundering and Financing of Terrorism and instructing the supervisory authorities to ensure the adherence to the required due diligence procedures by Financial Institutions, Designated Nonfinancial Businesses and Professions, and non-profit organisations which are under their supervision.

          4- Facilitating the exchange of information and coordination among the various bodies represented therein.

          5- Assess the effectiveness of the system on combating Money Laundering, Terrorism Financing and Financing of Illegal Organisations based on collecting and analysing statistics and other information provided by the Competent Authorities.

          6- Representing the State in international forums related to Anti-Money Laundering and combating Financing of Terrorism.

          7- Proposing the Executive Regulation covering the work of the Committee, and submitting it to the Minister for approval.

          8- Any other matters referred to the Committee by Competent Authorities in the UAE.

           

        • Article (13)

          The Supervisory Authorities shall, each within the scope of its competence, carry out supervision, monitoring and follow up to ensure compliance with the provisions provided for in the present Decree-Law and its executive regulation, regulatory decisions in addition to any other related decisions and shall have in particular, the following competences:

          1. Conduct a risk assessment on the likelihood of the perpetration of a Crime within the financial institutions, designated nonfinancial businesses and professions, and activities of virtual assets and activities of virtual asset service providers and non-profit organizations.
             
          2. Conduct control and audit inspections over financial institutions, designated nonfinancial businesses and professions, virtual assets service providers and non-profit organizations, both remotely and on site.
             
          3. Issue the decisions related to the administrative penalties in accordance with the provisions of this Decree-Law and its Executive Regulation, the grievance mechanism, and keep statistics of measures taken and penalties imposed.
             
          4. Any other competencies stipulated in the Executive Regulation of the present Decree-Law.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          The Supervisory Authorities shall, each within the scope of its competence, carry out supervision, monitoring and follow up to ensure compliance with the provisions provided for in the present Decree Law and its Executive Regulation and shall have in particular, the following competences:

          1- Conduct a risk assessment on the likelihood of the perpetration of a Crime within the Financial Institutions, Designated Nonfinancial Businesses and Professions and Non-Profit Organisations.

          2- Conduct supervision and examination over financial institutions, designated nonfinancial businesses and professions and non-profit organisations, both off-site and on-site.

          3- Issue the decisions related to the administrative penalties in accordance with the provisions of this Decree Law and its Executive Regulation, the grievance mechanism, and keep statistics of measures taken and penalties imposed.

          4- Any other specialized activities stipulated in the Executive Regulation of the present Decree Law.

           

        • Article (14)

          1. Without prejudice to any more severe administrative penalty provided by any other legislation, the Supervisory authority shall impose the following administrative penalties on the financial institutions, designated nonfinancial businesses and professions, and virtual assets service providers and non-profit organizations in case they violate the present Decree-Law and its Executive Regulation or regulatory decisions in addition to any other related decisions:
             
            1. Warning
               
            2. Administrative fine of no less than AED 50,000 (fifty thousand dirham) and no more than AED 5,000,000 (five million dirham) for each violation.
               
            3. Banning the violator from working in the sector related to the violation for the period determined by the supervisory authority.
               
            4. Constraining the powers of the Board members, supervisory or executive management members, managers or owners who are proven to be responsible for the violation, including the appointment of temporary supervisor.
               
            5. Arresting managers, board members and supervisory and executive management members who are proven to be responsible for the violation for a period to be determined by the Supervisory Authority or request their removal.
               
            6. Arrest or restrict the activity or the profession for a period to be determined by the supervisory authority.
               
            7. Cancel the License.
               
          2. Except for paragraph (g) of Clause (1) of this Article, the Supervisory Authority may, upon imposing the administrative penalties, request regular reports on the measures taken to correct the violation.
             
          3. In any case, the Supervisory Authority shall publish the administrative penalties through various means of publication.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          1- The Supervisory Authority shall impose the following administrative penalties on the Financial Institutions, Designated Nonfinancial Businesses and Professions and Non-Profit Organisations in case they violate the present Decree Law and its Executive Regulation:

          a) Warning

          b) Administrative fines of no less than AED 50,000 (fifty thousand dirham) and no more than AED 5,000,000 (five million dirham) for each violation.

          c) Banning the violator from working in the sector related to the violation for the period determined by the supervisory authority.

          d) Restricting the powers of the Board members, supervisory or executive management members, managers or owners who are proven to be responsible for the violation, including the appointment of temporary inspector.

          e) Suspending managers, board members and supervisory and executive management members who are proven to be responsible for the violation for a period to be determined by the Supervisory Authority or request their removal.

          f) Suspending or restricting the practice of the activity or the profession for a period to be determined by the supervisory authority.

          g) Cancelling the License.

          2- Except for paragraph (g) of Clause (1) of this Article, the Supervisory Authority may, upon imposing the administrative penalties, request regular reports on the measures taken to correct the violation.

          3- In any case, the Supervisory Authority shall publish the administrative penalties through various means of publication.

           

        • Article (15)

          The Financial institutions and designated nonfinancial businesses and professions, in addition to the virtual assets service providers, shall, upon suspicion or if they have reasonable grounds to suspect a transaction or funds representing all or some proceeds, or suspicion of their relationship to the Crime or that they will be used regardless of their value, inform the Unit without delay, directly, and provide the Unit with a detailed report including all the data and information available regarding that transaction and the parties involved, and provide any additional information required by the Unit, with no right to object under the confidentiality provisions.

          However, lawyers, notaries, other legal professionals and independent legal auditors shall be exempted from this provision if the information related to these operations has been obtained subject to professional confidentiality.

          The Executive Regulation of the present Decree-Law shall determine the rules, controls and cases of the obligation to report suspicious transactions.

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          The Financial Institutions and Designated Nonfinancial Businesses and Professions shall, upon suspicion or if they have reasonable grounds to suspect a transaction or Funds representing all or some Proceeds, or suspicion of their relationship to the Crime or that they will be used regardless of their value, inform the FIU directly and without delay, and provide the FIU with a detailed report including all the data and information available regarding that transaction and the parties involved, and provide any additional information required by the FIU, with no right to object under the confidentiality provisions. Lawyers, notaries, other legal professionals and independent legal auditors shall be exempted from this provision if the information related to these Transactions has been obtained subject to professional confidentiality. The Executive Regulation of the present Decree Law shall determine the rules, controls and cases of the obligation to report suspicious transactions.

           

        • Article (16)

          1- Financial Institutions and Designated Nonfinancial Businesses and Professions shall:

          a) Identify the Crime risks within its scope of work as well as continuously assess, document, and update such assessment based on the various risk factors established in the Executive Regulation of this Decree Law and maintain a risk identification and assessment analysis with its supporting data to be provided to the Supervisory Authority upon request.

          b) Take the necessary due diligence measures and procedures and define their scope, taking into account the various risk factors and the results of the national risk assessment and retain the records received during the implementation of this process. The Executive Regulation of the present Decree Law shall specify the cases in which such procedures and measures are applied, and the conditions for deferring the completion of a Customer or a Beneficial Owner identity verification.

          c) Refrain from opening or conducting any financial or commercial transaction under an anonymous or fictitious name or by pseudonym or number, and maintaining a relationship or providing any services to it.

          d) Develop internal policies, controls and procedures approved by senior management to enable them to manage the risks identified and mitigate them, and to review and update them continuously, and apply this to all subsidiaries and affiliates in which they hold a majority stake; the Executive Regulations of this Decree Law shall specify what should be included in said policies, controls and procedures.

          e) Immediate implementation of the directives issued by the Competent Authorities in the State for implementing the resolutions issued by the United Nations Security Council under Chapter (7) of UN Charter for the Prohibition and Suppression of the Financing of Terrorism, and Proliferation of weapons of mass destruction and their financing, and other related directives.

          f) Maintain all records, documents, and data for all transactions, whether local or international, and make this information available to the competent authorities promptly upon request, as stipulated in the Executive Regulation of this Decree Law.

          g) Any other obligations stipulated in the Executive Regulation of this Decree Law.

          2- For the purposes of this Decree Law, the Executive Regulation of this Decree Law shall regulate the following:

          a) The obligations of Non-Profit Organisations.

          b) Retaining information and records by the registrar, to be provided upon request and taking procedures for access by the public.

          c) Retaining information and records by the legal person and legal arrangement, and making it available upon request.

          Article (16) bis*

          1. Any natural or legal person may not engage in the activities of virtual assets service providers or any of the financial activities without a license, registration or registration, as the case may be, from the competent supervisory authorities.
             
          2. For the purposes of this Decree-Law, the Executive Regulations shall regulate the obligations of virtual assets service providers.

          *Article (16) bis has been added by Federal Decree-Law No. (26) of 2021.

        • Article (17)

          All authorities shall abide by the confidentiality of the information obtained in relation to suspicious transaction or the crimes provided for in this Decree-Law, and such information may not be disclosed except to the extent necessary for use in investigations, prosecutions or cases in violation of the provisions of this Decree-Law.

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          All entities shall abide by the confidentiality of the information obtained in relation to Suspicious Transaction or the Crimes provided for in this Decree Law, and not disclose them except to the extent necessary for use in investigations, prosecutions or cases in violation of the provisions of this Decree Law.

           

        • Article (18)

          1- The competent judicial authority shall, upon request of a judicial authority of another country bound by an enforceable agreement with the State or by virtue of the reciprocity principle, provide judicial assistance in relation to investigation, court trials or procedures relevant to the Crime and issue orders as follows:

          a) Identify, freeze, seize or confiscate any Funds, Proceeds, or Instrumentalities or their equivalent, generated from the Crime or used or intended to be used in the Crime or take any other procedures applicable under the enforceable legislation in the State, including, to provide records retained by Financial Institutions, or Designated Nonfinancial Businesses and Professions or Non-Profit Organisations, and to inspect persons and buildings, and to collect witnesses’ statements, gather evidence, and use investigative methods including undercover operations, intercepting communications, collecting electronic data and controlled delivery.

          b) Hand over and hand back persons and items relevant to the Crime in a prompt manner in accordance with the legislation applicable in the State.

          2- The Competent Authorities shall exchange information related to the Crime promptly with the foreign counterparts, respond to requests made by any competent entity in the foreign countries which are bound by an applicable convention with the State or in accordance with the reciprocity principle. The Competent Authorities shall gather information from the relevant authorities in the State and take the necessary action to ensure the confidentiality of the information and use it only for its intended purpose stated in the request for information and in accordance with applicable legislation in the State.

        • Article (19)

          1. Competent Authorities shall give priority to requests for international cooperation related to countering money laundering and combating terrorism financing and ensure prompt handling of those requests and take efficient measures to ensure the confidentiality of the information received.
             
          2. In application of the present Decree-Law, the request for international cooperation shall not be rejected based on any of the following grounds:
             
            1. That the crime involves tax and financial affairs.
               
            2. That the crime is political or related to politics.
               
            3. That the confidentiality provisions apply to financial institutions and designated nonfinancial businesses and professions without prejudice to the legislation applicable in the State.
               
            4. That the request is connected to a crime under investigation or judicial prosecution in the UAE unless the request will impede the investigation or prosecution.
               
            5. Any other cases mentioned in the Executive Regulation hereof.
               
          3. The rules, controls and procedures governing international cooperation are contained in the Executive Regulation of this Decree-Law.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          1- Competent Authorities shall give priority to requests for international cooperation related to Anti-Money Laundering and Combating Financing of Terrorism and ensure prompt execution of those requests and take efficient measures to ensure the confidentiality of the information received.

          2- In application of the present Decree Law, the request for international cooperation shall not be rejected based on any of the following grounds:

          a) That the Crime involves tax and financial affairs

          b) That the Crime is political or related to politics.

          c) That the confidentiality provisions apply to Financial Institutions and Designated Nonfinancial Businesses and professions without prejudice to the legislation applicable in the State.

          d) That the request is connected to a Crime under investigation or judicial prosecution in the State unless the request will impede the investigation or prosecution.

          e) Any other cases mentioned in the Executive Regulation of this Decree Law.

          3- The rules, controls and procedures governing international cooperation are contained in the Executive Regulation of this Decree Law.

           

        • Article (20)

          Any court injunction or court decision providing for the confiscation of Funds, Proceeds or Instrumentalities relating to Money-Laundering, Financing of Terrorism or Financing Illegal Organisations may be recognised if issued by a court or judicial authority of another state with which the State has entered into a ratified convention.

        • Article (21)

          The imposition of penalties provided for in this Decree Law shall not prejudice any harsher penalty provided for in any other law.

        • Article (22)

          1. Any person who commits or attempts to commit any of the acts set forth in Clause (1) of Article 2 of this Decree-Law shall be sentenced to imprisonment for a period not exceeding ten years and to a fine of no less than (100,000) AED one hundred thousand and not exceeding (5,000,000) AED five million or either one of these two penalties.
             
          2. A temporary imprisonment and a fine of no less than AED 300,000 (three hundred thousand dirham) and no more than AED 10,000,000 (ten million dirham) shall be applied if the perpetrator of a money laundering crime commits any of the following acts:
             
            1. If he abuses his influence or the power granted to him by his profession or professional activities.
            2. If the crime is committed through a non-profit organization.
            3. If the crime is committed through an organized crime group.
            4. In case of recidivism.
               
          3. An attempt to commit a money laundering offense shall be punishable by the full penalty prescribed for it.
             
          4. A life imprisonment sanction or temporary imprisonment of no less than (10) ten years and penalty of no less than AED 300,000 (three hundred thousand dirham) and no more than AED 10,000,000 (ten million dirham) is applied to anyone who uses Proceeds for terrorist financing.
             
          5. A temporary imprisonment sanction and a penalty of no less than AED 300,000 (three hundred thousand dirham) and no more than AED 10,000,000 (ten million dirham) shall be applicable to anyone who uses the Proceeds in financing illegal organizations.
             
          6. The Court may, at the request of the Attorney General, his delegate, or on its own initiative, commute or exempt from the sentence imposed on the offenders if they provide the judicial or administrative authorities with information relating to any of the offenses punishable in this article, when this leads to the disclosure, prosecution, arrest of the perpetrators or seizure of its proceeds.

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          1- Any person who commits any of the acts set forth in Clause (1) of Article (2) of this Decree Law shall be sentenced to imprisonment for a period not exceeding ten years and to a fine of no less than (100,000) one hundred thousand dirham and not exceeding (5,000,000) five million dirham or either one of these two penalties.

          A temporary imprisonment and a fine of no less than (300,000) three hundred thousand dirham and no more than (10,000,000) ten million dirham shall be applied if the perpetrator commits Money Laundering Crime in any of the following situations:

          a) If he abuses his influence or the power granted to him by his employment or professional activities.

          b) If the Crime is committed through a Non-Profit Organisation.

          c) If the Crime is committed through an organized crime group.

          d) In case of recidivism

          2- An attempt to commit a Money Laundering offense shall be punishable by the full penalty prescribed for it

          3- A life imprisonment sanction or temporary imprisonment of no less than (10) ten years and penalty of no less than (300,000) three hundred thousand dirham and no more than (10,000,000) ten million dirham is applied to anyone who uses Proceeds for Financing of Terrorism.

          4- A temporary imprisonment sanction and a penalty of no less than (300,000) three hundred thousand dirham and no more than (10,000,000) ten million dirham shall be applicable to anyone who uses the Proceeds in Financing Illegal Organisations.

          5- The Court may commute or exempt from the sentence imposed on the offenders if they provide the judicial or administrative authorities with information relating to any of the offenses punishable in this Article, when this leads to the disclosure of the Crime or its perpetrators, or the verification of the Crime against them or arrest of any of the perpetrators.

           

        • Article (23)

          1. A penalty of no less than AED 500,000 (five hundred thousand) and no more than AED 50,000,000 (fifty million dirham) shall apply to any legal person whose representatives or managers or agents commit for its account or its name any of the crimes mentioned in this Decree-Law.
             
          2. If the legal person is convicted of a terrorism financing crime or financing illegal organizations, the court will order its dissolution and closure of its offices where its activity is performed.
             
          3. Should a legal person be convicted of any of the crimes stipulated in Clause (1) of Article (2) or Article (8) of this Decree-Law, the court may prevent it from practicing its activity for a specified period, or cancel the license, restriction or registration to practice activity.
             
          4. Upon issuance of the indictment, the court shall order the publishing of a summary of the judgment by the appropriate means at the expense of the condemned party.
             
          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          1- A penalty of no less than (500,000) five hundred thousand dirham and no more than (50,000,000) fifty million dirham shall apply to any legal person whose representatives or managers or agents commit for its account or its name any of the Crimes mentioned in this Decree Law.

          2- If the legal person is convicted of the crime of Financing of Terrorism, the court shall order its dissolution and closure of its offices where its activity is performed.

          3- Upon issuance of the indictment, the court shall order the publishing of a summary of the judgment by the appropriate means at the expense of the condemned party.

           

        • Article (24)

          Imprisonment and a fine of no less than (100,000) one hundred thousand dirham and no more than (1,000,000) one million dirham or any of those two sanctions is applied to anyone who violates on purpose or by gross negligence the provision of Article (15) of this Decree Law.

        • Article (25)

          Imprisonment for no less than one year and a penalty of no less than AED 100,000 (one hundred thousand dirham) and no more than AED 500,000 (five hundred thousand dirham) or any of these two sanctions shall apply to anyone who notifies or warns a person or reveals any transaction under review in relation to suspicious transactions or being investigated by the Competent Authorities or to investigate them or any information related to a violation of the provisions of Article (17) of this Decree-Law.

          Article (25) bis

          Imprisonment for no less than (3) three months and a penalty of no less than AED 50,000 (fifty thousand dirham) or any of these two sanctions shall apply to whoever possesses, conceals or performs any operation of funds when there is sufficient evidence or presumption of the illegality of its source.

          Upon conviction, the court shall rule for confiscation in accordance with the provisions of Article 26 of this Decree-Law.

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version. To view the previous version, click the version box below.
          Version 1(effective from 23/10/2018 to 13/09/2021)

           

          Imprisonment for no less than six months and a fine of no less than (100,000) one hundred thousand dirham and no more than (500,000) five hundred thousand dirham or any of these two sanctions shall apply to anyone who notifies or warns a person or reveals transaction under review in relation to Suspicious Transactions or being investigated by the Competent Authorities.

           

        • Article (26)

          1. The court shall, once the perpetration of the crime is verified, confiscate the following:
             
            1. Funds subject matter of the crime, proceeds and instrumentalities.
            2. Any funds owned by the perpetrator with an equivalent value to the funds, proceeds and instrumentalities mentioned in paragraph (a) of this clause if it fails to confiscate those funds.

          If it is not possible to rule for the confiscation of funds, proceeds or instrumentalities due to their failure to seize them or because they are related to the rights of bona fide third parties, the court shall pass a fine equivalent to its value at the time of the crime.

          2. The confiscation shall be imposed irrespective of whether the funds, proceeds, or instrumentalities are owned by or in possession of the perpetrator or a third party without prejudice to the rights of third party acting in good faith.
             
          3. The fact that the offender is unknown, lack of his criminal responsibility, or the criminal case for a crime punishable under the provisions of this Decree-Law has elapsed does not preclude the competent court from ruling on its own or at the request of the Public Prosecution, as the case may be, to confiscate the seized funds, proceeds and instrumentalities if it is proven that they are related to the same.
             
          4. Without prejudice to the rights of bona fide third parties, any contract or act where the parties, or any one of them or otherwise are aware that such contract or act aims at impacting the ability of the competent authorities to enforce the seizure, freezing or the execution of the confiscation order, shall be void.

          Article (16) bis

          Imprisonment for no less than six months and a penalty of no less than AED 200,000 (two hundred thousand dirham) and no more than AED 5,000,000 (five million dirham) or any of these two sanctions shall apply to anyone who violates the provisions of Article (16) bis of this Decree-Law.

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          1- The court shall, once the perpetration of the Crime is verified, confiscate the following:

          a) Funds of the Crime, proceeds and instrumentalities used or intended to be used in the Crime.

          b) Any Funds owned by the perpetrator with an equivalent value to the Funds and Proceeds mentioned in paragraph (a) of this clause if it fails to confiscate those funds.

          2- The confiscation shall be imposed irrespective of whether the Funds, Proceeds, or Instrumentalities are owned by or in possession of the perpetrator or a third party without prejudice to the rights of third party acting in good faith.

          3- In the cases of the death of the accused in a Crime punishable under the Decree Law or the perpetrator’s identity being unknown shall not prevent the public prosecution from referring the case file to the competent court to issue an order to confiscate the seized Funds, Proceeds and Instrumentalities if it is established that they were related to the Crime.

          4- Without prejudice to the rights of bona fide third parties, any contract or act where the parties, or any one of them or otherwise are aware that such contract or act aims at impacting the ability of the competent authorities to enforce the seizure, freezing or the execution of the confiscation order, shall be void.

           

        • Article (27)

          Supervisory authorities, FIU, Law Enforcement Authorities, Financial Institutions, Designated Nonfinancial Businesses and Professions, their board members, employees and legally authorized representatives are exempted from criminal, civil or administrative responsibility in relation to their providing any requested information or violating any obligation under legislative, contractual and administrative directives aimed at securing confidentiality of information unless the disclosure is made in bad faith or with the intent of causing damages to others.

        • Article (28)

          Imprisonment of no less than a year and no more than (7) seven years, or a fine of no less than AED 50,000 (fifty thousand dirham) and no more than AED 5,000,000 (five million dirham) shall be applied to any person who violates the instruction issued by the Competent authority in the State for the implementation of the directives of UN Security Council under Chapter (7) of UN Convention for the Suppression of the Financing of Terrorism and Proliferation of Weapons of Mass Destruction and other related decisions

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          Imprisonment or a fine of no less than (50,000) fifty thousand dirham and no more than AED (5,000,000) five million dirham shall be applied to any person who violates the instruction issued by the Competent Authority in the State for the implementation of the resolutions of United Nations Security Council under Chapter (7) of UN charter for the Suppression of the Financing of Terrorism and Proliferation of Weapons of Mass Destruction and its financing and other related decisions.

           

        • Article (29)

          1. If any foreigner is convicted of a money laundering crime or any felonies mentioned in this Decree-Law, and is given a sanction restricting his freedom, he must be deported from the UAE
             
          2. Without prejudice to Clause (1) of this article, if any foreign person is convicted for other criminal offences provided hereunder this Decree-Law, and is given a sentence restricting his freedom, the court may decide to deport him from the UAE or order him to be deported instead of imposing a sanction restricting his freedom
             
          3. The criminal case shall not be subject to the statute of limitations for money laundering or financing terrorism or illegal organizations crimes. The sanctions shall not lapse with time or with the lapse of any related civil legal cases due to statute of limitations
             
          4. This Decree Law shall not prejudice the provisions of refereed Federal Law (7) of 2014
             
          5. The Financing of Illegal organizations is considered a crime if its purpose is to undermine the internal security of the State or its vital interests thereof and terrorism financing crime and the offense punishable in Article (28) of this Decree-Law are considered as crimes intended to undermine the internal and external security of the State

           

          This article has been amended by Federal Decree-Law No. (26) of 2021. You are viewing the latest version.
          Version 1 (effective from 23/10/2018 to 13/09/2021)

           

          1- If any foreigner is convicted of a Money Laundering Crime or any felony mentioned in this Decree Law, and is given a sanction restricting his freedom, he must be deported from the State.

          2- Without prejudice to Clause (1) of this Article, if any foreign person is convicted for other offences provided hereunder this Decree Law, and is given a sentence restricting his freedom, the court may decide to deport him from the State or order him to be deported instead of imposing a sanction restricting his freedom.

          3- The criminal case shall not be subject to the statute of limitations for Money Laundering or Financing of Terrorism or Financing Illegal Organisations Crimes. The sanctions shall not lapse with time or with the lapse of any related civil legal cases due to statute of limitations.

          4- This Decree Law shall not prejudice the provisions of refereed Federal Law no. (7) of 2014.

          5- The Financing of Illegal Organisations is considered a Crime if its purpose is to undermine the internal security of the State or its vital interests thereof and Financing of Terrorism Crimes are considered as crimes intended to undermine the internal and external security of the State.

           

        • Article (30)

          Imprisonment and a fine or one of the two penalties shall be imposed on anyone who intentionally fails to declare or refrains from providing additional information upon request from him, or deliberately conceals information that must be declared or deliberately presents incorrect information, in violation of the provisions provided for in Article (8) of this Decree Law. Upon conviction, the Court may rule on the confiscation of seized Funds without prejudice to the rights of others acting in good faith.

        • Article (31)

          Imprisonment or a fine of no less than (10,000) ten thousand dirhams and no more than (100,000) one hundred thousand dirhams shall be applied to any person who violates any other provision of this Decree Law.

        • Article (32)

          Employees designated per decision issued by the Minister of Justice, in coordination with the Governor, shall, in establishing acts occurring in violation of the provisions of this Decree Law or its Executive Regulation or the decisions issued thereunder, have the capacity of judicial officers.

        • Article (33)

          The Cabinet of Ministers shall issue the Executive Regulation of this Decree Law based upon the proposal of the Minister.

        • Article (34)

          1- Any provision that violates or conflicts with the provisions of this Decree Law shall be revoked.

          2- Federal Law no. (4) of 2002 on the criminalization of money laundering shall be abrogated.

        • Article (35)

          The present Decree Law shall be published in the Official Gazette and shall enter into effect one month from the date of publication.

      • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations

        IA-BOD-RES 10/2019 Effective from 10/2/2019

        The Cabinet,

        - Pursuant to the perusal of the Constitution;

        - Federal Law No. (1) of 1972 concerning the Competencies of Ministries and Powers of the Ministers and its amendments;

        - Federal Decretal-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations; and

        Based on the proposal of the Minister of Finance and the approval of the Cabinet,

        Has issued the following:

        • Chapter 1 Definitions

          • Article (1)

            In application of the provisions of the present Decision, the following terms and expressions shall have the meanings assigned to them unless the context requires otherwise:

            State: United Arab Emirates

            Minister: Minister of Finance

            Central Bank: Central Bank of United Arab Emirates

            Governor: Governor of the Central Bank

            Committee: National Committee for Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

            FIU: Financial Intelligence Unit

            Supervisory Authority: Federal and local authorities, which are entrusted by legislation to supervise Financial Institutions, Designated Non-Financial Businesses and Professions and Non-Profit Organisations or the competent authority in charge of approving the pursuit of an activity or a profession in case a supervisory authority is not assigned by legislations.

            Law Enforcement Authorities: Federal and local authorities which are entrusted under applicable legislation to combat, search, investigate and collect evidences on the crimes including ML/FT and financing illegal organisations crimes.

            Competent Authorities: The competent government authorities entrusted with the implementation of any provision of the Decretal-Law in the State.

            Predicate Offence: Any act constituting a felony or misdemeanour under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.

            Money Laundering: Any of the acts mentioned in Clause (1) of Article (2) of the Decretal-Law.

            Financing of Terrorism: Any of the acts mentioned in Articles (29) and (30) of Federal Law no. (7) of 2014 on combating terrorism offences.

            Illegal Organisations: Organisations whose establishment is criminalised or which pursue a criminalised activity.

            Financing of Illegal Organisations: Any physical or legal action aiming at providing funding to an illegal organisation, or any of its activities or members.

            Crime: Money laundering crime and related Predicate Offences, or Financing of Terrorism or Illegal Organisations.

            Funds: Assets in whatever form, whether tangible, intangible, movable or immovable including national currency, foreign currencies, documents or notes evidencing the ownership of those assets or associated rights in any form including electronic or digital forms or any interests, profits or income originating or earned from these assets.

            Proceeds: Funds generated directly or indirectly from the commitment of any felony or misdemeanour including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.

            Means: Any means used or intended to be used for the commission of an offence or felony.

            Suspicious Transactions: Transactions related to funds for which there are reasonable grounds to suspect that they are earned from any felony or misdemeanour related to the financing of terrorism or of illegal organisations, whether committed or attempted.

            Freezing or Seizure: Temporary restriction over the moving, conversion, transfer, replacement or disposition of funds in any form, by an order issued by a Competent Authority.

            Confiscation: Permanent expropriation of private funds or proceeds or instrumentalities by an injunction issued by a competent court.

            Financial Institutions: Anyone who conducts one or several of the financial activities or operations of /or on behalf of a Customer.

            Intermediary Financial Institution: The Financial Institution that receives and sends wire transfer between the Ordering Financial Institution and the Beneficiary Financial institution or another Intermediary Financial Institution.

            Beneficiary Financial Institution: The Financial Institution that receives a wire transfer from an Ordering Financial Institution directly or indirectly via an Intermediary Financial Institution and makes funds available to the beneficiary.

            Financial Transactions or Activities: Any activity or transaction defined in Article (2) of the present Decision.

            Designated Nonfinancial Businesses and Professions (DNFBPs): Anyone who conducts one or several of the commercial or professional activities defined in Article (3) of the present Decision.

            Non-Profit Organisations (NPOs): Any organised group, of a continuing nature set for a temporary or permanent time period, comprising natural or legal persons or not for profit legal arrangements for the purpose of collecting, receiving or disbursing funds for charitable, religious, cultural, educational, social, communal or any other charitable activities.

            Legal Arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality such as trusts or other similar arrangements.

            Trust: A legal relationship in which a settlor places funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.

            Settlor: A natural or legal person who transfers the control of his funds to a Trustee under a document.

            Trustee: A natural or legal person who has the rights and powers conferred to him by the Settlor or the Trust, under which he administers, uses, and acts with the funds of the Settlor in accordance with the conditions imposed on him by either the Settlor or the Trust.

            Customer: Anyone who performs or attempts to perform any of the acts defined in Articles (2) and (3) of the present Decision with any Financial Institution or Designated Non-Financial Business or Profession.

            Transaction: All disposal or use of Funds or proceeds including for example: deposit, withdrawal, conversion, sale, purchase, lending, swap, mortgage, and donation.

            Beneficial Owner: The natural person who owns or exercises effective ultimate control, directly or indirectly, over a Customer or the natural person on whose behalf a Transaction is being conducted or, the natural person who exercises effective ultimate control over a legal person or Legal Arrangement.

            Business Relationship: Any ongoing commercial or financial relationship established between financial institutions, designated non-financial businesses and professions, and their Customers in relation to activities or services provided by them.

            Correspondent Banking Relationship: Relationship between a correspondent financial institution and a respondent one through a current account or any other type of account(s) or through a service related to such an account and includes a corresponding relationship established for the purpose of securities transactions or transfer of funds.

            Intermediary Account: Corresponding account used directly by a third party to conduct a transaction on its own behalf.

            Financial Group: A group of financial institutions that consists of holding companies or other legal persons exercising the control over the rest of the group and coordinating functions for the application of supervision on the group, branch, and subsidiary level, in accordance with the international core principles for financial supervision, and AML/CFT policies and procedures.

            Core Principles for Financial Supervision: Basel Committee on Banking Supervision (BCBS) Principles 1-3, 5-9, 11-15, 26, and 29; International Association of Insurance Supervisors (IAIS) Principles 1, 3-11, 18, 21-23, and 25; and International Organisation of Securities Commission (IOSCO) Principles 24, 28, 29 and 31; and Responsibilities A, B, C and D.

            Wire Transfer: Financial transaction conducted by a financial institution or through an intermediary institution on behalf of a transferor whose funds are received by a beneficiary in another financial institution, whether or not the transferor and the beneficiary are the same person.

            Shell Bank: Bank that has no physical presence in the country in which it is incorporated and licensed, and is unaffiliated with a regulated financial group that is subject to effective consolidated supervision.

            Registrar: The entity in charge of supervising the register of commercial names for all types of establishments registered in the State.

            Customer Due Diligence (CDD): Process of identifying or verifying the information of a Customer or Beneficial Owner, whether a natural or legal person or a legal arrangement, and the nature of its activity and the purpose of the business relationship and the ownership structure and control over it for the purposes of the Decretal-Law and this Decision.

            Controlled Delivery: The process by which a competent authority allows the entering or transferring of illegal or suspicious funds or crime revenues to and from the UAE for the purpose of investigating a crime or identifying the identity of its perpetrators.

            Undercover Operation: The process of search and investigation conducted by one of the judicial impoundment officers by impersonating or playing a disguised or false role in order to obtain evidence or information related to the Crime.

            High Risk Customer: A Customer who represents a risk either in person, activity, business relationship, nature of geographical area, such as a Customer from a high-risk country or non-resident in a country in which he does not hold an identity card, or a Customer having a complex structure, performing complex operations or having unclear economic objective, or who conducts cash-intensive operations, or operations with an unknown third party, or operations without directly confronting any other high risk operations identified by financial institutions, or designated non-financial businesses and professions, or the Supervisory Authority.

            Politically Exposed Persons (PEPs): Natural persons who are or have been entrusted with prominent public functions in the State or any other foreign country such as Heads of States or Governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties and persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation; and the definition also includes the following:

            1. Direct family members of the PEP (spouses, children, spouses of children, parents).
               
            2. Associates known to be close to the PEP, which include:
               
              1. Individuals having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP.
                 
              2. Individuals having individual ownership rights in a legal person or arrangement established in favour of the PEP.

            Decretal-Law: Federal Decretal-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

        • Chapter 2 Financial Institutions, DNFBPs, and Non-Profit Organisations

          • Part 1 Financial Institutions and DNFBPs

            • Section 1

              • Article (2) Activities and Transactions of Financial Institutions and DNFBPs

                The following are considered financial activities and transactions:

                1. Receiving deposits and other funds that can be paid by the public, including deposits in accordance with Islamic Sharia
                   
                2. Providing private banking services
                   
                3. Providing credit facilities of all types
                   
                4. Providing credit facilities of all types, including credit facilities in accordance with Islamic Sharia
                   
                5. Providing cash brokerage services
                   
                6. Financial transactions in securities, finance and financial leasing
                   
                7. Providing currency exchange and money transfer services
                   
                8. Issuing and managing means of payment, guarantees or obligations
                   
                9. Providing stored value services, electronic payments for retail and digital cash.
                   
                10. Providing virtual banking services
                   
                11. Trading, investing, operating or managing funds, option contracts, future contracts, exchange rate and interest rate transactions, other derivatives or negotiable financial instruments
                   
                12. Participating in issuing securities and providing financial services related to these issues
                   
                13. Managing funds and portfolios of all kinds
                   
                14. Saving funds
                   
                15. Preparing or marketing financial activities
                   
                16. Insurance transactions, in accordance with Federal Law No. (6) of 2007 concerning the Establishment of the Insurance Authority and the Organisation of its Operations
                   
                17. Any other activity or financial transaction determined by the Supervisory Authority
              • Article (3)

                Anyone who is engaged in the following trade or business activities shall be considered a DNFBP:
                 

                1. Brokers and real estate agents when they conclude operations for the benefit of their Customers with respect to the purchase and sale of real estate
                   
                2. Dealers in precious metals and precious stones in carrying out any single monetary transaction or several transactions that appear to be interrelated or equal to more than AED 55,000.
                   
                3. Lawyers, notaries, and other independent legal professionals and independent accountants, when preparing, conducting or executing financial transactions for their Customers in respect of the following activities:
                   
                  1. Purchase and sale of real estate.
                     
                  2. Management of funds owned by the Customer.
                     
                  3. Management of bank accounts, saving accounts or securities accounts.
                     
                  4. Organising contributions for the establishment, operation or management of companies.
                     
                  5. Creating, operating or managing legal persons or Legal Arrangements.
                     
                  6. Selling and buying commercial entities.

                   
                4. Providers of corporate services and trusts upon performing or executing a transaction on the behalf of their Customers in respect of the following activities:
                   
                  1. Acting as an agent in the creation or establishment of legal persons;
                     
                  2. Working as or equipping another person to serve as director or secretary of a company, as a partner or in a similar position in a legal person.
                     
                  3. Providing a registered office, work address, residence, correspondence address or administrative address of a legal person or Legal Arrangement.
                     
                  4. Performing work or equipping another person to act as a trustee for a direct Trust or to perform a similar function in favour of another form of Legal Arrangement.
                     
                  5. Working or equipping another person to act as a nominal shareholder in favour of another person.

                   
                5. Other professions and activities which shall be determined by a decision of the Minister
            • Section 2 Identification and Mitigation of Risks

              • Article (4)

                1. Financial institutions and DNFBPs are required to identify, assess, and understand their crime risks in concert with their business nature and size, and comply with the following:
                   
                  1. Considering all the relevant risk factors such as customers, countries or geographic areas; and products, services, transactions and delivery channels, before determining the level of overall risk and the appropriate level of mitigation to be applied.
                     
                  2. Documenting risk assessment operations, keeping them up to date on an ongoing basis and making them available upon request.
                     
                2. Financial Institutions and DNFBPs shall commit to take steps to mitigate the identified risks mentioned as per Clause (1) herein, taking into consideration the results of the National Risk Assessment, by the following:
                   
                  1. Developing internal policies, controls and procedures that are commensurate with the nature and size of their business and are approved by senior management, to enable them to manage the risks that have been identified, and if necessary, to monitor the implementation of such policies, controls and procedures and enhance them as per Article (20) of the present Decision.
                     
                  2. Applying CDD measures to enhance high risks management once identified. Examples include:
                     
                    1. Obtaining more information and investigating this information such as information relating to the Customer and Beneficial Owner identity, or information relating to the purpose of the business relationship or reasons of the transaction.
                       
                    2. Updating the CDD information of the Customer and Beneficial Owner more systematically.
                       
                    3. Taking reasonable measures to identify the source of the funds of the Customer and Beneficial Owner.
                       
                    4. Increasing the degree and level of ongoing business relationship monitoring and examination of transactions in order to identify whether they appear unusual or suspicious.
                       
                    5. Obtaining the approval of senior management to commence the business relationship with the Customer.
                       
                3. In case the requirements stipulated in Clauses (1 and 2) above are met, the Financial Institutions and DNFBPs shall be permitted to apply simplified CDD measures to manage and limit the identified low risks, unless there is suspicion of a committed Crime. The simplified CDD measures should be commensurate with the low risk factors. These include the following, as examples:
                  1. Verifying the identity of the Customer and Beneficial Owner after establishing the business relationship.
                     
                  2. Updating the Customer’s data based on less frequent intervals.
                     
                  3. Reducing the rate of ongoing monitoring and transaction checks.
                     
                  4. Concluding the purpose and nature of the business relationship based on the type of transactions or the business relationship that has been established, without the need to gather information or perform specific procedures.
            • Section 3 Customer Due Diligence (CDD)

              • Article (5)

                1. Financial Institutions and DNFBPs are required to undertake CDD measures to verify the identity of the Customer and the Beneficial Owner before or during the establishment of the business relationship or opening an account, or before executing a transaction for a Customer with whom there is no business relationship. In cases where there is a low crime risk, it is permitted to complete verification of Customer identity after establishment of the business relationship, under the following conditions:
                   
                  1. The verification will be conducted in a timely manner as of the commencement of business relationship or the implementation of the transaction.
                     
                  2. The delay is necessary in order not to obstruct the natural course of business.
                     
                  3. The implementation of appropriate and effective measures to control the risks of the Crime.
                     
                2. Financial Institutions and DNFBPs are required to take measures to manage the risks in regards to the circumstances where Customers are able to benefit from the business relationship prior to completion of the verification process.
                   
              • Article (6)

                Financial Institutions and DNFBPs should, as the case may be, undertake CDD measures in the following cases:

                1. Establishing the business relationship;
                   
                2. Carrying out occasional transactions in favour of a Customer for amounts equal to or exceeding AED 55,000, whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
                   
                3. Carrying out occasional transactions in the form of Wire Transfers for amounts equal to or exceeding AED 3,500.
                   
                4. Where there is a suspicion of the Crime.
                   
                5. Where there are doubts about the veracity or adequacy of previously obtained Customer's identification data.
                   
              • Article (7)

                Financial Institutions and DNFBPs should undertake CDD measures and ongoing supervision of business relationships, including:

                1. Audit transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information they have about the Customer, their type of activity and the risks they pose, including - where necessary - the source of funds
                   
                2. Ensure that the documents, data or information obtained under CDD Measures are up-to-date and appropriate by reviewing the records, particularly those of high-risk customer categories
                   
              • Article (8)

                1. Financial Institutions and DNFBPs should identify the Customer’s identity, whether the Customer is permanent or walk-in, and whether the Customer is a natural or legal person or legal arrangement, and verify the Customer’s identity and the identity of the Beneficial Owner. This should be done using documents, data or information from a reliable and independent source or any other source for identity verification, as follows:
                   
                  1. For Natural Persons:

                    The name, as in the identification card or travel document, nationality, address, place of birth, name and address of employer, attaching a copy of the original and valid identification card or travel document, and obtain approval from the senior management, if the Customer or the Beneficial Owner is a PEP.
                     
                  2. For Legal Persons and Legal Arrangements:
                     
                    1. The name, Legal Form and Memorandum of Association
                       
                    2. Headquarter office address or the principal place of business; if the legal person or arrangement is a foreigner, it must mention the name and address of its legal representative in the State and submit the necessary documents as a proof.
                       
                    3. Articles of Association or any similar documents, attested by the competent authority within the State.
                       
                    4. Names of relevant persons holding senior management positions in the legal person or legal arrangement.
                       
                2. Financial institutions and DNFBPs are required to verify that any person purporting to act on behalf of the Customer is so authorised, and verify the identity of that person as prescribed in Clause (1) of this Article.
                   
                3. Financial institutions and DNFBPs are required to understand the intended purpose and nature of the business relationship, and obtain, when necessary, information related to this purpose.
                   
                4. Financial institutions and DNFBPs are required to understand the nature of the Customer’s business as well as the Customer’s ownership and control structure.
                   
              • Article (9)

                Financial Institutions and DNFBPs are required to take reasonable measures to verify the identity of the Beneficial Owners of legal persons and Legal Arrangements, by using information, data, or statistics acquired from a reliable source, by the following:

                1. For Customers that are legal persons:

                (a) Obtaining and verifying the identity of the natural person, who by himself or jointly with another person, has a controlling ownership interest in the legal person of 25% or more, and in case of failing or having doubt about the information acquired, the identity shall be verified by any other means.

                (b) In the event of failing to verify the identity of the natural person exercising control as per paragraph (a) of this Clause, or the person(s) with the controlling ownership interest is not the Beneficial Owner, the identity shall be verified for the relevant natural person(s) holding the position of senior management officer, whether one or more persons.

                2. For Customers that are Legal Arrangements:

                Verifying the identity of the Settlor, the Trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, the identity of any other natural person exercising ultimate effective control over the legal arrangement, and obtaining sufficient information regarding the Beneficial Owner to enable the verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.

              • Article (10)

                Financial Institutions and DNFBPs shall be exempted from identifying and verifying the identity of any shareholder, partner, or the Beneficial Owner, if such information is obtainable from reliable sources where the Customer or the owner holding the controlling interest are as follow:

                1. A company listed on a regulated stock exchange subject to disclosure requirements through any means that require adequate transparency requirements for the Beneficial Owner.
                   
                2. A subsidiary whose majority shares or stocks are held by the shareholders of a holding company.
                   
              • Article (11)

                1. In addition to the CDD measures required for the Customer and the Beneficial Owner, Financial Institutions shall be required to conduct CDD measures and ongoing monitoring of the beneficiary of life insurance policies and funds generating transactions, including life insurance products relating to investments and family Takaful insurance, as soon as the beneficiary is identified or designated as follows:
                   
                  1. For the beneficiary identified by name, the name of the person, whether a natural person, a legal person or a legal arrangement, shall be obtained.
                     
                  2. For a beneficiary designated by characteristics or by class – such as a family relation like parent or child, or by other means such as will or estate – it shall be required to obtain sufficient information concerning the beneficiary to ensure that the Financial Institution will be able to establish the identity of the beneficiary at the time of the pay-out.
                     
                2. In all cases – the Financial Institutions should verify the identity of the beneficiary at the time of the payout as per the insurance policy or prior to exercising any rights related to the policy. If the Financial Institution identifies the beneficiary of the insurance policy to be a high-risk legal person or arrangement, then it should conduct enhanced CDD measures to identify the Beneficial Owner of that beneficiary, legal person, or legal arrangement.
                   
              • Article (12)

                Financial Institutions and DNFBPs should apply CDD measures to Customers and the ongoing business relationship on the effective date of the present Decision, within such times as deemed appropriate based on relative importance and risk priority. It should also ensure the sufficiency of data acquired, in case CDD measures were applied before the effective date of the present Decision.

              • Article (13)

                1. Financial Institutions and DNFBPs shall be prohibited from establishing or maintaining a business relationship or executing any transaction should they be unable to undertake CDD measures towards the Customer and should consider reporting a suspicious transaction to the FIU.
                   
                2. Even if they suspect the commission of a Crime, financial institutions and DNFBPs should not apply CDD measures if they have reasonable grounds to believe that undertaking such measures would tip-off the Customer and they should report a Suspicious Transaction to the FIU along with the reasons having prevented them from undertaking such measures.
                   
              • Article (14)

                Financial Institutions and DNFBPs shall commit to the following:

                1. Not to deal in any way with Shell Banks, whether to open bank accounts in their names, or to accept funds or deposits from them.

                2. Not to create or keep records of bank accounts using pseudonyms, fictitious names or numbered accounts without the account holder’s name.
                     
            • Section 4 Politically Exposed Persons (PEPs)

              • Article (15)

                1. In addition to undertaking CDD measures required under Section 3, Part 1 of this Chapter, Financial Institutions and DNFBPs shall be required to carry out the following:

                  First: For Foreign PEPs:
                   
                   
                  1. Put in place suitable risk management systems to determine whether a Customer or the Beneficial Owner is considered a PEP.
                     
                  2. Obtain senior management approval before establishing a business relationship, or continuing an existing one, with a PEP.
                     
                  3. Take reasonable measures to establish the source of funds of Customers and Beneficial Owners identified as PEPs.
                     
                  4. Conduct enhanced ongoing monitoring over such relationship.
                     
                  Second: For Domestic PEPs and individuals previously entrusted with prominent functions at international organisations:
                     
                  1. Take sufficient measures to identify whether the Customer or the Beneficial Owner is considered one of those persons.
                     
                  2. Take the measures identified in Clauses (b), (c), and (d) under the first paragraph of this Article, when there is a high-risk business relationship accompanying such persons.
                     
                2. Financial Institutions shall be required to take reasonable measures to determine the beneficiary or Beneficial Owner of life insurance policies and family takaful insurance. If identified as a PEP, Financial institutions shall inform senior management before the pay-out of those policies, or prior to the exercise of any rights related to them, in addition to thoroughly examining the overall business relationship, and consider reporting to the Unit a suspicious transaction report.
                   
            • Section 5 Suspicious Transaction Reports (STRs)

              • Article (16)

                Financial Institutions and DNFBPs shall put in place indicators that can be used to identify the suspicion on the occurrence of the Crime in order to report STRs, and shall update these indicators on an ongoing basis, as required, in accordance with the development and diversity of the methods used for committing such crimes, whilst complying with any instructions the Supervisory Authorities or FIU may issue in this regard.

              • Article (17)

                1. If Financial Institutions and DNFBPs have reasonable grounds to suspect that a Transaction, attempted Transaction, or funds constitute crime proceeds in whole or in part, or are related to the Crime or intended to be used in such activity, regardless of the amount, they shall adhere to the following without invoking bank secrecy or professional or contractual secrecy:
                   
                  1. Directly report STRs to the FIU without any delay, via the electronic system of the FIU or by any other means approved by the FIU
                     
                  2. Respond to all additional information requested by the FIU.
                     
                2. Lawyers, notary publics, other legal stakeholders and independent legal auditors shall be exempt from Clause (1) of this Article, if obtaining this information regarding such Transactions relates to the assessment of their Customers’ legal position, or defending or representing them before judiciary authorities or in arbitration or mediation, or providing legal opinion with regards to legal proceedings, including providing consultation concerning the initiation or avoidance of such proceedings, whether the information was obtained before or during the legal proceedings, or after their completion, or in other circumstances where such Customers are subject to professional secrecy.
                   
                3. Financial Institutions and DNFBPs, their board members, employees and authorised representatives shall not incur any administrative, civil or criminal liability when reporting to the Unit or providing information in good faith.
                   
              • Article (18)

                1. Financial Institutions and DNFBPs, their managers, officials or staff, shall not disclose, directly or indirectly, to the Customer or any other person(s) that they have reported, or are intending to report a Suspicious Transaction, nor shall they disclose the information or data contained therein, or that an investigation is being conducted in that regard.
                   
                2. When lawyers, notaries, other independent legal professionals, and legal independent auditors attempt to discourage their Customers from committing a violation, they shall not be considered to have made a disclosure.
                   
            • Section 6 Reliance on a Third Party

              • Article (19)

                1. Taking into consideration the high-risk countries identified by the Committee, the Financial Institutions and DNFBPs shall be permitted to rely on a third party to undertake the necessary CDD measures towards Customers as per Section 3 of Part 1 of this Chapter, and each of the Financial Institution and the DNFBP shall be responsible for the validity of these CDD measures, and shall do the following:
                   
                  1. Immediately obtain, from third parties, the necessary identification data and other necessary information collected through the CDD measures and ensure that copies of the necessary documents for such measures can be obtained without delay and upon request.
                     
                  2. Ensure that the third party is regulated and supervised, and adheres to the CDD measures towards Customers and record-keeping provisions of the present Decision.
                     
                2. Financial Institutions and DNFBPs, who rely on third parties that are part of the same Financial Group, shall ensure that:
                   
                  1. The Financial Group applies the CDD, PEP, and record-keeping requirements and implements programs for combating the Crime in accordance with Sections 3, 4, 11 of Part 1 of this Chapter and Article (31) of this Decision, and the Financial Group is subject to supervision in that regard.
                     
                  2. The Financial Group sufficiently mitigates any high risks linked to countries through its own policies and controls for combating the Crime.
                     
            • Section 7 Internal Supervision and Foreign Branches and Subsidiaries

              • Article (20)

                Financial Institutions and DNFBPs shall have internal policies, procedures and controls for combating the Crime, that should be commensurate with the Crime risks, and with the nature and size of their business, and to continuously update them, and to apply them to all its branches and subsidiaries in which it holds majority interest, including the following:

                1. CDD measures towards Customers as required in accordance with the Decretal-Law and the present Decision, including procedures for the risk management of business relationships prior to completing the verification process.
                   
                2. Procedures for the reporting of Suspicious Transactions.
                   
                3. Appropriate arrangements for compliance management for combating the Crime, including appointing a compliance officer
                   
                4. Screening procedures to ensure the availability of high competence and compatibility standards when hiring staff
                   
                5. Preparation of periodic programs and workshops in the field of combatting the Crime to build the capabilities of compliance officers and other competent employees.
                   
                6. An independent audit function to test the effectiveness and adequacy of internal policies, controls and procedures relating to combating the Crime.
                   
            • Section 8 Compliance Officer Tasks

              • Article (21)

                Financial Institutions and DNFBPs shall appoint a compliance officer. The compliance officer shall have the appropriate competencies and experience and, under his or her own responsibility, shall perform the following tasks:

                1. Detect Transactions relating to any Crime.
                   
                2. Review, scrutinise and study records, receive data concerning Suspicious Transactions, and take decisions to either notify the FIU or maintain the Transaction with the reasons for maintaining while maintaining complete confidentiality.
                   
                3. Review the internal rules and procedures relating to combating the Crime and their consistency with the Decretal-Law and the present Decision, assess the extent to which the institution is committed to the application of these rules and procedures, propose what is needed to update and develop these rules and procedures, prepare and submit semi-annual reports on these points to senior management, and send a copy of that report to the relevant Supervisory Authority enclosed with senior management remarks and decisions.
                   
                4. Prepare, execute and document ongoing training and development programs and plans for the institution’s employees on Money Laundering and the Financing of Terrorism and Financing of Illegal Organisations, and the means to combat them.
                   
                5. Collaborate with the Supervisory Authority and FIU, provide them with all requested data, and allow their authorised employees to view the necessary records and documents that will allow them to perform their duties.
                   
            • Section 9 High-Risk Countries

              • Article (22)

                1. Financial Institutions and DNFBPs shall implement enhanced CDD measures based on the level of risk that might arise from business relationships and Transactions with natural or legal persons from high-risk countries.
                   
                2. Financial Institutions and DNFBPs shall implement CDD measures as defined by the Committee regarding High Risk Countries.
                   
            • Section 10 Requirements relating to New Technologies

              • Article (23)

                1. Financial institutions and DNFBPs shall identify and assess the risks of money laundering and terrorism financing that may arise when developing new products and new professional practices, including means of providing new services and using new or under-development techniques for both new and existing products.
                   
                2. Financial Institutions and DNFBPs shall assess risks prior to the release of products, practices or techniques, and take appropriate measures to manage and mitigate such risks.
                   
            • Section 11 Record-keeping

              • Article (24)

                1. Financial Institutions and DNFBPs shall maintain all records, documents, data and statistics for all financial transactions and local or international commercial and cash transactions for a period of no less than five years from the date of completion of the transaction or termination of the business relationship with the Customer.
                   
                2. Financial institutions and DNFBPs shall keep all records and documents obtained through CDD measures, ongoing monitoring, account files and business correspondence, and copies of personal identification documents, including STRs and results of any analysis performed, for a period of no less than five years from the date of termination of the business relationship or from the closing date of the account to Customers who maintain accounts with these institutions or after the completion of a casual transaction or from the date of completion of the inspection by the Supervisory authorities, or from the date of issuance of a final judgment of the competent judicial authorities, all depending on the circumstances.
                   
                3. The records, documents and documents kept shall be organised so as to permit data analysis and tracking of financial transactions.
                   
                4. Financial Institutions and DNFBPs shall make all Customer information regarding CDD towards Customers, ongoing monitoring and results of their analysis, records, files, documents, correspondence and forms available immediately to the competent authorities upon request.
                   
          • Part 2 Requirements for Financial Institutions

            • Section 1 Correspondent Banking Relationship

              • Article (25)

                1. Before entering into correspondent banking or any other similar relationship, financial institutions shall take the following measures:
                   
                  1. Refrain from entering into or maintaining a correspondent banking relationship with Shell Banks or with an institution that allows their accounts to be used by Shell Banks.
                     
                  2. Collect sufficient information about any receiving correspondent banking institution for the purpose of identifying and achieving a full understanding of the nature of its work, and to make available, through publicly available information, its reputation and level of control, including whether it has been investigated.
                     
                  3. Evaluate anti-crime controls applied by the receiving institution.
                     
                  4. Obtain approval from senior management before establishing new correspondent banking relationships.
                     
                  5. Understand the responsibilities of each institution in the field of combatting Crime.
                     
                2. With respect to intermediate payment accounts, the financial institution should be required to ensure that the receiving institution has taken CDD measures towards Customers who have direct access to those accounts and that it is able to provide CDD information to the relevant Customers upon request of the correspondent institution.
                   
            • Section 2 Money or Value Transfer Services

              • Article (26)

                1. Providers of money or value transfer services shall be licensed by or registered with the competent Supervisory Authority. The Supervisory Authority shall take the necessary measures to punish those who provide such services without a licence or registration in accordance with their effective legislation and to ensure compliance of licensed or registered providers with the Crime combating controls.
                   
                2. Providers of money or value transfer services shall keep an up-to-date list of their agents and make them available to the relevant authorities within the country in which the money or value transfer services providers and their agents operate, and shall engage their agents in combatting the Crime control programs and monitor them for compliance with these programs.
                   
            • Section 3 Wire Transfers

              • Article (27)

                1. Financial institutions shall ensure that all international wire transfers equal to or exceeding AED (3,500) are always accompanied by the following data:
                   
                  1. The name of the originator, his or her identity number or travel document, date and place of birth, address and account number. In the absence of an account, the transfer must include a unique transaction reference number which allows the process to be tracked.
                     
                  2. The name of the beneficiary and his account number used to make the transfers. In the absence of the account, the transfer must include a unique transaction reference number which allows the process to be tracked.
                     
                2. In the event that several individual cross-border wire transfers from a single originator are bundled in a batch file for transmission to beneficiaries, the batch file shall contain required and accurate originator information, and full beneficiary information, that is fully traceable within the beneficiary country; and the financial institution shall be required to include the originator’s account number or unique transaction reference number.
                   
                3. Financial institutions shall ensure that all cross-border wire transfers less than AED 3,500 are always accompanied by the data in Clause (1) of this Article, without the need to verify the accuracy of the data referred to, unless there are suspicions about committing the Crime.
                   
                4. For domestic wire transfers, the ordering financial institution shall ensure that the information accompanying the wire transfer includes originator information as indicated in Clause (1) of this Article, unless this information can be made available to the beneficiary financial institution and competent authorities by other means.
                   
                5. Where the information accompanying the domestic wire transfer can be made available to the beneficiary financial institution and competent authorities by other means, the ordering financial institution shall be only required to include the account number or a unique transaction reference number, provided that this number or identifier will permit the transaction to be traced back to the originator or the beneficiary. The ordering financial institution shall make the information available within three business days of receiving the request either from the beneficiary financial institution or from competent authorities.
                   
                6. Financial institutions shall not carry out wire transfers if they fail to comply with the conditions set out in this article.
                   
                7. Ordering financial institutions shall keep all information about the originator and the beneficiary collected in accordance with the provisions of Article (24) of this Decision.
                   
              • Article (28)

                1. An intermediary financial institution shall ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it for cross-border wire transfers.
                   
                2. Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the Intermediary Financial Institution shall keep a record of all the information received from the ordering financial institution or another cross-border Intermediary Financial Institution, in accordance with the provisions of Article (24) of the present Decision.
                   
                3. Intermediary Financial Institutions shall take reasonable measures, which are consistent with straight-through processing, to identify cross-border wire transfers that lack required originator information or required beneficiary information and shall have risk-based policies and procedures for determining when to execute, reject, or suspend a wire transfer; and the appropriate follow-up action.
                   
              • Article (29)

                1. Beneficiary Financial Institutions shall take reasonable measures, to identify cross-border wire transfers that lack required originator information or required beneficiary information, which may include real-time monitoring where feasible or post-event monitoring.
                   
                2. For cross-border wire transfers of AED 3,500 or more, a Beneficiary Financial Institution shall verify the identity of the beneficiary, if the identity has not been previously verified.
                   
                3. Beneficiary Financial Institutions shall have risk-based policies and procedures determining when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and for determining the appropriate follow-up action.
                   
                4. Beneficiary Financial Institutions shall maintain records of all required originator and required beneficiary information collected, in accordance with the provisions of Article (24) of this Decision.
                   
              • Article (30)

                1. Providers of Money or Value Transfer Services shall comply with all of the relevant requirements of Articles (27), (28), and (29) of this Decision, whether they operate directly or through their agents.
                   
                2. In the case of a provider of money or value transfer services that controls both the ordering and the beneficiary side of a cross-border wire transfer, the provider of money or value transfer services shall:
                   
                  1. Take into account all information from both the ordering and beneficiary sides in order to determine whether an STR is to be filed; and
                     
                  2. If it is decided to file STR regarding the Transaction, the STR shall be sent to the Financial Intelligence Unit in the relevant country, attaching all relevant transaction information.
                     
            • Section 4 Financial Group

              • Article (31)

                Financial Groups shall implement group-wide programs with respect to combating the Crime. Such programs shall be applicable and appropriate to all its branches and majority-owned subsidiaries. In addition to the measures mentioned in Article (20) of this Decision, these programs should also include the following:

                1. Policies and procedures for the exchange of information required for the purposes of CDD and risk management of the Crime;
                   
                2. The provision of Customer information, accounts, and Transactions from the branches and subsidiaries to the compliance officers at a Financial Group level, whenever necessary for the purpose of combating the Crime.
                   
                3. Provision of adequate safeguards on the confidentiality and use of the information exchanged.
                   
              • Article (32)

                1. Financial Institutions should ensure that their foreign branches and majority-owned subsidiaries apply Crime-combating measures that are consistent with the requirements of the Decretal-Law and the present Decision when the minimum Crime-combating requirements of the other country are less strict than those applied in the State, to the extent permitted by that other country’s laws and regulations.
                   
                2. If the other country does not permit the appropriate implementation of measures for combating the Crime that are consistent with the requirements of the Decretal-Law and the present Decision, then Financial Institutions shall take additional measures to manage AML/CFT risks related to their operations abroad and reduce them appropriately, inform the other country of the matter, and abide by the instructions received from the Country in this regard.
                   
          • Part 3 Requirements of Non-Profitable Organisations

            • Article (33)

              Non-Profit Organisations, in collaboration with the competent Supervisory Authority, shall commit to the following:

              1. Apply best practices adopted by the competent Supervisory Authority to mitigate their vulnerabilities so that they can protect themselves from being abused for Financing of Terrorism and of Illegal Organisations.
                 
              2. Put in place clear policies to promote transparency, integrity, and public confidence in its own administration.
                 
              3. Conduct Transactions through official financial channels, taking into consideration the different capabilities of financial sectors in other countries.
                 
        • Chapter 3 Transparency and Beneficial Owner

          • Part 1 Requirements of Company Registrar and Companies

            • Article (34)

              1. The Registrar shall provide information regarding legal persons in the State and make it available to the public as follows:
                 
                1. The types, different forms and basic features of legal persons
                   
                2. The processes for the creation of those legal persons
                   
                3. The processes for obtaining its basic information as stipulated in paragraph (b), Clause (1), of Article (8) of this Decision
                   
                4. The processes for obtaining information about the Beneficial Owner.
                   
              2. The Registrar shall undertake to maintain and keep the up-to-date basic information defined in paragraph (b), Clause (1), of Article (8) of this Decision, ensure its accuracy and make it available to the public.
                 
              3. Upon registering companies, the Registrar shall commit to receive the data of the Beneficial Owner of the company as stipulated in Clause (Error! Reference source not found.) of Article (9) of this Decision and make sure it remains up to date, accurate, and available to the Competent Authorities.
                 
            • Article (35)

              1. Companies shall be required to maintain the information set out in paragraph (b), Clause (1) of Article (8) of this Decision and a register of all their shareholders containing the number of shares held by each shareholder and categories of shares, if any, including the voting rights and providing this register to the Registrar after ensuring its accuracy.
                 
              2. Companies shall undertake to maintain and make available the data mentioned in Clause (Error! Reference source not found.) of Article (9) of this Decision to the Registrar at all times and upon request, update such data within 15 business days upon its amendment or change and ensure to keep this information up-to-date and accurate on an ongoing basis and assist the Registrar in documenting such information if so required.
                 
              3. Companies shall have one or more natural persons who are residents of the State and authorised to disclose to the Registrar all information contained in Clauses (1) and (2) of this Article.
                 
              4. Any company established or registered in the State shall be prohibited from issuing share warrants to bearer.
                 
              5. Companies that permit the issuance of nominee shares in the name of individuals or members of the board of directors shall be required to disclose those shares and the identities of the members of the board of directors to the Registry for the purpose of registering them.
                 
            • Article (36)

              The Registrar and the companies, or the administrators or liquidators or any other stakeholder involved in the dissolution of the company, shall maintain records and all information as mentioned in Article (34) and Article (35) for at least five years from the date in which the company is dissolved or otherwise ceased to exist.

          • Part 2 Requirements of Legal Arrangements

            • Article (37)

              1. The Trustees in Legal Arrangements are required to maintain information about the Beneficial Owner as prescribed in Clause (Error! Reference source not found.) of Article (9) of this Decision.
                 
              2. The Trustees in Legal Arrangements are required to maintain basic information relating to intermediaries, who are subject to supervision, and service providers, including consultants, investors, directors, accountants and tax advisors.
                 
              3. The information mentioned in Clauses (1) and (2) of this Article shall be maintained accurately and updated within 15 days if it is amended or changed and legal arrangement representatives shall be required to maintain this information for at least five years from the date of the end of their involvement with the legal arrangement.
                 
              4. The Competent Authorities, and in particular Law Enforcement Authorities, shall request and obtain information held by trustees, Financial Institutions, or DNFBPs, without delay, relating to the following:
                 
                1. The Beneficial Ownership of legal arrangements
                   
                2. The residence of the Trustee
                   
                3. The funds that are held or managed by the Financial Institution or DNFBP in relation to any trustees with which they have a Business Relationship, or for which they undertake an occasional Transaction.
                   
          • Part 3 Prohibition of Invocation of Banking, Professional or Contractual Secrecy

            • Article (38)

              It is prohibited to invoke banking, professional or contractual secrecy as a pretext to prevent application of the provisions of the Decretal-Law and this Decision in the following cases:

              1. Exchange of information among Financial Institutions whenever it is related to Correspondent Banking or Wire Transfers and the reliance on regulated third party relationships in accordance with Articles (19), (25), and (27) to (30) of this Decision.
                 
              2. Exchange of information among Competent Authorities at the domestic or international level in relation to the combating of the Crime.
                 
          • Part 4 Confidentiality of information

            • Article (39)

              1. Any person who obtains information related to a suspicious transaction or any of the crimes stipulated in the Decretal-Law shall be bound by its confidentiality and shall not disclose it except to the extent necessary for its use in investigations, prosecutions or cases in violation of the provisions of the Decretal-Law and this Decision.
                 
              2. In all cases, it is not permissible to contact the Customer directly or indirectly to notify him of the actions taken, except at the written request of the competent Supervisory Authority.
                 
        • Chapter 4 Financial Intelligence Unit

          • Section 1 Independence of the FIU

            • Article (40)

              1. The FIU shall be operationally independent in order to carry out its functions effectively, and the Central Bank shall provide it with the required technical, financial and human resources.
                 
              2. The main headquarters of the FIU shall be in the capital of the State and it may open branches within the Central Bank’s branches in the Emirates of the State.
                 
              3. The FIU shall operate as the national centre to receive STRs and other information related to the Crime.
                 
          • Section 2 Powers of the FIU

            • Article (41)

              The FIU shall have the following powers:

              1. Putting in place the FIU’s departments and internal regulations for approval by the Central Bank’s Board of Directors. The internal regulations shall include procedures to ensure the competency and integrity of its employees and the awareness of their responsibilities in dealing with confidential information.
                 
              2. Establishing a database or special register to hold any information it has available and securing this information by establishing rules that govern information security and confidentiality, including procedures for processing, storing, disseminating and setting procedures to ensure limited access to the FIU’s facilities, information and technical systems and to the review or disclosure of information, except by those authorised to do so.
                 
              3. Providing courses and programs to train and develop the employees working in it and any other authority, be it inside or outside the State.
                 
              4. Preparing studies, research and statistics related to the Crime, and following up on any studies, research or statistics conducted domestically or internationally in this regard.
                 
              5. Preparing annual reports about its Crime-combatting activities that include specifically general analysis of STRs and notifications received as well as activities and trends of the Crime, and preparing a brief of this report for dissemination purposes.
                 
            • Article (42)

              The FIU shall be responsible for carrying out its duties with regards to STRs as follows:

              1. Receiving STRs relating to the Crime from Financial Institutions and DNFBPs on the FIU’s approved templates, then studying, analysing and storing them in its database.
                 
              2. Requesting Financial Institutions, DNFBPs, and Competent Authorities to provide any additional information and documents relating to the STRs and information received, and any other information that it might deem necessary to perform its duties, including information relating to customs’ disclosures, in the time and form specified by the FIU.
                 
              3. Analysing available reports and information as follows:
                 
                1. Operational analysis by using available and obtainable information, to identify specific targets, such as persons, funds, or criminal networks, track activities or specific Transactions, and determine the links between those targets, activities or transactions and potential proceeds of the Crime.
                   
                2. Strategic analysis by using available and obtainable information, including data provided by Competent Authorities, to identify trends and patterns of the Crime.
                   
              4. Providing the Financial Institutions and DNFBPs with the analysis results of the information provided in the reports received by the FIU in order to enhance the effectiveness of the measures for combating the Crime and detecting STRs.
                 
              5. Cooperating and coordinating with the Supervisory Authorities by disseminating the outcomes of its own analysis, specifically with respect to the quality of STRs, to ensure the compliance of Financial Institutions and DNFBPs with the procedures for combating the Crime.
                 
              6. Sending the data relating to the reports, the outcomes of its analyses and any other relevant data to Law Enforcement Authorities, when there are sufficient grounds to suspect its connection to the Crime, to take required actions in that regard.
                 
              7. Providing to judiciary authorities and Law Enforcement Authorities information related to the Crime and information it can obtain from foreign FIUs, spontaneously or upon request.
                 
            • Article (43)

              The FIU shall be responsible for carrying out its duties at the international level as follows:

              1. Exchanging information with its FIU counterparts in other countries on STRs or any other information the FIU has the power to obtain or access, whether directly or indirectly, as per the international agreements to which the State is a party or any memorandums of understanding the FIU has entered into with FIU counterparts to regulate its cooperation with them or on the condition of reciprocity.
                 
              2. Reporting to its FIU counterparts the outcomes of using the submitted information and analysis conducted based on that information.
                 
              3. The information specified in Clauses (1) and (2) of this Article may not be used except for Crime-combatting purposes and may not be disclosed to any third party without the FIU’s approval.
                 
              4. Following up on the developments relating to Money Laundering and Terrorism Financing crimes through the relevant regional and international organisations and bodies and participating in related meetings.
                 
              5. Following up with the requirements of the Egmont Group, as well as participating and attending its meetings as a member of the group.
                 
        • Chapter 5 Supervisory Authorities

          • Section 1 Supervisory Authority for Financial Institutions and DNFBPs

            • Article (44)

              The Supervisory Authorities, each in accordance with its specialisations, shall assume the functions of supervision, monitoring and follow-up to ensure compliance with the provisions of the Decretal-Law and this Decision and shall be specialised in the following:

              1. Conducting a risk assessment for any potential occurrence of the Crime in legal persons, including Financial Institutions and DNFBPs.
                 
              2. Putting in place the Crime-Combating regulations, instructions and forms for the entities subject to their supervision, when necessary.
                 
              3. Putting in place the required procedures and controls to assess the compliance of supervised institutions with the provisions of the Decretal-Law and this Decision and any other legislation related to combating the Crime in the State, as well as to request the information relating to such compliance.
                 
              4. Setting and applying the regulations, controls, standards of merit to anyone who seeks to acquire, control, participate in management or operation, whether directly or indirectly, or to be the beneficiary of Financial Institutions and DNFBPs.
                 
              5. Conducting onsite and offsite supervision and inspections over Financial Institutions and DNFBPs.
                 
              6. Determining the frequency of supervision and inspection over Financial Institutions, Financial Groups, and DNFBPs based on the following:
                 
                1. National Risk Assessment
                   
                2. Distinctive characteristics of Financial Institutions, Financial Groups and DNFBPs in terms of their diversities, numbers and the degree of discretion provided to them under the risk-based approach.
                   
                3. Risks of the Crime as well as internal policies, controls and procedures associated with Financial Institutions, Financial Groups, or DNFBPs as identified by the Supervisory Authority’s assessment of each’s risk profile.
                   
              7. Undertaking all measures to ensure full compliance of the Financial Institutions and DNFBPs in implementing Security Council Resolutions relating to the prevention and suppression of terrorism and Terrorism Financing, and the prevention and suppression of the proliferation of weapons of mass destruction and its financing, and other related decisions, by conducting onsite visits and on-going monitoring, and imposing appropriate administrative sanctions when there is a violation or shortcoming in implementing the instructions.
                 
              8. Ensuring that the prescribed measures are adopted by the supervised institutions in accordance with the provisions of the Decretal-Law and this Decision, and that these measures are implemented in their foreign branches and majority-owned subsidiaries to the extent permitted by the laws of the country, where those branches and subsidiaries exist.
                 
              9. Periodically reviewing the assessment of the Crime risk profile of a Financial Institution and Financial Group (including the risks of non-compliance), and when there are major events or developments in the management and operations of the Financial Institution or Group.
                 
              10. Ensuring the compliance of Financial Institutions and DNFBPs subject to their supervision in implementing enhanced CDD measures on Customers and ongoing monitoring of the business relationship related to High-Risk Countries.
                 
              11. Providing Financial Institutions and DNFBPs with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.
                 
              12. Maintaining an up-to-date list of the names and data of compliance officers of the institutions under their Supervision, and notifying the FIU thereof; and requiring those institutions to obtain their prior consent before appointing their compliance officers.
                 
              13. Conducting programs and outreach campaigns on combating the Crime.
                 
              14. Issuing decisions of imposing administrative sanctions in accordance with the provisions of the Decretal-Law and the present Decision, and the mechanism for submitting relevant grievance.
                 
              15. Maintaining statistics about the measures taken and sanctions imposed.
                 
          • Section 2 Supervisory Authority for Non-Profit Organisations

            • Article (45)

              The Competent Supervisory Authority for NPOs shall commit to the following:

              1. Obtaining, in a timely manner, all information available with all Competent Authorities regarding NPO activities for the purpose of determining the size, features and types of NPOs, and identifying the threats posed against them by terrorism organisations, and the extent to which they are exposed to the risk of being misused for supporting Financing of Terrorism and Financing of Illegal Organisations, and then taking all appropriate and effective measures to combat these identified risks and reviewing them on a periodic basis to ensure their adequacy.
                 
              2. Reviewing the relevance and adequacy of legislation relating to NPOs to stop their misuse for supporting the Financing of Terrorism and of Illegal Organisations, and working to improve them when necessary.
                 
              3. Periodically reassessing NPOs by reviewing updated information on their potential vulnerabilities, which may be exploited in support of Financing of Terrorism.
                 
              4. Promoting and conducting awareness outreach and educational programs in order to raise awareness of NPOs and their donors on their potential vulnerabilities, which may expose them to risks of being misused for supporting and financing of Terrorism, and measures that can be taken by NPOs to protect themselves from such risks.
                 
              5. Supervising and monitoring NPOs using a risk-based approach to prevent their misuse in the Support and Financing of Terrorism and ensure compliance with their requirements.
                 
              6. Cooperating, coordinating and exchanging information at the local level with Competent Authorities that hold relevant information on NPOs.
                 
              7. Possessing experience in the field of investigations and the ability to examine NPOs that are suspected of being misused for supporting and financing of terrorism.
                 
              8. Fully reviewing the information relating to the administration and management of any NPO, including financial information and information relating to its programs.
                 
              9. Establishing mechanisms to ensure the prompt exchange of information with Competent Authorities for the purpose of taking preventive measures or investigative action when there is suspicion or reasonable grounds to suspect that the NPO is:
                 
                1. A front for the raising of funds on behalf of a terrorist organisation.
                   
                2. Being exploited as a conduit for the Financing of Terrorism or for the evasion of asset freezing measures or any other form of terrorism support.
                   
                3. Concealing or disguising the flow of funds intended for legitimate purposes, but redirected for the benefit of terrorists or terrorist organisations.
                   
              10. Determining the appropriate points of contact and procedures required to respond to international requests for information regarding NPOs suspected of Financing of Terrorism or of being exploited for the Financing of Terrorism or other forms of terrorism support.
                 
        • Chapter 6 Provisional Measures and Investigative Procedures

          • Section 1 Provisional Measures

            • Article (46)

              1. The Governor, or whoever is acting in his place, shall order the Freezing of funds, which are suspected to be linked to the Crime, with Financial Institutions licensed by the Central Bank for a period of no more than (7) seven working days, in the case of the FIU’s requests based on its analysis of STRs and other information received.
                 
              2. The FIU shall, in the event of taking the decision mentioned in Clause (1) of this Article, do the following:
                 
                1. Notify the concerned Financial Institution to perform the Freezing order without prior notice to the owner of the funds.
                   
                2. Notify the public prosecutor, in case the Governor requests extending the Freezing order, including the justifications of such extension.
                   
              3. The FIU, after presenting to the Governor, shall notify the concerned Financial Institution of the cancelation of the Freezing order in case the public prosecutor refuses the extension or after expiry of the period specified in Clause (1) of this Article without receiving a response from the public prosecutor.
                 
              4. The Financial Institution, which holds the frozen funds, shall notify the owner of the frozen funds of the Freezing order and its sources, and shall request the owner to provide the required documents that prove the legitimacy of the source of these funds and refer these documents to the FIU to take the required actions.
                 
              5. The Governor shall submit a proposal to the public prosecutor to cancel the extension of the Freezing order once there are no grounds to such freeze in order for the public prosecutor to take actions as he deems appropriate.
                 
              6. The fund freezing orders shall not be executed by Financial Institutions licensed by the Central Bank unless they are issued by it.
                 
            • Article (47)

              1. The Public Prosecution and the competent court shall, as the case may be, order the identification, tracing, and valuation of the Funds, Proceeds and Means under suspicion, or their equivalent value, or order their Seizing or Freezing, if they were the result of or linked to the Crime, and that is without prior notice to the owner, and shall issue a travel ban for the owner until the completion of the investigation or trial.
                 
              2. The Public Prosecution or the competent court shall, as the case may be and when deemed necessary, take decisions to prevent the dealing with or disposing of such Funds, Proceeds or Means, and take the necessary measures to prevent any action intended to evade the Freezing and Seizing order issued in that regard, without violating the rights of bona fide third parties.
                 
              3. Any interested party shall have the right to contest the public prosecution’s Freezing or Seizing decision before the competent court of first instance, which is located within the jurisdiction of the order public, or the competent court specialised in criminal claims.
                 
              4. The contest shall be submitted as a report to the competent court. The president of the court shall, then, schedule a hearing session with the knowledge of the defendant, and the public prosecution shall be required to lodge a memorandum with its opinion on the defendant’s grievance. The court then issues its final decision within a period of no more than 14 working days as of the date of submission of the appeal.
                 
              5. The decision to dismiss the contest request is not subject to appeal; if the contest was rejected, it is not permissible to lodge a new contest except after a duration of three months from the date of rejecting the contest, unless a serious reason occurs before the period passes.
                 
            • Article (48)

              The public prosecution and the competent court shall, as the case may be, appoint whomever they deem suitable to manage the seized and frozen Funds, Proceeds and Means or those subject to Confiscation, and permit them to dispose or sell the Funds, Proceeds and Means in public auction, even before the issuance of the verdict, if necessary, if they are concerned about their depreciation or devaluation over time. The amount of the sale shall be deposited in the State’s treasury in the event of a final verdict of conviction. Such funds shall remain within the limits of their value for any rights legitimately determined to any bona fide third parties.

          • Section 2 Investigation Procedures

            • Article (49)

              1. The public prosecution and Law Enforcement Authorities shall, when launching an investigation and collecting evidence for a Predicate Offense, when necessary, take into consideration the extent to which the financial aspects of the criminal activity are connected with Money Laundering, Financing of Terrorism, or the Financing of Illegal Organisations, in order to determine the scope of the crime, identify and track proceeds and any other funds that may be subject to confiscation and strengthen evidence of the crime.
                 
              2. The public prosecution shall request the opinion of the FIU on the notifications received in relation to Money Laundering, Financing of Terrorism or Financing of Illegal Organisations cases.
                 
              3. Law Enforcement Authorities shall be responsible for receiving, and following up on, the results of STR analysis from the FIU and for gathering the related evidence.
                 
              4. The public prosecution and Law Enforcement Authorities shall promptly identify, trace and seize Funds, Proceeds and Means that might be subject to Confiscation and linked to the Crime.
                 
              5. Law Enforcement Authorities shall obtain the information directly from Competent Authorities, even if it is subject to banking secrecy or professional confidentiality, as they deem fit so they can perform their duties in detecting the Crime or its perpetrator(s) and collecting evidence about them, and the authority, who is the recipient of the information request, shall execute the request without delay.
                 
        • Chapter 7 International Cooperation

          • Section 1 General Provisions for International Cooperation

            • Article (50)

              Competent Authorities, for the purpose of implementation of International Cooperation requests on the Crime, to conclude, negotiate and sign agreements in a timely manner with foreign counterpart authorities, in a manner that does not contradict the legislation in force in the State

            • Article (51)

              Competent authorities shall give priority to all International cooperation requests related to the Crime and implement them expeditiously through clear and secure mechanisms and channels. The confidentiality of the information received shall be subject to the request, if required. If the confidentiality of the information cannot be kept, then the requesting authority shall be informed of the matter.

            • Article (52)

              Within the scope of implementing the provisions of the Decretal-Law and this Decision, an International Cooperation request regarding the Crime shall not be rejected on the basis of any of the following:

              1. The crime involves financial, tax or customs matters.
                 
              2. Secrecy provisions are binding upon Financial Institutions and DNFBPs, providing that they do not violate the applicable laws in the State, unless the relevant information was obtained under the circumstances where professional legal privileges or professional secrecy apply.
                 
              3. The crime is political or related to a political crime.
                 
              4. The request is connected with a crime subject of an ongoing investigation or prosecution in the State, unless the request impedes the investigation or the prosecution.
                 
              5. The act, on which the assistance is based, does not constitute a crime in the State, or the act does not have similar attributes to a crime set out in the State, unless it involves constraining, coercive measures or it is in accordance with the applicable laws in the State.
                 
              6. The criminal act in the State is listed under a different name or description or that its structure varies from that of the requesting country.
                 
          • Section 2 Exchange of Information between Competent Authorities and Counterparts

            • Article (53)

              In accordance with the legislation and agreements in force in the State or on the condition of reciprocity, the competent authorities shall:

              1. Execute requests received from any foreign entity and exchange information on the Crime at the appropriate speed with foreign counterparts, and obtain any other requested information on its behalf, even if such requests change in nature, whether spontaneously or upon request.
                 
              2. Provide feedback to foreign counterparts on the use of the information obtained and the extent to which it was beneficial, if requested to do so.
                 
              3. Obtain a declaration or undertaking from the foreign counterpart that international cooperation information will only be used for the intended purpose, unless prior approval has been obtained.
                 
              4. Use international cooperation information obtained for the intended purpose, unless the foreign counterpart grants its approval for use for another purpose.
                 
              5. Refuse to provide information in the event that it is not effectively protected by the foreign counterpart requesting international cooperation.
                 
            • Article (54)

              1. The Competent Authorities commit to provide the means for international cooperation with respect to the basic information and Beneficial Owners of companies and legal arrangements, whereby such cooperation shall include the following:
                 
                1. Facilitating the access of foreign competent authorities to basic information held by the registries of companies and legal arrangements;
                   
                2. Exchanging information on legal arrangements and the shareholders in companies;
                   
                3. Using their powers to obtain all the information on Beneficial Owners on behalf of foreign counterparts.
                   
              2. The Competent Authorities shall supervise the implementation quality for the international cooperation requests received from other countries in relation to basic company information and Beneficial Ownership for companies and legal arrangements, as well as the requests for international cooperation relating to determining the location of the Beneficial Owner from companies abroad.
                 
            • Article (55)

              In accordance with the legislation in force in the State, and the provisions of the agreements to which they are a party, and on the condition of reciprocity, the Supervisory Authorities of the Financial Institutions shall:

              1. Exchange information relating to the appropriate Crime that it maintains and which is available to it directly or indirectly, with foreign counterparts, regardless of their nature, and consistent with the relevant international financial control principles relevant to anti money-laundering and combating the financing of terrorism applicable to each of them, including information on:
                 
                1. The regulatory framework of the financial sectors and the general information related to them.
                   
                2. Preventive financial control measures such as information related to the activities and works of financial institutions, their real beneficiaries, their management, and information of merit and eligibility.
                   
                3. Internal policies of financial institutions in the field of combatting the Crime, CDD information of Customers, and of information related to accounts and transactions.
                   
              2. Obtain prior approval of the foreign supervisory authority where the information is required for transmission or use other than for the intended purpose, and inform it of the matter in the event of disclosure of such information whenever it is the result of a legal obligation.
                 
              3. Request or facilitate access to information on behalf of the foreign supervisory authority, for the purposes of enhancing supervision on the financial group.
                 
            • Article (56)

              Without prejudice to the provisions of the treaties and conventions to which the State is a party and subject to reciprocity; and without prejudice to the legislation in force in the State, Law Enforcement Authorities, in coordination with the Competent Authority, may:

              1. Exchange information held by it, either directly or indirectly, with foreign counterparts for purposes of investigation or collection of inferences relating to Crime, identification and tracking of proceeds and intermediaries.
                 
              2. Use the powers conferred upon it in accordance with the legislation in force in the State to conduct investigations and obtain information on behalf of the foreign counterpart, and coordinate the formation of bilateral or multilateral teams to conduct joint investigations.
                 
          • Section 3 International Legal Assistance

            • Article (57)

              Upon request from another judiciary authority in another country, with whom there is a valid agreement in place with the State, or on the basis of reciprocity concerning any acts that are punishable as per the applicable laws in the State, the competent judiciary authority shall provide legal assistance in investigations, trials or measures linked to the Crime and it shall order the following:

              1. Locating, Freezing, Seizing or Confiscation of Funds, Proceeds or Means that have been used, or intended for use in the Crime, or their equivalent. The death or anonymity of the suspect shall not prevent undertaking such measures.
                 
              2. Any other measures applicable in accordance with the enforceable laws in the State, including the provision of records maintained by Financial Institutions, DNFBPs or NPOs, the search of persons and buildings, gathering statements from witnesses, collecting evidence, using investigative methods such as Undercover Operations, wiretapping, communications, obtaining electronic data and information and Controlled Delivery.
                 
              3. Extradition and repatriation of persons and things related to the Crime in accordance with the laws applicable in the State.
                 
            • Article (58)

              It is permitted to recognise any judgement or judicial order that provides for the confiscation of Funds, Proceeds or Means relating to Money Laundering, the Financing of Terrorism or the Financing of Illegal Organisations issued by a competent court or judiciary authority in another country, with whom there is an attested agreement in place with the State.

            • Article (59)

              Taking into consideration the applicable laws in the State, the implementation of the judgement or judicial order mentioned in Article (58) of the present Decision shall not contradict a judgment or order previously issued by a court in the State, there shall not be an ongoing charge in the State regarding the same judgment issued from the requesting country, and the request shall also include the following documents and information:

              1. An attested copy of the judgment or judicial order for Confiscation along with the law on which it is based, and a statement of the reasons for issuing the confiscation order, if not mentioned in the judgment or the order itself.
                 
              2. A statement establishing that the sentenced person has been duly summoned and represented, and has been able to defend himself.
                 
              3. A document confirming that the judgement or judicial order is enforceable and not subject to appeal through ordinary methods.
                 
              4. Description of the Funds, Proceeds and Means for Confiscation, their estimated value, their potential location and information regarding any persons who might be holding or possessing these funds.
                 
              5. Statement of the amount to be repatriated from the funds for Confiscation.
                 
              6. Any information relating to third party rights on the Funds, Proceeds or Means.
                 
              7. Statement of the procedures undertaken in the requesting country to protect bona fide third parties.
                 
          • Section 4 Implementation of the Security Council Resolutions

            • Article (60)

              Every natural or legal person shall immediately comply with the instructions issued by the Competent Authorities in the State concerning the implementation of the resolutions issued by UN Security Council under Chapter VII of the Charter of the United Nations regarding the prevention and suppression of terrorism and Terrorism Financing, and the prevention and suppression of the proliferation of Weapons of Mass Destruction and its financing, and any other related decisions.

        • Chapter 8 Final Provisions

          • Article (61)

            Any provision that contradicts or violates the provisions of the present Decision shall be considered void.

          • Article (62)

            The present Decision shall come into force as of the date of its issuance and shall be published in the Official Gazette.

    • Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions

      Effective from 13/7/2023
      • Part I—Overview

        • 1. Introduction

          • 1.1 Purpose and Scope

            The purpose of these Anti-Money Laundering and Combating the Financing of Terrorism and the Financing of Illegal Organisations Guidelines for Financial Institutions (FIs) (Guidelines) is to provide guidance and assistance to supervised institutions that are FIs, in order to assist their better understanding and effective performance of their statutory obligations under the legal and regulatory framework in force in the United Arab Emirates (UAE or State).

            These Guidelines have been prepared as a joint effort between the Supervisory Authorities of the UAE, and set out the minimum expectations of the Supervisory Authorities regarding the factors that should be taken into consideration by each of the supervised financial institutions which fall under their respective jurisdictions, when identifying, assessing and mitigating the risks of money laundering (ML), the financing of terrorism (FT), and the financing of illegal organisations.

            Nothing in these Guidelines is intended to limit or otherwise circumscribe additional or supplementary guidance, circulars, notifications, memoranda, communications, or other forms of guidance or feedback, whether direct or indirect, which may be published on occasion by any of the Supervisory Authorities in respect of the supervised institutions which fall under their respective jurisdictions, or in respect of any specific supervised institution.

            Finally, it should be noted that guidance on the subject of the United Nations Targeted Financial Sanctions (TFS) regime, and the related Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions On the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions, is outside the scope of these Guidelines.

          • 1.2 Applicability

            Unless otherwise noted, these Guidelines apply to all Financial Institutions, and the members of their boards of directors, management and employees, established and/or operating in the territory of the UAE and their respective Financial and Commercial Free Zones, whether they establish or maintain a Business Relationship with a Customer, or engage in any of the financial activities and/or transactions or the trade and/or business activities outlined in Articles (2) and (3) of Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.

            Specifically, they are applicable to all such natural and legal persons in the following categories:

            Banks, finance companies, exchange houses, money service businesses (including hawaladar or other monetary value transfer services);
             
            Insurance companies, agencies, and brokers;
             
            Securities and commodities brokers, dealers, advisors, investment managers;
             
            Virtual asset service providers (VASPs);
             
            Other financial institutions not mentioned above.
             
          • 1.3 Legal Status

            Article 44.11 of Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

            As such, these Guidelines do not constitute additional legislation or regulation, and are not intended to set legal, regulatory, or judicial precedent. They are intended rather to be read in conjunction with the relevant laws, cabinet decisions, regulations and regulatory rulings which are currently in force in the UAE and their respective Free Zones, and supervised institutions are reminded that the Guidelines do not replace or supersede any legal or regulatory requirements or statutory obligations. In the event of a discrepancy between these Guidelines and the legal or regulatory frameworks currently in force, the latter will prevail. Specifically, nothing in these Guidelines should be interpreted as providing any explicit or implicit guarantee or assurance that the Supervisory or other Competent Authorities would defer, waive, or refrain from exercising their enforcement, judicial, or punitive powers in the event of a breach of the prevailing laws, regulations, or regulatory rulings.

            These Guidelines, and any lists and/or examples provided in them, are not exhaustive and do not set limitations on the measures to be taken by supervised institutions in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, these Guidelines should not be construed as legal advice or legal interpretation. Supervised institutions should perform their own assessments of the manner in which they should meet their statutory obligations, and they should seek legal or other professional advice if they are unsure of the application of the legal or regulatory frameworks to their particular circumstances.

          • 1.4 Organisation of the Guidelines

            These Guidelines are organized into five (5) parts, roughly corresponding to the following major themes:

            Part I—Overview (including background information on the UAE’s AML/CFT legislative and strategy framework, and highlights of key provisions of the law and regulations affecting Financial Institutions);

            Part II—Identification and Assessment of ML/FT Risks;

            Part III—Mitigation of ML/FT Risks;

            Part IV—AML/CFT Compliance Administration and Reporting (including guidance on governance, suspicious transaction reporting, and record-keeping);

            Part V—Appendices.

            The various sections and sub-sections of each part are organized according to subject matter. In general, each section or subsection includes references to the articles of the AML-CFT Law and/or the AML-CFT Decision to which it pertains. While it has been kept to a minimum, users may find that there are instances of repetition of some content throughout various sections of the Guidelines. This has been done in order to ensure that each section or sub-section pertaining to a specific subject matter is comprehensive, and to minimize the need for cross-referencing between sections.

            In some cases, the requirements or provisions of specific sections of the relevant legal and regulatory frameworks are deemed sufficiently clear with regard to the statutory obligations of supervised institutions such that no additional guidance on those sections is provided for in these Guidelines. In other cases, guidance is provided with regard to subjects which are not covered explicitly in the AML-CFT Law or the AML-CFT Decision, but which are nevertheless addressed either implicitly or by reference to international best practices.

            In certain instances in which there are meaningful differences between the relevant legal and regulatory framework currently in force and previous laws or regulations, or in which there are differences in specific regulatory requirements between various Supervisory Authorities, the Guidelines may or may not highlight these differences. In the event of such differences or discrepancies, supervised institutions seeking further clarification on matters related to those sections are invited to contact their relevant Supervisory Authority through the established channels.

            It is the Supervisory Authorities’ intention to update or amend these Guidelines from time to time, as and when it is deemed appropriate. Supervised institutions are reminded that these Guidelines are not the only source of guidance on the assessment and management of ML/FT risk, and that other bodies, including international organisations such as FATF, MENAFATF and other FATF-style regional bodies (FSRBs), the Egmont Group, and others also publish information that may be helpful to them in carrying out their statutory obligations. It is the sole responsibility of supervised institutions to keep apprised and updated at all times regarding the ML/FT risks to which they are exposed, and to maintain appropriate risk identification, assessment, and mitigation programmes, and to ensure their responsible officers, managers and employees are adequately informed and trained on the relevant policies, processes, and procedures.

            Text from the AML-CFT Law and the AML-CFT Decision is quoted, or otherwise summarized or paraphrased, from time to time throughout these Guidelines. For the sake of convenience, unless specifically noted to the contrary, all references in the text to the term “financing of terrorism” also encompass the financing of illegal organisations. In general, capitalized terms in the text of these Guidelines have the meanings provided in the Glossary of Terms (see Appendix 11.1). However, in the event of any inconsistency or discrepancy between the text or definitions provided for in the Law and/or the Cabinet Decision and such quotations, summaries or paraphrases, or such defined terms, the former shall prevail.

        • 2. Overview of the AML/CFT Legal, Regulatory, and National Strategy Frameworks of the United Arab Emirates

          • 2.1 National Legislative and Regulatory Framework

            The legal and regulatory structure of the UAE is comprised of a matrix of federal civil, commercial and criminal laws and regulations, together with the various regulatory and Supervisory Authorities responsible for their implementation and enforcement, and various local civil and commercial legislative and regulatory frameworks in the Financial and Commercial Free Zones. As criminal legislation is under federal jurisdiction throughout the State, including the Financial and Commercial Free Zones, the crimes of money laundering, the financing of terrorism, and the financing of illegal organisations are covered under federal criminal statutes and the federal penal code. Likewise, federal legislation and implementing regulations on the combating of these crimes are in force throughout the UAE, including the Financial and Commercial Free Zones. Their implementation and enforcement are the responsibility of the relevant regulatory and Supervisory Authorities in either the federal or local jurisdictions.

            The principal AML/CFT legislation within the State is Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (the “AML-CFT Law” or “the Law”) and implementing regulation, Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the “AML-CFT Decision” or “the Cabinet Decision”).

            The UAE issued Cabinet UBO Resolution No. 58 of 2020 on the Regulation of the Procedures of the Real Beneficiary (UBO Resolution) which came into effect on 28 August 2020 and replaced Cabinet Resolution No. 34 of 2020 issued earlier this year.

            The UBO Resolution introduces the requirement for a beneficial ownership register in the UAE mainland and unifies the minimum disclosure requirements for corporate entities incorporated in the UAE mainland and in the non-financial free zones. Financial free zones (Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC)) and companies owned by the Federal Government and their subsidiaries are not covered by the UBO Resolution.

          • 2.2 International Legislative and Regulatory Framework

            The AML/CFT legislative and regulatory framework of the UAE is part of a larger international AML/CFT legislative and regulatory framework made up of a system of intergovernmental legislative bodies and international and regional regulatory organisations. On the basis of international treaties and conventions in relation to combating money laundering, the financing of terrorism and the prevention and suppression of the proliferation of weapons of mass destruction, intergovernmental legislative bodies create laws at the international level, which participating member countries then transpose into their national counterparts. In parallel, international and regional regulatory organisations develop policies and recommend, assess and monitor the implementation by participating member countries of international regulatory standards in respect of AML/CFT.

            Among the major intergovernmental legislative bodies, and international and regional regulatory organisations, with which the government and the Competent Authorities of the State actively collaborate within the sphere of the international AML/CFT framework are:

            The United Nations (UN): The UN is the international organization with the broadest range of membership. Founded in October of 1945, there are currently 191 member states of the UN from throughout the world. The UN actively operates a program to fight money laundering, the Global Programme against Money Laundering (GPML), which is headquartered in Vienna, Austria, and is part of the UN Office of Drugs and Crime (UNODC).
             
            The Financial Action Task Force (FATF): The Financial Action Task Force (FATF) is an intergovernmental body established in 1989, which sets international standards and promotes effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. FATF also monitors the implementation of its standards, the 40 FATF Recommendations and 11 Immediate Outcomes, by its members and members of FSRBs, and ensures that the ‘FATF Methodology’ for assessing technical compliance with the FATF Recommendations and the effectiveness of AML/CFT systems is properly applied.
             
            The Middle East and North Africa Financial Action Task Force (MENAFATF): Recognizing the FATF 40 Recommendations on Combating Money Laundering and the Financing of Terrorism and Proliferation, and the related UN Conventions and UN Security Council Resolutions, as the worldwide-accepted international standards in the fight against money laundering and the financing of terrorism and proliferation, MENAFATF was established in 2004 as a FATF Style Regional Body (FSRB), for the purpose of fostering co-operation and co-ordination between the countries of the MENA region in establishing an effective system of compliance with those standards. The UAE is one of the founding members of MENAFATF.
             
            The Egmont Group of Financial Intelligence Units: In 1995, a number of FIUs began working together and formed the Egmont Group of Financial Intelligence Units (Egmont Group) (named for the location of its first meeting at the Egmont-Arenberg Palace in Brussels). The purpose of the group is to provide a forum for FIUs to improve support for each of their national AML/CFT programs and to coordinate AML/CFT initiatives. This support includes expanding and systematizing the exchange of financial intelligence information, improving expertise and capabilities of personnel, and fostering better communication among FIUs through technology, and helping to develop FIUs worldwide.
             
          • 2.3 AML/CFT National Strategy Framework

            Money laundering and the financing of terrorism are crimes that threaten the security, stability and integrity of the global economic and financial system, and of society as a whole. The estimated volume of the proceeds of crime, including the financing of terrorism, that are laundered each year is between 2-5% of global GDP. Yet, by some estimates, the volume of criminal proceeds that are actually seized is in the range of only 2% of the total, while roughly only half of that amount eventually ends up being confiscated by competent judicial authorities. Combating money laundering and the financing of terrorist activities is therefore an urgent priority in the global fight against organised crime.

            The UAE is deeply committed to combating money laundering and the financing of terrorism and illegal organisations. To this end, the Competent Authorities have established the appropriate legislative, regulatory and institutional frameworks for the prevention, detection and deterrence of financial crimes, including ML/FT. They also continue to work towards reinforcing the capabilities of the resources committed to these efforts, and towards improving their effectiveness by implementing the internationally accepted AML/CFT standards recommended and promoted by FATF, MENAFATF and the other FSRBs, as well as by the United Nations, the World Bank and the International Monetary Fund (IMF).

            As part of these efforts, the Competent Authorities of the UAE have taken a number of substantive actions, including among others:

            Enhancing the federal legislative and regulatory framework, embodied by the introduction of the new AML/CFT Law and Cabinet Decision, which incorporate the FATF standards;
             
            Conducting the National Risk Assessment (NRA) to identify and assess the ML/FT threats and inherent vulnerabilities to which the country is exposed, as well as to assess its capacity in regard to combating ML/FT at the national level;
             
            Formulating a National AML/CFT Strategy and Action Plan that incorporate the results of the NRA and which are designed to ensure the effective implementation, supervision, and continuous improvement of a national framework for the combating of ML/FT, as well as to provide the necessary strategic and tactical direction to the country’s public and private sector institutions in this regard.
             

            The National Strategy on Anti-Money Laundering and Countering the Financing of Terrorism of the United Arab Emirates is based on four pillars, each of which is associated with its own strategic priorities. These strategic priorities in turn inform and shape the key initiatives of the country’s National Action Plan on AML/CFT.

            The pillars of the National Strategy, together with their strategic priorities are summarised in the table below:

            | National AML/CFT Strategic Pillars | Strategic Priorities |
            | --- | --- |
            | Legislative & Regulatory Measures | Increase effectiveness and efficiency of legislative and regulatory policies and ensure compliance |
            | Transparent Analysis of Intelligence | Leverage the use of financial databases and the development of information analysis systems to enhance the transparent analysis and dissemination of financial intelligence information |
            | Domestic and International Cooperation & Coordination | Promote the efficiency and effectiveness of domestic and international coordination and cooperation with regard to the availability and exchange of information |
            | Compliance and Law Enforcement | Ensure the effective investigation and prosecution of ML/FT crimes and the timely implementation of TFS |

             

            The National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations has identified a number of key drivers of success in achieving the goals of the National AML/CFT Strategy. These include, among other things, ensuring:

            Effective coordination between the Financial Intelligence Unit, Law Enforcement Authorities, Public Prosecutors, Supervisory Authorities, and other Competent Authorities within the country;
             
            Effective compliance with the laws and regulations governing banking activities and other financial services;
             
            Awareness by FIs of the relevant ML/FT risks facing the UAE in general, and their sectors in particular, as informed by the results of the NRA, as well as their awareness of their statutory obligations in regard to the management and mitigation of those risks.  
             

            The present Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions are thus intended to advance the efforts of the Committee, the Supervisory Authorities, and the other Competent Authorities of the State in this direction.

        • 3. Highlights of Key Provisions Affecting Financial Institutions

          The AML-CFT Law and the AML-CFT Decision contain numerous provisions setting out the rights and obligations of supervised institutions, including Financial Institutions, as well as their senior managers and employees. This section highlights some of the key provisions affecting FIs that are of immediate concern. FIs are reminded that it is their sole responsibility to adhere to all provisions of the AML-CFT Law, the AML-CFT Decision, and all regulatory notices, rulings and circulars affecting them.

          • 3.2 Confidentiality and Data Protection

            (AML-CFT Law Article 15; AML-CFT Decision Articles 17.2, 21.2, 31.3, 39)

            Financial Institutions are obliged to report to the UAE’s Financial Intelligence Unit (FIU) when they have reasonable grounds to suspect a transaction or funds representing all or some proceeds, or suspicion of their relationship to a Crime (see Section 7, Suspicious Transaction Reporting). In reporting their suspicions, they must maintain confidentiality with regard to both the information being reported and to the act of reporting itself, and make reasonable efforts to ensure the information and data reported are protected from access by any unauthorised person.

            It should be noted that the confidentiality requirement does not pertain to communication within the FI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention or reporting of a Crime. However, under no circumstances are FIs, or their managers or employees, permitted to inform a Customer or the representative of a Business Relationship, either directly or indirectly, that a report has been made, under penalty of sanctions (see Section 3.9, Sanctions against Persons Violating Obligations). This is the so-called “tipping off” requirement. This also extends to any related information that might be provided to the FIU or information that is being requested by the FIU.

            FIs are not permitted to object to the statutory reporting of suspicions on the grounds of Customer confidentiality or data privacy, under penalty of sanctions. Moreover, data protection laws include provisions that allow the FI to report to the authorities (see Section 3.9, Sanctions against Persons Violating Obligations).

          • 3.3 Protection against Liability for Reporting Persons

            (AML-CFT Law Article 27; AML-CFT Decision Article 17.3)

            The AML-CFT Law and the AML-CFT Decision provide Financial Institutions, as well as their board members, employees and authorised representatives, with protection from any administrative, civil or criminal liability resulting from their good-faith performance of their statutory obligation to report suspicious activity to the FIU. This protection is also applicable if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred.

          • 3.4 Statutory Prohibitions

            (AML-CFT Law Article 16.1(c); AML-CFT Decision Articles 13.1, 14, 35.4, 38)

            Financial Institutions are prohibited from the following activities:

            Establishing or maintaining any Customer or Business Relationship, conducting any financial or commercial transactions, keeping any accounts under an anonymous or fictitious name or by pseudonym or number;
             
            Establishing or maintaining a Business Relationship or executing any transaction in the event they are unable to complete adequate risk-based CDD measures in respect of the Customer for any reason;
             
            Dealing in any way with Shell Banks, whether to open (correspondent) bank accounts in their names, or to accept funds or deposits from them;
             
            Invoking banking, professional or contractual secrecy as a pretext for refusing to perform their statutory reporting obligation in regard to suspicious activity;
             
            Issuing or dealing in bearer shares or bearer share warrants.
             
          • 3.5 Money Laundering

            (AML-CFT Law Articles 2.1-3, 4, 29.3, AML-CFT Decision Article 1)

            The AML-CFT Law defines money laundering as engaging in any of the following acts wilfully, having knowledge that the funds are the proceeds of a felony or a misdemeanour (i.e., a predicate offence):

            Transferring or moving proceeds or conducting any transaction with the aim of concealing or disguising their illegal source;
             
            Concealing or disguising the true nature, source or location of the proceeds as well as the method involving their disposition, movement, ownership of or rights with respect to said proceeds;
             
            Acquiring, possessing or using proceeds upon receipt;
             
            Assisting the perpetrator of the predicate offense to escape punishment.
             

            Both the AML-CFT Law and the AML-CFT Decision define “funds” in a very broad sense as “assets in whatever form, whether tangible, intangible, movable or immovable including national currency, foreign currencies, documents or notes evidencing the ownership of those assets or associated rights in any forms including electronic or digital forms or any interests, profits or income originating or earned from these assets.” They likewise define “proceeds” as “funds generated directly or indirectly from the commitment of any crime or felony including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.”

            Therefore, to be considered money laundering, the above-stipulated acts need not involve money or monetary instruments per se; they may involve any number of tangible or intangible assets, such as, but not limited to:

            Funds in bank or other financial accounts, including so-called virtual or crypto currencies;
             
            Financial instruments or securities, such as shares, bonds, notes, commercial paper, promissory notes, IOUs, share warrants, options, rights (including land rights), or other transferrable securities or bearer negotiable instruments;
             
            Contracts, loan instruments, titles, claims, insurance policies, or their assignment;
             
            Intellectual property (including but not limited to patents or registered trademarks), royalties, licenses, or the rights thereto;
             
            Physical property, including but not limited to commodities, land, precious metals and stones, motor vehicles or vessels, works of art, or any other goods exchanged as payment-in-kind.
             

            The size or monetary value of the financial or commercial transaction, the timeframe during which it took place, and the nature of the funds or proceeds (whether in liquid funds or some other tangible or intangible asset) are irrelevant to the suspicion and reporting of a suspicious transaction.

            The AML-CFT Law designates money laundering as a criminal offence. Its prosecution is independent of that of any predicate offence to which it is related or from which the proceeds are derived. The suspicion of money laundering is not dependent on proving that a predicate offence has actually occurred or on proving the illicit source of the proceeds involved, but can be inferred from certain information, including indicators or behavioural patterns.

            According to the 2018 National Risk Assessment, professional third-party money laundering has been identified as one of the top ML/FT threats in the UAE.

          • 3.6 Predicate Offences

            The AML-CFT Law defines a predicate offence as “any act constituting an offence or misdemeanour under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.” A predicate offence is therefore any crime, whether felony or misdemeanour, which is punishable in the UAE, regardless of whether it is committed within the State or in any other country in which it is also a criminal offence.

            FATF has designated 21 (twenty-one) categories of predicate offences. Each of these categories of predicate offences has been criminalised in the legislative framework of the State. FIs are reminded that this is not an exhaustive list of predicate offences, but simply a convenient categorisation, since in the UAE according to the AML-CFT Law, even crimes that do not appear on this list, whether felonies or misdemeanours, can be predicate offences to money laundering.

            Based on expert analysis of these categories conducted on behalf of the UAE’s Competent Authorities for the 2018 National Risk Assessment, the top (highest) threats to the State in relation to money laundering have been identified as: fraud, counterfeiting and piracy of products, illicit trafficking in narcotic drugs and psychotropic substances, and professional third-party money laundering.

            Similarly, other (medium-high) threats of particular concern to the UAE in relation to money laundering have been identified as the categories of: insider trading and market manipulation, robbery and theft, illicit trafficking in stolen and other goods, forgery, smuggling (including in relation to customs and excise duties and taxes), tax crimes (related to direct taxes and indirect taxes), and terrorism (including terrorist financing).

            While FIs should pay special attention to the most serious threats identified in the NRA and any topical risk assessment when performing their own ML/FT business risk assessments, they are reminded that their risk assessment operations should consider all categories of risk for applicability to their own particular circumstances.

          • 3.7 Financing of Terrorism

            (AML-CFT Law Articles 3.1, 4, 29.3, AML-CFT Decision Article 1)

            The AML-CFT Law designates the financing of terrorism as a criminal offence, which is not subject to the statute of limitations. It defines the financing of terrorism as:

            Committing any act of money laundering, being aware that the proceeds are wholly or partly owned by a terrorist organisation or terrorist person or intended to finance a terrorist organisation, a terrorist person or a terrorism crime, even if without the intention to conceal or disguise their illicit origin; or
             
            Providing, collecting, preparing or obtaining proceeds or facilitating their obtainment by others with intent to use them, or while knowing that such proceeds will be used in whole or in part for the commitment of a terrorist offense, or committing such acts on behalf of a terrorist organisation or a terrorist person while aware of their true background or purpose.
             

            There are numerous risk factors that FIs should consider important when assessing their exposure to the risk of terrorist financing (see Section 4.1.1, Risk Factors), including geographic-, sector-, channel-, product-, service- and customer-specific risks.

            In a 2019 report by MENAFATF, an assessment of the global threat posed by the financing of terrorism stated:

             “The number, type, scope, and structure of terrorist actors and the global terrorism threat are continuing to evolve. Recently, the nature of the global terrorism threat has intensified considerably. In addition to the threat posed by terrorist organisations such as ISIL, Al-Qaeda and other groups, attacks in many cities across the globe are carried out by individual terrorists and terrorist cells ranging in size and complexity. Commensurate with the evolving nature of global terrorism, the methods used by terrorist groups and individual terrorists to fulfil their basic need to generate and manage funds is also evolving.
             
             Terrorist organisations use funds for operations (terrorist attacks and pre-operational surveillance); propaganda and recruitment; training; salaries and member compensation; and social services. These financial requirements are usually high for large terrorist organisations, particularly those that aim to, or do, control territory. In contrast, the financial requirements of individual terrorists or small cells are much lower with funds primarily used to carry out attacks. Irrespective of the differences between terrorist groups or individual terrorists, since funds are directly linked to operational capability, all terrorist groups and individual terrorists seek to ensure adequate funds generation and management.”1
             

            1 Social Media and Terrorism Financing: A joint project by Asia/Pacific Group on Money Laundering & Middle East and North Africa Financial Action Task Force, APG/MENAFATF, January 2019, p.4.

          • 3.8 Financing of Illegal Organisations

            (AML-CFT Law Articles 3.2, 4, 29.3, AML-CFT Decision Article 1)

            Like the financing of terrorism, the AML-CFT Law designates the financing of illegal organisations as a criminal offence that is not subject to the statute of limitations. The Law defines the financing of illegal organisations as:

            Committing any act of money laundering, being aware that the proceeds are wholly or partly owned by an illegal organisation or by any person belonging to an illegal organisation or intended to finance such illegal organisation or any person belonging to it, even if without the intention to conceal or disguise their illicit origin.
             
            Providing, collecting, preparing, obtaining proceeds or facilitating their obtainment by others with intent to use such proceeds, or while knowing that such proceeds will be used in whole or in part for the benefit of an illegal organisation or of any of its members, with knowledge of its true identity or purpose.
             
            When assessing their risk exposure to the financing of illegal organisations, FIs should pay special attention to the regulatory disclosure, accounting, financial reporting and audit requirements of organisations with which they conduct Business Relationships or transactions. This is particularly important where non-profit, community/social, or religious/cultural organisations are involved, especially when those organisations are based, or have significant operations, in jurisdictions that are unfamiliar or in which transparency or access to information may be limited for any reason.
             
          • 3.9 The ML Phases

            To identify, understand and accurately assess the ML/FT risks to which FIs are exposed at both the enterprise and business relationship levels, FIs should be aware of the three phases of money laundering. Determining the ML/FT phase in which a certain product, or the FI itself, can be misused will help the FI understand its specific inherent ML/FT risks. The paragraphs below describe the crime of money laundering as consisting of three distinct (though sometimes overlapping) phases:

            Placement. In this phase, criminals attempt to introduce Funds or the Proceeds of Crime into the financial system using a variety of techniques or typologies (see Section 3.10, ML/FT Typologies).

             Examples of placement transactions include the following:
             
            Blending of funds: Commingling of illegitimate funds with legitimate funds, such as placing the cash from illegal narcotics sales into cash-intensive, locally owned businesses.
            Foreign exchange: Purchasing of foreign exchange with illegal funds.
            Breaking up amounts: Placing cash in small amounts and depositing them into numerous bank accounts in an attempt to evade attention or reporting requirements.
            Currency smuggling: Cross-border physical movement of cash or monetary instruments.
            Loans: Repayment of legitimate loans using laundered cash.
             

            Layering. Once the Funds or Proceeds are introduced, or placed, into the financial system, they can proceed to the next phase of the process; often, this is accomplished by placing the funds into circulation through formal financial institutions, and other legitimate businesses, both domestic and international. In this layering phase, criminals attempt to disguise the illicit nature of the Funds or Proceeds of Crime by engaging in transactions, or layers of transactions, which aim to conceal their origin.

            Examples of layering transactions include:

             
              
            Electronically moving funds from one country to another and dividing them into advanced financial options and/or markets;
            Moving funds from one financial institution to another or within accounts at the same institution;
            Converting the cash placed into monetary instruments;
            Reselling high-value goods and prepaid access/stored value products;
            Investing in real estate and other legitimate businesses;
            Placing money in stocks, bonds or life insurance products; and
            Using shell companies to obscure the ultimate beneficial owner and assets.
             

            Integration. In this phase, criminals attempt to return, or integrate, their “laundered” Funds or the Proceeds of Crime back into the economy, or to use them to commit new criminal offences, through transactions or activities that appear to be legitimate.

            A key objective for criminals engaged in money laundering—and therefore a key generic risk underlying the specific risks faced by FIs—is the exploitation of situations and factors (including products, services, structures, transactions, and geographic locations) which favour anonymity and complexity, thereby facilitating a break in the “paper trail” and concealment of the illicit source of the Funds.

            Although the sizes of transactions related to the financing of terrorism and illegal organisations can be (much) smaller than those involved in money laundering operations, and some of the typologies and specific techniques used may differ, the overall principles and generic risks are the same. The terrorists and criminals involved in these acts attempt to exploit situations and factors favouring anonymity and complexity, in order to obscure and conceal the illicit source of the Funds, or the illicit destination or purpose for which they are intended, or both. FIs should remain careful that their services are not being used either directly or indirectly to facilitate Money Laundering or the Financing of Terrorism or Illegal Organisations in any of the three stages described above.

          • 3.10 ML/FT Typologies

            The methods used by criminals for money laundering, the financing of terrorism, and the financing of illegal organisations are continually evolving and becoming more sophisticated. It is therefore critical in combating these crimes for FIs to ensure that their personnel are kept up-to-date on the latest ML/FT trends and typologies.

            There are numerous useful sources of research and information related to ML/FT typologies, including by the Supervisory Authorities, the FATF, MENAFATF and other FSRBs, the Egmont Group, and others. FIs should incorporate the regular review of ML/FT trends and typologies into their compliance training programmes (see Section 8.2, Staff Screening and Training), as well as into their risk identification and assessment procedures.

            Examples of some of the key ML/FT typologies with which FIs should be familiar include (but are not limited to):

             
              
            Currency exchanges / cash conversion: used to assist with smuggling to another jurisdiction or to exploit low reporting requirements on currency exchange houses to minimize risk of detection – e.g., purchasing of travellers cheques to transport value to another jurisdiction.
            Cash couriers / currency smuggling: concealed movement of currency to avoid transaction / cash reporting measures.
            Structuring (smurfing): A method involving numerous transactions (deposits, withdrawals, transfers), often various people, high volumes of small transactions and sometimes numerous accounts to avoid detection threshold reporting obligations.
            Use of credit cards, cheques, promissory notes, etc.: Used as instruments to access funds held in a financial institution, often in another jurisdiction.
            Purchase of portable valuable commodities (gems, precious metals, etc.): A technique to purchase instruments to conceal ownership or move value without detection and avoid AML/CFT measures – e.g., movement of diamonds or gold to another jurisdiction.
            Purchase of valuable assets (real estate, race horses, vehicles, etc.): Criminal proceeds are invested in high-value negotiable goods to take advantage of reduced reporting requirements to obscure the source of proceeds of crime.
            Commodity exchanges (barter): Avoiding the use of money or financial instruments in value transactions to avoid AML/CFT measures - e.g., a direct exchange of heroin for gold bullion.
            Use of wire transfers: to electronically transfer funds between financial institutions and often to another jurisdiction to avoid detection and confiscation.
            Underground banking / unlicensed remittance services: Illegal mechanisms based on networks of trust used to remit monies, without the proper license or registration. Often work in parallel with the traditional banking sector and exploited by money launderers and terrorist financiers to move value without detection and to obscure the identity of those controlling funds.
            Trade-based money laundering and terrorist financing: usually involves invoice manipulation and uses trade finance routes and commodities to avoid financial transparency laws and regulations.
            Abuse of non-profit organizations (NPOs): May be used to raise terrorist funds, obscure the source and nature of funds and to distribute funds for terrorist activities.
            Investment in capital markets: to obscure the source of proceeds of crime to purchase negotiable instruments, often exploiting relatively low reporting requirements.
            Mingling (business investment): A key step in money laundering involves combining proceeds of crime with legitimate business monies to obscure the illegal source of the funds.
            Use of shell companies/corporations: a technique to obscure the identity of persons controlling funds and exploit relatively low reporting requirements.
            Use of offshore banks/businesses, including trust company service providers: to obscure the identity of persons controlling funds and to move monies away from interdiction by domestic authorities.
            Use of nominees, trusts, family members or third parties, etc: to obscure the identity of persons controlling illicit funds.
            Use of foreign bank accounts: to move funds away from interdiction by domestic authorities and obscure the identity of persons controlling illicit funds.
            Identity fraud / false identification: used to obscure the identity of those involved in many methods of money laundering and terrorist financing.
            Use of “gatekeepers” professional services (lawyers, accountants, brokers, etc.): to obscure the identity of beneficiaries and the illicit source of funds. May also include corrupt professionals who offer ‘specialist’ money laundering services to criminals.
            New Payment technologies: use of emerging payment technologies for money laundering and terrorist financing. Examples include cell phone-based remittance and payment systems.
            Virtual assets: Virtual assets (VA) and related services have the potential to spur financial innovation and efficiency, but their distinct features also create new opportunities for money launderers, terrorist financiers, and other criminals to launder their proceeds or finance their illicit activities. FIs may refer to the FATF Recommendations that place AML/CFT requirements on Virtual Assets (VA) and Virtual Asset Service Providers (VASPs). The FATF has also issued a document on Guidance on Risk Based Approach to VAs and VASPs. FIs should be familiar with the AML/CFT risks of dealing with VAs and VASPs in accordance with the FATF guidance.
            Life insurance products: can, for instance, be used for money laundering when they have saving or investment features, which may include the options for full or partial withdrawals or early surrenders.
            General insurance product: there are several cases where the early cancellation of policies with return of premium has been used to launder money.
             A number of policies entered into by the same insurer/intermediary for small amounts and then cancelled at the same time;
             Return premium being credited to an account different from the original account;
             Requests for return premiums in currencies different from the original premium;
             Regular purchase and cancellation of policies.
            Overpayment of premiums: arranging for excessive numbers or excessively high values of insurance reimbursements by cheque or wire transfer to be made. In this method, the launderer may arrange for insurance of the legitimate assets and ‘accidentally’, but on a recurring basis, significantly overpay his premiums and request a refund for the excess.
             

            The UAE FIU releases reports on Trends and Typologies of Money Laundering, which are analyses based on the information extracted from the suspicious transaction reports (STRs) filed by reporting entities. These reports are a very useful resource for FIs for understanding the prevalent typologies of ML and FT crimes, as well as for obtaining information on the latest trends in these crimes in the country. They are released on the FIU’s GoAML System for STR reporting and are therefore accessible to registered users of this system.

            Links to some other official sources, which may be useful in keeping up-to-date with regard to ML/FT typologies, may be found in Appendix 11.2.

          • 3.11 Sanctions against Persons Violating Reporting Obligations

            (AML-CFT Law Articles 15, 24, 25)

            The AML-CFT Law provides for the following sanctions against any Financial Institutions, their managers or their employees, who fail to perform, whether purposely or through gross negligence, their statutory obligation to report a suspicion of money laundering or the financing of terrorism or of illegal organisations:

            Imprisonment and fine of no less than AED100,000 and no more than AED1,000,000; or
             
            Any of these two sanctions.
             

            According to Article 15 of the AML-CFT Law, the requirement to report applies in the case of suspicion or reasonable grounds to suspect a Crime. It should also be noted that the transactions or funds that are the subject of the suspicion may represent only part of the proceeds of the criminal offence, regardless of their value.

            Likewise, the AML-CFT Law provides for sanctions against anyone who warns or notifies a person of a suspicious transaction report or reveals that a transaction is under review or investigation by the Competent Authorities, as follows:

            Imprisonment for no less than six months and a penalty of no less than AED100,000 and no more than AED500,000; or
             
            Any of these two sanctions.
             
      • Part II—Identification and Assessment of ML/FT Risks

        • 4. Identification and Assessment of ML/FT Risks

          (AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1)

          Both the AML-CFT Law and the AML-CFT Decision provide that FIs may utilize a risk-based approach with respect to the identification and assessment of ML/FT risks.

          FIs are obliged to assess and to understand the ML/FT risks to which they are exposed, and how they may be affected by those risks. Specifically, the AML-CFT Law provides that they shall:

           “…continuously assess, document, and update such assessment based on the various risk factors established in the Implementing Regulation of this Decree-Law and maintain a risk identification and assessment analysis with its supporting data to be provided to the Supervisory Authority upon request.”
           

          Furthermore, the AML-CFT Decision charges supervised institutions with:

           “…Documenting risk assessment operations, keeping them up to date on on-going bases and making them available upon request.”
           

          Guidance on these subjects is provided in the following sections.

          • 4.1 Risk-Based Approach (RBA)

            A risk-based approach (RBA) is central to the effective implementation of the AML/CFT legislation. It means that FIs identify, assess, and understand the ML/TF risks to which they are exposed, and implement the most appropriate mitigation measures. An RBA requires financial institutions to have systems and controls that are commensurate with the specific risks of money laundering and terrorist financing facing them. Assessing this risk is, therefore, one of the most important steps in creating a good AML/CFT compliance program and will enable FIs to focus their resources where the risks are higher. In this regard, FIs can take into account their business nature, size and complexity.

            (AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1-3)

            Implicit in both the AML-CFT Law and the AML-CFT Decision is the well-established concept of a risk-based approach (RBA) to the identification and assessment of ML/FT risks. Specifically, the AML-CFT Law states that FIs should “identify crime risks within (their) scope of work” and should update their risk assessments on the basis of the various risk factors set out in the AML-CFT Decision. Likewise, the AML-CFT Decision states that FIs’ identification, assessment and understanding of the risks should be carried out “in concert with their business nature and size,” and that various risk factors should be considered in determining the level of mitigation required. The AML-CFT Decision further provides that enhanced due diligence should be performed in cases where high risks are identified, while simplified due diligence may be performed in certain cases where low risk is identified, unless there is a suspicion of ML/FT.

            An RBA to AML/CFT means that FIs should identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively. This will require an understanding of the ML/TF risks faced by the UAE (national risks), the risks faced by the sector and by the FI, as well as specific products and services, customer base, the capacity in which customers are operating, the jurisdictions in which they operate, the delivery channel and the effectiveness of the risk controls put in place.

            The use of an RBA thus allows FIs to allocate their resources more efficiently and effectively, within the scope of the national AML/CFT legislative and regulatory framework, by adopting and applying preventative measures that are targeted at and commensurate with the nature of risks they face.

            There are limits to any risk-management approach, and no RBA can be considered completely failsafe; there may be occasions where an FI has taken all reasonable measures to identify and mitigate ML/TF risks, but is still used for ML/TF in isolated instances. FIs should nevertheless understand that a risk-based approach is not a justification for ignoring certain ML/FT risks, nor does it exempt them from taking reasonable and proportionate mitigation measures, even for risks that are assessed as low. Their statutory obligations require them to identify, assess and understand the level of (inherent) risks presented by their (types of) customers, products and services, transactions, geographic areas and delivery channels, and to be in a position to apply sufficient AML/CFT mitigation measures on a risk-appropriate basis at all times.

            In order to do so, they should identify and assess their exposure to ML/FT risks on the basis of a variety of risk factors (see Section 4.1, Risk Factors), some of which are related to the nature, size, complexity and operational environment of their businesses, and others of which are customer- or relationship-specific. Furthermore, they should take reasonable and proportionate risk mitigation measures based on the severity of the risks identified.

            Conducting an ML/TF business risk assessment can assist FIs in understanding their risk exposure and the areas to which they should give priority in combating ML/FT. The extent of business-wide risks to which an FI is exposed may require different levels of AML/CFT resources and mitigation strategies.

            The following picture is a schematic overview of the RBA process, from an ML/TF business risk assessment, through the development of policies, procedures and measures, to CDD and the reporting of suspicious transactions.

            [Figure: schematic overview of the RBA process]

            • 4.1.1 Assessing Business-wide Risks

              (AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1)

              An important first step in applying an RBA is to identify, assess and understand the ML/FT risks by way of an ML/FT risk assessment of the entire business. The purpose of such an ML/FT business risk assessment is to improve the effectiveness of ML/FT risk management, by identifying the inherent ML/FT risks faced by the enterprise as a whole, determining how these risks are effectively mitigated through internal policies, procedures and controls, and establishing the residual ML/FT risks and any gaps in the controls that should be addressed.

              Thus, an effective ML/TF business risk assessment can allow FIs to identify gaps and opportunities for improvement in their framework of internal AML/CFT policies, procedures and controls, as well as to make informed management decisions about risk appetite, allocation of AML/CFT resources, and ML/FT risk-mitigation strategies that are appropriately aligned with residual risks.

              The first step of conducting an ML/TF business risk assessment for FIs is to identify, assess and understand the inherent ML/FT risks (i.e., the risks that an FI would be exposed to if there were no control measures in place to mitigate them) across all business lines and processes with respect to the following risk factors: customers, products, services and transactions, delivery channels, geographic locations, and any other risk factors.

              With the inherent risks as a basis, the FI can determine the nature and intensity of risk mitigating controls to apply to the inherent risks. The level of inherent ML/FT risks influences the kinds and levels of AML/CFT resources and mitigation strategies that FIs need to put in place. The assessment of inherent ML/FT risks and of the effectiveness of the risk mitigation measures will result in a residual risk assessment, i.e., the risks that remain when effective control measures are in place. In case the residual risk falls outside the risk appetite of the FI, additional control measures will need to be implemented to ensure that the level of ML/FT risk is acceptable to the FI.

              FIs may utilise a variety of models or methodologies to analyse their risks, in keeping with the nature and size of their businesses. FIs should decide on both the frequency and methodology of an ML/FT business risk assessment, including baseline and follow-up assessments, that are appropriate to their particular circumstances, taking into consideration the nature of the inherent and residual ML/FT risks to which they are exposed, as well as the results of the NRA and Topical Risk Assessments. In most cases, FIs should consider performing the ML/FT business risk assessment at least annually; however, assessments that are more frequent or less frequent may be justified, depending on the particular circumstances. They should also decide on policies and procedures related to the periodic review of their ML/TF business risk assessment methodology, taking into consideration changes in internal or external factors. These decisions should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

              As part of the model or methodology, FIs should consider including in their ML/FT risk assessment the following elements:

              Likelihood or probability of occurrence of identified inherent risks;
               
              Timing of identified inherent risks;
               
              Impact on the organisation of identified inherent risks.
               

              The result of an effective ML/FT business risk assessment will be the classification of identified risks into different categories, such as high, medium, low, or some combination of those categories (such as medium-high, medium-low). Such classifications may assist FIs to prioritise their ML/FT risk exposures more effectively, so that they may determine the appropriate types and levels of AML/CFT resources needed, and adopt and apply reasonable and risk-proportionate mitigation measures.

            • 4.1.2 Risk Factors

              As part of the business-wide ML/TF risk assessment, a proper identification of risk factors is crucial to the effective assessment of ML/FT risk. Risks will often occur as combinations of these risk factors. A risk can for instance occur because of the interrelationship between a customer and the jurisdictions where the customer is from or is active, or because of the connection between a product and the delivery channel.

              Identified risk factors are used for the accurate categorisation of inherent risks, as well as for the application of appropriate mitigation measures. At the enterprise level, this includes adopting and applying adequate policies, procedures, and controls to business processes (see Section 5.1, Internal Policies, Controls and Procedures). The policies, procedures, and controls will in turn address the risks at the individual customer level, including assigning appropriate risk classifications to customers and applying due diligence measures that are commensurate with the identified risks (see Section 6, Customer Due Diligence).

              The AML-CFT Decision outlines several risk factors which FIs must consider, when identifying and assessing their ML/FT risk exposure. FIs may also consider a wide array of additional risk factors, utilising various sources, such as:

              ML/FT red-flag indicators;
               
              Input and information from relevant internal sources, including the designated AML/CFT compliance officer;
               
              Information from national sources, including the results of the NRA or any Topical Risk Assessment with regard to ML/FT trends and sectoral threats and notices or circulars from the relevant Supervisory Authorities;
               
              Information from publications of relevant international organisations, such as FATF, MENAFATF and other FSRBs, the Egmont Group, UNODC, and others. (Links to some of these sources may be found in Appendix 11.2.)
               

              In keeping with the ever-evolving nature of ML/FT risks, and in order to ensure that FIs implement a model for conducting the ML/TF business risk assessment that is appropriate to the nature and size of their businesses, FIs should continuously update the risk factors which they consider, in order to reflect new and emerging ML/FT risks and typologies.

              A good practice to assess the inherent risk factors is for FIs to formulate risk scenarios and assess the likelihood that a scenario occurs and the impact should a scenario materialize. The likelihood can be assessed based on the number of times per year that a risk scenario can occur. The impact can be assessed based on the possible financial and reputational effects that can result if a scenario indeed occurs. In this way, the FI can determine the inherent risks of a risk factor.

              When assessing the inherent risks, an FI should make an inventory of the customers it services and the products and services it offers, and define the scope of business areas to assess, including business units, legal entities, divisions, countries and regions. For this, an FI should make use of up-to-date quantitative and qualitative information on, for instance, the types and number of customers, the volume of operations for the types of customers, the volume of business per product and service, and geographic locations.

              Examples with regard to some of the major risk factors that should be taken into account by FIs when conducting the ML/TF business risk assessment are provided in the sections below. Even though some of these risk factors will also be relevant for the risk assessment of an individual Customer or Business Relationship, for the ML/TF business risk assessment, FIs are reminded that they should take a holistic view when evaluating exposure to these categories of customers.

            • 4.1.3 Customer Risk

              The customer risk factors relate to types or categories of customers. Certain customer or business relationship categories pose a risk that should be taken into account when assessing the overall level of inherent customer risk. When identifying certain categories of customers as inherently high risk, FIs should also consider the results of the NRA or any Topical Risk Assessment, as well as information from official sources, including the Supervisory Authorities, the FIU, the FATF, MENAFATF and other FSRBs, the Egmont Group, etc.

              When assessing the customer risk factors with respect to the business-wide ML/FT risk assessment, an FI can take into account:

              Type of customers: The risks related to retail customers in combination with their product/service needs may be different from those related to high net worth or corporate customers and their respective product/service needs. Likewise, the risks associated with resident customers may be different from those associated with non-resident customers.
               
              Customer base. FIs with small, homogenous customer bases may face different risks from those with larger, more diverse customer bases. Similarly, FIs targeting growing or emerging markets may face different customer risks than those with more established customer bases.
               
              Maturity of relationship. FIs that rely on more transactional, occasional, or one-off interactions with their customers may be exposed to different risks from institutions with more repetitive or long-term business relationships.
               

              The specific customer risk factors that FIs should consider include:

              Categories of business relationships with complex legal, ownership, or direct or indirect group or network structures, or with less transparency with regard to Beneficial Ownership, effective control, or tax residency, may pose different ML/FT risks than those with simpler legal/ownership structures or with greater transparency.
               
              Categories of Customers involved in highly regulated and supervised activities and those involved in activities that are unregulated.
               
              Customers associated with higher-risk persons or professions (for example, foreign PEPs and/or their companies), or those linked to sectors associated with higher ML/FT risks.
               
              Non-resident entities, particularly those with connections to offshore and high risk jurisdictions.
               
              Professionals (e.g., lawyers, accountants and TCSPs) acting as introducer or intermediary on behalf of customers or groups of customers (whereby there is no direct contact with the customer).
               
              High net worth individuals.
               
              Respondent banks from high risk countries.
               

              Some of these customer risk factors are also relevant when determining the customer risk classification of an individual customer and the type and extent of customer due diligence to be performed (see Section 6, Customer Due Diligence).

            • 4.1.4 Geographic Risk

              FIs should consider geographic ML/FT risk factors from both domestic and cross-border sources. These risks arise from: (i) the locations where the FI has offices, branches and subsidiaries and (ii) locations in which the customers reside or conduct their activities. Examples of some of these factors include:

              Regulatory/supervisory framework. Countries with stronger AML/CFT controls present a different level of risk than countries with weaker regulatory and supervisory frameworks, for instance countries identified by the FATF as jurisdictions with weak AML/CFT measures.
               
              International Sanctions. FIs should consider whether the countries or jurisdictions they deal with are the subject of international sanctions, such as targeted financial sanctions (TFS), UAE, OFAC, UN and EU restrictive measures, that could impact their ML/FT risk exposure and mitigation requirements.
               
              Reputation. FIs should consider whether the countries or jurisdictions they deal with are associated with higher or lower levels of ML/FT, corruption, and (lack of) transparency (particularly as regards financial and fiscal reporting, criminal and legal matters, and Beneficial Ownership, but also including such factors as freedom of information and the press).
               
              Combination with customers’ inherent risk factors. FIs should consider country risk in combination with customer risks, including the principal residential or operating locations of customers.
               
            • 4.1.5 Product-, Service-, Transaction-Related Risk

              When assessing the inherent ML/FT risks associated with product, service, and transaction types, an FI should take stock of its lines of business, products and services that are more vulnerable to ML/FT abuse. FIs should assess the inherent ML/FT risks of abuse of the products and services by their customers taking into account a number of factors such as their ease for holding and transferring value or their complexity and transparency. Some of the risk factors that FIs should consider, among others, are:

              Typology. FIs should consider whether the product, service, or transaction type is associated with any established ML/FT typologies (see Section 3.10, ML/FT Typologies).
               
              Complexity. Products, services, or transaction types that favour complexity, especially when that complexity is excessive or unnecessary, can often be exploited for the purpose of money laundering and/or the financing of terrorism or illegal organisations. FIs should consider the conceptual, operational, legal, technological and other complexities of the product, service, or transaction type. Those with higher complexity or greater dependencies on the interactions between multiple systems and/or market participants may expose FIs to different types and levels of ML/FT risk than those with lower complexity or with fewer dependencies on multiple systems and/or market participants.
               
              Transparency and transferability. Situations that favour anonymity can often be exploited for the purpose of ML/FT. FIs should consider the level of transparency and transferability of ownership or control of products, services, or transaction types, particularly in respect of the ability to monitor the identities and the roles/responsibilities of all parties involved at each stage. Special attention should be given to products, services, or transaction types in which funds can be pooled or co-mingled, or in which multiple or anonymous parties can have authority over the disposition of funds, or for which the transferability of Beneficial Ownership or control can be accomplished with relative ease and/or with limited disclosure of information.
               
              Size/value. Products, services, or transaction types with different size or value parameters or limits may pose different levels of ML/FT risk.
               
            • 4.1.6 Delivery Channel-Related Risk

              Different delivery channels for the acquisition and management of customers and business relationships, as well as for the delivery of products and services, entail different types and levels of ML/FT risk.

              When evaluating delivery channel-related risk, FIs should pay particular attention to those channels, whether related to customer acquisition and/or relationship management, or to product or service delivery, which have the potential to favour anonymity. Among others, these may include non-face-to-face channels (especially in cases where there are no safeguards in place such as electronic identification means), such as internet-, phone-, or other remote-access services or technologies; the use of third-party business introducers, intermediaries, agents or distributors; and the use of third-party payment, or other transaction intermediaries.

            • 4.1.7 Other Risk Factors

              Given the ever-evolving nature of ML/FT risks, new risks are constantly emerging, while existing ones may change in their relative importance due to legal or regulatory developments, changes in the marketplace, or as a result of new or disruptive products or technologies. For this reason, no list of risks can ever be considered as exhaustive.

              Nevertheless, additional factors that may present specific risks are, e.g., the introduction of new products or services, new technologies or delivery processes or the establishment of new branches and subsidiaries locally and abroad.

              In order to ensure, therefore, that FIs are in a position to review and update the ML/TF business risk assessment as well as mitigation measures, FIs should take into consideration the results of the NRA or any Topical Risk Assessment. They should also consult publications from official sources on a regular basis, including those of the relevant Supervisory Authorities, the FIU, the FATF, MENAFATF and other FSRBs, the Egmont Group, and others. Links to some of these sources may be found in Appendix 11.2.

              Examples of some of the types of additional risk factors which FIs may consider in identifying and assessing their ML/FT risk exposure include:

              Novelty/innovation. FIs should consider the depth of experience with and knowledge of the product, service, transaction, or channel type. Products, services, transaction, or delivery channel types that are new to the market or to the enterprise may not be as well understood as, and may therefore pose a different level of ML/FT risk than, more established ones. Likewise, products, services, transaction, or delivery channel types which are unexpected or unusual with respect to a particular type of customer may indicate a different level of potential ML/FT risk exposure than would more traditional or expected product, service, transaction, or channel types in regard to that same type of customer.
               
              Cyber security/distributed networks. FIs may consider evaluating the degree to which their operational processes and/or their customers expose them to the risk of exploitation for the purpose of professional third-party money laundering and/or the financing of terrorism or of illegal organisations, through cyber-attacks or through other means, such as the use of distributed technology or social networks. An example of such a risk is the recent dramatic increase in the global incidence of so-called CEO fraud, in which fraudsters troll companies with phishing e-mails that are purportedly from the CEO or other senior executives, and attempt to conduct fraudulent transactions or obtain sensitive data that can be used for criminal purposes.
               
            • 4.1.8 Assessing New Product and New Technologies Risks

              (AML-CFT Decision Article 23)

              As part of their obligation to update their ML/FT risk assessments on an ongoing basis, the AML-CFT Decision specifically requires FIs to “identify and assess the risks of money laundering and terrorism financing that may arise when developing new products and new professional practices, including means of providing new services and using new or under-development techniques for both new and existing products.”

              FIs must complete the assessment of such risks, and take the appropriate risk management measures, prior to launching new products and services, practices or techniques, or technologies. In general, they should integrate these ML/FT risk assessment and mitigation requirements into their new product, service, channel, or technology development processes.

              For the purpose of assessing the ML/FT risks associated with new products, services, practices, techniques, or technologies, FIs may consider utilising the same or similar risk assessment models or methodologies as those utilised for their ML/FT business risk assessments, updated as necessary for the particular circumstances. They should also document the new product, service, practice, technique, or technology risk assessments, in keeping with the nature and size of their businesses (see Section 4.6.1, Documentation, Updating and Analysis).

          • 4.2 Risk Assessment Methodology and Documentation

            (AML-CFT Law Article 16.1(a) and AML-CFT Decision Article 4.1)

            A well-documented assessment of the identified inherent risk factors (see Section 4.1, Risk Factors) is fundamental to the adoption and effective application of reasonable and proportionate ML/FT risk-mitigation measures. Thus, the result of such an ML/TF business risk assessment allows for a systematic categorisation and prioritization of inherent and residual ML/FT risks, which in turn allows FIs to determine the types and appropriate levels of AML/CFT resources needed for mitigation purposes.

            An effective ML/TF business risk assessment is not necessarily a complex one. The principle of a risk-based approach means that FIs’ risk assessments should be commensurate with the nature and size of their businesses. FIs with smaller or less complex business models may have simpler risk assessments than those of institutions with larger or more complex business models, which may require more sophisticated risk assessments.

            • 4.2.1 Risk Assessment Methodology

              (AML-CFT Decision Article 4.1(b))

              The AML-CFT Decision obliges FIs to document their risk assessment operations. FIs may utilise a variety of models or methodologies in assessing their ML/FT risk. FIs should determine the type and extent of the risk assessment methodology that they consider to be appropriate for the size and nature of their businesses, and should document the rationale for these decisions.

              To be effective, a risk assessment should be based on a methodology that:

              Is based on quantitative and qualitative data and information and makes use of internal meetings or interviews; internal questionnaires concerning risk identification and controls; review of internal audit reports;
               
              Reflects the FI’s management-approved AML/CFT risk appetite and strategy;
               
              Takes into consideration input from relevant internal sources, including input and views from the designated AML/CFT compliance officer and other relevant units like risk management and internal control;
               
              Takes into consideration relevant information (such as ML/FT trends and sectoral risks) from external sources, including the NRA or any Topical Risk Assessment, Supervisory and other Competent Authorities, and the FATF, MENAFATF and other FSRBs, the Egmont Group, and others where appropriate;
               
              Describes the weighting of risk factors, the classification of risks into different categories, and the prioritisation of risks.
               
              Evaluates the likelihood or probability of occurrence of identified ML/FT risks, and determines their timing and impact on the organization.
               
              Takes into account whether the AML/CFT controls are effective, specifically whether there are adequate controls to mitigate risks concerning customers, products, services, or transactions.
               
              Determines the effectiveness of the AML/CFT risk mitigating measures in place by using information such as audit and compliance reports or management information reports.
               
              Determines the residual risk as a result of the inherent risks and the effectiveness of the AML/CFT risk mitigating measures.
               
              Establishes, based on the residual risk and the risk appetite, whether additional AML/CFT controls have to be put in place.
               
              Determines the rationale and circumstances for approving and performing manual interventions or exceptions to model-based risk weightings or classifications.
               
              Is properly documented and maintained, regularly evaluated and updated, and communicated to management and relevant personnel within the organisation.
               
              Is tested and audited for the effectiveness and consistency of the risk methodology and its output with regard to statutory obligations.
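
The scenario practice in Section 4.1.2 and the methodology elements listed above can be combined in a small scenario register; the sketch below is an added illustration, not part of the guidance. The 1-5 scales, band cut-offs, factor weights, the rule "residual = inherent x (1 - control effectiveness)" and the sample scenarios are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Every scale, cut-off and weight here is an assumption made for illustration;
# the guidance leaves these choices to each FI.
LIKELIHOOD_CEILINGS = [(1, 1), (4, 2), (12, 3), (52, 4)]  # (max occurrences/year, score)
CLASSES = ["low", "medium-low", "medium", "medium-high", "high"]
CLASS_CEILINGS = [(4, "low"), (8, "medium-low"), (12, "medium"), (16, "medium-high")]
FACTOR_WEIGHTS = {"customer": 0.30, "geography": 0.25, "product": 0.25, "channel": 0.20}


@dataclass
class Override:
    classification: str
    rationale: str
    approved_by: str


@dataclass
class Scenario:
    name: str
    risk_factor: str
    occurrences_per_year: float
    financial_impact: int          # 1 (negligible) to 5 (severe)
    reputational_impact: int       # 1 (negligible) to 5 (severe)
    control_effectiveness: float   # 0.0 (no mitigation) to 1.0 (fully mitigated)
    override: Optional[Override] = None


def likelihood_score(occurrences_per_year):
    """Map an expected yearly frequency onto the assumed 1-5 likelihood scale."""
    for ceiling, score in LIKELIHOOD_CEILINGS:
        if occurrences_per_year <= ceiling:
            return score
    return 5


def classify(score):
    """Map a 0-25 risk score onto the five classification bands."""
    for ceiling, label in CLASS_CEILINGS:
        if score <= ceiling:
            return label
    return "high"


def assess(scenario, appetite):
    """Score one scenario: inherent risk, residual risk and fit with the risk appetite."""
    if scenario.risk_factor not in FACTOR_WEIGHTS:
        raise ValueError(f"unknown risk factor: {scenario.risk_factor}")
    if not 0.0 <= scenario.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must lie between 0 and 1")
    impacts = (scenario.financial_impact, scenario.reputational_impact)
    if not all(1 <= i <= 5 for i in impacts):
        raise ValueError("impact scores must lie between 1 and 5")
    inherent = likelihood_score(scenario.occurrences_per_year) * max(impacts)
    residual = round(inherent * (1.0 - scenario.control_effectiveness), 2)
    model_class = final_class = classify(residual)
    if scenario.override is not None:
        ov = scenario.override
        if ov.classification not in CLASSES:
            raise ValueError(f"unknown classification: {ov.classification}")
        # A manual exception to the model output must carry its rationale and approval.
        if not ov.rationale.strip() or not ov.approved_by.strip():
            raise ValueError("a manual override needs a documented rationale and approver")
        final_class = ov.classification
    within = CLASSES.index(final_class) <= CLASSES.index(appetite)
    return {"name": scenario.name, "risk_factor": scenario.risk_factor,
            "inherent": inherent, "inherent_class": classify(inherent),
            "residual": residual, "model_class": model_class,
            "final_class": final_class, "within_appetite": within,
            "additional_controls_needed": not within}


def assess_register(scenarios, appetite):
    """Assess all scenarios, prioritise them, and compute a weighted overall score."""
    results = [assess(s, appetite) for s in scenarios]
    results.sort(key=lambda r: (CLASSES.index(r["final_class"]), r["residual"]), reverse=True)
    overall = 0.0
    for factor, weight in FACTOR_WEIGHTS.items():
        worst = max((r["residual"] for r in results if r["risk_factor"] == factor), default=0.0)
        overall += weight * worst
    return results, round(overall, 3)


# Constructed sample register (not taken from the guidance).
SAMPLE_REGISTER = [
    Scenario("Non-resident corporate introduced by intermediary", "customer", 20, 4, 5, 0.5),
    Scenario("Remote onboarding without electronic identification", "channel", 60, 3, 3, 0.8),
    Scenario("Respondent bank in weakly supervised jurisdiction", "geography", 2, 5, 5, 0.25,
             Override("high", "Recent adverse supervisory notice on the jurisdiction",
                      "AML/CFT compliance officer")),
]

if __name__ == "__main__":
    ranked, overall = assess_register(SAMPLE_REGISTER, appetite="medium-low")
    for r in ranked:
        print(f'{r["final_class"]:<12} residual={r["residual"]:<5} '
              f'extra controls={r["additional_controls_needed"]}  {r["name"]}')
    print("weighted overall residual score:", overall)
```

Keeping both the model classification and the overridden one in the output gives auditors the record of manual interventions that the methodology list calls for.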
               
            • 4.2.2 Documentation and Updating

              (AML-CFT Law Article 16.1(a) and AML-CFT Decision Article 4.1(a)-(b))

              Documentation

              FIs are obliged to document their ML/TF business risk assessment, including methodology, analysis, and supporting data, and to make them available to the Supervisory Authorities upon request. FIs should incorporate into their documentation the information used to conduct the ML/TF business risk assessment in order to demonstrate the effectiveness of their risk assessment processes. Examples of such information include, but are not limited to:

              Organization’s overall risk policies (for example, risk appetite statement, customer acceptance policy, and others, where applicable).
               
              ML/FT risk assessment model, methodology and procedures, including such information as organizational roles and responsibilities; process flows, timing and frequency; internal reporting requirements; and review, testing, and updating requirements.
               
              Risk factors identified, and input received from relevant internal sources, including the designated AML/CFT compliance officer.
               
              Details of the inherent and residual risk-factor analysis that constitutes the risk assessment.
               

              The documentation measures taken by FIs should be reasonable and commensurate with the nature and size of their businesses.

              Updating

              FIs are obliged to keep their ML/TF business risk assessment up-to-date on an ongoing basis. In fulfilling this obligation, they should review and evaluate their ML/FT business risk assessment processes, models, and methodologies periodically, in keeping with the nature and size of their businesses. FIs should also update their ML/TF business risk assessment whenever they become aware of any internal or external events or developments which could affect their accuracy or effectiveness.

              Such developments may include, among other things, changes in business strategies or objectives, technological developments, legislative or regulatory developments, or the identification of material new ML/FT threats or risk factors. In this regard, FIs should take into consideration the results of the most recent NRA or any Topical Risk Assessment, as well as circulars, notifications and occasional published information from official sources, such as the Supervisory Authorities; other national Competent Authorities; or relevant international organisations, such as FATF, MENAFATF and other FSRBs, the Egmont Group, and others. Links to some of these sources may be found in Appendix 11.2.

      • Part III—Mitigation of ML/FT Risks

        The Elements of an AML/CFT Program

        Commonly referred to as the three lines of defense, the basic elements that must be addressed in an AML/CFT program are:

         
          
        A system of internal policies, procedures and controls, including an ongoing employee training program (first line of defense);
         
        A designated compliance function with a compliance officer or money laundering reporting officer (second line of defense); and
         
        An independent audit function to test the overall effectiveness of the AML program (third line of defense).
         

        In setting up these three lines of defense, FIs can take into account their business nature, size and complexity.

        (AML-CFT Law Article 16.1(b), 16.1(d); AML-CFT Decision Articles 4.2, 4.3)

        FIs are obliged to take the necessary measures to manage and mitigate the ML/FT risks to which they are exposed. Both the AML-CFT Law and the AML-CFT Decision provide that FIs may utilize a risk-based approach with respect to mitigation of ML/FT risks.

        • 5. Internal Policies, Controls and Procedures

          Policies:

          Clear and simple high-level statements that are uniform across the entire organization (sets the tone from the top).

          Procedures:

          Translates the AML/CFT policies into an acceptable and workable practice, tasking the stakeholders with their respective responsibilities.

          Controls:

          The internal technology or tools the financial institution utilizes to ensure the AML/CFT program is functioning as intended and within predefined parameters.

          (AML-CFT Law Article 16.1(d); AML-CFT Decision Articles 4.2(a), 20)

          The AML-CFT Law and the AML-CFT Decision require FIs to implement internal policies, controls and procedures that enable them to manage and mitigate the ML/FT risks they have identified in their ML/TF business risk assessment, in keeping with the nature and size of their businesses. Such policies, controls and procedures must be approved by senior management, reviewed for effectiveness and continuously updated, and must apply to all branches, subsidiaries and affiliated entities in which FIs hold a majority interest (see Section 8.3, Group Oversight for more guidance). They must also take into consideration the results of the NRA and Topical Risk Assessments.

          Additionally, FIs should ensure that the policies, controls and procedures they implement to manage and mitigate ML/FT risks are reasonable, proportionate to the risks involved, and consistent with the results of their ML/TF business risk assessments.

          Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of the NRA and any Topical Risk Assessment as well as their own ML/FT business risk assessment. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.

          In developing the internal AML/CFT control systems, FIs should also take into account their IT infrastructure and management information systems capabilities. FIs should consider how well their technical infrastructure, including their data management and management information reporting capabilities, are suited to the ML/FT risk mitigation requirements of the types of customers they deal with, particularly in respect of the size and growth dynamics of their customer base.

          The internal policies, controls and procedures that FIs design to prevent, detect and deter ML/FT risks can be categorised broadly as those related to:

          The identification and assessment of ML/FT risks (see Section 4.5, Business-wide Risk Assessment).
           
          Customer due diligence (CDD), including enhanced due diligence (EDD), and simplified due diligence (SDD) (see Section 6, Customer Due Diligence), including its review and updating, and reliance on third parties in regard to it.
           
          Customer and transaction monitoring, and the reporting of suspicious transactions (see Section 7, Suspicious Transaction Reporting).
           
          AML/CFT governance, including compliance staffing and training, senior management responsibilities, and the independent auditing of risk mitigation measures (see Section 8, Governance).
           
          Record-keeping requirements (see Section 9, Record Keeping).
           

          Guidance in relation to these categories is provided in the above-referenced sections.

        • 6. Customer Due Diligence (CDD)

          MAIN ELEMENTS OF A CUSTOMER DUE DILIGENCE PROGRAM

           -Customer Identification;
           -Profiles;
           -Customer Acceptance;
           -Risk rating;
           -Monitoring;
           -Investigation; and
           -Documentation
           

          (AML-CFT Law Article 16.1(b); AML-CFT Decision Articles 4.2(b), 4.3, 5-13, 14, 15, 19, 20.1, 22, 24.2-4, 25, 27, 29.2, 30, 31.1, 35.1-2 and 5, 37.1-2, 44.10, 55.1)

          • 6.1 Risk-Based Application of CDD Measures

            The AML-CFT Law implicitly recognises the need for an RBA to customer due diligence measures, by obliging FIs to “take the necessary due diligence measures and procedures and define their scope, taking into account the various risk factors and the results of the national risk assessment….” This principle is further emphasised by the AML-CFT Decision, which explicitly provides for the application of enhanced due diligence (EDD) measures to manage identified high risks (see Section 6.4, Enhanced Due Diligence (EDD) Measures), and of simplified due diligence (SDD) to manage identified low risks in the absence of a suspicion of ML/FT (see Section 6.5, Simplified Due Diligence (SDD) Measures).

            FIs are reminded that each customer’s ML/FT risk profile is dynamic and subject to change depending on numerous factors, including (but not limited to) the discovery of new information or a change in behaviour, and the appropriate level of due diligence should be applied in keeping with the specific situation and risk indicators identified. In that regard, FIs should always be prepared to increase the type and level of due diligence exercised on a customer of any ML/FT risk category whenever the circumstances require, including situations in which there are any doubts as to the accuracy or appropriateness of the customer’s originally designated ML/FT risk category. This means that the CDD measures are not to be taken as a static formula but that, depending on the risk of a customer, the intensity and depth of the CDD measures should vary.

            • 6.1.1. Assessing Customer and Business Relationship Risk

              (AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1)

              A customer can be anyone who performs a one-off or occasional financial activity or transaction or anyone who establishes an ongoing commercial or financial relationship with the FI.

              The accurate assessment of customer or business relationship risk is fundamental to the risk classification of customers and the effective application of appropriate risk-based customer due diligence measures. FIs should take the necessary steps to ensure that their customer or business relationship risk assessment processes are robust and reliable, and that they incorporate the results of the NRA, any Topical Risk Assessment and their own ML/TF business risk assessment, as well as the input of relevant internal stakeholders, including the designated AML/CFT compliance officer.

              In assessing customer or business relationship risk, FIs should analyse customers on the basis of the identified risk factors in order to arrive at a risk classification. FIs may utilize different methodologies to accomplish their risk classification, depending on the nature and size of their businesses, and of the risks involved. For example, some entities with smaller or less complex businesses, or with more homogenous customer bases, may elect to assess business relationship risk and assign customer risk classifications on the basis of generic profiles for customers of the same type. Other larger or more complex FIs may elect to assess business relationship risk and assign customer risk classifications using more sophisticated models or scorecards based on weightings of various risk factors.

              Regardless of the methodologies they choose, FIs should ensure that their business relationship risk assessment processes and the rationale for their methodologies are well-documented, approved by senior management, and communicated at the appropriate levels of the organisation. They should also decide on policies and procedures related to both the periodic review of their business relationship risk assessment processes, and to the frequency for updating the individual business relationship risk assessments and customer risk classifications produced by them, taking into consideration changes in internal or external factors.

            • 6.1.2 Establishing a Customer Risk Profile

              (AML-CFT Decision Articles 7.1, 8.3-4)

              FIs should establish a risk profile for their customers, commensurate with the types and levels of risk involved. Such risk profiles allow FIs to compare a customer’s actual activity with the expected activity more effectively, and thus contribute to their capacity to discover unusual circumstances or potentially suspicious transactions.

              Where legal persons or legal arrangements are concerned, FIs are obliged to identify any natural person who owns or controls an interest of 25% or more. In order to achieve an effective understanding of the ownership and control structure of a customer that is a legal person or arrangement, FIs should obtain from the customer and include in the risk profile a detailed explanation or a company structure chart providing the details of any ownership interests of 25% or more, and tracing them through any intermediate entities (whether legal persons or arrangements, or natural persons who are nominee stakeholders) to the natural persons who ultimately own or control them.

              Furthermore, in order to understand the nature of the business of a legal person or Legal Arrangement, FIs should obtain and include in the profile a detailed explanation or company structure chart showing the entity’s internal management structure, identifying the persons holding senior management positions, or other positions of control. They should also obtain information about the legal person’s or arrangement’s majority-owned or controlled operating subsidiaries, including the nature of the business and the operating locations of those subsidiaries.

              FIs are also required to understand the intended purpose and nature of the Business Relationship, and, for legal persons or arrangements, the nature of the customer’s business and its ownership and control structure.

              Based on the risk profile, FIs should carry out ongoing due diligence of their Business Relationships, so as to be able to ensure that the transactions conducted are consistent with the information they have about the customer, the type of activity they are engaged in, the risks they entail, and, where necessary, their source of funds.

              When dealing with higher-risk or more complex customers, in addition to the type of information referred to above, FIs may obtain and include in the customer’s risk profile more detailed information about their customers’ activities, such as:

              Anticipated size and/or turnover of account balances or transactional activity;
               
              Expected types and volumes of transactions;
               
              Known or expected counterparties or third-party intermediaries with whom the customer conducts transactions;
               
              Known or expected locations related to transactional activity;
               
              Anticipated timing or seasonality of transactional activity.
               

              Where lower-risk customers are concerned, FIs may consider applying more generic risk profiles in order to compare actual and expected types and levels of activity.

          • 6.2 Circumstances and Timing for Undertaking CDD Measures

            (AML-CFT Decision Article 5.1)

            Under normal circumstances, FIs are obliged to undertake CDD measures (including verifying the identity of customers, Beneficial Owners, beneficiaries, and controlling persons) either prior to or during the establishment of a Business Relationship or the opening of an account, or prior to the execution of a transaction for a customer with whom there is no Business Relationship. Guidance in regard to these requirements and certain exceptional circumstances provided for in the AML-CFT Decision is provided in the sub-sections below.

            • 6.2.1 Establishment of a Business Relationship

              FIs establish a Business Relationship with a customer when they perform any act for, on behalf of, or at the direction or request of the customer, with the anticipation that it will be of an ongoing or recurring nature, whether permanent or temporary. Such acts may include, but are not limited to:

              Assigning an account number or opening an account in the customer’s name;
               
              Effecting any transaction in the customer’s name or on their behalf, or at the customer’s direction or request for the benefit of someone else;
               
              Providing any form of tangible or intangible product or service (including but not limited to granting credits, guarantees, or other forms of value) to or on behalf of the customer, or at the customer’s direction or request for the benefit of someone else;
               
              Signing any form of contract, agreement, letter of intent, memorandum of understanding, or other document with the customer in relation to the performance of a transaction or series of transactions, or to the provision of any form of tangible or intangible product or service as described above;
               
              Accepting any form of compensation or remuneration (including a promise of future payment) for the provision of tangible or intangible products or services, as described above, from or on behalf of the customer;
               
              Receiving funds or proceeds of any kind (including those held on a fiduciary basis, for safekeeping, or in escrow) from or on behalf of the customer, whether for their account or for the benefit of someone else;
               
              Any other act performed by FIs in the course of conducting their ordinary business, when done on behalf of, or at the request or direction of, a customer.
               

              In such cases, and other than in the exceptional circumstances described below (see Section 6.2.3, Exceptional Circumstances), FIs are required to undertake appropriate risk-based CDD measures (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures for further guidance).

              In addition, CDD also needs to be conducted when:

              there is a ML/FT suspicion (see Section 7.2, Identification of Suspicious Transactions);
               
              there are doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.
               

              Among other things, the CDD measures should include verifying the identity of the customer as well as the Beneficial Owners, beneficiaries, and controlling persons, and understanding the nature of their business and the purpose of the Business Relationship.

            • 6.2.2 Occasional Transactions

              During the course of business, FIs may be called upon to perform occasional or non-recurring transactions for customers with whom there is no ongoing account or Business Relationship. Examples of such transactions include, but are not limited to:

              Exchange of currencies;
               
              Issue or cashing/redemption of traveler’s cheques;
               
              Transfer of money or other value for a walk-in customer.
               

              On such occasions, and other than in the exceptional circumstances described below (see Section 6.2.3, Exceptional Circumstances), FIs are required to identify the customer and verify the customer’s identity as well as that of the Beneficial Owners, beneficiaries, and controlling persons. Furthermore, FIs are required to undertake appropriate risk-based CDD measures (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures for further guidance), including among other things understanding the nature of the customer’s business and the purpose of the transaction, in the cases specified in Article 6 of the AML-CFT Decision, as follows:

              When carrying out occasional transactions in favour of a Customer for amounts equal to or exceeding AED 55,000 (or equivalent in any other currency), whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
               
              When carrying out occasional transactions in the form of Wire Transfers for amounts equal to or exceeding AED 3,500 (or equivalent in any other currency) (see Section 6.3.2, CDD Requirements Concerning Wire Transfers);
               
              When there is a ML/FT suspicion (see Section 7.2, Identification of Suspicious Transactions);
               
              When there are doubts about the veracity or adequacy of identification data previously obtained with regard to the customer.
               

              Some of the indicators of transactions that may appear to be linked include, but are not limited to, the following:

              -Multiple transactions with the same or similar customer reference codes;
              -Transactions executed sequentially or in close time proximity, and involving the same or related counterparties;
              -Multiple transactions attempted by a customer with whom there is no Business Relationship at different branches of the same FI on the same day.
               
            • 6.2.3 Exceptional Circumstances

              (AML-CFT Decision Articles 4.3, 5.1(a)-(c), 10, 11.1(b), 13.2)

              From time to time, certain situations may arise which fall outside of the normal course of CDD processes. Under these circumstances, described below, FIs are permitted to handle the timing, customer identification, and other aspects of customer due diligence procedures exceptionally. Specifically:

              When there is no ML/FT suspicion, and the ML/FT risks are identified as low, FIs may complete the verification of the customer’s identity after establishing the Business Relationship under the conditions specified in the relevant provisions of the AML-CFT Decision. In such circumstances, the verification of the identity must be conducted in a timely fashion, and FIs must ensure that they implement appropriate and effective measures to manage and mitigate the risks of crime and of the customer benefiting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
               
              -Holding funds in suspense or in escrow until the verification of the identity is completed;
              -Making the completion of the verification of the identity a condition precedent to the closing of a transaction.
               
              In the case of Legal Arrangements, such as Trusts or foundations, or of life insurance policies (including funds-generating transactions, such as life insurance products relating to investments and family Takaful insurance) in which there are beneficiaries who are not named, but instead belong to a designated class of future or contingent beneficiaries, FIs are required to obtain sufficient information about the details of the class of beneficiaries so as to be in a position to establish the identity of each beneficiary at the time of the settlement, pay-out, or exercise of their legally acquired rights. Furthermore, FIs must verify the identity of the beneficiaries at the time of settlement or pay-out and prior to the exercise of any related legally acquired rights. They should also ensure that they implement appropriate and effective measures to manage and mitigate the risks of crime and of the customer benefiting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
               
              -Holding funds in suspense or in escrow until the verification of the identity is completed;
              -Making the completion of the verification of the identity a condition precedent to the closing of a transaction.
               
              When a legal entity customer or its controlling stakeholder meets the conditions specified in Article 10.1-2 of the AML-CFT Decision with regard to publicly listed companies (including the condition that information concerning the identity of the shareholders, partners, or Beneficial Owners with an interest of 25% or more is available from reliable sources), FIs are exempted from taking the normally required identity verification measures. In this regard, FIs should ensure that the disclosure and transparency requirements of the regulated stock exchange are at least equivalent to those of the State, and should document the evidence they obtain concerning the relevant disclosure and transparency requirements.
               
               It is important to note that, while FIs are exempted in such situations from identifying and verifying the identity of the shareholders, partners or Beneficial Owners (or in the event that no such person can be identified, of the relevant senior management officers), they are not exempted from ascertaining the identity of senior management.
               
               Examples of reliable information sources in this regard include, but are not limited to:
               
              -Stock exchange disclosure reports or websites;
              -Corporate annual reports, websites, or other forms of official public disclosure;
              -Official or public registries;
              -Credit reporting agencies;
              -Recognized, well-established media outlets.
               
              When FIs suspect that a customer or Beneficial Owner is involved in the commission of a crime related to money laundering, the financing of terrorism, or the financing of illegal organisations, and they have reasonable grounds to believe that undertaking customer due diligence measures would tip off the customer, then they should not apply CDD measures, but should instead report their suspicion to the FIU along with the reasons that prevented them from carrying out the CDD measures.
               
          • 6.3 Customer Due Diligence (CDD) Measures

            The application of risk-based CDD measures comprises several components, in keeping with the customer’s ML/FT risk classification and the specific risk indicators that are identified. Generally, these components include, but are not limited to, the following categories:

            Identification of the customer, Beneficial Owners, beneficiaries, and controlling persons; and the verification of their identity on the basis of documents, data or information from reliable and independent sources (see Section 6.3.1, Customer and Beneficial Owner Identification/Verification).
             
            Screening of the customer, Beneficial Owners, beneficiaries, and controlling persons, to screen for the applicability of targeted or other international financial sanctions, and, particularly in higher risk situations, to identify any potentially adverse information such as criminal history (see Section 6.4, Enhanced Due Diligence (EDD) Measures).
             
            Obtaining an understanding of the intended purpose and nature of the Business Relationship, as well as, in the case of legal persons or arrangements, of the nature of the customer’s business and its ownership and control structure (see Section 6.3.3, Establishing a Customer Due Diligence Profile).
             
            Monitoring and supervision of the Business Relationship, to ensure consistency between the transactions or activities conducted and the information that has been gathered about the customer and their expected behaviour (see Section 6.3.4, Ongoing Monitoring of the Business Relationship).
             
            Scrutinising transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the FI’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds.
             
            Ensuring that documents, data or information collected under the CDD process are kept up to date and relevant, by undertaking reviews of existing records, particularly for higher risk categories of customers.
             

            In cases involving higher levels of risk, FIs are generally required to exercise enhanced levels of customer due diligence, such as identifying and/or verifying the customer’s source of funds and taking other appropriate risk-mitigation measures (see Section 6.4, Enhanced Due Diligence (EDD) Measures).

            As part of their overall AML/CFT framework, FIs should take a risk-based approach in developing the internal CDD policies, procedures and controls. Factors to take into account include:

            The outcomes of the ML/TF business risk assessment;
             
            Circumstances, timing, and composition in regard to the application of CDD measures;
             
            Frequency of reviews and updates in relation to CDD information;
             
            Extent and frequency of ongoing supervision of the Business Relationship and monitoring of transactions in relation to customers to which CDD measures are applied.
             

            Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, supervised institutions should consider the results of both the NRA and any Topical Risk Assessment. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.

            Additional guidance related to these and other key aspects of risk-based CDD measures is provided in the following sub-sections.

            • 6.3.1 Customer and Beneficial Owner Identification and Verification of the Identity

              (AML-CFT Decision Articles 4.2(b), 3(a), 5.1, 8.1, 9, 10, 11.2, 13.1, 14.2)

              Grounded on the principles of “Know Your Customer” and risk-based CDD, the identification and verification of the identity of customers is a fundamental component of an effective ML/FT risk management and mitigation programme. In accordance with Cabinet Resolution no. 58 of 2020 regulating the Beneficial Owner Procedures (the UBO Resolution), FIs are obliged to identify customers, including the Beneficial Owners, beneficiaries, and controlling persons, whether permanent or walk-in, and whether a natural or legal person or Legal Arrangement, and to verify their identity using documents, data or information obtained from reliable and independent sources.

              The specific requirements concerning the timing, extent, and methods of identifying and verifying the identity of customers and Beneficial Owners depend in part on the type of customer (whether a natural or legal person) and on the level of risk involved (also see Sections 6.4, Enhanced Due Diligence (EDD) Measures, and 6.5, Simplified Due Diligence (SDD) Measures). Thus, the type and nature of the customer (including Beneficial Owners, beneficiaries, and controlling persons) should be considered as risk factors in determining the type of CDD that should be applied, whether standard CDD, EDD or SDD. However, the core components of a customer’s identification generally remain the same in all cases. They are:

              Personal data, including details such as the name, passport or identity card number, country of issuance, date of issuance and expiry date of the identity card or passport, nationality, date and place of birth (or date and place of establishment or incorporation, in the case of a legal person or arrangement); and
               
              Principal address, including evidence of the permanent residential address of a natural person, or the registered address of a legal person or arrangement.
               

              In taking adequate CDD measures, FIs are obliged at a minimum to identify and verify the identity of the customer as specified in the relevant articles of the AML-CFT Decision. In fulfilling these requirements, FIs should use a risk-based approach to determine the internal policies, procedures and controls they implement in relation to the identification and verification of customers (including the Beneficial Owners, beneficiaries, and controlling persons). The CDD policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and, in formulating them, entities should consider the following guiding principles.

              In relation to natural persons:

              The verification of a customer’s identity, including their address, should be based on original, official (i.e. government-issued) documents whenever possible. When that is not possible, FIs should augment the number of verifying documents or the amount of information they obtain from different independent sources. In particular, when verifying the UAE ID card, FIs licensed by the Central Bank must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the UAE ID and its digital verification. They should also identify the lack of official documents and the use of alternative means of verification as risk factors when assessing the customer’s ML/FT risk classification.
               
               An example of alternative verification means is verification by way of digital identification systems. Such digital identification systems should rely upon technology, adequate governance, processes and procedures that provide appropriate levels of confidence that the system produces accurate results. The FATF Guidance on Digital Identity of March 2020 provides further information on how to make a risk-based determination of whether a particular digital ID system provides an appropriate level of reliability and independence.
               
              The identification data should include the name, nationality, date of birth and place of birth, and national identification number of a natural person.
               
              With regard to the identification and verification of the identity of foreign nationals, whether customers or Beneficial Owners, beneficiaries or controlling persons, FIs should take steps to understand and request only those types of identification documents that are legally valid in the relevant jurisdictions. Furthermore, when verifying the identity of foreign nationals associated with high-risk factors, FIs should validate the authenticity of customer identification documents obtained. Some of the methods that FIs may consider in order to do so, commensurate with the nature and size of their businesses, include but are not limited to:
               
              -Relying on information from the relevant foreign embassy or consulate, or the relevant issuing authority;
              -Using commercially available applications to validate the information in machine-readable zones (MRZs) or biometric data chips of foreign identification documents.
               
              The types of address verification that may generally be considered acceptable include, but are not limited to, the following categories of documents issued in the name of the customer:
               
              -Bills or account statements from public utilities, including electricity, water, gas, or telephone line providers;
              -Local and national government-issued documents, including municipal tax records;
              -Registered property purchase, lease or rental agreements;
              -Documents from supervised third-party financial institutions, such as bank statements, credit or debit card statements, or insurance policies.
               

              In situations where natural persons do not have this documentation in their own name, for instance because they share accommodation or do not (yet) have a permanent or own residence, other evidence of address may be used as long as this evidence gives the FI reasonable confidence. Where the FI has determined that an individual has a valid reason for being unable to produce the usual documentation to verify the address and who would otherwise be excluded from establishing a business relationship with the FI, the address can be verified by other means, provided the FI is satisfied that the method employed adequately verifies the address of the natural person and any additional risk has been appropriately mitigated.

              This can for instance be evidence of entitlement to a state or local authority-funded benefit, pension, educational or other grant, or a letter from a reputable employer or school stating the address.

              In relation to legal persons and legal arrangements:

              In addition to identifying and verifying the identity of customers, Beneficial Owners, beneficiaries, and controlling persons, FIs should verify the identity of any person legally empowered to act or transact business on behalf of the customer, whether the customer is a legal or natural person. Such persons may include:
               
              -Signatories or other authorized persons, or persons with authorised remote access credentials to an account, such as internet or phone banking users;
              -Parents or legal guardians of a minor child, or legal guardians of a physically or mentally disabled or incapacitated person;
              -Attorneys or other legal representatives, including liquidators or official receivers of a legal person or arrangement.
               
               In the event that a legally empowered representative is also a legal person or Legal Arrangement, the normal CDD procedures for such entities should be applied.
               
              When verifying that a person purporting to act on behalf of a customer is so authorised, the following types of documents may generally be considered to be acceptable:
               
              -A legally valid power-of-attorney;
              -A properly executed resolution of a legal person’s or Legal Arrangement’s governing board or committee;
              -A document from an official registry or other official source, evidencing ownership or the person’s status as an authorised legal representative;
              -A court order or other official decision.
               
              As part of their procedures for identifying and verifying the identity of customers, and for authenticating the original documents upon which the verification is based, FIs should include procedures for the certification of the customer identification and address documentation they obtain. Such procedures may encompass certification by employees of the FI (for example, by including the name, title of position, date and signature of the verifying employee(s) on the copies of documents maintained on file), as well as by reputable third parties (for example, by including the name, organization, title of position, date and signature of the verifying person, along with a statement representing that the copy of the document is a “true copy of the original”). In cases where documents are obtained from foreign sources in countries which are members of The Hague Apostille Convention, consideration should be given to requesting documents certified by Apostille seal.
               
              Whenever possible, FIs should incorporate a “four-eyes” principle (review by at least two people) into their procedures with regard to the verification of customer identification documentation and other CDD information, as well as with regard to the entry of the relevant data into their information systems.
               
            • 6.3.2 CDD Measures Concerning Wire Transfers

              (AML-CFT Decision Articles 27-30)

              Financial institutions are obliged to undertake certain CDD measures concerning wire transfers, as laid out in detail in the above-referenced articles of the AML-CFT Decision. In particular, these measures relate to the identification of the originators and beneficiaries; the maintenance of information in regard to the same; and the implementation of risk-based policies and procedures for handling the disposition of wire transfers and for taking appropriate follow-up action.

              The purpose of these measures is to ensure that information on the originator and the beneficiary accompanies (meaning sent at the same time but not necessarily in the same message) cross-border wire transfers at all stages of their execution where the amount of the transfer of funds equals or exceeds AED 3,500 or equivalent in any other currency.

              The FI of the originator (or payer) shall ensure that the transfer of funds is accompanied by the information on the originator and beneficiary (or payee) as follows:

              Information on the originator:

               
                
              The name of the originator (in case of natural person – the name and surname);
               
              The originator’s account number (or in absence thereof the transfer shall be accompanied by a unique transaction reference number);
               
              The originator’s address, identification document number or customer identification number, and date and place of birth.
               

              Information on the beneficiary:

               
                
              The name of the beneficiary (in case of natural person – the name and surname);
              The beneficiary’s account number (or in absence thereof, a unique transaction reference number).
               

              In the case of cross-border wire transfers of less than AED 3,500 or equivalent, it is not required to verify the accuracy of the above-mentioned information, unless there are suspicions of ML or TF.

              Also for domestic wire transfers, the FI of the originator shall ensure that above-mentioned information is included, unless this information can be made available to the FI of the and by other means.

              The FI of the originator shall not execute the transfer if it has not verified the identity of the originator. The FI of the beneficiary shall not credit the beneficiary’s account or make the funds available for the beneficiary if it has not conducted verification of the beneficiary’s identity.

              The FI of the beneficiary is required to implement effective procedures to identify the received transfers that lack information about the originator and the beneficiary, in real-time or as part of the post-event monitoring process. This will include risk-based procedures for determining whether transactions that lack the required information are to be executed, returned, suspended or transferred to the account of the beneficiary, as well as procedures related to the follow-up actions regarding these transfers, including to request the information on the originator and the beneficiary.

              An intermediary FI ensures that all information about the originator and the beneficiary accompanying the cross-border wire transfer is transferred to the beneficiary or other intermediary provider. Should there be technical limitations that prevent the required information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, the intermediary FI shall keep a record of all the information received from the ordering FI or another cross-border intermediary FI.

              The intermediary FI is required to implement effective risk-based procedures to identify the received transfers that lack information about the originator and the beneficiary, in real-time or as part of the post-event monitoring process.

              The procedures can include defining and documenting specific AML/CFT system parameters (such as transaction value, aggregate transaction amounts at the customer level, customer risk classification, or others) which would trigger an exception to straight-through processing and require manual review and intervention. This will also include procedures for determining when to execute, reject, or suspend a wire transfer lacking required information and the appropriate follow-up action.

              Where an FI repeatedly fails to provide the required information on the originator and the beneficiary, the beneficiary’s or intermediary FI, taking into consideration the risks and frequency of the violations by the FI of the originator, shall take steps, which may initially include the issuing of warnings and setting deadlines. These steps can ultimately consist of rejecting any future transactions from the FI or restricting or terminating its business relationship with that FI.

              Similar requirements apply to VASPs. Originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, and submit the above information to the beneficiary VASP or FI (if any) immediately and securely. Beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers. For the purposes of applying the wire transfer requirements to VASPs, all virtual asset transfers are to be treated as cross-border.

              In addition to the above, as part of their ongoing account monitoring procedures, FIs should also review the purpose of wire transfers, as indicated in their description fields, for potential red-flag indicators (see Section 7.2, Identification of Suspicious Transactions).

            • 6.3.3 CDD Measures Concerning Legal Persons and Arrangements

              (AML-CFT Decision Articles 8, 9, 37.1-3)

              FIs are obliged to undertake CDD measures concerning legal persons and Legal Arrangements, including identification and verification of the identity of the Beneficial Owners, beneficiaries, and other controlling persons, in accordance with the provisions of the AML-CFT Decision. In fulfilling these requirements, they should take the following guidance into consideration:

              Without prejudice to the provisions of Article 9.1(b) of the AML-CFT Decision, when customers that are legal persons are owned or controlled by other legal persons or Legal Arrangements (for example, when customers are subsidiaries of a parent company or a Trust), FIs should make reasonable efforts to identify and verify the Beneficial Owners by looking through each layer of legal persons or Legal Arrangements (intermediate entities) until the natural persons with owning or controlling interests of 25% or more in aggregate are identified. Furthermore, in the event of multiple legal persons or arrangements with ownership or controlling interests, even where each legal person or Legal Arrangement owns or controls less than 25%, FIs should consider whether there are indications that the entities may be related by common ownership, which could reach or surpass the Beneficial Ownership threshold level of 25% in aggregate.
               
              When undertaking CDD measures on Legal Arrangements which allow funds or other forms of assets to be added or contributed to the arrangement after the initial settlement and by any persons other than the identified settlor(s), FIs should take the necessary steps to ascertain and verify the identity of the Beneficial Owners, and to understand the nature of their relationship with the Legal Arrangement. For customers that are trusts or other legal arrangements, the FI should verify the identity of beneficial owners, being the settlor, the trustee(s), the protector (if any), the beneficiaries or class of beneficiaries, and any other natural person exercising ultimate effective control over the trust (including through a chain of control/ownership), or equivalent or similar positions for other legal arrangements. For beneficiaries of trusts or other legal arrangements that are designated by characteristics or by class, the FI should obtain sufficient information concerning the beneficiary to satisfy the FI that it will be able to establish the identity of the beneficiary at the time of the payout or when the beneficiary intends to exercise vested rights.
               
              The AML-CFT Decision obliges trustees in Legal Arrangements to maintain basic information relating to intermediaries, who are subject to supervision, and service providers, including consultants, investors or investment advisors, directors, accountants and tax advisors, who have responsibilities in relation to its management. In order to understand the control structure of a customer that is a Legal Arrangement, FIs should obtain this information from the trustees, representatives, or governing or managing officials and include it in the customer’s CDD profile. They should also give the same consideration to other forms of Legal Arrangements and their controlling persons (such as, for example, foundations, membership clubs, religious institutions, or others, along with their founders, representatives and other governing or managing officials).
               
            • 6.3.4 CDD Measures for Life Insurance Activities

              (AML-CFT Decision Article 11)

              For life or other investment-related insurance business, FIs should, in addition to the CDD measures required for the customer and the beneficial owner, conduct the following CDD measures on the beneficiary(ies) of life insurance and other investment related insurance policies, as soon as the beneficiary(ies) are identified/designated:

              (a) For beneficiary(ies) that are identified as specifically named natural or legal persons or legal arrangements – taking the name of the person;

              (b) For beneficiary(ies) that are designated by characteristics or by class (e.g. spouse or children at the time that the insured event occurs) or by other means (e.g. under a will) – obtaining sufficient information concerning the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout. The information collected under (a) and/or (b) should be recorded and maintained.

              For both the cases referred to above, the verification of the identity of the beneficiary(ies) should occur at the time of the payout.

              In determining whether enhanced CDD measures are applicable, an FI should take into account as a factor the beneficiary of a life insurance policy. If an FI determines that a beneficiary who is a legal person or a Legal Arrangement presents a higher risk, then the enhanced CDD measures should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of payout.

              In case an FI cannot comply with this, the FI should consider filing an STR with the FIU.

            • 6.3.5 Ongoing Monitoring of the Business Relationship

              (AML-CFT Decision Article 4.2(b), Article 4.3(c), 7.1)

              With regard to established Business Relationships, FIs are obliged to undertake ongoing supervision of customers’ activity, including monitoring of transactions executed throughout the course of the relationship to ensure that they are consistent with the information, types of activity, and the risk profiles of the customers. FIs should use a risk-based approach to determine the policies, methods, procedures and controls they implement in relation to monitoring customers’ transactions and activities, as well as in regard to the extent of monitoring for specific customers or categories of customers.

              As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high risk, FIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low risk, FIs may consider monitoring and reviewing transactions at a reduced frequency.

              Thus, in keeping with the level of risk involved, FIs should monitor and examine transactions in relation to the CDD information and risk profile of the customer (see Section 6.3, Customer Due Diligence (CDD) Measures, Section 6.4, Enhanced Due Diligence (EDD) Measures, and Section 6.5, Simplified Due Diligence (SDD) Measures). Where necessary, FIs should also obtain sufficient information on the counterparties and/or other parties involved (including but not limited to information from public sources, such as internet searches), in order to determine whether the transactions appear to be:

              Normal (consideration should be given as to whether the transactions are typical for the customer, for the other parties involved, and for similar types of customers);
               
              Reasonable (consideration should be given as to whether the transactions have a clear rationale and are compatible with the types of activities that the customer and the counterparties are usually engaged in);
               
              Legitimate (consideration should be given as to whether the customer and the counterparties are permitted to engage in such transactions, such as when specific licenses, permits, or official authorisations are required).
               

              Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:

              Threshold-based rules, in which transactions above certain pre-determined values, numerical volumes, or aggregate amounts are examined;
               
              Transaction-based rules, in which the transactions of a certain type are examined;
               
              Location-based rules, in which the transactions involving a specific location (either as origin or destination) are examined;
               
              Customer-based rules, in which the transactions of particular customers are examined.
               

              FIs may use all or any combination of the above methods, or any others that are appropriate to their particular circumstances, to effect ongoing monitoring of the Business Relationship. Furthermore, monitoring systems and methods may be automated, semi-automated, or manual, depending on the nature and size of their businesses. Whichever methods FIs elect to use, however, FIs should document them (see Section 9, Record Keeping), obtain senior management approval for them, and periodically review and update them to ensure their effectiveness. FIs should also establish specific monitoring procedures for customers and business relationships which have been reported as suspicious to the FIU (see Section 7.11, Handling of Transactions and Business Relationships after Filing of STRs).

            • 6.3.6 Reviewing and Updating the Customer Due Diligence Information

              (AML-CFT Decision Articles 4.2(b), 4.3(b), 7.2, 12)

              The timely review and update of CDD information is a fundamental component of an effective ML/FT risk management and mitigation programme. FIs are obliged to maintain the CDD documents, data and information obtained on customers, and their Beneficial Owners or beneficiaries in the case of legal persons or arrangements, up to date. The AML-CFT Decision provides that FIs should update the CDD information on High Risk Customers more frequently, and that, in the absence of a ML/FT suspicion, FIs may update the CDD information of identified low-risk customers less frequently.

              In order to be able to update the CDD information of customers in a risk-based manner, FIs should develop internal policies, procedures and controls in relation to the periodic or event-driven review and updating of CDD information. These policies and procedures should be reasonable and proportionate to the risks involved, and, in formulating them, FIs are advised to consider parameters such as:

              Circumstances, timing and frequency of reviews and updates. Generally, FIs should establish clear rules per customer risk category with respect to the maximum period of time that should be allowed to elapse between CDD reviews and updates of customer records. The expiry of a customer’s or Beneficial Owner’s identification documents is a circumstance that calls for updating the customer information. Changes in legislation or internal procedures are also a cause for reviewing and updating customer files.
               
              Additionally, FIs should also establish clear rules with respect to circumstances that would trigger an interim or event-driven review, or the acceleration of a particular customer’s review cycle. Circumstances or events that might trigger an interim review include:
               
              -Discovery of information about a customer that is either contradictory or otherwise puts in doubt the appropriateness of the customer’s existing risk classification or the accuracy of previously gathered CDD information;
              -Material change in ownership, legal structure, or other relevant data (such as name, registered address, purpose, capital structure) of a legal person or arrangement;
              -Initiation of legal or judicial proceedings against a customer or Beneficial Owner;
              -Finding materially adverse information about a customer or Beneficial Owner, such as media reports about allegations or investigations of fraud, corruption or other crimes;
              -Qualified opinion from an independent auditor on the financial statements of a legal entity customer;
              -Transactions that indicate potentially unusual or suspicious transactions or activities.
               
              Components and extent of reviews and updates. In keeping with the nature and size of their businesses, FIs should clearly define the moments, contents and extent of CDD reviews for Business Relationships in different risk categories, including which data elements, documents, or information should be examined and updated if necessary. In this regard, FIs are advised that tools such as checklists and procedural manuals will help to enhance the effectiveness of CDD reviews and updates. Examples of procedures might include, but are not necessarily limited to:
               
              -When the source of wealth or the source of funds of a customer should be verified;
              -When additional inquiries or investigations should be made pertaining to the nature of a customer’s business, the purpose of a Business Relationship, or the reasons for a transaction;
              -How much of a customer’s transactional history, including how many and which specific transactions or transaction types, should be reviewed as part of a periodic or an interim review.
               
              Organisational responsibilities. In keeping with the nature and size of their businesses, FIs should consider clearly defining the relevant organisational arrangements in relation to the CDD review and update process. Examples of such responsibilities might include, but are not necessarily limited to:
               
              -Carrying out reviews and updates;
              -Escalating and/or reporting situations in which risk classifications should be changed, Business Relationships should be suspended or terminated, or potentially unusual or suspicious activities should be further investigated;
              -Approving or rejecting reviews of Business Relationships (including senior management involvement with regard to PEPs and other High Risk Customers);
              -Undertaking CDD file remediation measures when necessary;
              -Auditing the quality of CDD reviews and updates;
              -Maintaining records with regard to CDD reviews and updates, in accordance with statutory record-keeping requirements (see Section 9, Record Keeping).
               
          • 6.4 Enhanced Due Diligence (EDD) Measures

            (AML-CFT Decision Articles 4.2(b), 7.2, 15, 22, 25)

            In keeping with a risk-based approach to CDD, FIs are obliged to enhance their CDD measures with regard to customers identified as high-risk, including the specific categories of customers as provided for in the relevant articles of the AML-CFT Decision, such as politically exposed persons (PEPs) (see Section 6.4.1, Requirements for Politically Exposed Persons), customers associated with high-risk countries (see Section 6.4.3, Requirements for High-Risk Countries), and correspondent relationships (see Section 6.4.4, Requirements for Correspondent Relationships).

            Generally speaking, EDD involves a more rigorous application of CDD measures, including elements such as:

            Increased scrutiny and higher standards of verification and documentation from reliable and independent sources with regard to customer identity;
             
            More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds and source of wealth, and the purpose of individual transactions;
             
            Increased supervision of the Business Relationship, including the requirement for higher levels of management approval, more frequent monitoring of transactions, and more frequent review and updating of customer due diligence information.
             

            EDD means that FIs should intensify their measures, specifically by obtaining further evidence and supporting documentation. FIs should obtain additional information and evidence from high-risk customers such as:

             
              
            Source of funds (revenue) and source of wealth;
            Identifying information on individuals with control over the customer (legal person or arrangement) or account, such as signatories or guarantors;
            Occupation or type of business;
            Financial statements;
            Banking references;
            Domicile;
            Proximity of the customer’s residence, place of employment or place of business to the FI;
            Description of the customer’s primary trade area and whether international transactions are expected to be routine;
            Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers; and
            Explanations for changes in account activity.
             

            In addition, FIs should also apply specific EDD measures in case there are doubts about the accuracy or appropriateness of a customer’s ML/FT risk classification in order to determine the appropriate risk classification. EDD should also be applied when there are red-flag indicators of potentially unusual or suspicious transactions or activities. In all cases in which EDD is applied, FIs should ensure that they take reasonable measures to obtain adequate, substantiated information about the customer, commensurate with the level of the risks identified.

            As part of their overall AML/CFT framework, FIs should develop risk-based internal policies, procedures and controls in connection with the application of EDD measures. Examples of some of the factors they should consider when developing the risk-based policies include:

            The ML/FT risks identified in the ML/TF business risk assessment;
             
            Circumstances, timing, and composition regarding the application of EDD measures;
             
            Frequency of reviews and updates in relation to information on high-risk customers;
             
            Extent and frequency of ongoing monitoring of the Business Relationship and monitoring of transactions in relation to high-risk customers.
             

            Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of the NRA, any Topical Risk Assessment and their own ML/FT business risk assessments. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.

            Additional guidance regarding the application of EDD measures to statutory high-risk Business Relationship categories is provided in the following sub-sections.

            • 6.4.1 Requirements for Politically Exposed Persons (PEPs)

              (AML-CFT Decision Article 15)

              Due to their potential ability to influence government policies, determine the outcome of public funding or procurement decisions, or obtain access to public funds, politically exposed persons (PEPs) are classified as high-risk individuals from an AML/CFT perspective. The AML-CFT Law and the AML-CFT Decision define PEPs as:

               “Natural persons who are or have been entrusted with prominent public functions in the State or any other foreign country such as Heads of States or Governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties and persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation; and the definition also includes the following:
               
              Direct family members (of the PEP, who are spouses, children, spouses of children, parents).
               
              Associates known to be close to the PEP, which include:
               
              -Individuals having joint ownership rights in a legal person or arrangement or any other close Business Relationship with the PEP.
              -Individuals having individual ownership rights in a legal person or arrangement established in favour of the PEP.
               

              FIs are obliged to put in place appropriate risk management systems to determine whether a customer, Beneficial Owner, beneficiary, or controlling person is a PEP. In addition to undertaking standard CDD procedures, FIs are also required to take reasonable measures to establish the source of funds and the source of wealth of customers and Beneficial Owners identified as PEPs. In this regard, and commensurate with the nature and size of their businesses, FIs should take measures that include:

              Implementing automated screening systems which screen customer and transaction information for matches with known PEPs;
               
              Incorporating thorough background searches into their CDD procedures, using tools such as:
               
              -Manual internet search protocols;
              -Public or private databases;
              -Publicly accessible or subscription information aggregation services;
              -Commercially available background investigation services.
               

              If a customer, Beneficial Owner, beneficiary, or controlling person is identified as a PEP, FIs are required to take reasonable measures to establish the PEP’s source of funds and source of wealth. In this regard, they should also evaluate the legitimacy of the source of funds and source of wealth, including making reasonable investigations into the individual’s professional and financial background.

              Furthermore, FIs are also required to obtain senior management approval before establishing a Business Relationship with a PEP, or before continuing an existing one. In regard to the latter, senior management should be notified and their approval should be obtained for the continuance of a PEP relationship each time any of the following situations occur:

              An existing customer, Beneficial Owner, beneficiary, or controlling person becomes, or is newly identified as, a PEP;
               
              An existing PEP Business Relationship is reviewed and the CDD information is updated, either on a periodic or an interim basis, according to the organisation’s internal policies and procedures;
               
              A material transaction that appears unusual or illogical for the PEP Business Relationship is identified;
               
              The beneficiary or Beneficial Owner of a life insurance policy or family takaful insurance policy is identified as a PEP, and in case higher risks are identified, the overall Business Relationship should also be thoroughly examined and consideration given to filing an STR. Senior management should be informed before the payout of the policy proceeds.
               

              With regard to identified Domestic PEPs and individuals who were previously (but are no longer) entrusted with prominent functions at international organisations, the AML-CFT Decision provides that FIs should implement the measures described above when, apart from their PEP status, the Business Relationships associated with such persons could be classified as high-risk for any other reason.

              The handling of a customer who is no longer entrusted with a prominent public function should be based on an assessment of risk. This risk-based approach requires that FIs assess the ML/FT risk of a PEP who is no longer entrusted with a prominent public function, and take effective action to mitigate this risk. Possible risk factors are the level of (informal) influence that the individual could still exercise; the seniority of the position that the individual held as a PEP; or whether the individual’s previous and current function are linked in any way (e.g., formally by appointment of the PEP’s successor, or informally by the fact that the PEP continues to deal with the same substantive matters).

            • 6.4.2 EDD Measures for High-Risk Customers or Transactions

              (AML-CFT Decision Article 4.2(b))

              FIs are obliged to apply EDD measures to manage and mitigate the risks associated with identified High Risk Customers and/or transactions. The AML-CFT Decision defines High Risk Customers as including those who represent a risk:

               “…either in person, activity, Business Relationship, nature or geographical area, such as a customer from a high-risk country or non-resident in a country that does not hold an identity card, or a customer having a complex structure, performing complex operations or having unclear economic objective, or who conducts cash-intensive operations, or operations with an unknown third party...”
               

              Examples of the EDD measures that should be taken by FIs are laid out in the relevant article of the AML-CFT Decision. When carrying out such measures (especially as regards obtaining and investigating more information about the nature of the customer’s business, purpose of the Business Relationship, or reason for the transaction), FIs should pay particular attention to the reasonableness of the information obtained, and should evaluate it for possible inconsistencies and for potentially unusual or suspicious circumstances. Examples of factors that FIs should take into consideration in this regard include, but are not limited to:

              An illogical reason for a foreign customer’s or Beneficial Owner’s presence, or establishment of a Business Relationship, in the UAE;
               
              Consistency between the nature of the customer’s business and transactions and the customer’s or Beneficial Owner’s professional background and employment history, in regard to which FIs may find it helpful to obtain background information from reliable and independent sources, as well as from internet and social media searches, and from the customer’s or Beneficial Owner’s CV;
               
              The level of complexity and transparency of the customer’s transactions, especially in comparison with the customer’s or Beneficial Owner’s educational and professional background;
               
              The level of complexity and transparency of the customer’s legal structure of legal persons or arrangements;
               
              The nature of any other business interests of the customer or Beneficial Owner, including any other legal persons or arrangements owned or controlled;
               
              Consistency between the customer’s line of business and that of the counterparty to the customer’s transactions (as identified, for example, through internet searches).
               

              Additionally, and commensurate with the nature and size of their businesses, when carrying out EDD measures in respect of High Risk Customers or Beneficial Owners, FIs should take appropriate risk-mitigation measures such as, but not limited to:

              Performing background checks (among others, via internet searches, public databases, or subscription information aggregation services) to screen for possible matches with targeted and other international financial sanctions lists, indications of criminal activity (including financial crime), or other adverse information;
               
              Using more rigorous methods for the verification of the customer’s or Beneficial Owner’s identity in regard to High Risk Customers (see Section 6.3.1, Customer and Beneficial Owner Identification/Verification for more information).
               
            • 6.4.3 Requirements for High-Risk Countries

              (AML-CFT Law Article 16.1(e); AML-CFT Decision Article 22, 44.7, 60)

              FIs are obliged to implement EDD measures commensurate with the ML/FT risks associated with Business Relationships and transactions with customers from high-risk countries subject to a Call for Action and Jurisdictions under Increased Monitoring and the countries identified by NAMLCFTFC, and, in the case of legal persons and arrangements, with their Beneficial Owners, beneficiaries and other controlling persons from high-risk countries.

              FIs can obtain guidance on high risk countries from NAMLCFTFC, from the FATF list of High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring, and from NRA report. In addition, reference can also be made to the Organisation for Economic Cooperation and Development (OECD) list of jurisdictions classified as tax havens. The Basel AML index can be a useful source to determine the risk of a country.

              Examples of some of the measures FIs should apply in this regard include:

              Increased scrutiny and higher standards of verification and documentation from reliable and independent sources with regard to the identity of customers, Beneficial Owners, beneficiaries and other controlling persons;
               
              More detailed inquiry and evaluation of reasonableness in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
               
              Increased investigation to ascertain whether the customers or related persons (Beneficial Owners, beneficiaries and other controlling persons, in the case of legal persons and arrangements) are foreign PEPs;
               
              Increased supervision of the Business Relationship, including the requirement for higher levels of internal reporting and management approval, more frequent monitoring of transactions, and more frequent review/updating of customer due diligence information.
               

              Additionally, FIs are obliged to implement all specific CDD measures and countermeasures regarding High Risk Countries as defined by the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, including those related to the implementation of the decisions of the UN Security Council under Chapter VII of the Charter of the United Nations, the International Convention for the Suppression of the Financing of Terrorism and the Treaty on the Non-Proliferation of Nuclear Weapons, and other related directives, and those called for by the Financial Action Task Force (FATF) and/or other FSRBs.

              In order to fulfil these obligations, and commensurate with the nature and size of their businesses and the risks involved, FIs should establish adequate internal policies, procedures and controls in relation to the application of EDD measures and risk-proportionate effective countermeasures to customers and Business Relationships associated with high-risk countries. Some of the factors to which FIs should give consideration when formulating such policies, procedures and controls, include but are not limited to the following:

              The organisation’s risk appetite with respect to Business Relationships involving high-risk countries;
               
              Methodologies and procedures for assessing and categorising country risk, and identifying high-risk countries, including the statutorily defined High Risk Countries as established by the NAMLCFTC, and taking into consideration advice or notifications of concerns about weaknesses in the AML/CFT system of other countries issued by the relevant Supervisory Authorities and/or Competent Authorities;
               
              Determination and implementation of appropriate risk-based controls (for example, certain product or service restrictions, transaction limits, or others) with regard to customers and Business Relationships associated with high-risk countries;
               
              Organisational roles and responsibilities in relation to the monitoring, management reporting, and risk management of high-risk country Business Relationships;
               
              Appropriate procedures for the enhanced investigation of Business Relationships involving high-risk countries in relation to their assessment for possible PEP associations;
               
              Independent audit policies in respect of EDD procedures pertaining to customers/Business Relationships involving high-risk countries and the business units that deal with them.
               

              For all countries identified as high-risk, the FATF calls on all members and urges all jurisdictions to apply EDD, and in the most serious cases, countries are called upon to apply countermeasures to protect the international financial system from the ongoing money laundering, terrorist financing, and proliferation financing risks emanating from the country. However, specific countermeasures which need to be applied by FIs shall be advised by the corresponding supervisory authorities, the FIU or the NAMLCFTC.

            • 6.4.4 Requirements for Correspondent Relationships

              (AML-CFT Decision Article 25)

              Financial Institutions are obliged to fulfil certain due diligence requirements with regard to the correspondent banking relationships and other similar relationships they maintain, regardless of whether these involve foreign or domestic financial institutions. Additional guidance in respect of the measures specified in the relevant article of the AML-CFT Decision is provided below. Similar relationships to which FIs should apply the guidance below include, for example, those established for securities transactions or funds transfers.

              FIs are prohibited from entering into or maintaining correspondent relationships with shell banks, or with institutions that allow their accounts to be used by shell banks. The AML-CFT Decision defines a shell bank as a “bank that has no physical presence in the country in which it is incorporated and licensed, and is unaffiliated with a regulated financial group that is subject to effective consolidated supervision.”

              FIs are required to collect sufficient information about any receiving correspondent institution for the purpose of identifying and achieving a full understanding of the nature of its business, and to determine, through publicly available information, its reputation and level of AML/CFT controls, including whether it has been subject to a ML/FT investigation or regulatory action.
               
              FIs are obliged to evaluate the AML/CFT controls applied by the receiving correspondent institution.
               
              FIs are required to obtain approval from senior management before establishing new correspondent relationships.
               
              FIs are obliged to understand the responsibilities of each institution in the field of combating the crimes of money laundering, the financing of terrorism and of illegal organisations.
               

              Regulatory and supervisory environments governing the operation of financial institutions around the world vary greatly. Thus, not all foreign financial institutions are subject to the same AML/CFT requirements as FIs in the UAE; and as a consequence, some of these foreign institutions may pose a higher ML/FT risk. To mitigate against these risks, FIs that maintain correspondent relationships with foreign financial institutions should consider implementing adequate procedures to assess and periodically review the relevant regulatory and supervisory frameworks of the countries concerned.

              Furthermore, when gathering information about financial institutions with which they maintain correspondent relationships, whether foreign or domestic, FIs should take appropriate steps to assess the nature, size and extent of their businesses in the countries where they are incorporated and licensed, as well as their ownership and management structures (taking into consideration the nature and extent of any PEP involvement), in order to evaluate whether they exhibit the characteristics of shell banks, and whether they offer downstream correspondent services (also known as “nested accounts”) to other banks. If they do offer downstream correspondent services, FIs should also take reasonable steps to understand the types of services offered, the number and types of financial institutions they are offered to, the types of customers those institutions serve, and to identify the associated ML/FT risk issues.

              In order to collect sufficient information about the nature of a financial institution and the AML/CFT controls it applies, and to assess the ML/FT risks associated with it, FIs should take appropriate measures such as implementing a suitable correspondent relationships questionnaire and, when necessary, conducting follow-up interviews. (FIs may find the correspondent banking questionnaire which has been developed by the Wolfsberg Group, as well as the Wolfsberg Anti-Money Laundering Principles for Correspondent Banking, instructive in this regard. See Appendix 11.2, Useful Links.)

              In addition to obtaining senior management approval prior to establishing new correspondent relationships, FIs should also periodically review and update their due diligence information in relation to the financial institutions with which they maintain correspondent relationships, commensurate with the risks involved (see 6.3.6 Reviewing and Updating the Customer Due Diligence Information). In the event of a deterioration in the risk profile of a financial institution with which a correspondent relationship is maintained, including the discovery of material adverse information concerning the institution, FIs should ensure that senior management is informed and appropriate risk-based measures are taken to assess and mitigate the ML/FT risks involved.

              FIs should also maintain agreements or contracts with financial institutions with which they maintain correspondent relationships. In addition to operational details concerning the products and services covered, these agreements should clearly describe each party’s responsibilities in regard to ML/FT risk mitigation, due diligence procedures, and the detailed conditions related to any permitted third-party usage of the correspondent account.

            • 6.4.5 Requirements for Money or Value Transfer Services

              (AML-CFT Decision Articles 26, 30)

              As part of a risk-based AML/CFT approach, FIs that enter into or maintain Business Relationships with Money or Value Transfer Services (MVTSs) should take adequate CDD measures that are commensurate with the risks involved (see Sections 6.3, Customer Due Diligence (CDD) Measures and 6.4, Enhanced Due Diligence (EDD) Measures). Examples of measures that FIs should consider in this regard include, but are not limited to:

              Ensuring that the MVTS is properly licensed or registered; in particular, when opening any accounts for Hawala Providers, FIs licensed by the Central Bank must physically check the original Hawala Provider registration certificate issued by the Central Bank and keep a copy thereof;
               
              Obtaining information about and assessing the adequacy of the MVTS’s AML/CFT policies, procedures and controls, including those related to Wire Transfers as stipulated in the relevant provisions of the AML-CFT Decision;
               
              Obtaining the MVTS’s list of agents, and identifying and assessing the associated ML/FT risks, especially with regard to high-risk countries or other identified high-risk factors;
               
              Obtaining sufficient information about the MVTS’s ownership and management structure (including taking into consideration the possibility of PEP involvement), the nature and scope of its business, the nature of its customer base, and the geographic areas in which it operates, so as to be in a position to identify, assess, and manage or mitigate the associated ML/FT risks.
               

              FIs that enter into or maintain relationships with MVTSs should also use a risk-based approach to determine the appropriate internal AML/CFT policies, procedures and controls FIs implement in relation to the risk assessment, risk classification, and the type and extent of CDD they perform on the MVTSs. The policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and should be adequately documented, senior management approved, and communicated to the relevant employees of the organisation.

            • 6.4.6 Requirements for Non-Profit Organisations

              Non-Profit Organisations (NPOs) can often pose increased risks in regard to money laundering, the financing of terrorism, and the financing of illegal organisations. As part of an effective risk-based approach to AML/CFT, FIs that enter into or maintain Business Relationships with NPOs should take adequate CDD measures that are commensurate with the risks involved (see Sections 6.3, Customer Due Diligence (CDD) Measures and 6.4, Enhanced Due Diligence (EDD) Measures). Examples of measures that FIs should consider include, but are not limited to:

              Ensuring that the NPO is properly licensed or registered; in particular, when opening any accounts for Non-Profit Organisations, FIs licensed by the Central Bank must obtain an original signed letter from the Ministry of Community Development for opening accounts to collect donations and an authorization from the UAE Red Crescent for conducting financial transfers out of the UAE through some of these accounts;
               
              Obtaining information about and assessing the adequacy of the NPO’s AML/CFT policies, procedures and controls;
               
              Obtaining sufficient information about the NPO’s legal, regulatory and supervisory status, including requirements relating to regulatory disclosure, accounting, financial reporting and audit (especially where community/social or religious/cultural organisations are involved, and when those organisations are based, or have significant operations, in jurisdictions that are unfamiliar or in which transparency or access to information may be limited for any reason);
               
              Obtaining sufficient information about the NPO’s ownership and management structure (including taking into consideration the possibility of PEP involvement); the nature and scope of its activities; the nature of its donor base, as well as of that of the beneficiaries of its activities and programmes; and the geographic areas in which it operates, so as to be in a position to identify, assess, and manage or mitigate the associated ML/FT risks;
               
              Performing thorough background checks (including but not limited to the use of internet searches, public databases, or subscription information aggregation services) on the NPO’s key persons, such as senior management, branch or field managers, major donors and major beneficiaries, to screen for possible matches with targeted and other international financial sanctions lists, indications of criminal activity (including financial crime), or other adverse information.
               

              FIs that enter into or maintain relationships with NPOs should also use a risk-based approach to determine the appropriate internal AML/CFT policies, procedures and controls the FIs implement in relation to the risk assessment, risk classification, and the type and extent of CDD they perform on NPOs. The policies and procedures that FIs apply should be reasonable and proportionate to the risks involved, and should be adequately documented, senior management approved, and communicated to the relevant employees of the organisation.

          • 6.5 Simplified Due Diligence (SDD) Measures

            (AML-CFT Decision Articles 4.3, 5, 10)

            In keeping with a risk-based approach to CDD, under certain circumstances and in the absence of a ML/FT suspicion, FIs are only permitted to exercise simplified customer due diligence measures (SDD) with regard to customers identified as low-risk through an adequate analysis of risks.

            SDD generally involves a more lenient application of certain aspects of CDD measures, including such elements as:

            A reduction in verification requirements with regard to customer or Beneficial Owner identification;
             
            Fewer and less detailed inquiries in regard to the purpose of the Business Relationship, the nature of the customer’s business, the customer’s source of funds, and the purpose of individual transactions;
             
            More limited supervision of the Business Relationship, including less frequent monitoring of transactions, and less frequent review/updating of customer due diligence information.
             

            Specifically, the AML-CFT Decision permits the application of SDD in the following circumstances:

            Identified low-risk customers. When the customer or Beneficial Owner is identified as posing a low risk of ML/FT, FIs are permitted to complete the verification of their identity after the establishment of a Business Relationship under the conditions specified in the relevant provisions of the AML-CFT Decision. In this regard, FIs are required to implement appropriate and effective measures to control the risks of ML/FT, including the risks in regard to the customer or Beneficial Owner benefitting from the Business Relationship prior to the completion of the verification process. Examples of such measures which FIs may consider taking in this regard are, among others:
             
            - Holding funds in suspense or in escrow until the verification of the identity is completed;
            - Making the completion of verification of the identity a condition precedent to the closing of a transaction.
             
            It should be noted that the provision allowing a relaxation of the timing for the completion of the identity verification procedures does not imply that FIs are permitted to establish a Business Relationship without any customer identification at all. On the contrary, in all cases, the basic identification information in relation to the customer (whether a natural or legal person or arrangement) should be obtained; however, under the specified conditions, FIs are permitted to establish the Business Relationship prior to the completion of the verification process, which may include such steps as: obtaining appropriate supporting documentation, certifications or attestations, when necessary (for example, as regards the corporate documents of a legal person); or obtaining all the necessary information related to the relevant parties of a legal person or Legal Arrangement, such as Beneficial Owners, settlors, trustees or executors, protectors, beneficiaries, or other controlling persons.
             
            Listed companies. FIs are exempted from identifying and verifying the identity of any shareholder, partner or Beneficial Owner of a legal person under the conditions specified in the relevant provisions of the AML-CFT Decision. Namely:
             
            - When the relevant information on the shareholder, partner or Beneficial Owner is obtained from reliable sources; and
            - When the customer, or the owner holding the controlling interest of the customer, is a company listed on a regulated stock exchange subject to adequate disclosure and transparency requirements related to Beneficial Ownership; or when the customer, or the owner holding the controlling interest of a legal entity customer, is the majority-held subsidiary of such a listed company.
             

            Without prejudice to the above, in the case of foreign stock exchanges, FIs should take steps to adequately assess and document the relevant disclosure and transparency requirements related to Beneficial Ownership, and to ensure that they are at least equivalent to those of the UAE.

            In addition, FIs should be aware that, regardless of the exemption mentioned above, FIs are required with respect to listed companies to verify that any person purporting to act on behalf of the customer is so authorised, and verify the identity of that person.

            As part of their overall AML/CFT framework, FIs should use a risk-based approach to determine the internal policies, procedures and controls they implement in connection with the application of SDD procedures. Examples of some of the factors they should consider when developing their risk-based policies include:

            The ML/FT risks identified in the ML/FT business risk assessment, especially with regard to low-risk categories of customers;
             
            Circumstances, timing, and composition in regard to the application of SDD measures;
             
            Frequency of reviews and updates in relation to customer SDD information;
             
            Extent and frequency of ongoing supervision of the Business Relationship and monitoring of transactions in relation to customers to which SDD measures are applied.
             

            Such policies, procedures and methodologies should be reasonable and proportionate to the risks involved, and, in formulating them, FIs should consider the results of both the NRA and any Topical Risk Assessment and their own ML/FT business risk assessments. Commensurate with the nature and size of the FIs’ businesses, the policies, procedures and methodologies should also be documented, approved by senior management, and communicated at the appropriate levels of the organisation.

          • 6.6 Reliance on a Third Party

            (AML-CFT Decision Article 19)

            Under certain conditions, the AML-CFT Decision permits FIs to rely on third parties to undertake the required CDD measures, including those measures specifically laid out in regard to identified high-risk countries (see Section 6.4.3, Requirements for High-Risk Countries), with the responsibility for the validity of the measures resting directly with the FIs. Among the conditions set forth in the AML-CFT Decision concerning the reliance on third parties, it is stipulated that FIs shall:

             “Ensure that the third party is regulated and supervised, and adheres to the CDD measures towards Customers and record-keeping provisions of the present Decision.”
             

            In order to fulfil this obligation, FIs that rely on third parties to undertake CDD measures on their behalf should implement adequate measures, in keeping with the nature and size of their businesses, to ensure the third party’s adherence to the requirements of the AML-CFT Law and the AML-CFT Decision in relation to CDD measures. Examples of such measures include:

            Clearly defined procedures for determining the adequacy of a third-party’s CDD and record-keeping measures, including the evaluation of such factors as the comprehensiveness and quality of its AML/CFT policies, procedures and controls; the number of personnel dedicated to CDD; and its audit and/or quality assurance policies in regard to CDD. In this regard, FIs are advised that tools such as questionnaires, scorecards, and on-site visits may be useful in evaluating the adequacy of a third party’s adherence.
             
            Service-level agreements, clearly setting out the roles and responsibilities of the FI and the third party and specifying the nature of the CDD and record-keeping requirements to be fulfilled.
             
            Procedures for the certification by third parties of documents and other records pertaining to the CDD measures undertaken.
             

            In addition to the above, when relying on foreign third parties for the undertaking of CDD measures, FIs should take steps to ensure that the AML/CFT regulatory and supervisory framework under which the third party operates is at least equivalent to that of the State. This means that FIs should ensure that the third party is regulated and supervised for AML/CFT purposes, and adheres to the equivalent CDD and record-keeping measures.

            Whichever methods are utilized to ensure the adherence of third parties to the statutory CDD and record-keeping requirements, FIs should document and periodically review them for effectiveness.

            Reliance on a third party refers to an FI’s reliance on a third party for all or part of the CDD process, as well as reliance on a third party when introducing business. FIs should therefore take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay. This includes the identification and verification of the identity of customers and Beneficial Owners, beneficiaries or controlling persons of legal entities or arrangements, as well as the investigation and assembly of other relevant customer documents, information and data, as per the statutory CDD and record-keeping requirements. Nevertheless, FIs remain ultimately responsible for the outcome of the CDD process. Furthermore, FIs should themselves assess the risks of the customer, including the customer’s risk profile. FIs should thus document their rationale for the assignment of relevant customer risk classifications, as well as their analysis of the CDD information obtained from the third parties. Moreover, FIs themselves remain responsible for conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship.

            For the purpose of this guidance, it is important to note that FIs are expected to use documents, data or information from reliable and independent sources in carrying out their CDD obligations, which include, among other things, verifying the identity of customers and Beneficial Owners, beneficiaries or controlling persons of legal entities or arrangements.

            Reliable and independent sources may include, but are not necessarily limited to, official bodies such as Competent Authorities, governmental departments or agencies, governmental or state-sponsored business registries, public utilities or similar official enterprises; as well as non-official organisations, such as publicly accessible free or subscription information aggregation services, credit reporting agencies, and others.

            FIs are reminded that simply obtaining CDD documents and supporting information from reliable and independent sources during the course of performing their own CDD procedures is not necessarily considered as reliance on a third party. On occasions when FIs, during the course of carrying out their own CDD procedures, receive certain documents, information or data from a third party, FIs should obtain evidence of the third party’s regulatory and supervisory status and good standing, and they should also consider obtaining the third party’s certification that any CDD documents provided by them (such as identification documents, proof of address, or documents corroborating a customer’s source of funds) are true copies of the originals.

      • Part IV—AML/CFT Administration and Reporting

        • 7. Suspicious Transaction Reporting

          (AML-CFT Law Articles 9.1, 15, 30; AML-CFT Decision Articles 16-18)

          Under the AML/CFT legal and regulatory framework of the UAE, all FIs are obliged to promptly report to the Financial Intelligence Unit (FIU) suspicious transactions and any additional information required in relation to them, when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime. FIs are required to put in place and update indicators that can be used to identify possible suspicious transactions.

          In order to fulfil these obligations, FIs should implement adequate internal policies, procedures and controls in relation to the identification and the immediate reporting of suspicious transactions. The following sub-sections provide additional guidance in this regard.

          • 7.1 Role of the Financial Intelligence Unit

            (AML-CFT Law Articles 9-10; AML-CFT Decision Articles 13, 16, 17.1, 21.2 and 5, 40-43, 46.1-4, 49.2-3)

            The FIU of the UAE is established within the premises of the Central Bank; however, the FIU operates independently by legal and regulatory mandate as the central national agency with sole responsibility for performing the following functions:

            Receiving and analysing STRs from FIs and DNFBPs, and disseminating the results of its analysis to the Competent Authorities of the State;
             
            Receiving and analysing reports of suspicious cases from the Federal Customs Authority;
             
            Requesting additional information and documents relating to STRs, or any other data or information it deems necessary to perform its duties, from FIs, DNFBPs, and Competent Authorities, including information relating to customs disclosures;
             
            Cooperating and coordinating with Supervisory Authorities by disseminating the outcomes of its analysis, specifically with respect to the quality of STRs, to ensure the compliance of FIs and DNFBPs with their statutory AML/CFT obligations;
             
            Sending data relating to STRs and the outcomes of its analyses and other relevant data, including information obtained from foreign FIUs, to national Law Enforcement Authorities, prosecutorial authorities and judiciary authorities when actions are required by those authorities in relation to a suspected crime;
             
            Exchanging information with its counterparts in other countries, with respect to STRs or any other information to which it has access.
             

            Under the aegis of the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, and for the effective performance of its functions, the FIU maintains operational protocols with numerous national and international Competent Authorities.

            The FIU has launched the GoAML system for the purposes of facilitating the filing of STRs by all FIs. FIs shall register themselves on the GoAML system by following the procedure manual and maintain their registration in an active status. The Compliance Officer of the company can register as the user of the system. GoAML provides a secure link of each FI to the FIU through their respective supervisory authorities. The system hosts processes for facilitating filing of STRs. It also has an .xml schema for filing batches of STRs. The guidance documents for filing of STRs are posted on the dashboard of this system. All new licensed FIs shall register themselves immediately after obtaining their financial services license so as to confirm their readiness for filing of STRs from the beginning.

            The STRs are received by the FIU and processed for any required further information or documents or for further action by Law Enforcement or Supervisory Authorities. The FIU maintains a record of these STRs and performs a trend analysis to understand the prevailing trends in transactions and in sectors or institutions where the possibility of ML or FT exists. This trend analysis is shared with all the registered users of GoAML through the system by means of a periodic trends and typologies report.

          • 7.2 Processing of STRs by the FIU

            (AML-CFT Law Articles 9-10; AML-CFT Decision Articles 42, 43.1-3, 49.3)

            A core function of the FIU is to conduct operational analysis on STRs and information received from FIs, DNFBPs, as well as from Competent Authorities, and to support the investigations of Law Enforcement Authorities. It does so by identifying specific targets (such as persons, funds, or criminal networks) and by following the trail of specific transactions in order to determine the linkages between those targets and the possible proceeds of crime, money laundering, predicate offences and terrorist financing.

            Upon the receipt of STRs or information from reporting institutions or other sources, the FIU assesses the information, prioritises the risk, and performs its own analyses using a variety of information sources and analytical techniques.

            In certain cases, the FIU may request additional information from the reporting entity, Competent Authorities, or even from other FIs which also have a business relationship with the subject of its analysis or investigation, through the Integrated Enquiries Management System (IEMS). Upon concluding its analysis or investigation, the FIU may disseminate information about the case to Law Enforcement Authorities or foreign FIUs, and may, at its own discretion, also provide feedback to the reporting entity in the form of instructions regarding required actions to be taken, or recommendations and guidance.

            In addition to the above, the FIU also performs strategic analysis, using data aggregated from the STRs and other information it receives, including from national and international Competent Authorities and FIUs of other countries, to identify trends and patterns relating to ML/FT. As a result of this analysis, the FIU may from time to time disseminate enhanced due diligence and fraud alerts to FIs as a preventive measure, and may also disseminate information to FIs about prevalent or new and emerging ML/FT typologies, or other specific risks which FIs should take into consideration.

          • 7.3 Meaning of Suspicious Transaction

            (AML-CFT Law Article 16; AML-CFT Decision Article 17.1)

            Within the meaning of the AML-CFT Law and its implementing AML-CFT Decision, a suspicious transaction refers to any transaction, attempted transaction, or funds which an FI has reasonable grounds to suspect as constituting—in whole or in part, and regardless of the amount or the timing—any of the following:

            The proceeds of crime (whether designated as a misdemeanour or felony, and whether committed within the State or in another country in which it is also a crime);
             
            Being related to the crimes of money laundering, the financing of terrorism, or the financing of illegal organisations;
             
            Being intended to be used in an activity related to such crimes.
             

            It should be noted that the only requirement for a transaction to be considered as suspicious is “reasonable grounds” in relation to the conditions referenced above. Thus, the suspicious nature of a transaction can be inferred from certain information, including indicators, behavioural patterns, or CDD information, and it is not dependent on obtaining evidence that a predicate offence has actually occurred or on proving the illicit source of the proceeds involved. FIs do not need to have knowledge of the underlying criminal activity nor any founded suspicion that the proceeds originate from a criminal activity; reasonable grounds are sufficient.

            FIs should also note that transactions need not be completed, in progress or pending completion in order to be considered as suspicious. Attempted transactions, transactions that are not executed and past transactions, regardless of their timing or completion status, which are found upon review to cause reasonable grounds for suspicion, must be reported in accordance with the relevant requirements.

          • 7.4 Identification of Suspicious Transactions

            (AML-CFT Decision 16)

            FIs are obliged to put in place indicators that can be used to identify suspicious transactions, and to update those indicators on an ongoing basis in accordance with the instructions of the Supervisory Authorities or the FIU, as well as in keeping with relevant developments concerning ML/FT typologies. FIs should also consider the results of the NRA, any Topical Risk Assessment and their own ML/FT business risk assessments in this regard.

            As part of their overall AML/CFT framework, and commensurate with the nature and size of their businesses, FIs should determine the internal policies, procedures and controls they apply in connection with the identification, implementation, and updating of indicators, as well as with the identification and evaluation of potentially suspicious transactions. Some factors that should be considered include, but are not limited to:

            Organisational roles and responsibilities with respect to the implementation and review/updating of the relevant indicators, especially in relation to obligatory indicators required by the Supervisory Authorities or the FIU;
             
            Operational and IT systems procedures and controls in connection with the application of relevant indicators to processes such as transaction handling and monitoring, customer due diligence measures and review, and alert escalation;
             
            Staff training in relation to the identification and reporting of suspicious transactions (including attempted transactions), the appropriate use and assessment of the relevant indicators, and the degree and extent of internal investigation that is appropriate prior to the reporting of a suspicious transaction.
             

            FIs should ensure that they have an adequate process and dedicated, experienced staff for the investigation of and dealing with alerts. The investigation of alerts and the conclusion of the investigation should be documented, including the decision to close the alert or to promptly report the transaction as suspicious.

            Prompt reporting to the FIU is one of the key elements of the AML/CFT process. This means that FIs must report the transaction to the FIU immediately once the suspicious nature of the transaction becomes clear. This will be the case when, from an objective point of view, taking the available information into account, there is a reason to believe that a transaction is suspicious. This means that FIs expeditiously investigate alerts and possible indications of ML/FT and immediately report the transaction upon determining that the transaction should be reported to the FIU. FIs therefore need to be able to show that from the moment of the alert immediate and continuous action has been taken.

            In this respect, FIs must have a procedure in place that defines the reporting process, and what steps to take in such cases. When investigating alerts it is important to examine the customer’s earlier and related transactions, and to reconsider the customer’s risk profile.

            When identifying suspicious transactions, FIs, and their management and employees, should be aware of the facts that, in relation to ML/FT crimes, there is no minimum threshold or monetary value for reporting, and that no amount or transaction size should be considered too small for suspicion. This is of particular significance where the crimes of the financing of terrorism and of illegal organisations are concerned, since typologies related to them may often involve very small amounts of money.

            Furthermore, with the exception of obligatory indicators for which reporting is required by the relevant Supervisory Authorities or the FIU, FIs should note that the presence of an indicator means that a transaction needs to be immediately investigated in order to determine whether the transaction needs to be reported. When determining whether a transaction is suspicious or whether there is reasonable ground for a suspicion, FIs should give consideration to the nature of the specific circumstances, including the products or services involved, and the details of the customer in the context of its risk profile. In some cases, patterns of activity or behaviour that might be considered as suspicious in relation to a specific customer or a particular product type, might not be suspicious in regard to another. For this reason, clear internal policies and procedures with regard to alert escalation and investigation, and internal suspicious transaction reporting are critical to an effective ML/FT risk-mitigation programme. This includes an adequate training program that will allow staff to detect possible unusual or suspicious transactions.

            While it is impossible to list all the indicators of suspicion in these Guidelines, some useful links to sources of AML/CFT suspicious transaction indicators are provided in Appendix 11.2, Useful Links. A few examples of potentially suspicious transaction types that FIs should take into consideration include:

            Transactions or series of transactions that appear to be unnecessarily complex, that make it difficult to identify the Beneficial Owner, or that do not appear to have an economic or commercial rationale;
             
            Numbers, sizes, or types of transactions that appear to be inconsistent with the customer’s expected activity and/or previous activity;
             
            Transactions that appear to be exceptionally large in relation to a customer’s declared income or turnover;
             
            Large unexplained cash deposits and/or withdrawals, especially when they are inconsistent with the nature of the customer’s business;
             
            Loan repayments that appear to be inconsistent with a customer’s declared income or turnover;
             
            Early repayment of a loan followed by an application for another loan;
             
            Third-party loan agreements, especially when there are amendments to or assignments of the loan agreement;
             
            Requests for third-party payments, including those involving transactions related to loans, investments, or insurance policies;
             
            Transactions involving high-risk countries, including those involving “own funds” transfers, particularly in circumstances in which there are no clear reasons for the specific transaction routing;
             
            Frequent or unexplained changes in ownership or management of Business Relationships;
             
            Illogical changes in business activities, especially where high-risk activities are involved;
             
            Situations in which CDD measures cannot be performed, such as when the customers or Beneficial Owners refuse to provide CDD documentation, or provide documentation that is false, misleading, fraudulent or forged.
             
             When reporting an STR in the GoAML system, the user is required to select the most appropriate reason for reporting available from the menu selection provided. More than one reason may also be provided, if deemed necessary. In order to select the appropriate indicator, click ‘Add’ to select the appropriate reason for the report.
             
             Select the reason(s) applicable and then press ‘Close’. Alternatively, the user may search for reasons using the search bar available on the top left when expanding the form. It is imperative that a minimum of one reason for reporting must be selected to avoid rejection of the report by the GoAML system.
             
          • 7.5 Requirement to Report

            (AML-CFT Law Articles 9.1, 15, 24; AML-CFT Decision Articles 13.2, 17.1, 20.2)

            FIs are obliged to report transactions to the FIU without delay when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime. There is no minimum reporting threshold; all suspicious transactions, including attempted transactions, should be reported regardless of the amount of the transaction. There is also no statute of limitations with regard to when the possible crimes or the suspicious transaction took place.

            Under federal law and regulations, whether the FI operates in the mainland UAE or in a Financial or Commercial Free Zone, the designated Competent Authority for the reporting of suspicious transactions is the FIU.

            Failure to immediately report a suspicious transaction, whether intentionally or by gross negligence, is a federal crime. Any person, including FIs or their managers and employees, who fails to perform their statutory obligation to report a suspicion of money laundering, or the financing of terrorism or of illegal organisations, is liable to a fine of no less than AED100,000 and no more than AED1,000,000 and/or imprisonment.

            There are no exemptions from the statutory reporting requirement provided for FIs under the AML-CFT Law or AML-CFT Cabinet Decision.

          • 7.6 Procedures for the Reporting of Suspicious Transactions

            (AML-CFT Law Article 9; AML-CFT Decision Articles 17.1(a), 21.2)

            As the designated Competent Authority for receiving and analysing STRs from all FIs, it is within the purview of the FIU to determine the procedures for the reporting of suspicious transactions. As stated in the AML-CFT Decision, FIs shall report STRs “via the electronic system of the FIU or by any other means approved by the FIU”, which is the FIU’s GoAML system.

            Without prejudice to the above, it should be noted that the AML-CFT Decision provides for the reporting of STRs to be effected by the designated compliance officer of the FI. Specifically, the Cabinet Decision states that the duty of a compliance officer is to:

            “Review, scrutinise and study records, receive data concerning Suspicious Transactions, and take decisions to either notify the FIU or maintain the Transaction with the reasons for maintaining while maintaining complete confidentiality.”

            In this regard, as part of their overall risk-based AML/CFT framework and commensurate with the nature and size of their businesses, FIs should establish appropriate policies, procedures and controls pertaining to the internal reporting by their managers and employees of potentially suspicious transactions, including the provision of the necessary records and data, to the designated AML/CFT compliance officer for further analysis and reporting decisions, as well as to the reporting of STRs by the compliance officer to the FIU. The relevant policies, procedures and controls should take into consideration such factors as:

            Policies and procedures for the internal investigation of potentially suspicious transactions prior to the reporting of STRs;
             
            Conditions, timing, and methods for filing internal potentially suspicious transactions;
             
            Content requirements and format of internal potentially suspicious transactions;
             
            Appropriate controls for ensuring confidentiality and the protection of data from unauthorized access (also see Section 7.8, Confidentiality and Prohibition against “Tipping Off”);
             
            Procedures related to the provision of additional information, follow-up actions pertaining to the transactions, and the handling of Business Relationships after the filing of STRs;
             
            Policies and procedures for the analysis and decision-making of suspicious transactions by the compliance officer in regard to reporting to the FIU;
             
            Other conditions deemed appropriate by the AML/CFT compliance officer.
             

            Such policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation, in keeping with the nature and size of the FI’s business.

          • 7.7 Timing of Suspicious Transaction Reports (STRs)

            (AML-CFT Law 9; AML-CFT Decision 17.1(a), 21.2)

            FIs are obliged to report STRs to the FIU without delay. Since it is the responsibility of the designated AML/CFT compliance officer to “review, scrutinise and study records, receive data concerning suspicious transactions, and take decisions to either notify the FIU or maintain the transaction,” (see Section 8.1, Compliance Officer) it follows that the STRs should be immediately reported once the suspicious nature of the transaction becomes clear. This means that the internal reporting of suspicious transactions to the compliance officer should be done directly once the suspicion or reasonable grounds for suspicion are established, and immediately the designated AML/CFT compliance officer has confirmed that the transaction (whether pending, in progress, or past) is suspicious, it should be reported.

            Without prejudice to the above, FIs should note that, with the exception of any obligatory indicators for which immediate reporting to the FIU is required by the relevant Competent Authorities, some potentially suspicious transactions or indicators of suspicion may require a degree of internal investigation before a suspicion or reasonable grounds for suspicion are established and an internal STR is reported to the designated AML/CFT compliance officer. The FI should however be able to demonstrate that this investigation is started immediately and has been ongoing continuously until the transaction is reported to the FIU. In this regard, and commensurate with the nature and size of their businesses, FIs should establish clear policies, procedures and staff training programmes pertaining to the identification, investigation and internal reporting of suspicious transactions (including attempted transactions), and the degree and extent of investigations that are appropriate prior to the internal reporting of a suspicious transaction (also see Section 7.2, Identification of Suspicious Transactions). These policies and procedures should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

          • 7.8 Confidentiality and Prohibition against “Tipping Off”

            (AML-CFT Law Article 25; AML-CFT Decision Articles 17.2, 21.2, 31.3, 39)

            When reporting suspicious transactions to the FIU, FIs are obliged to maintain confidentiality with regard to both the information being reported and to the act of reporting itself, and to make reasonable efforts to ensure the information and data reported are protected from access by any unauthorized person.

            As part of their risk-based AML/CFT framework, and in keeping with the nature and size of their businesses, FIs, and their foreign branches or group affiliates where applicable, should establish adequate policies, procedures and controls to ensure the confidentiality and protection of information and data related to STRs. These policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organisation.

            FIs must ensure that all relevant information relating to STRs is kept confidential, with due regard to the conditions and exceptions provided for in the law, and the guiding principles for this must be established in policies and procedures. FIs need to ensure that policy and procedures are reflected in, for example, appropriate access rights with regard to core systems used for case management and notifications, secure information flows and guidance/training to all staff members involved. This guidance and training is primarily important for the first-line staff who have contact with customers. It is essential that these staff know when there may be cases of suspicious transactions, what questions they have to ask the customer and which information they must not under any circumstances disclose to the customer.

            It should be noted that the confidentiality requirement does not pertain to communication within the FI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention or reporting of suspicious transactions and/or crimes related to ML/FT.

            It is a federal crime for FIs or their managers, employees or representatives, to inform a customer or any other person, whether directly or indirectly, that a report has been made or will be made, or of the information or data contained in the report, or that an investigation is under way concerning the transaction. Any person violating this prohibition is liable to a penalty of no less than AED100,000 and no more than AED500,000 and imprisonment for a term of not less than six months.

          • 7.9 Protection against Liability for Reporting Persons

            (AML-CFT Law Article 27; AML-CFT Decision Article 17.3)

            FIs, as well as their board members, employees and authorised representatives, are protected by the relevant articles of the AML-CFT Law and AML-CFT Decision from any administrative, civil or criminal liability resulting from their good-faith performance of their statutory obligation to report suspicious activity to the FIU. This is also the case even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred. However, it should be noted that such protections do not extend to the unlawful disclosure to the customer or any other person, whether directly or indirectly, that they have reported or intend to report a suspicious transaction, or of the information or data the report contains, or that an investigation is being conducted in relation to the transaction.

          • 7.10 Handling of Transactions and Business Relationships after Filing of STRs

            Once a Suspicious Transaction or other suspicious information related to a Customer or Business Relationship has been reported to the FIU, there are two immediate consequences:

            FIs are obliged to follow the instructions, if any, of the FIU in relation to both the specific transaction and to the business relationship in general.
             
            The Customer or Business Relationship should immediately be classified as a High Risk Customer and appropriate risk-based enhanced due diligence and ongoing monitoring procedures should be implemented in order to mitigate the associated ML/FT risks (see Sections 6.4, Enhanced Due Diligence (EDD) Measures, especially 6.4.2, EDD Measures for High-Risk Customers or Transactions, and 6.3.5 Ongoing Monitoring of the Business Relationship). It is, however, not required to terminate the relationship.
             

            Further guidance on both of these topics is provided below.

            FIU Instructions

            After receiving an STR from an FI, the FIU may or may not revert to the reporting institution with specific instructions, requests for additional information, feedback or further guidance related to the STR or to the business relationship in general. In such cases, these communications will generally be directed to the designated AML/CFT compliance officer of the FI.

            Confidentiality of FIU’s Instructions

            The responsibility for coordinating the FI’s prompt compliance with the FIU’s instructions or requests lies with the designated AML/CFT compliance officer. It should be noted that, depending on the nature of the case, the FIU may require the compliance officer to maintain certain information related to its instructions or requests privileged and/or confidential within the FI’s organisation. In other words, in some cases, the compliance officer could be restricted from divulging information about a transaction or business relationship to anyone other than certain members of senior management or the board of directors of the FI. Regardless of the circumstances surrounding the FIU’s instructions or requests, including whether or not the compliance officer is permitted to provide explanations to the staff of the FI, the FI is obliged at all times to follow the compliance officer’s instructions in regard to any follow-up actions required in relation to an STR.

            Timing of FIU’s Instructions

            Whether or not the FIU issues instructions or requests for additional information to a reporting institution, or how quickly this may occur after the STR is initially reported, both depend on numerous factors. These may include the prioritisation of the incoming STR among all of the STRs received by the FIU, the results of the ensuing analysis, or the possible need for information to be exchanged with other Competent Authorities or international FIUs, as well as the timing and the results of such exchanges.

            When an STR involves an anticipated, pending, or already in-progress transaction, FIs should use their best efforts to delay the execution or completion of the transaction, in order to allow for a reasonable amount of time in which to receive feedback, instructions, or additional information requests from the FIU. In taking such measures, FIs should take the necessary steps to avoid “tipping off” or arousing the customer’s suspicion that the transaction is being investigated or reported. Examples of some of the measures FIs may consider taking, either singly or in combination, in order to delay the execution or completion of transactions include but are not limited to:

            Delaying processing of the transaction without explanation for as long as possible;
             
            Advising the customer that the transaction has been delayed due to an unspecified operational, technical or other problem, and that efforts are underway to resolve it;
             
            Requesting additional information and/or supporting documentation (for example, evidence of relevant licences or authorisations, shipping or customs documents, additional identification documents, bank or other references) relating to the transaction, the customer, or the counterparty;
             
            Advising the customer that paperwork related to the transaction has been lost and requesting that it be resubmitted;
             
            Advising the customer that the transaction is pending an internal approval process;
             
            Any other reasonable delaying tactics, bearing in mind the obligation to avoid “tipping off” the customer.
             

            During the time interval during which an anticipated, pending, or in-progress STR that has already been reported to the FIU is being delayed by the FI, any additional suspicions that may arise should also be immediately reported to the FIU as a follow-up to the original STR. Examples of such additional suspicions may include, but are not limited to:

            New adverse information obtained in relation to the transaction, the business relationship, or the counterparty to the transaction;
             
            Unusual behaviour of the customer as a result of the transaction being delayed, such as but not limited to:
             
            - Sudden material amendments or changes to the circumstances or details of the transaction;
            - Excessive pressure, intimidation, displays of anger (beyond what would normally be expected) or threats of any kind, aimed at forcing the FI or its employees to complete the transaction;
            - Abrupt cancellation of the transaction, termination of the business relationship, or sudden attempts to close out the customer’s account and/or withdraw the balance of funds or other assets held by the FI;
            - Any other indication or reasonable grounds to suspect that the customer has become aware that the transaction is being investigated or reported as suspicious.
             

            If a reasonable amount of time has not yet elapsed before the receipt of feedback, instructions, or requests for additional information from the FIU in regard to an STR, and it becomes impossible for the FI to delay the execution or completion of the reported transaction any longer without arousing the customer’s suspicion that the transaction is being investigated or reported, then the FI should request specific instructions or permission from the FIU in regard to executing or rejecting the transaction.

            No Instructions, Feedback or Additional Information Requests from the FIU

            Due to the factors previously mentioned, FIs may not receive instructions, additional information requests, or other feedback from the FIU in regard to STRs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, FIs should determine the appropriate handling of the STR and of the business relationship in general, taking into consideration all of the risk factors involved.

            In particular, FIs are reminded that, unless they are specifically instructed by the FIU to do so, they are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a Crime. Furthermore, unless they are specifically instructed by the FIU to maintain the business relationship (for example, so that the Competent Authorities may monitor the customer’s activity), FIs should take appropriate steps in order to decide whether or not to maintain the business relationship. These steps may include, but are not limited to:

            Reassessing the business relationship risk and re-evaluating the customer’s risk profile, where necessary;
             
            Initiating an enhanced customer due diligence review;
             
            Considering the performance of an enhanced background investigation (including, if appropriate, the use of a third-party investigation service);
             
            Any other reasonable steps, commensurate with the nature and size of their businesses, and bearing in mind the obligation to avoid “tipping off” the customer.
             

            FIs should be aware that filing an STR does not automatically mean that the relationship with the customer needs to be terminated. However, when deciding to terminate a business relationship for which an STR has been filed and no feedback has been received from the FIU after a reasonable time period, FIs should formally advise the FIU of their intention to do so unless there is an official objection.

            Reasonable Time Period for Receiving Feedback from the FIU

            FIs should note that there are no pre-established processing times, and no statute of limitations, in regard to the time interval during which the FIU may provide feedback, including instructions or requests for additional information in response to an STR. Furthermore, the time period that may be considered reasonable in relation to such feedback depends on numerous factors, including but not limited to the:

            Type, size and circumstances of the transaction;
             
            Normal average processing times for the specific transaction type;
             
            Type of customer or business relationship;
             
            Nature and size of the FI’s business;
             
            Precise nature of the suspicion.
             

            The time period considered to be reasonable could thus vary widely from one case to another.

            As a general guideline, the reasonable time periods for feedback from the FIU concerning transaction types that are less complex, more routine, and have faster average processing times (such as account-to-account or wire transfers, the exchange of currencies, or over-the-counter purchases of precious metals or stones, for example) would normally be expected to be shorter than those for more complex, less routine transaction types (such as, for example, purchases of real estate or other complex assets, trade finance transactions, or various forms of loan or credit agreements). FIs that require further assistance in determining reasonable time periods should consult with the FIU or the relevant Supervisory Authorities.

            High-Risk Classification of Reported Business Relationships

            When a transaction or other information about a business relationship is reported to the FIU as suspicious, it means that, by definition, the customer or business relationship to which it pertains should be classified as high risk (in case the business relationship has not yet been classified as such). In situations in which no feedback or instructions have been received from the FIU, FIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

            Document the process by which the decision was made to maintain the business relationship, along with the rationale for, and any conditions related to, the decision;
             
            Implement adequate EDD measures to manage and mitigate the ML/FT risks associated with the business relationship.
             

            In such cases, beyond the EDD measures described in previous sections (see Sections 6.4, Enhanced Due Diligence (EDD) Measures and 6.3.5, Ongoing Monitoring of the Business Relationship), FIs should also implement additional control measures such as, but not limited to:

            Requiring additional data, information or documents from the customer in order to carry out transactions (for example, evidence of relevant licenses or authorisations, customs documents, additional identification documents, bank or other references);
             
            Restricting the customer’s use of certain products or services;
             
            Placing restrictions and/or additional approval requirements on the processing of the customer’s transactions (for example, transaction size and/or volume limits, or limits to the number of transactions of certain types that can be executed during a given time period).
             

            FIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, FIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the ML/FT risks associated with the business relationship.

        • 8. Governance

          (AML-CFT Law Article 16.1(d); AML-CFT Decision Articles 4.2(a), 20, 21, 44.4)

          In order for the AML/CFT framework of any organisation to be effective, it must be based on the foundation of a sound governance structure, and held together by a strong compliance culture.

          The governance structure should take the following into consideration:

          Establish clear accountability lines and responsibilities to ensure that there is appropriate and effective oversight of staff who engage in activities which may pose a greater AML/CFT risk;
          Have the mechanism to inform the board of directors (or a committee of the board) and senior management of compliance initiatives, compliance deficiencies, STRs filed and corrective actions taken;
          Develop and maintain a system of reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created and STRs filed;
          Develop and implement quality assurance testing programs to assess the effectiveness of the AML/CFT program’s implementation and execution of its requirements.
           

          FIs should also make sure to have management structures which are accountable for clear ML/FT risk management and mitigation measures, as well as appropriate independent control functions. Implicit in both the AML-CFT Law and the AML-CFT Decision are the elements of both, concerning which additional guidance is provided in the sections below.

          • 8.1 Compliance Officer

            (AML-CFT Decision Articles 20.3, 21 and 44.12)

            • 8.1.1 Appointment and Approval

              FIs are obliged to appoint a compliance officer (CO) with the appropriate competencies and experience to perform the statutory duties and responsibilities associated with this role. The AML-CFT Decision stipulates that the CO performs these duties “under his or her own responsibility”, referring to the independent nature of the function and from which it should be understood that the position should be at a management level.

              FIs must take all appropriate steps to identify and to prevent or manage conflicts of interest between:

              The FI, its personnel including its CO, or any other representatives, including any person who is directly or indirectly associated with the organization and who has control to make decisions, and the FI’s customer.
              The CO and senior management of the organization including the Board of Directors. The CO must be independent and must hold a position of sufficient seniority within the organization, to ensure informed decisions are made without undue pressure to challenge decisions that are considered ill-suited, to protect the organization from possible ML/TF abuse. The MLRO’s independence of judgement is required to be free from conflicts of interest, whether pecuniary or otherwise.
               

              The AML-CFT Decision further provides that the appointment of a person to the position of CO requires the prior consent of the relevant Supervisory Authority. Some FIs might also have appointed a Money Laundering Reporting Officer (MLRO).

              In determining the competencies, level of experience, and organizational reporting structures that are appropriate for their COs, FIs should take several factors into consideration, including but not limited to:

              The results of the NRA and any topical risk assessment;
               
              The nature, size, complexity, and risk profile of their industries and businesses, as well as those associated with the products and services they offer and the markets and customer segments they serve;
               
              The organisation’s governance framework and management structure, with particular consideration given to the independent nature of compliance as a control function;
               
              The specific duties and responsibilities of the CO’s role (described below).
               

              Where appropriate, FIs may also consider engaging in dialogue with Supervisory Authorities, professional associations in their sectors, and industry peers, in relation to the competencies, experience, and governance structures that make for an effective compliance officer and an effective AML/CFT programme.

            • 8.1.2 Responsibilities

              (AML-CFT Decision Article 21.1-5)

              The specific tasks of the CO are detailed in the relevant provisions of the AML-CFT Decision. In general, the CO will collaborate with the relevant Supervisory Authority and the FIU to ensure that these can perform their respective duties. The CO’s tasks can be grouped broadly into the following categories:

              ML/FT Reporting. The compliance officer is the FI’s officer in charge of reviewing, scrutinizing and reporting STRs. In this capacity, the CO is ultimately responsible for the detection of transactions related to the crimes of money laundering and the financing of terrorism and of illegal organisations, for reporting suspicions to the FIU, and for cooperating with the Competent Authorities in relation to the performance of their duties in regard to AML/CFT.
               
              AML/CFT Programme Management. The CO should ensure the quality, strength and effectiveness of the FI’s AML/CFT programme. As such, the CO should be a stakeholder with respect to the FI’s ML/FT business risk assessment, and the overarching AML/CFT risk mitigation framework, including its AML/CFT policies, controls and CDD measures. The CO is in charge of informing and reporting to senior management on the level of compliance and reporting on that to the relevant Supervisory Authority.
               
              AML/CFT Training and Development. The CO is responsible for helping to establish and maintain a strong and effective AML/CFT compliance culture within the FI. This duty includes working with senior management and other internal and external stakeholders to ensure that the FI’s staff are well-qualified, well-trained, well-equipped, and well-aware of their responsibility to combat the threat posed by ML/FT.
               
          • 8.2 Staff Screening and Training

            (AML-CFT Decision Articles 20.4-5, 21.4)

            In order for their ML/FT risk assessment and AML/CFT mitigation measures to be effective, FIs should ensure that their employees have a clear understanding of the ML/FT risks that the FI is exposed to and can exercise sound judgment, both when adhering to the FI’s AML/CFT risk mitigation measures and when identifying suspicious transactions. Furthermore, due to the ever-evolving nature of ML/FT risks, FIs should ensure that their employees are kept up to date on an ongoing basis in relation to emerging ML/FT typologies and new internal and external risks. Depending on the nature, size and level of complexity of an FI, an FI should also screen staff to ensure high standards when hiring employees.

            Thus, to ensure a high level of competence and AML/CFT programme effectiveness, FIs should formulate and implement appropriate policies, procedures and controls with regard to staff screening and training. An effective training program should not only explain the relevant AML/CFT laws and regulations, but also cover the institutions’ policies and procedures used to mitigate ML/FT risks, and the scope of target employees, such as but not limited to:

            Customer-facing staff.
            AML/CFT compliance staff.
            Senior management and board of directors.
             

            These measures should be applied across organisations and financial groups, including their foreign branches and majority-owned subsidiaries. Examples of some of the factors that should be considered when determining appropriate staff screening and training measures include, but are not limited to:

            The results of the NRA and any topical risk assessment;
             
            The nature, size, complexity, and risk profile of FIs’ sectors and businesses, as well as those associated with the products and services they offer and the markets and customer segments they serve;
             
            Effective screening and selection methods in relation to the AML/CFT cultural compatibility of their employment candidates;
             
            Assessment of staff AML/CFT competency in relation to training and development needs;
             
            The type, frequency, structure, content, and delivery channels of AML/CFT training programmes and development opportunities;
             
            The effective identification, deployment and management of both internal and external training resources;
             
            Appropriate methods and tools for assessing the effectiveness of staff hiring, training, and development programmes, including screening procedures to ensure high standards when hiring employees.
             
          • 8.3 Group Oversight

            (AML-CFT Decision Articles 20, 31, 32)

            When an FI is part of a group, the FI is obliged to implement appropriate group-wide AML/CFT programmes, and to apply them in relation to all branches and majority-owned subsidiaries of the financial group. The specific requirements that must be met by FIs with respect to their foreign branches and majority-owned subsidiaries are set out in the relevant provisions of the AML-CFT Decision, and reflect those to which FIs are subject within the State.

            In meeting these obligations with regard to their branches and majority-owned subsidiaries in foreign countries, FIs, and in particular FIs that are members of financial groups, should ensure that the measures they apply are consistent with the requirements of the AML-CFT Law and AML-CFT Decision. In this regard, FIs should establish appropriate policies and procedures for the exchange and sharing of data and information, including those required for the purposes of CDD and ML/FT risk management, between the foreign branches and subsidiaries and the head office, for the purpose of combating the crimes of money laundering and the financing of terrorism and of illegal organisations, and for reporting suspicious transactions.

            In situations where these measures are not possible due to legislative or regulatory restrictions in the foreign countries in which their branches and majority-owned subsidiaries operate, FIs (including those which are members of Financial Groups) should implement the necessary additional measures, commensurate with the nature and size of their businesses, that will enable them to manage and mitigate appropriately the ML/FT risks that relate to their foreign operations. Examples of some of the measures that should be considered include but are not limited to:

            Assessing the effectiveness of foreign branches and majority-owned subsidiaries’ AML/CFT measures, including evaluating such factors as the comprehensiveness and quality of their policies, procedures and controls, and performing gap analyses in relation to the requirements of the AML-CFT Law and AML-CFT Decision;
             
            Establishing clear policies, procedures and controls in relation to the type and extent of access which managers and employees of foreign branches and majority-owned subsidiaries have to the FIs’ IT and operational systems, including CDD and transaction processing systems;
             
            Establishing clear policies, procedures and controls in relation to the type and extent of access which customers and Business Relationships of foreign branches and majority-owned subsidiaries have to the FIs’ products, services and transactional processing capabilities;
             
            Establishing clear policies, procedures and controls in relation to the type of CDD and transaction-related information, data, and analysis FIs accept from their foreign branches and majority-owned subsidiaries in relation to customer or Business Relationship referrals, and the extent of their reliance on such information (see Section 6.6, Reliance on a Third Party);
             
            Implementing service-level agreements, clearly setting out the roles and responsibilities of the parties and specifying the nature of the CDD and record-keeping requirements to be fulfilled in relation to customer or Business Relationship referrals;
             
            Establishing protocols for the certification by the foreign branches and subsidiaries of documents and other records pertaining to the CDD measures undertaken in relation to customer or Business Relationship referrals.
             

            In particular, in cases in which the minimum AML/CFT requirements of host countries in which FIs maintain foreign operations are less strict than those of the State, FIs should take the necessary measures to ensure that their foreign branches and/or majority-owned subsidiaries in those countries implement requirements consistent with those of the State, to the extent permitted by the laws and regulations of the host countries. If such host countries do not permit the proper implementation of the AML/CFT requirements consistent with those of the State, FIs should apply appropriate additional measures to manage and mitigate the ML/FT risks (including but not limited to those described above). They should also inform the relevant Supervisory Authorities of the circumstances and comply with any additional supervisory actions, controls, or requirements of the Competent Authorities of the State (up to and including, if requested, terminating their operations in the host countries).

          • 8.4 Independent Audit Function

            (AML-CFT Decision Article 20.6)

            A robust and independent audit function is a key component to a well-functioning governance structure and an effective AML/CFT framework. FIs are obliged to have in place an independent audit function to test the effectiveness and adequacy of their internal policies, controls and procedures relating to combating the crimes of money laundering and the financing of terrorism and of illegal organisations. In this regard, FIs should ensure that their independent audit function is appropriately staffed and organized, and that it has the requisite competencies and experience to carry out its responsibilities effectively, commensurate with the ML/FT risks to which the FIs are exposed, and with the nature and size of their businesses.

            It should be noted that, while most FIs are expected to have the capacity to meet these requirements internally, depending on the nature and size of their businesses, some FIs (particularly smaller ones) may not necessarily have the resources to maintain a fully functioning and effective internal audit unit. In such cases, those FIs should ensure that they take adequate measures to obtain the necessary capabilities from qualified external sources. They should also ensure that they have in place adequate internal capabilities to provide sufficient coordination with and oversight of any external resources they may utilise, and that such external resources are adequately regulated and supervised by relevant Competent Authorities.

            FIs should ensure that the periodic inspection and testing of all aspects of their AML/CFT compliance programmes, including ML/FT business risk assessment and AML/CFT mitigation measures, and CDD policies, procedures and controls, is incorporated into their regular audit plans. They should also ensure that all their branches and the subsidiaries in which they hold a majority interest, whether domestic or foreign, are part of an independent audit testing programme that covers the effectiveness and adequacy of their internal AML/CFT policies, controls and procedures.

            Some of the factors FIs should consider in determining the appropriate frequency and extent of audit testing of their AML/CFT programmes by their independent audit functions include but are not limited to:

            The results of the NRA and any topical risk assessment;
             
            The nature, size, complexity, and geographic scope of the FIs’ businesses, and the results of their ML/TF business risk assessments;
             
            The risk profile associated with the products and services they offer and the markets and customer segments they serve;
             
            The frequency of supervision and inspection by, and the nature of the feedback (including the imposition of administrative sanctions) they receive from, Supervisory Authorities, relative to enhancing the effectiveness of their AML/CFT measures;
             
            Internal and external developments in relation to ML/FT risks, as well as developments pertaining to the management and operations of the FIs.
             

            The scope of such audits should include but not be limited to:

            Examine the adequacy of AML/CFT and CDD policies, procedures and processes, and whether they comply with regulatory requirements.
             
            Assess training adequacy, including its comprehensiveness, accuracy of materials, training schedule, attendance tracking and escalation procedures for lack of attendance.
             
            Review all the aspects of any AML/CFT compliance function that have been outsourced to third parties, including the qualifications of the personnel, the contract and the performance and reputation of the company.
             
            Review case management and STR systems, including an evaluation of the research and referral of unusual transactions, and a review of policies, procedures and processes for referring unusual or suspicious activity from all business lines to the personnel responsible for investigating unusual activity.
             
          • 8.5 Responsibilities of Senior Management

            (AML-CFT Decision Articles 4.2(a), 4.2(b)(5), 8.1(a), 15.1(b) and 15.2, 17.3, 21.3, 25.1(d))

            A cornerstone of any sound governance structure, including those related to AML/CFT compliance, is senior management involvement and accountability. The members of an FI’s senior management (together with the members of the board of directors in those organisations that have one) are ultimately responsible for the quality, strength and effectiveness of the FI’s AML/CFT framework, as well as for the robustness of its compliance culture. In this regard, an FI’s senior management should set the ML/FT risk appetite and a proper “tone at the top,” by demonstrating their commitment to ensuring an effective AML/CFT compliance programme is in place, and by clearly articulating their expectations with regard to the responsibilities and accountability of all staff members in relation to it.

            Under the AML/CFT legal and regulatory framework of the UAE, the senior management of all FIs are responsible for performing certain functions related to the assessment, management and mitigation of the ML/FT risks to which their organisations are exposed. These responsibilities can be grouped broadly into categories which include:

            Implementation of governance, control, and operating systems. These include such elements as:
             
            -Appointing a qualified compliance officer in line with the requirements of the relevant Supervisory Authority;
            -Ensuring a robust and effective independent audit function is in place;
            -Putting in place and monitoring the implementation of adequate management and information systems, internal controls, and policies and procedures to mitigate risks.
             
            Approval of internal policies, procedures and controls. These include such elements as the FI’s overall ML/FT risk appetite as well as the framework of AML/CFT policies, procedures and controls related to areas such as:
             
            -Identification, assessment, understanding, management and mitigation of ML/FT risks;
            -Performance, review and updating of CDD (including EDD and SDD) measures;
            -Identification and implementation of indicators to identify suspicious transactions;
            -Record retention and data protection;
            -Staff screening, training and development.
             
            Oversight of the AML/CFT compliance programme. This includes such elements as:
             
            -Reviewing and providing comments in relation to the compliance officer’s semi-annual reports to the relevant Supervisory Authority;
            -Approving the establishment and continuance of High Risk Customer Business Relationships and their associated transactions, including those with PEPs;
            -Approving the establishment and continuance of Business Relationships involving high-risk countries;
            -Approving the establishment and continuance of relationships with correspondent institutions;
            -Ensuring the adequate application of the appropriate components of the AML/CFT compliance programme to all branches and majority-owned subsidiaries, including those operating in foreign jurisdictions.
             
            Application of the directives of Competent Authorities. This includes such elements as:
             
            -Applying the directives of Competent Authorities for implementing UN Security Council decisions under Chapter VII of the Charter of the United Nations, and other related directives, including Cabinet Decision (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions On the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions;
            -Implementing CDD measures defined by the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations, regarding High Risk Countries.
             
          • 8.6 Governance Issues of Small Organisations

            Some FIs may operate as small or mid-sized businesses, without large staff organisations or sophisticated IT infrastructures. In such cases, individual managers and employees may often be called upon to undertake multiple roles and responsibilities in the course of day-to-day business activities, and it may be difficult at times to maintain a clear separation of duties or functions. While an FI’s small size does not in any way exempt it from fulfilling its obligations under the AML-CFT Law and AML-CFT Decision, and without prejudice to guidance provided in the previous sections, the following additional considerations are of particular importance to small and mid-sized FIs.

            In situations in which the responsibilities of the AML/CFT compliance officer are delegated to a manager or staff member who also has other responsibilities, FIs should undertake their best efforts to ensure that the designated AML/CFT compliance officer does not have day-to-day responsibility for sales and/or customer business relationship management.
             
            When an adequate separation of responsibilities is not possible due to the small size of an FI’s organisation, FIs should take the necessary steps to ensure that operational and AML/CFT policies and procedures (particularly those pertaining to CDD, the identification and reporting of Suspicious Transactions, and the monitoring and updating of required High Risk Country CDD measures, and Local and Sanctions Lists—see Sections 6, Customer Due Diligence (CDD), 6.4.3 Requirements for High-Risk Countries, and 10, International Financial Sanctions) are clearly formulated, documented, and adhered to during the establishment and ongoing monitoring of business relationships and the carrying out of transactions.
             
            In such cases, FIs should ensure that they clearly document the rationale for any policy and/or procedural exceptions they make, along with any additional AML/CFT risk mitigation measures they implement, and that these records are properly retained in accordance with the statutory record-keeping requirements (see Section 9, Record Keeping). FIs should also consider referring to any significant policy or procedural exceptions, along with their rationale, associated additional AML/CFT risk mitigation measures, and senior management comments, in the AML/CFT compliance officer’s required semi-annual reports to the relevant Supervisory Authorities.
             
            FIs that are unable to ensure a clear and effective separation of AML/CFT responsibilities from those related to the day-to-day management of their businesses, including but not limited to sales and customer business relationship management functions, due to the small size of their organisation should also consider taking additional measures to enhance the application of their independent audit controls (see Section 8.4, Independent Audit Function). Examples of such measures include but are not limited to:
             
            -Incorporating the audit of policies, procedures (particularly those pertaining to CDD, the identification of Suspicious Transactions, and the monitoring and updating of required High Risk Country CDD measures, and Local and Sanctions Lists), and records related to exceptions made to them, as part of their audit plans and/or their service-level agreements with their external providers of independent audit services;
            -Increasing the frequency of independent audits and random audit inspections;
            -Applying stricter criteria with regard to the review of past transactions, such as increasing the number of transactions reviewed for a given time period, reducing size threshold limits for transactions to be reviewed, or taking other reasonable measures in this regard.
             
        • 9. Record Keeping

          • 9.1 Obligations and Timeframe for the Retention and Availability of Records

            (AML-CFT Law Articles 16.1(a),(f); AML-CFT Decision Articles 7.2, 24, 36, 37.3)

            FIs are obliged to maintain detailed records, documents, data and statistics for all transactions, all records obtained through CDD measures, account files and business correspondence, and results of any analysis undertaken, as well as a variety of record types and documents associated with their ML/FT risk assessment and mitigation measures, as specified in the relevant provisions of the AML-CFT Decision (see Section 9.2, Required Record Types). FIs are required to maintain the records in an organized fashion so as to permit data analysis and the tracking of financial transactions, and to make the records available to the Competent Authorities immediately upon request. They should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. All CDD information and transaction records should be available swiftly to Competent Authorities upon appropriate authority.

            The statutory retention period for all records is at least five (5) years, depending on the circumstances, from the date of the most recent of any of the following events:

            Termination of the Business Relationship or the closing of a customer’s account with the FI;
             
            Completion of an occasional transaction (in respect of a customer with whom no Business Relationship is established);
             
            Completion of an inspection of the records by the Supervisory Authorities;
             
            The issue date of a final judgment by the competent judicial authorities;
             
            Liquidation, dissolution, or other form of termination of a legal person or arrangement.
             

            Without prejudice to the above, FIs should note that it is the prerogative of the Competent Authorities to require the retention of the records of any FI, whether data, statistics, or records pertaining to a specific customer or transaction or to general categories of customers or transactions which they deem to be of interest, for a longer period of time at their own discretion.

            In order to fulfil their record-keeping obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Examples of the factors which FIs should give consideration to when formulating the relevant policies, procedures and controls, include but are not limited to:

            Organisational roles and responsibilities in regard to the ML/TF business risk assessment, implementation, review and updating of AML/CFT policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
             
            Organisational roles and responsibilities in relation to record-keeping (including logging, cataloguing and organisation, archiving, handling and transferring of records and documents, as well as of the destruction of expired records) of CDD information and transactions;
             
            Physical and cyber security, and the protection of active and archived data and records from unauthorised access;
             
            Appropriate audit and quality assurance testing policies.
             
          • 9.2 Required Record Types

            (AML-CFT Law Articles 16.1(a),(b),(f); AML-CFT Decision Articles 7.2, 24)

            The AML-CFT Law and AML-CFT Decision oblige FIs to retain several types of records, which can be classified broadly into the following categories:

            Transaction Records. This category relates to operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature.
             
            CDD Records. This category relates to records, documents, and information about customers, their due diligence, and the investigation and analysis of their activities, and can be further divided into sub-categories such as records pertaining to:
             
            -Customer Information, including account files and business correspondence, and results of any analysis undertaken
            -Company Information
            -Reliance on Third Parties to Undertake CDD
            -Ongoing Monitoring of Business Relationships
            -Suspicious Transaction Reports (STRs)
             

            Additional guidance related to these record types is provided in the following sub-sections.

            • 9.2.1 Transactions

              (AML-CFT Law Articles 16.1(f); AML-CFT Decision Articles 24.1-3, 28.1-2, 29.4)

              FIs are obliged to retain the operational and statistical records, documents and information concerning all transactions executed or processed by the FI, whether domestic or international in nature, and irrespective of the type of customer and whether or not a Business Relationship is maintained, for a minimum period of five (5) years. Some examples of the type of records, documents and information which must be retained include but are not limited to:

              Customer credit or debit advices, and transaction orders or applications (including those for cash deposits or withdrawals, currency exchange transactions);
               
              Credit-related documentation, including loan or guarantee applications, agreements, amendments and supporting documents, disbursement or repayment records, collateral pledges, letter of credit documentation, promissory notes;
               
              Deal tickets, trade blotters and ledgers, settlement and dividend payment records related to foreign exchange, securities dealing or investing transactions;
               
              Escrow or fiduciary account transaction records;
               
              Insurance policy premiums, pay-outs, and related transaction records and documents;
               
              Money transfer records, including book transfer orders, and domestic and cross-border wire transfer orders, and their related originator and beneficiary records;
               
              Statistics and analytical data related to customers’ financial transactions, including their monetary values, volumes, currencies, interest rates, and other information.
               

              In addition to the above, FIs should compile notes on any particularly large or unusual transactions, and keep these notes as part of their records. In particular, FIs licensed by the Central Bank must examine the background and purpose of all complex, unusual large transactions and all unusual patterns of transactions, which have no apparent economic or lawful purpose, and document their findings in writing. This includes transactions that are not considered necessary to be reported as suspicious. These findings must be maintained for inspection by the Central Bank for a period of at least five years.

            • 9.2.2 Customer Information

              (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 24.2-4, 27.7, 28.1-2, 29.4, 37.1-3)

              FIs are required to retain all customer records and documents obtained through the performance of CDD measures in relation to Business Relationships, including customers, Beneficial Owners, beneficiaries, or other controlling persons. Examples of such records include but are not limited to:

              Customer account information and files;
               
              Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls);
               
              Copies of personal identification documents, CDD (including EDD and SDD) forms, profiles and supporting documentation, and results of due diligence background searches, queries and investigations;
               
              Customer risk assessment and classification records.
               
            • 9.2.3 Company Information

              (AML-CFT Law Articles 16.1(b); AML-CFT Decision Articles 8.1(b), 9.1, 34-36)

              The AML-CFT Decision provides that the administrators, liquidators, or any other stakeholders involved in the dissolution of a company are obliged to retain the records, documents and information specified in the relevant articles for a minimum period of five (5) years from the date of its dissolution, liquidation or termination. These records pertain to corporate documents as well as to information on Beneficial Owners, legal shareholders, and senior managers. Such records include but are not limited to documents and information concerning:

              Company formation, registration, deregistration, liquidation, dissolution or expiry, including documents such as share registers, memoranda and articles of association, deeds of settlement and foundation charters, or similar documents, along with any amendments to them (whether the organisation is for-profit or not-for-profit);
               
              Changes to company information, such as name, registered address, legal representatives and corporate officers (directors, company secretary), or legal form;
               
              Identification and identity verification documents related to Beneficial Owners, shareholders, nominee shareholders, directors and senior management officers and, in the case of Legal Arrangements, settlors or founders, protectors, beneficiaries, trustees or executors, governing council or committee members, or similar controlling persons.
               

              In order to fulfil their statutory record-keeping obligations in this regard, FIs should determine the appropriate policies, procedures and controls related to the adequate retention, organisation, and maintenance of records when they dissolve or liquidate companies in which they hold a controlling interest. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation (see Section 9.1, Obligations and Timeframe for the Retention and Availability of Records for additional guidance concerning policies, procedures, controls and statutory retention periods related to record-keeping and data protection).

            • 9.2.4 Reliance on Third Parties to Undertake CDD

              (AML-CFT Law Article 16.1(b); AML-CFT Decision Articles 24.2-4, 19.1(b)-2(a))

              FIs that rely on third parties, whether unaffiliated or members of their own financial groups, are obliged to ensure that copies of all the necessary documents collected through the performance of CDD measures can be obtained upon request and without delay, and that the third parties adhere to the record-keeping provisions of the AML-CFT Decision. See Section 9.2.2, Customer Information above for examples of such records.

              In order to fulfil their statutory obligations, and commensurate with the nature and size of their businesses, FIs should determine the appropriate policies, procedures and controls related to the assessment, monitoring, and testing of third parties’ record-retention frameworks. The policies, procedures and controls should be documented, approved by senior management, and communicated to appropriate levels of the organisation. Some of the factors to which FIs should give consideration when formulating relevant policies, procedures and controls include but are not limited to:

              Organisational roles and responsibilities in regard to the assessment, monitoring and testing of the third party’s policies, procedures and controls related to record-keeping and data protection, including appropriate business contingency and escalation procedures;
               
              Organisational roles and responsibilities for the implementation of service-level agreements with third parties governing the provision of record-keeping services;
               
              Operational procedures related to request and transfer of records and documents, as well as their physical and cyber security, and the protection of active and archived data and records from unauthorised access;
               
              Appropriate audit and quality assurance testing policies related to the monitoring and testing of the third-party’s record-retention framework.
               
            • 9.2.5 Ongoing Monitoring of Business Relationships

              (AML-CFT Law Article 16.1(b),(f); AML-CFT Decision Article 24.2-4)

              FIs are required to retain all customer records and documents obtained through the ongoing monitoring of Business Relationships. Examples of such records include but are not limited to:

              Transaction review, analysis, and investigation files, with their related correspondence;
               
              Customer correspondence (including email and fax correspondence), call reports or meeting minutes (including where applicable recordings, transcripts or logs of telephone or videophone calls) related to those transactions or their analysis and investigation;
               
              CDD records, documents, profiles or information gathered in the course of reviewing, analysing or investigating transactions, as well as transaction-related supporting documentation, including the results of background searches on customers, Beneficial Owners, beneficiaries, controlling persons, or counterparties to transactions;
               
              Transaction handling decisions, including approval or rejection records, together with related analysis and correspondence.
               
            • 9.2.6 Suspicious Transaction Reports (STRs)

              (AML-CFT Law Article 16.1(f); AML-CFT Decision Articles 24.2-4)

              FIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed. Such records relate to both internal STRs and those filed with the FIU, and include but are not limited to:

              Suspicious transaction indicator alert records, logs, investigations, recommendations and decision records, and all related correspondence;
               
              Competent authority requests for information, correspondent bank requests for assistance, and their related investigation files and correspondence;
               
              CDD and Business Relationship monitoring records, documents and information obtained in the course of analysing or investigating potentially suspicious transactions, and all internal or external correspondence or communication records associated with them;
               
              STRs (internal and external), logs, and statistics, together with their related analysis, recommendations and decision records, and all related correspondence;
               
              Notes concerning feedback provided by the FIU with respect to reported STRs, as well as notes or records pertaining to any other actions taken by, or required by, the FIU.
               
        • 10. International Financial Sanctions

          The UAE is a member of several multinational and international organisations and governing bodies, including the United Nations. As such, the UAE is a party to many international agreements and conventions pertaining to the combating of money laundering and the financing of terrorism, as well as to the prevention and suppression of the proliferation of weapons of mass destruction. These conventions include, among others, the International Convention for the Suppression of the Financing of Terrorism and the Treaty on the Non-Proliferation of Nuclear Weapons.

          FIs are obliged to comply with the directives of the Competent Authorities of the State in relation to the agreements and conventions referred to above, including but not limited to Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions On the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions.

          Because it is outside of the scope of these Guidelines to provide detailed guidance on this, reference is made to the guidance on TFS issued by the Executive Office for the Import and Export of Goods. Due to the significance, complexity and extent of the subject matter of international financial sanctions, it is deemed appropriate that this material be covered in depth in separate guidance materials.

      • Part V—Appendices

        • 11 Appendices

          • 11.1 Glossary of Terms

            Term: Definition
            Beneficial Owner: Natural person who owns or exercises effective ultimate control, directly or indirectly, over a customer or the natural person on whose behalf a transaction is being conducted or, the natural person who exercises effective ultimate control over a legal person or Legal Arrangement.
            Beneficiary Financial Institution: The Financial Institution that receives a wire transfer from an Ordering Financial Institution directly or indirectly via an Intermediary Financial Institution and makes funds available to the beneficiary.
            Business Relationship: Any ongoing commercial or financial relationship established between Financial Institutions, Designated Non-Financial Businesses and Professions, and their customers in relation to activities or services provided by them.
            Committee: National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations.
            Competent Authorities: The competent government authorities in the State entrusted with the implementation of any provision of the Decree-Law and the present Decision.
            Correspondent Relationship: Relationship between a correspondent financial institution and a respondent one through a current account or any other type of account or through a service related to such an account and includes a corresponding relationship established for the purpose of securities transactions or transfer of funds.
            Crime: Money laundering crime and related Predicate Offences, or Financing of Terrorism or Illegal Organisations.
            Customer Due Diligence (CDD): Process of identifying or verifying the information of a Customer or Beneficial owner, whether a natural or legal person or a Legal Arrangement, and the nature of its activity and the purpose of the Business Relationship and the ownership structure and control over it for the purposes of the Decree-Law and this Decision.
            Customer: Any person involved in or attempts to carry out any of the activities specified in the Implementing Regulations of this Decree Law (Articles 2 and 3 the Cabinet Resolution) with one of the Financial Institutions or Designated Non-Financial Businesses and Professions.
            Decree-Law (or “AML-CFT Law”): Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations.
            Decision (or “AML-CFT Decision” or “Cabinet Decision”): Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
            Designated Nonfinancial Businesses and Professions (DNFBPs): Anyone who conducts one or several of the commercial or professional activities defined in Article 3 of the Cabinet Decision, being anyone who is engaged in the following trade or business activities:
            1. Brokers and real estate agents when they conclude operations for the benefit of their Customers with respect to the purchase and sale of real estate
            2. Dealers in precious metals and precious stones in carrying out any single cash transaction or several transactions that appear to be interrelated or equal to more than AED 55,000.
            3. Lawyers, notaries, and other independent legal professionals and independent accountants, when preparing, conducting or executing financial transactions for their Customers in respect of the following activities:
            (a) Purchase and sale of real estate.
            (b) Management of funds owned by the Customer.
            (c) Management of bank accounts, saving accounts or securities accounts.
            (d) Organising contributions for the establishment, operation or management of companies.
            (e) Creating, operating or managing legal persons or Legal Arrangements.
            (f) Selling and buying commercial entities.
            4. Providers of corporate services and trusts upon performing or executing a transaction on the behalf of their Customers in respect of the following activities:
            (a) Acting as an agent in the creation or establishment of legal persons.
            (b) Working as or equipping another person to serve as director or secretary of a company, as a partner or in a similar position in a legal person.
            (c) Providing a registered office, work address, residence, correspondence address or administrative address of a legal person or Legal Arrangement.
            (d) Performing work or equipping another person to act as a trustee for a direct Trust or to perform a similar function in favour of another form of Legal Arrangement.
            (e) Working or equipping another person to act as a nominal shareholder in favour of another person.
            5. Other professions and activities which shall be determined by a decision of the Minister
            Egmont Group: The Egmont Group is an intergovernmental body of 159 Financial Intelligence Units (FIUs), which provides a platform for the secure exchange of expertise and financial intelligence to combat money laundering and the financing of terrorism (ML/FT).
            FATF: The Financial Action Task Force is an intergovernmental body that sets international standards and promotes effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.
            FSRBs: FATF-Style Regional Bodies are regional intergovernmental organisations which promote and assess the implementation of internationally accepted AML/CFT policies and regulations.
            Financial Group: A group of financial institutions that consists of holding companies or other legal persons exercising the control over the rest of the group and coordinating functions for the application of supervision on the group, branch, and subsidiary level, in accordance with the international core principles for financial supervision, and AML/CFT policies and procedures.
            Financial Institution: Anyone who conducts one or several of the financial activities or operations of /or on behalf of a Customer.
            Financial Transactions or Activities: Any activity or transaction defined in Article (2) of the Cabinet Decision.
            Financing of Illegal Organisations: Any physical or legal action aiming at providing funding to an illegal organisation, or any of its activities or members.
            Financing of Terrorism: Any of the acts mentioned in Articles (29, 30) of Federal Law no. (7) of 2014 on combating terrorism offences.
            FIU: Financial Intelligence Unit.
            Funds: Assets in whatever form, whether tangible, intangible, movable or immovable including national currency, foreign currencies, documents or notes evidencing the ownership of those assets or associated rights in any forms including electronic or digital forms or any interests, profits or income originating or earned from these assets.
            High Risk Customer: A customer who represents a risk either in person, activity, Business Relationship, nature or geographical area, such as a customer from a high-risk country or non-resident in a country that does not hold an identity card, or a customer having a complex structure, performing complex operations or having unclear economic objective, or who conducts cash-intensive operations, or operations with an unknown third party, or operations without directly confronting any other high risk operations identified by Financial Institutions, or Designated Non-Financial Businesses and Professions, or the Supervisory Authority.
            Illegal Organisations: Organisations whose establishment is criminalised or which exercise a criminalised activity.
            Intermediary Account: Corresponding account used directly by a third party to conduct a transaction on its own behalf.
            Intermediary Financial Institution: The Financial Institution that receives and sends wire transfer between the Ordering Financial Institution and the Beneficiary Financial institution or another Intermediary Financial Institution.
            Law Enforcement Authorities: Federal and local authorities which are entrusted under applicable legislation to combat, search, investigate and collect evidences on the crimes including AML/CFT crimes and financing illegal organisations.
            Legal Arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality such as Trusts or other similar arrangements.
            MENAFATF: MENAFATF is a FATF-Style Regional Body (FSRB), for the purpose of fostering co-operation and co-ordination between the countries of the MENA region in establishing an effective system of compliance with international AML/CFT standards. The UAE is one of the founding members of MENAFATF.
            Means: Any means used or intended to be used for the commitment of an offence or felony.
            Minister: Minister of Finance
            Money Laundering: Any of the acts mentioned in Clause (1) of Article (2) of the Decree-Law.
            Non-Profit Organisations (NPOs): Any organized group, of a continuing nature set for a temporary or permanent time period, comprising natural or legal persons or not for profit Legal Arrangements for the purpose of collecting, receiving or disbursing funds for charitable, religious, cultural, educational, social, communal or any other charitable activities.
            Politically Exposed Persons (PEPs): Natural persons who are or have been entrusted with prominent public functions in the State or any other foreign country such as Heads of States or Governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties and persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation; and the definition also includes the following:
            1. Direct family members (Of the PEP, who are spouses, children, spouses of children, parents).
            2. Associates known to be close to the PEP, which include:
            a- Individuals having joint ownership rights in a legal person or arrangement or any other close Business Relationship with the PEP.
            b- Individuals having individual ownership rights in a legal person or arrangement established in favour of the PEP.
            Predicate Offense: Any act constituting an offense or misdemeanour under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.
            Proceeds: Funds generated directly or indirectly from the commitment of any crime or felony including profits, privileges, and economic interests, or any similar funds converted wholly or partly into other funds.
            RBA: A Risk-Based Approach is a method for allocating resources to the management and mitigation of ML/FT risk in accordance with the nature and degree of the risk.
            Registrar: Entity in charge of supervising the register of commercial names for all types of establishments registered in the State.
            Sanctions Committee: The UN Security Council Committee established as per resolution nos. 1988 (2011), 1267 (1999), 1989 (2011), 2253 (2015), 1718 (2006) and all other related resolutions.
            Sanctions List: A list wherein individuals and terrorist organizations, which are subject to the Sanctions imposed as per the Security Council Sanctions Committee are listed, along with their personal data and the reasons for Listing.
            Settlor: A natural or legal person who transfers the control of his funds to a Trustee under a document.
            Shell Bank: Bank that has no physical presence in the country in which it is incorporated and licensed, and is unaffiliated with a regulated financial group that is subject to effective consolidated supervision.
            State: United Arab Emirates
            Supervised institutions: Financial institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs) which fall under the scope of Federal Decree-Law No. (20) of 2018 on Facing Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, and of Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
            Supervisory Authority: Federal and local authorities, which are entrusted by legislation to supervise Financial Institutions, Designated Non-Financial Businesses and Professions and non-profit organisations or the Competent Authority in charge of approving the pursuit of an activity or a profession in case a supervisory authority is not assigned by legislations.
            Suspicious Transactions: Transactions related to funds for which there are reasonable grounds to believe that they are earned from any misdemeanour or felony or related to the Financing of Terrorism or of illegal organisations, whether committed or attempted.
            TFS: Targeted Financial Sanctions are part of an international sanctions regime issued by the UN Security Council under Chapter (7) of the United Nations Convention for the Prohibition and Suppression of the Financing of Terrorism and Proliferation of Weapons of Mass Destruction.
            Transaction: Any business of either dealing, structuring, advising, drafting, appearing, arranging for funding or investing, preparing documentation or disposal or use of Funds or proceeds including for example: deposit, withdrawal, conversion, sale, purchase, lending, swap, mortgage, and donation.
            Trust: A legal relationship in which a settlor places funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.
            Trustee: A natural or legal person who has the rights and powers conferred to him by the Settlor or the Trust, under which he administers, uses, and acts with the funds of the Settlor in accordance with the conditions imposed on him by either the Settlor or the Trust.
            Wire Transfer: Financial transaction conducted by a Financial Institution or through an intermediary institution on behalf of a transferor whose funds are received by a beneficiary in another financial institution, whether or not the transferor and the beneficiary are the same person.
    • Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting

      Effective from 7/6/2021
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

           National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
           Insurance companies, agencies, and brokers.
           
        • 1.3. Legal Basis

          (AML-CFT Law Articles 9.1, 15, 24, 25, 27; AML-CFT Decision Articles 16-18, 20.2, 21.2, 40-43)

          The requirement to submit Suspicious Transaction Reports (“STRs”) to the Financial Intelligence Unit (“FIU”) is outlined in the (i) Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and Financing Illegal Organisations and Federal Decree law No. (26) of 2021 To amend certain provisions of Federal Decree-law No. (20) of 2018, on anti-money laundering and combating the financing of terrorism and financing of illegal organisations (the “AML-CFT Law”); (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations (the “AML-CFT Decision”); and (iii) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution.

          Under the UAE AML-CFT legal and regulatory framework, all LFIs are obliged to promptly report to the FIU suspicious transactions and any additional information when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing, or benefitting from a crime. “Crime” is defined in Article 1 of the AML-CFT Law as “money laundering crime and related predicate offences, or financing of terrorism or illegal organisations.” There is no minimum reporting threshold; all suspicious transactions, including attempted transactions, should be reported regardless of the amount of the transaction. LFIs are also required to put in place and update indicators that can be used to identify possible suspicious transactions.

          Although the AML-CFT Law uses the term “STRs” to mean both suspicious transactions and activity, for the purposes of this Guidance document, suspicious activity involving transactions should be reported (in the first instance) to the FIU as STRs; suspicious activity that does not involve transactions, on the other hand, should be reported (in the first instance) to the FIU as Suspicious Activity Reports (“SARs”). Examples of scenarios that warrant a SAR filing include, but are not limited to: the customer is the subject of material adverse media; the customer alerts as a positive sanctions match; the prospective customer acts in a manner that is suspicious upon account opening (e.g., refusing to answer account opening questions; providing falsified or counterfeit documentation; exhibiting reluctance to provide detailed information about a business account, etc.); or the customer exhibits other suspicious behavior (e.g., inquiring about ways to circumvent certain reporting thresholds). STRs, SARs, and other report types (referenced in greater detail in Section 3.2 (“Basic Structure of an STR or SAR”)) align with the FIU’s current reporting regime and utilization of the goAML system.

          Under federal law and regulations, whether the LFIs operate in the mainland UAE or in a Financial or Commercial Free Zone, the designated competent authority for receiving reports of suspicious transactions or activity is the FIU. The UAE’s minimum statutory obligations that apply to LFIs are covered in the following requirements:

           To put in place indicators to identify suspicious transactions (AML-CFT Law Article 15, AML-CFT Decision Article 16).
           To report suspicious activity to the FIU and cooperate with relevant authorities, including to not disclose the information or data in an STR (AML-CFT Law Articles 9.1, 15, 24, 25, 27, AML-CFT Decision Articles 13.2, 17.1, 18.1, 20.2, 42.1/2).
           
          • 1.3.1. Consequences for Failure to Disclose Suspicious Activity

            Failure to report a suspicious transaction (STR, SAR, or other report types) without delay, whether intentionally or by gross negligence, is a federal crime in the UAE. The AML-CFT Law provides for the following sanctions against any person, including an LFI, or their managers and employees, who fail to perform, whether purposely or through gross negligence, their statutory obligation to report a suspicion of money laundering and related predicate offences or the financing of terrorism or of illegal organisations:

             Imprisonment and fine of no less than AED100,000 and no more than AED1,000,000; or
             Either of these two sanctions (i.e., imprisonment or fine of no less than AED100,000 and no more than AED1,000,000), according to Article 24 of the AML-CFT Law.
             

            According to Article 15 of the AML-CFT Law, the requirement to report is in the case of suspicion or reasonable grounds to suspect a crime.

          • 1.3.2. Protection for Individuals Disclosing Suspicious Activity

            LFIs, as well as their board members, employees, and authorized representatives, are protected by Article 15 of the AML-CFT Law and Article 17.3 of the AML-CFT Decision from any administrative, civil, or criminal liability resulting from their good-faith performance of their statutory obligation to report suspicious activity to the FIU. This is also the case even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred. This covers cases when an employee files an STR, SAR, or other report type that their employer did not want to file.

            However, it should be noted that such protections do not extend to the unlawful disclosure to the customer or any other person, whether directly or indirectly, that they have reported or intend to report a suspicious transaction, or of the information or data the report contains, or that an investigation is being conducted in relation to the transaction.

          • 1.3.3. Meaning of Suspicious Transaction

            Within the AML-CFT Law and its AML-CFT Decision, a suspicious transaction refers to any transaction, attempted transaction, or funds for which an LFI has reasonable grounds to suspect as constituting, in whole or in part and regardless of the amount or the timing, any of the following:

             The proceeds of crime (money laundering and related predicate offenses, or financing of terrorism or illegal organisations);
             Being related to the crimes of money laundering and related predicate offences, the financing of terrorism or illegal organisations; and
             Being intended to be used in an activity related to such crimes.
             

            The AML-CFT Law and its AML-CFT Decision define a predicate offence as “any act constituting an offense or misdemeanour under the applicable laws of the State whether this act is committed inside or outside the State when such act is punishable in both countries.”

            It should be noted that the only requirement for a transaction to be considered as suspicious is “reasonable grounds” in relation to the conditions referenced above. Thus, the suspicious nature of a transaction can be inferred from certain information, including indicators; financial/transactional and behavioral patterns; Customer Due Diligence (“CDD”) information; or adverse media information, and it is not dependent on obtaining evidence that a predicate offense has actually occurred or on proving the illicit source of the proceeds involved. LFIs do not need to have knowledge of the underlying criminal activity nor any founded suspicion that the proceeds originate from a criminal activity; reasonable grounds to suspect any such criminal activity are sufficient.

            LFIs should also note that suspicious transactions need not be completed, in progress, or pending completion. Attempted transactions, transactions that are not executed and past transactions, regardless of their timing or completion status, which are found upon review to cause reasonable grounds for suspicion, must be reported in accordance with the relevant requirements.

        • 1.4. Acronyms

          Terms: Description
          AIF: Additional Information File without Transactions
          AIFT: Additional Information File with Transactions
          AML / CFT: Anti-Money Laundering / Combatting the Financing of Terrorism and Illegal Organisations
          CBUAE: Central Bank of the United Arab Emirates
          CDD: Customer Due Diligence
          EDD: Enhanced Due Diligence
          FATF: Financial Action Task Force
          FIU: Financial Intelligence Unit
          HRC: High Risk Country Transaction Report
          HRCA: High Risk Country Activity Report
          KYC: Know Your Customer
          QC: Quality Control
          Report: Any STR, SAR, AIF, AIFT, RFI, or RFIT based report
          RFI: Request for Information without Transactions
          RFIT: Request for Information with Transactions
          RFR: Reason For Reporting
          SAR: Suspicious Activity Report
          STR: Suspicious Transaction Report

           

      • 2. Identification of Suspicious Transactions

        • 2.1. Role of the First Line of Defense

          Employees within the first line of defense (e.g., relationship managers, business executives, and back-office operations functions) should understand the AML/CFT risks posed to the business in which they work. First line of defense employees are central to the management of customer and third-party risk and the timely escalation of potentially suspicious activity. LFIs should not rely solely on transaction monitoring systems to identify unusual and potentially suspicious activity in their customer population. First line of defense employees play a critical role in the detection and prevention of money laundering and the financing of terrorism and illegal organisations. Appropriately trained employees are in fact well-placed to identify suspicious transactions and assess when information once deemed reasonable, collected through interactions with a customer, now appears suspicious. They should therefore be trained regarding potential risk and risk mitigation and reporting within their business area. Employees should understand the regulatory requirements within the scope of their role; red flags associated with their customers, products, services, delivery channels, and geographies; and the appropriate escalation procedure both to their management and to the second line of defense without compromising their responsibility to report suspicious transactions.

        • 2.2. Role of the Second Line of Defense

          The second line of defense (e.g., compliance employees) provides policy advice, guidance, assurance, oversight, and challenge to the first line of defense. While employees in Financial Crime Operations Units (possibly in the first line of defense) can investigate suspicious transactions and document the resultant investigation, the ultimate filing of the STR or SAR must be made by the Compliance Officer or the MLRO (in the second line of defense). To this end, the second line of defense is charged with overseeing the investigations programme comprised of both automated and manual monitoring processes. The second line of defense is also charged with monitoring risks facing the LFI, such as noncompliance with UAE laws and regulations, and reporting directly to senior management on the LFI’s risk exposure, including through financial crime-related metrics. Specifically, the second line of defense and first line of defense (as applicable) should generate financial crime-related metrics (e.g., STRs or SARs filed, alert backlogs) to provide senior management with an adequate overview of the LFI’s compliance program, including the timeliness and quality of the LFI’s handling and resolution of transaction monitoring alerts and the STR or SAR filing process. The second line of defense should retain records of all information relating to transaction monitoring and suspicious activity reporting for a period of no less than five (5) years as provided in Article 24 of the AML-CFT Decision.

          • 2.2.1. Role of the Compliance Officer / MLRO

            According to Article 21 of the AML-CFT Decision, LFIs are required to appoint a Compliance Officer with the appropriate competencies and experience to perform the necessary tasks to:

             Detect transactions relating to any crime as defined in Article 1 of the AML-CFT Decision.
             Review, scrutinize, and study records; receive data concerning suspicious transactions; and make decisions to either notify the FIU or maintain the transaction with a documented rationale for maintaining the transaction while upholding confidentiality requirements.
             Review the internal rules and procedures relating to combating the crime and their consistency with relevant laws and regulations; assess the extent to which the LFI is committed to the application of these rules and procedures; propose what is needed to update and develop these rules and procedures; prepare and submit semi-annual reports on these points to senior management; and send a copy of that report to the relevant supervisory authority with senior management remarks and decisions.
             Prepare, execute, and document ongoing training and development programs and plans for the LFI’s employees on money laundering and the financing of terrorism and financing of illegal organisations, and the means to combat them.
             Collaborate with the supervisory authority and FIU, provide them with all requested data, and allow their authorized employees to view the necessary records and documents that will allow them to perform their duties.
             

            According to CBUAE’s Guidelines, the Compliance Officer is the LFI’s money laundering reporting officer (“MLRO”) charged with reviewing, scrutinizing, and reporting STRs and other reports pertaining to suspicious activity. In this capacity, the Compliance Officer or MLRO is ultimately responsible for the detection of transactions related to money laundering and financing of terrorism and illegal organisations; for reporting suspicions to the FIU; for implementing the appropriate actions following an STR, SAR, or other report filing (e.g., ensuring the STR or SAR subject is input into the relevant list for close monitoring or internal watchlists/blacklists; changing the customer risk rating; etc.); and for cooperating with the relevant authorities on AML/CFT matters. The Compliance Officer or MLRO is ultimately responsible for ensuring that an appropriate programme exists in the LFI and that the LFI effectively deploys a risk-based approach to detect and report suspicious activity.

            The Compliance Officer or MLRO should also act as the primary point of contact with law enforcement agencies for their requests and investigations. The Compliance Officer or MLRO is responsible for liaising with regulators and external bodies on financial crime issues in order to share knowledge, report cases, develop best practices, and where possible, to improve coordination within the financial sector.

        • 2.3. Role of the Third Line of Defense

          The independent testing function is responsible for evaluating the design and operational effectiveness of an LFI’s compliance program controls, including technical compliance with AML/CFT policies and procedures. This function serves as a “third line of defense” to identify gaps, deficiencies, and weaknesses in operational controls owned or overseen by an LFI’s business, operations, and compliance functions. Independent testing should be conducted by an internal audit department, outside auditors, consultants, and/or other qualified, independent third parties. At a minimum, employees responsible for conducting independent testing should not be involved in the function being tested or in other AML/CFT functions that could compromise their independence. Risk-based auditing assists an LFI’s Board of Directors and senior management in identifying areas of weakness, prioritizing those areas for remediation, and ensuring the provision of adequate resources, oversight, and training for affected employees.

        • 2.4. Purpose of Transaction Monitoring

          The purpose of transaction monitoring is the ongoing, retrospective monitoring of customers’ and prospective customers’ transactions or activity to identify activity that deviates from normal behavior. This may, on further investigation, generate knowledge or reasonable suspicion of financial crime and thereby require reporting to the appropriate law enforcement and/or regulatory authority as an STR, SAR, or equivalent local report in line with AML/CFT regulatory and/or UAE FIU reporting requirements. LFIs may choose to use a combination of automated transaction monitoring scenarios and exception-based (manual) transaction reports to monitor for potentially suspicious activity. The aim of the alert review process is to identify and respond to potential indicators of money laundering, associated predicate offenses, financing of terrorism and illegal organisations, financing of proliferation, and any potentially unusual activity that does not align to a customer’s or account’s profile, including by deploying a risk-based approach. An LFI’s transaction monitoring systems and manual processes should be reviewed, assessed, and revised periodically—at least annually—and otherwise as appropriate, justified by the required circumstances. Additionally, this review should include both an evaluation of transaction monitoring system thresholds and a fine tuning of the LFI’s transaction monitoring system as well as an evaluation of its effectiveness. The individuals responsible for the review should have a proper understanding of the LFI’s framework, including the LFI’s business and customer base, to generate a meaningful output.

        • 2.5. Internal Organization

          In order for an LFI’s transaction monitoring and suspicious activity reporting program to be effective, it must be based on the foundation of a sound governance structure. Namely, an LFI’s internal organization is important to appropriately identifying unusual or potentially suspicious activity. Internal organization comprises an LFI’s policies, procedures, and processes designed to oversee and manage risks and to achieve compliance with UAE AML/CFT laws and regulations. In particular, an LFI’s internal organization addresses the core organizational elements of an LFI’s compliance program: governance and management oversight; policies and procedures; clear lines of responsibility and reporting; and ongoing training to account for changes in the UAE’s legislative and regulatory frameworks.

           Governance and Management Oversight: Governance and management oversight helps to ensure that an LFI’s compliance program is appropriately funded, staffed, and equipped with the requisite technology, including to identify and report suspicious activity. An LFI’s Board of Directors also ensures that the compliance program has an appropriately prominent status within the organization and is operationally independent. In this capacity, senior management, inclusive of the Compliance Officer, within a compliance program should have the appropriate authority; independence; access to employees and information within the organization; and appropriate resources to conduct their activities—including the identification and reporting of suspicious activity—effectively. The compliance program should have access to the Board of Directors or a designated board committee to raise any issues or risks; report on the status of ongoing compliance; and escalate any other pertinent AML/CFT-related information.
           As part of an LFI’s risk management framework, senior management and an LFI’s Board of Directors should oversee the design, implementation, and maintenance of a transaction monitoring and suspicious activity reporting program based on an LFI’s AML/CFT risks and in accordance with all applicable laws and regulations. Senior management should likewise oversee a vendor selection process (as applicable) if a third-party vendor is used to acquire, install, implement, or test a transaction monitoring program or any aspect of identifying and reporting suspicious activity, among other responsibilities. The Compliance Officer (or MLRO) shall periodically update the Board of Directors (or a committee of the Board) on the overall capability framework (including the technology and process aspects of suspicious activity identification, investigation, and reporting).
           Policies and Procedures: An LFI should have policies and procedures that govern changes to its transaction monitoring program to ensure that changes are defined, managed, controlled, reported, and audited. Namely, LFIs should have governance protocols surrounding the design and implementation of new detection scenarios; periodic assessment and validation of existing detection scenarios; and retiring of detection scenarios. In addition, an LFI should develop a procedure for the investigation and processing of transaction monitoring alerts in order to file an STR, SAR, or other report type promptly and qualitatively. These policies and procedures should cover the key processes for drafting and filing an STR, SAR, or other report type and other regulatory reports. More broadly, policies and procedures work to manage key AML/CFT risks and create processes for adherence across an LFI.
           Clear Lines of Responsibility and Reporting: In relation to suspicious transactions, an LFI should have clear roles, responsibilities, and reporting lines, including reporting and escalations to the Board of Directors and senior management. These roles, responsibilities, and reporting lines should be clearly documented across all three lines of defense. Clear lines of responsibility help with effectively identifying and reporting suspicious activity in a timely manner while ensuring that there is appropriate and effective oversight of employees who engage in activities which may pose greater AML/CFT risk. LFIs should also have a mechanism to inform senior management and the Board of Directors (or a committee of the Board) of compliance initiatives, compliance deficiencies, STRs or SARs (or other reports) filed, and corrective actions taken.
           Ongoing Training: Training should be provided on an ongoing basis to an LFI’s employees and should include changes to the UAE’s legislative and regulatory frameworks; internal policies or procedures; and understanding of evolving risk issues with respect to an LFI’s transaction monitoring and suspicious activity reporting program. Training topics can include, but are not limited to, thematic analysis of STRs or SARs; regulatory requirements and best practices related to STR or SAR reporting; noteworthy STRs or SARs (or other reports) filed during the prior quarter; and controls related to emerging financial crime risks. Training should be customized to include any other internal data that would be beneficial to both the first line and second line of defense.
           
          • 2.5.1. Considerations for Institutions with Foreign Branches and Subsidiaries

            For LFIs operating in an international context, FATF Recommendation 18 recommends that financial groups be required to implement group-wide AML/CFT programs applicable to foreign branches and majority-owned subsidiaries. Recent major enforcement actions taken by supervisors in key jurisdictions have highlighted the need to ensure that systems and controls are aligned across a financial group and that foreign branches and majority-owned subsidiaries align AML/CFT measures with a financial group’s home country requirements. As a result, LFIs have implemented global AML/CFT policies that outline a group risk appetite and are managed in each jurisdiction to align to local regulatory or legislative requirements. To support alignment of controls, LFIs operating across jurisdictions may seek to leverage the same control solutions for key processes, such as customer screening or transaction monitoring, though there may be different rules for different jurisdictions. For example, if the LFI operates in an economy which is known to be more cash-based than another, the cash trigger rules in transaction monitoring may vary appropriately. Centralized controls with operational centers of excellence also provide a means of ensuring alignment across the group around systems and controls.

        • 2.6. Transaction Monitoring Methods

          The five key components to an effective transaction monitoring and reporting system are: (i) identification of unusual or suspicious activity; (ii) managing alerts with an alert risk scoring model; (iii) STR or SAR decision making; (iv) STR or SAR completion and filing; and (v) monitoring and STR or SAR filing on continuing activity. To effectively identify unusual or potentially suspicious activity, LFIs should first maintain a transaction monitoring program based on an underlying AML/CFT risk-based assessment. The transaction monitoring program should take into account the AML/CFT risks of the LFI’s customers, prospective customers, counterparties, businesses, products, services, delivery channels, and geographic markets in addition to helping prioritize high-risk alerts. However, the sophistication of monitoring systems can differ based on an LFI’s AML/CFT risks. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or a combination of these. Overall, LFIs must adopt monitoring processes and procedures to monitor customer activity that are commensurate with the size and nature of the line of business and the money laundering and the financing of terrorism and illegal organisations’ risks posed by their relevant customer base. The monitoring system and/or manual processes must reasonably demonstrate that transactions that carry the highest risk of money laundering and financing of terrorism and illegal organisations are subject to enhanced scrutiny.

          As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high-risk, LFIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low-risk, LFIs may consider monitoring and reviewing transactions at a reduced frequency.

          Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:

           Threshold-based rules, in which transactions above certain pre-determined values, numerical volumes, or aggregate amounts are examined;
           Transaction-based rules, in which the transactions of a certain type are examined;
           Location-based rules, in which the transactions involving a specific location (either as origin or destination) are examined; and
           Customer-based rules, in which the transactions of particular customers are examined.
           
          • 2.6.1. Manual Monitoring

            An LFI may seek to utilize a manual transaction monitoring system, which typically targets specific categories of transactions (e.g., those involving large amounts of cash, those to or from certain geographies) and includes a manual review of various reports generated by the LFI’s systems in order to identify unusual activity. The type and frequency of reviews and resulting reports used should be commensurate with the LFI’s AML/CFT risk profile—including the nature, size, and complexity of its operations—and properly cover customers, counterparties, businesses, products, services, delivery channels, and geographic markets. System-generated reports typically use a certain currency threshold to detect unusual activity. An LFI’s responsible senior employee should periodically evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process and periodically apprise Senior Management and, where required, notify the Board of Directors (as part of periodic updates), on the appropriateness of design of manual monitoring reports. LFIs should be alert to the fact that complex and evolving financial crime risks can undermine the effectiveness of manual monitoring systems, and therefore, manual monitoring systems should also be independently reviewed for reasonable filtering criteria.

          • 2.6.2. Automated Transaction Monitoring

            Automated transaction monitoring systems can cover multiple types of transactions and use different rules to identify potentially suspicious activity. In addition, many systems can adapt over time based on historical activity, trends, or internal peer comparison. After parameters and filters have been developed, they should be reviewed before implementation to identify any gaps in coverage to address potential financial crime schemes that may not have been addressed. LFIs should also seek to have appropriate case management systems so that such funds or transactions are scrutinized in a timely manner and a determination is made as to whether the funds or transaction are suspicious.

            Once established, the LFI should review and test system capabilities and thresholds on a periodic basis, commensurate to its risk profile. This review should focus on specific parameters or filters in order to ensure that intended information is accurately captured, and that the parameter or filter is appropriate for the LFI’s particular risk profile, including the applicability of the detection scenarios, underlying rules, threshold values, and assumptions used. An LFI should also aim to review its transaction monitoring program at least annually to account for changes in the LFI’s internal procedures; local laws and regulations; and best practices.

            Relatedly, the authorization to establish or alter expected activity profiles should be clearly defined through policies and procedures. An LFI’s internal controls should ensure limited access to the monitoring systems, and changes should require the approval of the Compliance Officer, MLRO, or senior management. The LFI should implement a robust end-to-end, pre- and post-implementation testing procedure of its transaction monitoring program with documentation detailing current detection scenarios and the underlying assumptions, parameters, and thresholds applied.

            Employees appointed by the LFI should also be responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the transaction monitoring program, which may extend to assessing the timely review and decision-making of generated alerts and potential STR or SAR filings. Such employees should be responsible for independently validating an LFI’s transaction monitoring system’s programming methodology and effectiveness to ensure that the LFI’s automated transaction monitoring system is effectively detecting potentially suspicious activity. These appointed employees should also ensure that customer segments, customer types, and transactions/transaction codes are mapped into the transaction monitoring system, and that the transaction monitoring system is integrated with the LFI’s core banking and other relevant systems. Independent validation should also take place of an LFI’s policies with an aim to assess if employees are adhering to these policies. This is especially important to validate the proper use of automated tools and to ensure that the application of information technology instruments or algorithms—often leveraged by LFIs to reduce the number of false positives in their transaction monitoring programs—is not inadvertently suppressing instances of reportable suspicious activity. Where appropriate, the LFI, in lieu of maintaining full time employees to perform the aforementioned functions, may hire qualified specialist consultants or external vendors to provide such review services.

          • 2.6.3. Intelligence-led Transaction Monitoring Approach

            LFIs have begun to invest in forming and developing their own intelligence units or capabilities. By establishing such units or capabilities, LFIs seek to maximize the use of data and information available both internally—within the LFI—and externally—across jurisdictions and businesses—in order to tackle money laundering, the financing of terrorism and illegal organisations, and fraud schemes, as well as to consolidate analytical capacity and remove any jurisdictional and business silos. This has led some LFIs to shift from a pure transaction-level monitoring approach towards adopting a “customer-level” or “network” monitoring approach. Under this approach, previous investigations can be applied to inform and refine risk models, which can then be used to customize monitoring for different business lines and customer types. These enhancements are focused on looking beyond single transactions or single customers to identify the wider network in which a customer operates—looking at the customer as an entity—enabling LFIs to manage networks of accounts and report on these networks, which, in turn, increases opportunities to disrupt that network. This model moves reporting away from reports of single suspicious transactions towards suspicious entities and networks with a view on how the funds flow between them.

      • 3. Procedures for the Reporting of Suspicious Transactions

        All customers and accounts should be subject to monitoring under a risk-based approach in order to identify potentially suspicious transactions and patterns, as well as behavior that is inconsistent with past behavior on the account or with the anticipated activity on the account as determined at onboarding. Alerts on such behavior are risk-relevant indicators of potentially suspicious activity. Upon identifying unusual or potentially suspicious activity, an LFI’s employees must review and, as appropriate, escalate the activity for further investigation or immediate action.

        Although the process for reviewing unusual or potentially suspicious activity for further investigation or immediate action is not outlined in this guidance, LFIs should establish a process to investigate such activity, including developing policies and procedures that document the process for deciding whether to close the alert or to promptly report the transaction as suspicious. These policies and procedures should include guidance on capturing detailed descriptions of the manner in which the alerts were disposed of, whether by reporting or by closure of the alerts. For the purposes of this guidance, best practices are discussed once activity is determined to meet one or more of the regulatory definitions of suspicious activity and when an LFI decides to report such activity to the FIU by filing an STR, SAR, or other report type.

        • 3.1. Importance of Filing an STR and SAR

          The information generated from an STR, SAR, and other report type is important for identifying and combatting financial crime. First, the quality of STRs, SARs, and other report types is imperative for increasing the FIU’s analytical function to identify vulnerabilities and threats to the UAE financial system and develop an overall understanding of money laundering and the financing of terrorism and illegal organisations’ risks based on emerging trends and patterns. Relatedly, STRs, SARs, and other report types also assist law enforcement in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system. Law enforcement uses the intelligence generated from STRs, SARs, and other report types to initiate and supplement money laundering or terrorist financing investigations and other criminal cases. As a result, it is critical that the information provided in all reports of suspicious activity be as accurate, timely, and complete as possible.

        • 3.2. Basic Structure of an STR or SAR

          The Compliance Officer or MLRO and other concerned employees responsible for using the goAML system must be aware of the different report types. As such, the LFI should select the correct report type when filing a report through the goAML system. The STR and SAR are the primary (or first instance) reports which must be used to report a new suspicion, whereas Additional Information File without Transactions (“AIF”) and Additional Information File with Transactions (“AIFT”) report types are supplementary reports which can be used to escalate additional information or transactions that correspond to a previously filed STR or SAR. When filing an AIF or AIFT, the LFI should input the Reference Number that corresponds to the STR or SAR.

           • STR: If, during the establishment or course of the customer relationship, or when conducting transactions on behalf of a customer or an occasional customer, an LFI suspects transactions are related to money laundering, related predicate offenses, or the financing of terrorism or illegal organisations, then the LFI should submit an STR to the FIU within the timelines established in this guidance.
           • SAR: If, during the establishment or course of the customer relationship, an LFI suspects any activity or an attempted transaction (i.e., a non-executed transaction) can be related to money laundering, related predicate offenses, or the financing of terrorism or illegal organisations, then the LFI should submit a SAR to the FIU within the timelines established in this guidance.
           • Additional Information File (“AIF”) without Transactions: Should the FIU require any further details while reviewing an STR or SAR, then the LFI that originally submitted the report may be solicited for further information by receiving an AIF request from the FIU through the Message Board. Should such a situation arise, the LFI is required to submit an AIF based report through the goAML platform. Please note that an AIF is a supplemental report that does not contain transactional details.
           • Additional Information File with Transactions (“AIFT”): Should the FIU require any further details including transactions while processing an STR or SAR, then the LFI that originally submitted the said report may be solicited for further information including transactions by receiving an AIFT request from the FIU through the Message Board. Should such a situation arise, then the LFI is required to submit an AIFT report through goAML. Please note that an AIFT is a supplemental report that contains transactional details.
           • Request for Information (“RFI”) without Transactions: Should the FIU require further information from multiple LFIs rather than just the entity responsible for submitting the STR or SAR, then an RFI request will be sent out to the concerned LFIs through the goAML Message Board. Should such a situation arise, then the LFI is required to submit an RFI report through the goAML portal.
           • Request for Information with Transactions (“RFIT”): The ‘RFI with Transaction(s)’ report is similar to the structure of an RFI request, with the exception that this report type supports the use of transactions.
           • High Risk Country Transaction Report (“HRC”): If, during the establishment or course of the customer relationship, or when conducting transactions on behalf of a customer or a potential customer, an LFI identifies transactions related to high-risk countries as defined by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee2, then the LFI should submit an HRC to the FIU. Such reported transaction(s) may only be executed three working days after reporting such to the FIU, and if the FIU does not object to conducting the transaction within the set period.
           • High Risk Country Activity Report (“HRCA”): If, during the establishment or course of the customer relationship, or when conducting an activity on behalf of a customer or a potential customer, a reporting entity identifies activities related to high-risk countries as defined by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee3, then the entity should submit an HRC to the FIU. Such reported activity(ies) may only be executed three working days after reporting such to the FIU, and if the FIU does not object to conducting the activity within the set period.

          When all applicable information is collected, analyzed, and documented and the LFI decides that an STR or SAR is required, the information should be described in the narrative within an investigative narrative report template in a concise and chronological format. The LFI should divide the narrative into three sections: an introduction, a body, and a conclusion. The investigative narrative report template is considered as an addition to the goAML report (due to the potential text limitation within the “goAML description of the report” field).

           Introduction

           The introductory paragraph should provide:

           • A brief statement addressing the purpose of the report with a general description of the known or alleged violation.
           • The name(s) of the subject against whom the report is filed.
           • Any linked/previous STRs, SARs, or other reports, including the date of any STR(s) / SAR(s) filed (or other reports) previously on the suspect or related suspects and the reason why the previous STR(s) / SAR(s) (or other report) was filed.

           Additional Guidance:

           • Whether the activity is associated with any sanctioned countries or contained on government lists for individuals or organisations.
           • A summary of the “red flags” and suspicious patterns of activity that initiated the report. (This information should be provided either in the introduction or conclusion of the narrative).

           Body

           The next paragraph or paragraphs of the narrative can provide all pertinent information documenting why the STR, SAR, or other report was filed and might include:

           • Details of parties facilitating the suspicious activity or transactions. If the subject is an entity, details of the subject can include the entity’s trade license number, date established, line of business, licensing authority, and ownership structure.
           • Involved suspected transactions (usually identified in chronological order by date and amount) [To be included only for an STR and supplementary reports involving transactions].
           • The review period for the suspicious activity or transactions.
           • The source of funds, destination of funds, and total of suspected amounts. This can include the transactor and beneficiary information, providing as much detail as possible, including the name and location of any involved domestic and/or international financial institution(s); names, addresses, account numbers, and any other available identifiers of originator and beneficiary transactor(s); and/or third parties or business entities on whose behalf the conductor was acting; the date(s) of the transaction(s); and amount(s).
           • Explain in detail the reason for the suspicion, and why the activity or transaction is determined to be illegal or suspicious.
           • Description of the method of operation (i.e., modus operandi).

           Additional Guidance:

           • A breakdown of larger volumes of financial activity into categories of credits and debits, and by date and amount. [To be included only for an STR and supplementary reports involving transactions].
           • An explanation of any observed relationships among the transactors (e.g., shared accounts, addresses, employment, known or suspected business relationships and/or frequency of transactions occurring amongst them; appearing together at the LFI and/or counter). [To be included only for an STR and supplementary reports involving transactions].
           • Specific details on cash transactions that identify the branch(es) where the transaction(s) occurred, the type of transaction(s), and how the transaction(s) occurred (e.g., night deposit, on-line banking, ATM, etc.). [To be included only for an STR and supplementary reports involving transactions].
           • Any factual observations or incriminating statements made by the suspect.

           Conclusion

           The final paragraph will be covered under “Action Taken by Reporting Entity” field. The final paragraph of the narrative can summarize the report and might also include:

           • Any planned/initiated mitigating steps, including information about any follow-up actions conducted by the LFI (e.g., intent to close or closure of accounts, ongoing monitoring of activity, etc.).

           Additional Guidance:

           • Names and telephone numbers of other contacts at the LFI if different from the point of contact indicated in the report.
           • A general description of any additional information related to the LFI that may be made available to law enforcement by the LFI.
           • Names of any law enforcement or department/unit investigating the case who are not already identified in another section of the report.

          2 https://www.namlcftc.gov.ae/en/high-risk-countries.php
          3 Idem note

        • 3.3. Best Practices for Drafting an STR or SAR

          In general, a narrative should identify the five core components - who? what? when? where? and why? - of the suspicious activity being reported to the FIU. The method of operation/modus operandi (or how?) is also important and should be included in the report narrative. An LFI should ensure that the following five questions are answered prior to submitting an STR, SAR, or other report in the FIU’s goAML system.

          Who is conducting the suspicious activity or transaction?

           • Describe the subject of the STR, SAR, or other report, otherwise known as the suspect(s), including the conductor, beneficiary, and accountholders involved in the transaction or activity.
           • Provide identifying information on the parties involved in the transaction, such as the suspect’s occupation and position or title within the business.
           • List beneficial owners, directors, officers, and those with signing authority, if possible. If the transaction or activity involves an entity, include information on the ownership, control, and structure of the business.
           • Provide details about each individual or entity's role in each of the financial transactions described. It is important to understand who is sending and receiving the funds. [To be included only for an STR and supplementary reports involving transactions].
           • If more than one individual or entity is involved in the suspicious activity, explain the relationships among the individuals or entities (if known).

          Even though information may not always be available, information should be included to the extent possible. For instance, addresses for suspects are important; filing LFIs should note not only the suspect’s primary street addresses but also other known addresses. Any identification numbers associated with the suspect(s), such as passport and driver’s license numbers, are also important to document.

          What instruments or mechanisms are being used to facilitate the suspicious activity or transaction(s)?

           • Review the instruments or mechanisms used in the suspicious activity (e.g., wire transfers, foreign currency, Wages Protection System (WPS), letters of credit and other trade instruments, correspondent accounts, money orders, credit/debit cards, etc.).
           • Understand the number of different methods employed for initiating the negotiation of funds, such as the Internet, phone access, mail, night deposit box, remote dial-up, couriers, or others.
           • Describe the source of the funds (as originator) or use of the funds (as beneficiary). In documenting the movement of funds, identify all account numbers at the LFI affected by the suspicious activity or transaction and when possible, provide any account numbers held at other LFIs and the names/locations of the other LFIs involved in the reported activity.

          When did the suspicious activity or transaction take place?

           • If the activity takes place over a period of time, provide the date when the suspicious activity or transaction was first observed and describe the duration of the activity.
           • To better understand the history and nature of the activity, and the flow of funds, LFIs should provide information on each individual transaction in a chronological order (e.g., individual dates and transaction amounts, rather than only the aggregated amount). [To be included only for an STR and supplementary reports involving transactions].
           • Provide information on when the transaction was completed or attempted. If the transaction was not completed, the LFI should indicate this in the narrative. [To be included only for an STR and supplementary reports involving transactions].

          Where did the suspicious activity or transaction take place?

           • Explain if multiple offices of a single LFI were involved in the suspicious activity or transaction being reported. Provide the addresses of those locations.
           • Specify if the suspected activity or transaction(s) involves a foreign jurisdiction. In this case, list the foreign jurisdiction, LFI, address, and any account numbers involved in, or affiliated with the suspected activity or transaction(s).
           • This information should include any location involved in the full transaction chain, including ultimate originators and beneficiaries to the extent this can be ascertained. [To be included only for an STR and supplementary reports involving transactions].

          Why does the LFI think the activity or transaction is suspicious?

           • Describe the industry or business and why the activity or transaction is unusual for the customer. Consider the types of products and services involved in the activity and the expected activities of similar customers.
           • Assess why the activity created a red flag for the LFI or triggered an alert within the system.

          These answers will vary based on the LFI type (for example, a depository institution versus an insurance company) and an LFI should also consider such factors as:

           • The types of products and services the LFI offers;
           • The types of accounts the customer has with the LFI;
           • The normally expected business activity of the customer (if they are a customer of the LFI), and why this is not normal or expected activity;
           • The purpose of the payment or transaction, to the extent known, reported, alleged, or questioned; and
           • If the activity resulted from an automated alert, the scenario or rule that generated the alert.

          How did the suspicious activity or transaction occur?

           • Describe how the transaction or pattern of transactions was committed (i.e., the “modus operandi” or the method of operation). [To be included only for an STR and supplementary reports involving transactions].
           • For example, if there appear to be multiple cheques deposited matched with outgoing wire transfers from the accounts, the narrative should include information about both the cheques and outbound transfers (including dates, destinations, amounts, accounts, frequency, and beneficiaries of the funds transfers).

          • 3.3.1. Defensive STR or SAR Filings4

            Defensive filing is the practice of filing STRs or SARs on transactions or activity(ies) that LFIs do not deem truly suspicious in order to reduce the risk of regulatory penalties for non-filing of STRs or SARs.5 Although there may be some aspect of the transaction or activity creating potential suspicion, defensive filings do not report on activity that the LFI truly considers suspicious. As such, defensive filings are generally discouraged given that such filings diminish the value of STRs and SARs, including by leading to an increase in non-valuable filings. An STR, SAR, and other report types should be of the best possible quality, including in that it should have a clearly written narrative with sufficient detail that comprehensively articulates the factors involving the reported suspicious transaction or activity. As a result, the CBUAE considers defensive STRs or SARs as indicative of an inefficient transaction monitoring system and an LFI’s weak system of internal controls. An LFI may be asked to correct such deficiencies as part of broader supervisory measures provided by applicable law, including administrative sanctions, temporary limitation to business activities, etc. If, for any reason, an LFI needs additional data to assess whether unusual activity is truly suspicious, the LFI should review other mechanisms—such as expanding the time period for reviewing alerted transactions (e.g., from 30 days to 90 days) or reviewing threshold-based reports—to make the determination that an STR or SAR is required.


            4 The UAE FIU has noted instances where SAR or STRs are reported due to the LFI not receiving supporting documents that would justify the transaction or activity. However, upon the FIU raising a request to the same LFI in the form of an AIF, supporting documents were subsequently provided for the same subjects and report. This documentation in some instances removed the suspicion of the transaction and in others, helped explain the transaction or action. Submitting reports to the FIU without first conducting a thorough investigation and looking at all available evidence creates a situation where non-suspicious transactions may be reported to the FIU. LFIs are reminded that internal investigations into the suspicious transaction or activity should be conducted to the fullest extent possible prior to raising an STR or SAR and that related documentation, when available or easily retrievable, should be included with the STR or SAR. 
            5 Egmont Group, Enterprise-wide STR Sharing: Issues and Approaches, Pg. 17

        • 3.4. How to Submit an STR and Other Report Types

          LFIs are required to submit suspicious transaction and activity reports directly to the FIU using the “goAML” portal, and registration in the system is mandatory for all entities under CBUAE’s supervision. According to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions, the FIU has launched the goAML system for the purposes of facilitating the filing of STRs, SARs, and other report types by all LFIs. LFIs should register themselves on the goAML system by following the “GoAML Registration Guide” and maintaining their registration in an “active” status. An entity’s Compliance Officer or MLRO can register as the user of the system. GoAML provides a secure link from each LFI to the FIU through their respective supervisory authorities. The system also has an .xml schema for filing batches of STRs. All newly licensed LFIs should register themselves immediately after obtaining their financial services license. Failure to register within the goAML system may result in a breach of the LFI’s AML/CFT obligations and will be dealt with in accordance with the prevailing legal provisions related to non-compliance.

          According to the “goAML XML Submission Guide,” the goAML system reflects multiple mandatory fields, business rules, and various binding scenarios. Combined, the system only accepts reports that pass through the minimum requirements set by the FIU. Mandatory fields for submitting a report in the goAML system are noted below:

          1. Select the Report Type [4.2.1 GoAML XML Submission Guide]: A Compliance Officer or MLRO should select a report type and populate all available details in the ‘Report Cover’ as depicted below:
           
          • Reporting Entity ID - Entity name as per the registration (auto-generated)
          • Internal STR/SAR # - Internal STR/SAR number
          • Submission Date* - Date of escalating the Report to the FIU (auto-generated)
          • Description/Summary of the Report* - Brief overview for the suspicion/reason for submitting this report to the FIU. This field is only mandatory for STR and SAR report types
          • Reporting Entity Branch - Branch where the main subject(s) of the report were identified
          • Report Type* - Report type relevant to the suspicion/reason for submission to the FIU
          • FIU Reference - Only applicable in the case of AIF/RFI/AIFT/RFIT type reports. Provide the corresponding case number as specified in the Message Board communication sent by the FIU
          • Action Taken by Reporting Entity* - The action(s) taken by the reporting entity post-identifying the reason for suspicion/submission

           

          2. MLRO Details [4.2.2 GoAML XML Registration Guide]: This section of the report includes details on the Compliance Officer, MLRO, or individual filing the report, which is automatically populated using the details provided during the registration phase.6
          3. Location of the Incident [4.2.3 GoAML XML Registration Guide]: The location of the incident requires the location where the suspicious incident/transaction originated from. This is mandatory for STR and SAR report types.
          4. Reason for Reporting [4.2.4 GoAML XML Registration Guide]: The LFI is expected to select the most appropriate reason for reporting available from the menu selection provided. If necessary, more than one reason may also be provided. It is imperative that the correct Reason for Reporting (“RFR”) is chosen for STRs or SARs submitted in the goAML system.7
          5. Transactions [4.2.5 GoAML XML Registration Guide]: If the reported activity involves transaction(s), the LFI should populate the following transaction details:
           
          • Transaction Ref. Number* - Kindly use the auto-generate button to generate a unique identification number if the LFI is not a Bank/Exchange House
          • Reporting Entity Internal Reference Number*- Reporting entity's internal transaction reference number
          • Type of Transaction* - The mode used to conduct the transaction being reported
          • Late Deposit - Does this transaction count as a late deposit? (Yes or No)
          • Total Suspected Amount* (AED) - Suspected amount in AED
          • Date* - Date when transaction was initiated
          • Indemnified for Repatriation* - If the reporting entity has received an indemnity for repatriation
          • Transaction Executed by (Staff Name) - Name of the staff member who executed the transaction
          • Authorizer - Name of the staff member responsible for authorizing the transaction
          • Branch executing the transaction* - Branch where the transaction was executed
          • Date of receipt for recall request* (that field will only show if ‘Yes’ was selected for Indemnified for Repatriation) - The date when the reporting entity received the fund recall request
          • Purpose of the Transaction* - Purpose for executing the transaction
          • Transactions Comments - Comments (if any)
           
          6. Transaction Type, From Type / To Type, My Client / Not My Client, Foreign Currency, Conductor [4.2.5.1-4.2.5.5 GoAML XML Registration Guide]: Additional transaction details should be added according to the transaction type; transaction type (to/from) (i.e., my client, not my client); and foreign currency type (if applicable); and the amount. These fields should be populated by the LFI according to the GoAML XML Registration Guide’s instructions. Please refer to Party Type: Person (below) to populate information on the conductor of the transaction for 4.2.5.6.
          7. Phone, Address, Identification, Email, and Employer Address and Employer Phone [4.2.5.7-4.2.5.11 GoAML XML Registration Guide]: These fields should be populated by the LFI according to the GoAML XML Registration Guide’s instructions.
          8. Party Type [4.2.5.12 GoAML XML Registration Guide]: The ‘Party Type’ refers to the initiating source (source of funds) and beneficiary/destination party in relation to the report being filed. The initiating source and beneficiary/destination party can be either a Person, Account, or Entity.

           Party Type: Person [4.2.5.6, 4.2.5.13 GoAML XML Registration Guide]: Where the subject initiating or receiving the transaction is a person, clicking the ‘Person’ radio button will generate the following form and fields.
           
          • Title - e.g., Mr./Mrs./Dr.
          • Prefix - Prefix Name e.g., Von, Jr.
          • First Name* - First name of the person
          • Middle Name - Middle name of the person
          • Last Name* - Last name of the person
          • Gender - Male / Female
          • Birth Date - Date of birth of the subject person
          • Birthplace - Location where the person was born
          • Mother’s Name - Name of the person’s mother (if available)
          • Alias - A known alias for the person (if applicable)
          • Emirates ID - Emirates ID number; input the number without using any spaces/hyphens
          • Nationality 1 - First nationality of the person
          • Nationality 2 - Second nationality of the person
          • Nationality 3 - Third nationality of the person
          • ID Number - ID number; input the number without using any spaces/hyphens
          • Tax Number - Tax number for outside UAE without hyphens/spaces (e.g., FATCA number for US citizens)
          • Residence - Country of residence
          • Occupation - Known occupation of the subject
          • Employer Name - Name of the person’s current employer
          • PEP (Y/ N) - Specify if the person is a politically exposed person. Input “Y” or “N” accordingly
          • Source of funds - Primary source of funds used for the reported transaction
          • Passport* - Select if the passport details are available (Y/N)
          • Passport Number* - Input the passport number without any spaces/hyphens only in the absence of an Emirates ID
          • Passport Country* - Country of the passport provided
          • Deceased - Is the person deceased? (Y/N)
          • Date of Death - Date when the person died (applicable only if “Y” was provided in the ‘Deceased’ field)

           

           Party Type: Account [4.2.5.14 GoAML XML Registration Guide]: If the transaction was initiated or received through an Account, clicking the ‘Account’ radio button will generate the following form and fields:

           

          • Account Number* - Account number without any spaces/ hyphens
          • Status Code (is mandatory for My Client) - Account status when transaction was initiated
          • Institution Name - Name of the institution where the account was created
          • UBO* - Who is the beneficial owner of the account?
          • Non-Banking Institution - Is the mentioned account held in a bank or otherwise (Y/N)
          • Client Number - Client Number as per reporting entity’s records
          • Account Type - Drop-down menu for type of account
          • Currency Code - Currency of the account
          • IBAN - IBAN as per standard format (no spaces/hyphens)
          • Opened* - Date of account opening
          • Closed - Date of account closure
          • Balance* (Y/N) - Input "Y" or "N" on whether there is a credit / debit in the account
          • Balance (if the ‘Yes’ radio button is selected (above)) - The current balance of the account in AED
          • Date of balance - Date when the balance was recorded
           
           Please note that LFIs should also add a ‘Signatory(ies)’ form for reports involving accounts that are classified as ‘My Client.’ When the accountholder is a person, the LFI is required to enter all involved signatories. If the accountholder is an entity, the LFI is required to populate the entity details. For instances where an account has multiple signatories, all of the signatory details need to be captured in the goAML system.

           Party Type: Entity [4.2.5.15 GoAML XML Registration Guide]: If the transaction was initiated through an Entity, clicking the ‘Entity’ radio button will generate the following form and fields.

           

          • Name* - Legal name as per documentation
          • Commercial Name - Commercial name as per documentation
          • Business Activity - Business activity of entity (drop-down)
          • Licensing Authority - Regulatory authority responsible for licensing the entity
          • Trade License Number Authority
          • Place of incorporation - Specify the city (Emirate in case of a UAE entity)
          • Establishment Date - Date when entity was established
          • Incorporation Country - Country where the entity was incorporated (drop-down)
          • Email - Registered email for the entity (if any)
          • Website - Website for the entity (if any)
          • Tax Number - Tax number for outside UAE without hyphens/spaces (e.g., FATCA number for US citizens)
          • Comments - Comments (if any)
          • PEP (Y/ N) - Specify if the person is a politically exposed person. Input "Y" or "N" accordingly
          • Latest date of trade license issuance/renewal - Date of trade license issuance/renewal
          • **Phones, Addresses, and Controlling Persons/Beneficial Owners can also be added. Addresses and Controlling Persons/Beneficial Owners section are mandatory only when the entity is classified as ‘My Client.’

           

          9. Involved Parties [4.2.5.16 GoAML XML Registration Guide]: If there are multiple parties involved in the reported activity, the ‘Involved Parties’ form should be populated with the following fields.
           
          • Role* - Nature of association with the transaction
          • Funds Code* - The type of funds
          • Country* - Country of the involved party
          • Significance - Rate the significance of the concerned subject from 0 - 10 (0 being the lowest and 10 being the highest score)
          • Funds comment - Comments on use of funds (if any)
          • Comments - Comments (if any)
          • **Foreign Currency can also be added

           

          10. Goods and Services [4.2.5.17 GoAML XML Registration Guide]: This section corresponds to transactions involving the exchange of goods and services.

           

          • Item Type* - The type of item (e.g., Vehicle)
          • Description - Description of the item (e.g., Luxury Car)
          • Manufacturer - Item maker (e.g., if the item is a car - BMW)
          • Presently Registered To - Name of current owner
          • Previously Registered To - Name of previous owner
          • Status Code - Status code (e.g., Bought, Hired)
          • Estimated Value - Estimated value of the item
          • Currency Code - Used to report service conducted in foreign currency
          • Disposed Value - Effective value for property transfer (value must be in AED)
          • Size UOM - Unit of measurement (e.g. square meters)
          • Size - Size of the property
          • Registration Number - Official registration number (e.g., Car VIN Number)
          • Registration Date - Official registration date (in MM/DD/YYYY format)
          • Identification Number - Any number that can identify the item (e.g., Car Plate Number)
          • Comments - If applicable
          • **Addresses can be added

           

          11. Activity [4.2.6 GoAML XML Registration Guide]: If the report does not contain any transaction(s), then the activity details may be captured in the report. The activity details should include the significance of a concerned subject (scale of 0-10), the reason for reporting the party, and any comments. The ‘Activity’ tab will be shown only when the reporting entity is submitting an “SAR”, “RFI without transaction(s)” or an “AIF without transaction(s)” based report file.
           

          Upon completion of all the mandatory fields (noted above) and submission of the report in the goAML system, the report will be provided to the FIU. It is mandatory for the LFI’s filer to attach supplemental documents to accompany the submission—including but not limited to—Know Your Customer (“KYC”) documentation, copies of identification documentation, account opening forms, transaction receipts, financial statements, and other documents relevant to the investigation. In the instance that the LFI conducted due diligence or internal investigations, the corresponding documents must also be attached. This will assist the FIU in reviewing the report with all the appropriate documentation to support its review and analysis.


          6 The UAE FIU has noted that there have been instances of reports being received whereby upon review, the LFI’s MLRO and related team members’ contact details were not updated in the goAML system, which included email addresses and phone numbers. Keeping contact information updated helps with the two-way communication between LFIs and the FIU while helping to shorten the turnaround time of report analysis. It also enhances the ability of the FIU to analyze and subsequently process reports in a timely manner. The contact information should be kept updated at all times.
          7 The UAE FIU has noted that in some cases LFIs file reports while choosing RFRs that, upon closer examination, are not linked to the actual suspicions of the report. As an example, reports have been received with RFRs related to the financing of terrorism and illegal organisations with no evidence of any activity connected to the financing of terrorism and illegal organisations. Selecting incorrect RFRs hinders the FIU’s analysis, and the LFI should expect multiple requests by the FIU for further clarification in these cases. LFIs should be prudent and diligent when choosing RFRs and submitting reports to the UAE FIU. RFRs should be chosen correctly and in relation to the actual suspicions of the STR or SAR being submitted.

           

        • 3.5. Amendments to Submitted Reports

          Once a report is submitted and accepted in the system, neither the Compliance Officer, MLRO, nor FIU employees can apply any changes and amendments to the report for missing or incorrect information. However, LFIs may be requested to file a corresponding AIF, AIFT, RFI, or RFIT, and mention in the “Description of the Report” field the reason for filing. LFIs should ensure that the filer uses the correct web reference number of the initial report. To avoid such incidents and to safeguard the integrity of the system data, LFIs should adopt a maker and checker process/concept to verify the quality and accuracy of uploaded information.

      • 4. Timing of Alert Reviews and STR or SAR Filings

        • 4.1. Alert Review, Case Investigation, and STR or SAR Decision Making

          An efficient alert management and dispositioning process is essential to safeguarding the financial integrity of LFIs, assisting law enforcement in the identification and investigation of criminal activity, and satisfying regulatory expectations concerning timely suspicious activity reporting. The alert management and dispositioning process should be adequately staffed and free of bottlenecks and should include a process for the expedited filing of urgent reports in appropriate cases. For purposes of this guidance, “alerts” shall be understood to include automated transaction monitoring alerts, employee referrals, and law enforcement requests. The LFI should apply a risk-based approach to the alert review process by prioritizing alerts based on their risk category. For instance, alerts generated on suspicious transactions of higher-risk customers should be risk-scored higher and prioritized for review.

          Alert Review: An LFI’s employees should review an alert and determine whether further investigation is warranted. The underlying basis for the determination should be documented in accordance with an LFI’s investigations procedures. An LFI may choose to have alert review decisions subject to Quality Control (“QC”) review, prior to final dispositioning.

          Where the facts available at the alert review stage are or may be sufficient to warrant an STR or SAR filing without further investigation, or where the transaction may otherwise require immediate attention (per criteria set forth below in 4.4 Activity Requiring Immediate Attention), employees should immediately escalate the alerted activity to the designated STR or SAR decision authority for expedited review.

          Case Investigation: For any alerted activity determined to require further investigation, employees should conduct and complete (at least preliminarily) an investigation of the alerted activity, document the results of any research or analysis performed, and make a recommendation as to whether an STR or SAR should be filed.

          Where a case investigator becomes aware of activity that requires immediate attention (per criteria set forth below in 4.4 Activity Requiring Immediate Attention), employees should immediately escalate the activity to the designated STR or SAR decision authority for expedited review.

          If, in the case investigator’s judgment, the facts available at the filing recommendation deadline meet one or more of the UAE regulatory definitions of suspicious activity, the case investigator should submit a recommendation to file an STR or SAR, even if certain aspects of the activity remain unexplained. Unanswered requests for information (RFIs) made in the course of a case investigation should not delay the timely submission of recommendations with respect to an STR or SAR filing. LFIs should define the reasonable RFI timeframe to allow the customer to respond to queries raised during a case investigation as part of the RFI process.

          In the event of escalation for expedited review, the Compliance Officer or MLRO should review the activity and make a determination as to whether it is suspicious within 24 hours of the date of escalation. Where appropriate, the Compliance Officer or MLRO also should escalate the activity for potential exit and account closure.

        • 4.2. STR/SAR Decision Making and Filing

          In the absence of escalation for expedited review, LFIs are expected to file an STR/SAR within a maximum of 35 business days from the date of automated alert generation. The establishment of adequate grounds of suspicion may involve the investigation procedures as per the LFIs' AML and/or Financial Crime Compliance policies and procedures. LFIs are expected to complete the required investigative procedures as expeditiously as possible. LFIs must maintain adequately detailed records of investigative procedures performed against alerts and when filing an STR/SAR, must include a summary justifying the time taken to establish grounds of suspicion.

          In the event of escalation for expedited review, the Compliance Officer or MLRO should file an STR or SAR to the FIU within 24 hours of the determination. All prospective STRs or SARs should be reviewed for accuracy and completeness prior to filing, in accordance with applicable procedures.

          LFIs are ultimately responsible under UAE’s AML-CFT Law to report suspicious activity without delay and should seek to file STRs and SARs ahead of the prescribed timeline.

        • 4.3. Monitoring and Reporting of Continuing Suspicious Activity

          Upon filing an STR/SAR pertaining to an account holder, LFIs are expected to implement enhanced monitoring on such account holders. In the case of continued suspicious activity detected against said account holder, LFIs are expected to expeditiously file an STR/SAR with the FIU.

        • 4.4. Activity Requiring Immediate Attention

          Situations requiring immediate attention include reportable violations that are ongoing (e.g., part of an ongoing money laundering scheme as indicated by an appropriate law enforcement authority) and transactions that the LFI suspects are related to the financing of terrorism and illegal organisations.

        • 4.5. Exceptions for Complex Investigations

          There may be instances when the LFI encounters potentially unusual or suspicious activity that is of a “complex” nature. The following is a non-exhaustive list of factors that should be considered to determine whether investigated activity qualifies as a complex investigation: employee-related investigations; significant investigations involving multiple customers, multiple jurisdictions, multiple accounts, multiple transactions, and/or multiple subpoena requests; and legal referred investigations.

          If the LFI designates an investigation as “complex”, the LFI should submit an initial STR or SAR to the FIU within 15 business days of the alert generation. The initial STR/SAR should be labelled as a “Complex investigation” to the FIU. Following the initial STR or SAR filing, the LFI has an additional 30 business days to obtain all necessary information related to the complex investigation and submit a follow-up STR or SAR to the FIU.

        • 4.6. Summary of Review, Investigation, and Reporting Timelines

          The following table summarizes the recommended suspicious activity review, investigation, and reporting timelines in the absence of escalation for expedited review. Please note – the following table captures the maximum timeline by which LFIs should identify and report suspicious activity and transactions. LFIs are ultimately responsible under UAE’s AML-CFT Law to report suspicious activity without delay and should seek to file STRs and SARs ahead of the below timelines.

          | Action | Maximum Timeline in Calendar Days |
          | --- | --- |
          | Dispositioning of alert; recommendation on whether to file an STR or SAR; and decision on whether to file an STR or SAR | LFIs are expected to file an STR/SAR within a maximum of 35 business days from the date of automated alert generation. |
          | Filing of a follow-up STR or SAR for a “complex investigation” | If an LFI designates an investigation as “complex”, the LFI should submit an initial STR within 15 business days of alert generation – SAR/STR to be labelled “Complex investigation”. Follow-up SAR/STR to be submitted within 30 business days of filing the initial STR. |
          | Filing of STR or SAR on continuing activity | Upon filing an STR/SAR pertaining to an account holder, LFIs are expected to implement enhanced monitoring on such account holders. In the case of continued suspicious activity detected against said account holder, LFIs are expected to expeditiously file an STR/SAR continuing activity with the FIU. |

           

        • 4.7. Escalation for Expedited Review

          In certain cases, an alert or case may need to be dispositioned and an STR or SAR filed more rapidly than usual processes allow. In such cases, the alert will be dispositioned and the STR or SAR filed according to the expedited review timeline as laid out below.

          Circumstances where expedited review is expected include:

          • The activity requires immediate attention (as defined above); and
          • The facts available at the alert review stage are or may be sufficient to warrant an STR or SAR filing without further investigation.
           

          The following table summarizes the recommended suspicious activity review, investigation, and reporting timelines in the event of escalation for expedited review.

          | Action | Maximum Timeline in Calendar Days |
          | --- | --- |
          | Decision on whether to file an STR or SAR and filing of first STR or SAR | 24 hours from decision to file |
          | Filing of STR or SAR on continuing activity | Upon filing an STR/SAR pertaining to an account holder, LFIs are expected to implement enhanced monitoring on such account holders. In the case of continued suspicious activity detected against said account holder, LFIs are expected to expeditiously file an STR/SAR with the FIU. |

           

      • 5. Confidentiality and Prohibition against “Tipping Off”

        According to Article 18 of the AML-CFT Decision, when reporting suspicious activity or transactions to the FIU, LFIs are obliged to maintain confidentiality with regard to both the information being reported and to the act of reporting itself, and to make reasonable efforts to ensure that the information and data reported are protected from access by any unauthorized person.

        As part of their risk-based AML/CFT framework, and in keeping with the nature and size of their businesses, LFIs and their foreign branches or group affiliates where applicable, should establish adequate policies, procedures and controls to ensure the confidentiality and protection of information and data related to STRs, SARs, and other report types. These policies, procedures and controls should be documented, approved by senior management, and communicated to the appropriate levels of the organization.

        LFIs must ensure that all relevant information relating to STRs, SARs, and other report types is kept confidential, with due regard to the conditions and exceptions provided for in the law, and the guiding principles for this must be established in policies and procedures. LFIs should ensure that policies and procedures are reflected in, for example, appropriate access rights with regard to core systems used for case management and notifications, secure information flows, and guidance/training to all employees involved. This guidance and training are particularly important for the first line of defense employees who have contact with customers. It is essential that these employees know when there may be cases of suspicious transactions, what questions they have to ask the customer and which information they must not under any circumstances disclose to the customer.

        It should be noted that the confidentiality requirement does not pertain to communication within the LFI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention or reporting of suspicious transactions and/or crimes related to money laundering and the financing of terrorism and illegal organisations, according to Article 39.1 of the AML-CFT Decision.

        It is a federal crime for LFIs or their managers, employees, or representatives, to inform a customer or any other person, whether directly or indirectly, that a report has been filed or will be filed, or of any information or data contained in the report, or that an investigation is under way concerning the transaction, otherwise known as “tipping off.” Any person violating this prohibition is liable to a penalty of no less than AED100,000 and no more than AED500,000 and imprisonment for a term of not less than one year, according to Article 25 of the AML-CFT Law.

      • 6. Handling of Transactions and Business Relationships after Filing STRs or SARs

        • 6.1. Requirements for Corresponding with the FIU

          As a standard practice and as specified in Article 9.1 of the AML-CFT Law, the FIU can reach out to LFIs to provide additional requested information pertaining to an STR or SAR. Therefore, when responding to the FIU’s inquiries, details should be provided in a way that is precise and outlined as per the request. LFIs should maintain clarity on the presented information and provide it in the required format (e.g., tabular format, pdf, etc.). Moreover, LFIs should avoid adding unnecessary codes and abbreviations or any raw information extracted directly from the core databases, which are unknown to the FIU. It is important to understand that the details pertaining to the source and destination of funds are essential for investigating the reported activity. Therefore, names; account numbers; country of origin and destination; currencies; dates; source and purpose of transactions; and other related information should be detailed in the LFI’s response. Once the report is filed, the LFI should send the report web reference number and inform the FIU via the goAML Message Board.

        • 6.2. Post STR and SAR Process

          Following an STR or SAR filing, the FIU may or may not revert to the LFI with specific instructions, requests for additional information, feedback or further guidance related to the STR or SAR, or to the business relationship in general. In such cases, these communications will generally be directed to the Compliance Officer or MLRO of the LFI. However, LFIs may not receive instructions, additional information requests, or other feedback from the FIU regarding STRs or SARs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, LFIs must follow their internal policies in relation to such customers and should determine the appropriate handling of the STR or SAR and of the business relationship in general, taking into consideration all of the risk factors involved.

          Specifically, once a suspicious transaction or other suspicious information related to a customer or business relationship has been reported to the FIU, the LFI should take the following immediate steps:

          • LFIs should follow the instructions, if any, of the FIU in relation to both the specific transaction and to the business relationship in general.
          • LFIs should identify all related/associated accounts or relationships of STR or SAR customers and conduct a review on those accounts/relationships to check whether any suspicious transaction(s) has taken place. If yes, appropriate risk-based Enhanced Due Diligence (“EDD”) and ongoing monitoring procedures should be implemented.
          • The customer or business relationship, including the related/associated accounts and relationships to the STR or SAR customers, should immediately be classified as a high-risk customer and appropriate risk-based EDD and ongoing monitoring procedures should be implemented in order to mitigate the associated money laundering and the financing of terrorism and illegal organisations risks.
           

          Unless specifically instructed by the FIU to do so, LFIs are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a crime. Furthermore, unless specifically instructed by the FIU to maintain the business relationship (for example, so that the competent authorities may monitor the customer’s activity), it should be the LFI’s responsibility to take appropriate steps in order to decide whether or not to maintain the business relationship based on their risk appetite. However, LFIs should consider the risk of tipping off a customer when taking these restrictive measures on the account. These steps may include, but are not limited to:

          • Reassessing the business relationship risk and re-evaluating the customer’s risk profile, where necessary.
          • Initiating an enhanced customer due diligence review.
          • Considering the performance of an enhanced background investigation (including, if appropriate, the use of a third-party investigation service).
          • Any other reasonable steps, commensurate with the nature and size of their businesses, and bearing in mind the obligation to avoid “tipping off” the customer.
           

          LFIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

          • Document the process by which the decision was made to maintain the business relationship, along with the rationale for, and any conditions related to, the decision; and
          • Implement adequate EDD measures to manage and mitigate the money laundering/the financing of terrorism and illegal organisations risks associated with the business relationship.
           

          In such cases, beyond EDD measures, LFIs should also implement additional control measures such as, but not limited to:

          • Requiring additional data, information or documents from the customer in order to carry out transactions (for example, evidence of relevant licenses or authorizations, customs documents, additional identification documents, bank or other references).
          • Restricting the customer’s use of certain products or services.
          • Placing restrictions and/or additional approval requirements on the processing of the customer’s transactions (for example, transaction size and/or volume limits, or limits to the number of transactions of certain types that can be executed during a given time period).
           

          LFIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, LFIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the money laundering and the financing of terrorism and illegal organisations risks associated with the business relationship.

          Thus, retaining a customer relationship, exiting the relationship, restricting an account, or any other actions taken by an LFI following the filing of an STR, SAR, or other report is a decision based on the LFI’s internal policies and procedures, including its risk appetite, to safeguard the LFI from relevant risks. This is unless the entity receives instructions from the FIU or any other competent authority that should be immediately implemented without delay. In cases where the LFI decides to reject a new customer or to exit an existing relationship due to an STR or SAR filing (or other report), the LFI should ensure that the subject of the filing is added to internal watch lists (e.g., a list of individuals and entities that have been exited for financial crime-related reasons and that should be screened by the LFI to avoid future on-boarding).

          While individual STRs, SARs, or other reports that pose particular risk may require escalation and review for potential exit, repeated filings on a single account or group of related accounts should trigger consideration of customer exit. Repeat filings should also prompt a review of risks associated with accounts of a similar type and of whether internal controls are effectively mitigating risk. An LFI should determine a threshold for which an account that has been subject to a certain amount of STR or SAR filings (or other report) will be escalated to senior management for consideration of account closure, possible restrictions on the account, and/or enhanced monitoring.

          LFIs should also maintain a customer exit policy that outlines the process for reviewing the overall customer relationship and deciding on next steps, including ending the relationship and notifying law enforcement and/or other group affiliates, as appropriate. Customer exit policies should include criteria for when these actions are appropriate and outline how the LFI should monitor the activity of a customer it decides to retain. The LFI should contact law enforcement before closing an account if the entity has knowledge of an ongoing law enforcement investigation involving that account or customer, or the LFI has filed an STR(s), SAR(s), or other report types on the customer or account due to continuing suspicious activity. LFIs should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that an LFI keep a particular account open, the LFI should ask for a written request. The written request should indicate that the agency has requested that the LFI maintain the account along with the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by an LFI in accordance with its own standards and guidelines.

        • 6.3. Governance and Reporting to Senior Management

          LFIs should have mechanisms to inform the Board of Directors (or a committee of the Board) and senior management of compliance initiatives, compliance deficiencies, STRs, SARs, or other regulatory reports filed, and corrective actions taken. LFIs should also develop and maintain a system of reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created, and STRs, SARs, or other report types filed.

          Employees should report the number and types of STRs, SARs, or other regulatory reports filed to the Board of Directors or a Board-designated committee. While employees are not required to provide actual copies of STRs, SARs, or other regulatory reports to the Board (or a committee of the Board), such notifications should contain sufficient information to enable the Board or its committee to provide appropriate oversight over the LFI’s AML/CFT program. Where an individual filing documents activity that poses a particular risk, management may provide a copy of the report to the Board or Board-designated committee. Where appropriate, the suspicious activity or transaction underlying the filing of an STR, SAR, or other regulatory report should be communicated to those individuals responsible for managing the risk associated with the customer and/or activity that is the subject of the STR, SAR, or other regulatory report in order to permit such employees to respond appropriately to the AML/CFT risks identified. Although all such communications are subject to the confidentiality restrictions, it should be noted that the confidentiality requirement does not pertain to communication within the LFI or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention, or reporting of suspicious transactions and/or crimes related to money laundering and the financing of terrorism and illegal organisations, according to Article 39.1 of the AML-CFT Decision (also referenced in Section 5. Confidentiality and Prohibition against “Tipping Off”).

        • 6.4. Record Retention

          According to Article 24 of the AML-CFT Decision, LFIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed for at least five (5) years from the date of completion of the transaction or termination of the business relationship. Such records relate to both internal STRs and those filed with the FIU, and should include but are not limited to:

          • Suspicious transaction indicator alert records, logs, investigations, recommendations and decision records, and all related correspondence;
          • Competent authority request for information, correspondent bank requests for assistance, and their related investigation files and correspondence;
          • CDD and Business Relationship monitoring records, documents, and information obtained in the course of analyzing or investigating potentially suspicious transactions, requests for assistance by LFIs, and all internal or external correspondence or communication records associated with them;
          • STRs, SARs, and other report types (internal and external), logs, and statistics, together with their related analysis, recommendations and decision records, and all related correspondence; and
          • Notes concerning feedback provided by the FIU with respect to reported STRs, SARs, and other report types, as well as notes or records pertaining to any other actions taken by, or requested by, the FIU.
           
      • Annex 1. Indicative Examples of Insufficient STR and SAR Narratives

        Example 1:

         Reason for reporting: Statements show large payments to luxury car companies. High amounts of funds transfers continue over several months.
         

        Comments: The narrative lacks identifying information on the STR subject (name, occupation, address, account number, etc.), and no explanation is given as to why the LFI considers this activity suspicious. The narrative lacks specific transaction data that identifies the dates and amounts of the large payments and specific details on the destination of the funds (the name, location, bank, and account number of the beneficiary car companies, if identifiable).

        Example 2:

         Money orders were purchased on 03-28-21 to ABC Corporation in the amount of AED30,000.
         

        Comments: No explanation is given as to why the MVTS considers this activity suspicious. The LFI does not indicate if money orders were purchased with cash. The LFI does not provide any information about the purchaser or nature of the business (ABC Corporation) and if this activity was normal or unusual for the purchaser or the business.

        Example 3:

         Mr. X was the originator of 12 wires totaling AED400,000. All of the wires were remitted to a Hong Kong based company. During the same period of time, Mr. X deposited cash into his account.
         

        Comments: The narrative lacks specific details on the destination of the funds (the name of the Hong Kong based company, bank, and account number of the beneficiary, if identifiable). The depository LFI fails to include any information concerning the relationship, if any, between the LFI and the customer. Also, no specific transaction data is provided that identifies the dates and amounts of each wire transfer and the cash deposit.

        Example 4:

         The reason for the suspicion is due to multiple third-party transfers being paid into Mr. Y account that were soon followed by multiple cash withdrawals. Funds sent from the account to multiple third parties.
         

        Comments: The narrative lacks specific details on the source of the funds (the individual/entity sending the multiple third-party transfers). The STR does not provide a timeframe of when the transfers were made, the number and value of the third-party transfers, the number and value of the cash withdrawals, and the timeframe (how soon) the cash withdrawals were made following the third-party transfers. The depository LFI fails to include any information concerning the relationship, if any, between the individual/entity sending the multiple third-party transfers and the customer.

        Example 5:

         Information has come to our attention that the Mrs. Y has been convicted of a drug trafficking offense.
         

        Comments: The narrative fails to describe the depository LFI’s relationship with the subject and include additional identifying details about the subject (name, occupation, address, account number, etc.). The narrative does not describe any suspicious activity aside from the conviction and fails to state if the suspicion is related to money laundering or if there are possible links to the financing of terrorism and illegal organisations.

        Example 6:

         Mrs. Y came into the bank and asked questions during the account opening process that were suspicious.
         

        Comments: The narrative does not describe the suspicious activity in detail as a basis for filing the SAR (e.g., the customer refusing to answer account opening questions; providing falsified or counterfeit documentation; exhibiting reluctance to provide detailed information about the customer’s business). The narrative template also fails to describe information that the LFI was able to gather on the prospective customer during account opening (occupation, address, etc.).

        Example 7:

         Mr. LMN was the subject of adverse media involving his association with a terrorist group.
         

        Comments: The narrative fails to describe the depository LFI’s relationship with the subject and include additional identifying details about the subject (name, occupation, address, account number, etc.). The narrative template also does not identify the terrorist group, describe the customer’s relationship with the terrorist group, the timeframe for the customer’s involvement with the terrorist group, and how the LFI became aware of this association, such as a hyperlink to the adverse media report.

        Example 8:

         Mrs. ABC purchased an insurance product using unusual payment methods. Mrs. ABC is a teacher at Happy Day Elementary School in Dubai and resides at 11111 Street Name, Dubai, UAE. Mrs. ABC also has two motor vehicles insured with the LFI since April 2019.
         

        Comments: The narrative fails to describe the type of insurance product purchased, on what date, with what payment method, and why the institution considers this payment method unusual. The institution also does not indicate the customer’s stated purpose for purchasing the insurance product and if this is in line with what the LFI knows about the customer.

        Example 9:

         Mr. XYZ requests to increase payments on his life insurance policy during the period from 02-01-21 to 05-01-21, and the payments appear to be excessive, given Mr. XYZ’s prior history.
         

        Comments: The narrative fails to include additional identifying details about the subject (name, occupation, address, etc.). The narrative lacks specific transaction data that identifies the dates, amounts, and method of payment on the life insurance policy. The narrative also does not describe why the institution considers these payments to be excessive based on the customer’s prior history of payments. The narrative does not indicate how long the subject has been in possession of the life insurance policy.

      • Annex 2. Red Flag Indicators in the Context of the UAE

        The FIU published the following typologies and indicators in their Biannual Financial Crime Trends and Typologies Report (January - June 2020). These typologies and indicators, as well as any future ones the FIU may determine, should be incorporated into an LFI’s AML/CFT program with a view to update policies, procedures, detection scenarios, and red flag indicators for identifying potentially suspicious activity.

        B.1 General indicators

        According to the FIU, the following indicators are present in many of the typologies used in money laundering and the financing of terrorism and illegal organisations.

         Transactions involving locations with poor AML/CFT regimes or high exposure to corruption.
         Significant and/or frequent transactions in contrast to known or expected business activity.
         Significant and/or frequent transactions in contrast to known employment status.
         Ambiguous or inconsistent explanations as to the source and/or purpose of funds.
         Where relevant, nervous or uncooperative behavior exhibited by the LFI’s employees and/or customers.
         

        B.2 Wire transfers to and from bank accounts

         How it works: Transferring proceeds of crime from one person to another via money remittance services.
         Possible indicators
          o Significant and/or frequent cash payments for transfers.
          o Transfers to or from locations that have poor AML/CFT regimes or high exposure to corruption.
          o Transfers to high-risk countries or known tax havens.
          o Transfers to numerous offshore jurisdictions with no business rationale.
          o Same home address provided by multiple remitters.
          o Reluctant to provide the LFI with identification details.
         

        B.3 Purchase of valuable commodities

         How it works: Laundering proceeds of crime by purchasing valuable commodities, for example, precious metals or gems.
         Possible indicators
          o Significant and/or frequent cash purchases of valuable commodities.
          o Regularly buying and selling of valuable commodities that is not supported with a business purpose and/or does not make economic sense.
         

        B.4 Purchase of valuable assets

         How it works: Laundering proceeds of crime by purchasing valuable assets, for example, property or vehicles.
         Possible indicators
          o Purchase/sale of real estate above/below market value irrespective of economic disadvantage.
          o Cash purchases of valuable assets with cash and/or cash deposits for valuable assets.
          o Low value property purchased with improvements paid for in cash before reselling.
          o Rapid repayment of loans/mortgages with cash or funds from an unlikely source.
         

        B.5 Offshore companies

         How it works: The process of registering companies in the UAE, especially in the free zones, with foreign directors and/or shareholders in order to open bank accounts to facilitate money laundering and/or the financing of terrorism and illegal organisations by unverified beneficiaries.
         Possible indicators
          o Large numbers of companies registered with the same office address.
          o Address on file is for a ‘Virtual office’.
          o Accounts/facilities are opened/operated by company formation agents.
          o Lack of information regarding overseas directors/beneficiaries.
          o Complex ownership structures.
          o Companies where there is no apparent business purpose.
         Additional indicators:
          o The same natural person is the director for a large number of single director companies.
          o The same person (natural or corporate) is the shareholder of a large number of single-shareholder companies.
          o Use of a small number of local 'agents' who undertake transactions with the companies’ register.
         

        B.6 Nominees, trustees, family members or third parties

         How it works: Utilizing other people to carry out transactions in order to conceal the true identity of the individual ultimately controlling the proceeds of crime.
         Possible indicators
          o Customers using family members or third parties, including the use of children’s accounts.
          o Transactions where third parties seem to be retaining a portion of funds, which would indicate the use of mules.
          o Accounts operated by someone other than the account holder.
          o Many transactions conducted at various LFIs and/or branches, in one day.
          o Significant and/or frequent transactions made over a short period of time.
         

        B.7 Trade-based money laundering

         How it works: Manipulating invoices, often in connection with international trade, by overstating the value of a shipment providing criminal entities with a paper justification to either launder proceeds of crime and/or send funds overseas to finance terrorism.
         Possible indicators
          o Invoice value greater than value of goods.
          o Discrepancies in domestic and foreign import/export data.
          o Suspicious cargo movements.
          o Suspicious domestic import data.
          o Discrepancies in information regarding the origin, description, and value of the goods.
          o Discrepancies with tax declarations on export declarations.
          o Sudden increase in online auction sales by particular vendors (online auction sites).
          o Frequent purchases between same buyers and vendors (online auction sites).
         

        B.8 Cancellation of credits or overpayments

         How it works: Laundering proceeds of crime by overpaying then requesting refund cheques for the balance.
         Possible indicators
          o Frequent cheque deposits issued by car dealers, dealers in jewelry, etc.
          o Significant and/or frequent payments to utility companies, for example, prepaid cards for fuel, telecom e-wallets etc.
          o Frequent cheque deposits issued by utility companies (i.e., electricity providers).
          o Significant and/or frequent payments for purchases from online auction sites.
          o Frequent personal cheque deposits issued by third parties.
         

        B.9 Electronic transfers to and from bank accounts

         How it works: Transferring proceeds of crime from one bank account to another via LFIs.
         Possible indicators
          o Transfers to or from locations that have poor AML/CFT regimes or high exposure to corruption.
          o Transfers involving accounts located in high-risk countries or known tax havens.
          o Transfers to offshore jurisdictions with no business rationale.
          o Multiple transfers sent to the same person overseas by different people.
          o Departure from the UAE shortly after transferring funds.
          o Transfers of funds between various accounts that show no economic purpose (i.e., multiple transfers incurring bank fees where one single transfer would have been sufficient).
         

        B.10 Co-Mingling

         How it works: Combining proceeds of crime with legitimate business takings.
         Possible indicators
          o Significant and/or frequent cash deposits when business has electronic funds transfer at point-of-sale facilities.
          o Large number of accounts held by a customer with the same LFI.
          o Accounts operated by someone other than the account holder.
          o Merging businesses to create layers.
          o Complex ownership structures.
          o Regular use of third-party accounts.
         

        B.11 Gatekeepers/professional services

         How it works: Utilizing ‘Professionals’ to establish seemingly legitimate business activities, for example, Lawyers, Accountants, Brokers, Company Formation Agents.
         Possible indicators
          o Accounts and/or facilities opened and/or operated by company formation agents.
          o Gatekeepers that appear to have full control.
          o Known or suspected corrupt professionals offering services to criminal entities.
          o Accounts operated by someone other than the account holder.
         

        B.12 Cash deposits

         How it works: Placement of cash into the financial system.
         Possible indicators
          o Large cash deposits followed immediately by withdrawals or electronic transfers.
         

        B.13 Structuring

         How it works: Separating large transactions into small transactions to avoid scrutiny and detection from LFIs.
         Possible indicators
          o Many transactions conducted at various LFIs and/or branches, in one day.
          o Small/frequent cash deposits, withdrawals, electronic transfers made over a short time period.
          o Multiple low value domestic or international transfer.
         

        B.14 Smurfing

         How it works: Utilizing third parties or groups of people to carry out structuring.
         Possible indicators
          o Third parties conducting numerous transactions on behalf of other individuals.
          o Many transactions conducted at various LFIs and/or branches, in one day.
          o Accounts operated by someone other than the account holder.
         

        B.15 Credit Cards/Cheques/Promissory Notes

         How it works: Instruments used to access funds held in an LFI, often in another jurisdiction.
         Possible indicators
          o Frequent cheque deposits in contrast to known or expected business activity.
          o Multiple cash advances on credit card facilities.
          o Credit cards with large credit balances.
         

        B.16 Transactions inconsistent with intended purpose of the account

         How it works: Transactions that are out of the ordinary for the individual or conducted without a clear rationale.
         Possible indicators
          o Transactions to or from unrelated parties.
          o Transaction amounts that are inconsistent with the account’s expected volumes or frequencies.
          o Transactions that are out of the ordinary for the customer’s profession or business activity.
         

        B.17 Cash couriers

         How it works: Concealing the movement of currency from one jurisdiction to another using people, luggage, mail, or any other mode of shipment, without declaration.
         Possible indicators
          o Transactions involving locations with poor AML/CFT regimes or high exposure to corruption.
          o Customers originating from locations with poor AML/CFT regimes/high exposure to corruption.
          o Significant and/or frequent cash deposits made over a short period of time.
          o Significant and/or frequent currency exchanges made over a short period of time.
         

        B.18 Other payment technologies

         How it works: Utilizing emerging or new payment technologies such as virtual currencies/crypto-currencies, peer-to-peer (P2P) lending etc. to facilitate money laundering and/or the financing of terrorism and illegal organisations.
         Possible indicators
          o Excessive use of stored value cards.
          o Significant and/or frequent transactions using mobile telephone services.
          o Unjustified transactions to and from Cryptocurrency platforms and digital assets exchanges.
         

        B.19 Underground banking/alternative remittance services

         How it works: Transferring proceeds of crime from one person to another via informal banking mechanisms such as unregistered Hawaladars.
         Possible indicators
          o Mostly prevalent under the auspices of a general trading company license.
          o Significant and/or frequent cash payments for transfers in which the cash deposits could be from many different individuals using the cash deposit machines.
          o Cash volumes and transfers in excess of average income of migrant account holders.
          o Transfers to or from locations that have poor AML/CFT regimes or high exposure to corruption.
          o Large transfers from accounts to potential cash pooling accounts.
          o Significant and/or frequent transfers recorded informally using unconventional bookkeeping.
          o Significant and/or frequent transfers requested by unknown or intermittent customers.
          o Numerous deposits to one account followed by numerous payments made to various people.
          o Vague invoices and documentation which may deliberately be made to appear complex.
         

        B.20 Cash exchanges

         How it works: Exchanging low denomination notes for high denomination notes (also known as refining) as a means to launder proceeds of crime, as well as reduce large volumes of cash obtained from serious crime.
         Possible indicators
          o Significant and/or frequent cash exchanges from small to large denominations.
         

        B.21 Currency conversion

         How it works: Converting one currency into another as a means to launder proceeds of crime, as well as reduce large volumes of cash obtained from serious crime.
         Possible indicators
          o Significant and/or frequent local or foreign currency exchanges.
          o Opening of foreign currency accounts with no apparent business or economic purpose.
         
      • Annex 3. Red Flag Indicators for the UAE Insurance Sector

        The UAE Insurance Authority has issued the following list of red flag indicators when handling life and general insurance products. The indicators, as well as any future ones the UAE Insurance Authority may determine, should be incorporated into an LFI’s AML/CFT program with a view to update policies, procedures, detection scenarios, and red flag indicators for identifying potentially suspicious activity related to life and general insurance products.

         1. The purchase of an insurance product does not reflect a customer’s known needs (e.g., purpose of the account).
         2. The early surrender of an insurance product is taken at a cost to the customer.
         3. The surrender of an insurance product is initiated with the refund directed to a third party.
         4. The customer exhibits no concern for the investment performance of a purchased insurance product and instead exhibits significant concern for its early surrender terms.
         5. The customer purchases insurance products using unusual payment methods, such as cash or cash equivalents, or with monetary instruments in structured amounts.
         6. The customer demonstrates reluctance to provide identifying information when purchasing an insurance product.
         7. The customer borrows the maximum amount available from their insurance product shortly after purchase.
         8. The customer used to purchase low-premium insurance and pay premiums by making regular payments but suddenly purchases insurance that requires a large lump-sum premium payment, for which no reasonable explanations are provided.
         9. The customer purchases an insurance product without concern for the coverage or benefits, or the customer only cares about the procedures for the policy loan, cancellation of insurance policy, or changing beneficiary when purchasing an insurance policy that has a high cash value or requires a high lump-sum premium payment.
         10. The customer usually pays a premium by making regular payments but suddenly requests to purchase a large-sum policy by paying off premium all at once.
         11. The customer purchases insurance products with high cash value successively over a short period of time, and the insurance products purchased do not appear to be commensurate with the customer’s status and income or are unrelated to the nature of the customer’s business.
         12. The customer pays premiums in cash and in several payments marginally below the threshold for declaration but cannot reasonably explain the source of funds. In addition, the transactions do not appear to be commensurate with the customer’s status and income or are unrelated to the nature of the customer’s business.
         13. The customer, after making a large premium payment for a policy purchased, applies for a large policy loan or cancels the policy in a short period of time, for which no reasonable explanations are provided.
         14. The customer is a policyholder of several motor vehicles which is inconsistent with their profile.
         15. The theft of a motor vehicle is not reported by the customer/policyholder.
         16. The customer attempts to insure a motor vehicle that was reported as stolen or as a total loss.
         
      • Annex 4. Overarching Rules and Principles for the goAML System

        The FIU published the goAML XML Submission Guide (please see Section 3.4) with additional detail on the rules that an LFI should consider when submitting an STR, SAR, or other report type in the goAML system:

         All LFI transactions should be reported as bi-party transactions on the goAML system.
         Reporting entities should submit only suspicious transactions in a report. Any additional transactions can be submitted via an AIFT (upon request only).
         For AIFT submissions where the number of transactions exceeds 10,000, reporting entities are advised to split them into more than one AIFT; however, the AIFT should use the same “Internal Reference Number”.
         A deposit is composed of a bi-party transaction occurring from a person who may be a conductor to an account.
         A withdrawal is composed of a bi-party transaction occurring from an account to a person.
         A remittance is composed of a bi-party transaction occurring from one person/account/entity to another.
         A wire transfer is composed of a bi-party transaction occurring from an account to another account.
         In case an LFI is acting as a correspondent bank within a reported transaction, then the transaction is occurring from one account to another, in which both accounts should be classified as ‘Not My Client’ by the LFI/Compliance Officer/MLRO.
         In the case of Exchange Houses, where a currency exchange transaction is being reported, it should be reported as a bi-party transaction, where the “from” and “to” parties are the same Person.
         The conductor field is mandatory when the transaction is conducted from an entity.
         If the date of birth for a subject (person) is unknown, then the user may enter the 1st of January 1900 in the ‘Birth Date’ field.
         In case the expiration date of a registered ID is unknown, then the user may enter the 31st of December 2100 in the ‘Expiry Date’ field.
         When reporting a transaction that involves an account, it is imperative that the LFI also provide details for the person or entity associated with the said account.
         
      • Annex 5. Synopsis of the Guidance

        Introduction

        Purpose

        The purpose of the Guidance is to assist the understanding and effective performance by the United Arab Emirates Central Bank's (CBUAE) licensed financial institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE.

        Applicability

        This guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

         • National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
         • Insurance companies, agencies, and brokers.

        Legal Basis

        The legal basis of STR reporting is based on the (i) Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (AML) and Combatting the Financing of Terrorism (CFT) and Financing Illegal Organisations and Federal Decree law No. (26) of 2021 To amend certain provisions of Federal Decree-law No. (20) of 2018, on anti-money laundering and combating the financing of terrorism and financing of illegal organisations; (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations; and (iii) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution. The legal basis addresses (i) the consequences for failure to disclose suspicious activity, (ii) protection for individuals disclosing suspicious activity, and (iii) the meaning of suspicious transactions.

        Identification of Suspicious Transactions

        Role of the First Line of Defense

        The first line of defense plays a critical role in the management of customer and third-party risk and the timely escalation of potentially suspicious activity. The first line of defense is well-placed to identify suspicious transactions and to assess whether information once deemed reasonable, collected through interactions with a customer, now appears suspicious. Employees within the first line of defense include relationship managers, business executives, and back-office operations functions.

        Role of the Second Line of DefenseThe second line of defense (e.g., compliance employees) provides policy, advice, guidance, assurance, oversight, and challenge to the first line of defense. While employees in Financial Crime Operations Units (possibly in the first line of defense) can investigate suspicious transactions and document the resultant investigation, the ultimate filing of the STR or SAR should be made by the Compliance Officer or the money laundering reporting officer (MLRO) (in the second line of defense). The second line of defense is charged with overseeing the investigations programme.
        Role of the Third Line of DefenseThe third line of defense identifies gaps, deficiencies, and weaknesses in operational controls owned or overseen by an LFI’s business, operations, and compliance functions.
        Purpose of Transaction MonitoringThe purpose of transaction monitoring is the ongoing, retrospective monitoring of customers’ and prospective customers’ transactions or activity to identify activity anomalous from normal behavior. This may, on further investigation, generate knowledge or reasonable suspicion of financial crime and thereby require reporting to the appropriate law enforcement and/or regulatory authority as an STR, SAR, or equivalent local report in line with AML/CFT regulatory and/or UAE FIU reporting requirements.
        Internal OrganizationAn LFI’s internal organization is important to appropriately identify unusual or potentially suspicious activity. Internal organization comprises an LFI’s governance and management oversight; policies and procedures; clear lines of responsibility and reporting; and ongoing training to account for changes in the UAE’s legislative and regulatory frameworks. There are also specific considerations for institutions with foreign branches and subsidiaries.
        Transaction Monitoring MethodsA transaction monitoring program should take into account the AML/CFT risks of the LFI’s customers, prospective customers, counterparties, businesses, products, services, delivery channels, and geographic markets in addition to helping prioritize high-risk alerts. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or a combination of these, including an intelligence-led transaction monitoring approach.
        Procedures for the Reporting of Suspicious TransactionsImportance of Filing an STR or SARInformation generated from an STR, SAR, and other report type is important for law enforcement and the FIU to effectively identify and combat financial crime. Specifically, the quality of STRs, SARs, and other report types is imperative for increasing the FIU’s analytical function to identify vulnerabilities and threats to the UAE financial system and develop an overall understanding of money laundering and the financing of terrorism and illegal organisations risks
        Basic Structure of an STR or SARDifferent report types can be filed in the FIU’s “goAML” portal (i.e., STR, SAR, AIF, AIFT, RFI, RFIT, HRC, HRCA). In addition, an LFI should divide a narrative into three sections (introduction, body, and conclusion).
        Best Practices for Drafting an STR or SARA narrative should identify and answer the five questions – who? what? when? where? and why? – of the suspicious activity being reported to the FIU in addition to the operation/modus operandi (or how?). The Guidance also addresses how defensive STR or SAR filings are generally discouraged.
        How to Submit an STR or SARLFIs are required to submit suspicious transaction and activity reports directly to the FIU using the “goAML” portal. There are certain mandatory fields that an LFI should populate when submitting a report in the goAML portal in addition to providing certain supplemental documents.
        Amendments to Submitted ReportsOnce a report is submitted and accepted in the goAML system, changes cannot be applied, including amendments for missing or incorrect information. However, LFIs may file a corresponding AIF, AIFT, RFI, or RFIT.
        Timing of Alert Reviews and STR FilingsAlert Review, Case Investigation, and STR/SAR Decision Making and FilingIn the absence of escalation for expedited review, LFIs are expected to file an STR/SAR within a maximum of 35 business days from the date of automated alert generation. The establishment of adequate grounds of suspicion may involve the investigation procedures as per the LFIs' AML and/or Financial Crime Compliance policies and procedures. LFIs are expected to complete the required investigative procedures as expeditiously as possible. LFIs must maintain adequately detailed records of investigative procedures performed against alerts and when filing an STR/SAR, must include a summary justifying the time taken to establish grounds of suspicion. In the event of escalation for expedited review, the Compliance Officer or MLRO should file an STR or SAR to the FIU within 24 hours of the determination. All prospective STRs or SARs should be reviewed for accuracy and completeness prior to filing, in accordance with applicable procedures.
        Monitoring and Reporting of Continuing Suspicious ActivityUpon filing an STR/SAR pertaining to an account holder, LFIs are expected to implement enhanced monitoring on such account holders. In the case of continued suspicious activity detected against said account holder, LFIs are expected to expeditiously file an STR/SAR with the FIU.
        Activity Requiring Immediate AttentionSituations requiring immediate attention include reportable violations that are ongoing (e.g., part of an ongoing money laundering scheme as indicated by an appropriate law enforcement authority) and transactions that the LFI suspects are related to the financing of terrorism and illegal organisations.
        Exceptions for Complex InvestigationsIf the LFI designates an investigation as “complex”, the LFI should submit an initial STR or SAR to the FIU within 15 business days of the alert generation. The initial STR/SAR should be labelled as a “Complex investigation” to the FIU. Following the initial STR or SAR filing, the LFI has an additional 30 business days to obtain all necessary information related to the complex investigation and submit a follow-up STR or SAR to the FIU.
        Summary of Review, Investigation, and Reporting TimelinesThere are recommended timelines for the review, investigation, and reporting of suspicious activity in the absence of an escalation for expedited review.
        Escalation for Expedited ReviewIn certain cases, an alert or case may need to be dispositioned and an STR or SAR filed more rapidly than usual processes allow. In such cases, the alert will be dispositioned and the STR or SAR filed within 24 hours.
        Confidentiality and Prohibition against “Tipping Off”Confidentiality and Prohibition against “Tipping Off”When reporting suspicious activity or transactions to the FIU, LFIs are obliged to maintain confidentiality regarding both the information being reported and specific to the act of reporting itself, and to make reasonable efforts to ensure that the information and data reported are protected from access by any unauthorized person.
        Handling of Transactions and Business Relationships after Filing STRsRequirements for Corresponding with the FIUIf the FIU reaches out to an LFI for additional information pertaining to an STR or SAR, details should be provided in a way that is precise and outlined as per the request. LFIs should maintain clarity on the presented information and provide it in the expected format.
        Post STR or SAR Process: Following the filing of an STR or SAR, LFIs are obliged to follow the instructions, if any, of the FIU in relation to both the specific transaction and the business relationship in general. LFIs may decide to retain a customer relationship, exit the relationship, or restrict an account, among others. Any action taken by an LFI following the filing of an STR or SAR is a decision based on the LFI’s internal policies and procedures, including its risk appetite, although LFIs should consider the risk of tipping off a customer when implementing such restrictive measures.
        Governance and Reporting to Senior Management: LFIs should have mechanisms to inform the Board of Directors (or a committee of the Board) and senior management on the status of its AML/CFT program, including reporting on the number and types of STRs or SARs.
        Record Retention: LFIs are required to retain all records and documents pertaining to STRs or SARs and the results of all analysis or investigations performed for a period of no less than five (5) years from the date of completion of the transaction or termination of the business relationship.
        Annexes
        Annex 1. Indicative Examples of Insufficient STR or SAR Narratives: Examples of insufficient STR or SAR narratives are provided with an explanation on why these STR or SAR narratives are not sufficient and comprehensive.
        Annex 2. Red Flag Indicators in the Context of the UAE: The FIU published typologies and indicators of suspicious activity that an LFI should consider with a view to update policies, procedures, detection scenarios, and red flag indicators for identifying potentially suspicious activity.
        Annex 3. Red Flag Indicators for the UAE Insurance Sector: The UAE Insurance Authority issued a list of red flag indicators that an LFI should consider with a view to update policies, procedures, detection scenarios, and red flag indicators for identifying potentially suspicious activity.
        Annex 4. Overarching Rules and Principles for the goAML System: The goAML XML Submission Guide provides additional detail on the rules that an LFI should consider when submitting an STR, SAR, or other report type in the goAML system.
        Annex 5. Synopsis of the Guidance
    • Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions

      Effective from 4/7/2021
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this Guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

          National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
           
          Insurance companies, agencies, and brokers.
           
        • 1.3. Legal Basis

          This Guidance builds upon the provisions of the following laws and regulations:

          Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (“AML-CFT Law”).
           
          Cabinet Decision No. (10) of 2019 concerning the Implementation Regulation of Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (“AML-CFT Decision”).
           
          Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorists Financing & Proliferation of Weapons of Mass Destruction, and Related Resolutions (“Cabinet Decision 74”).
           

          The AML-CFT Law and the AML-CFT Decision require LFIs to promptly apply directives issued by the competent authorities of the UAE for implementing the decisions issued by the United Nations Security Council (“UNSC”) under Chapter VII of the Charter of the United Nations (“UN”). In furtherance of this requirement, the Cabinet Decision 74 sets out the legislative and regulatory framework regarding the Targeted Financial Sanctions (“TFS”), including the Local Terrorist List and the UN Consolidated List.

          The Executive Office [3] acts as a national lead to coordinate and liaise on the implementation of TFS with all the federal and local government stakeholders, including financial institutions (FIs) and designated non-financial business and professions (DNFBPs), and has issued the “Guidance on Targeted Financial Sanctions for FIs and DNFBPs”. The Executive Office is mainly responsible for:

          Receiving and processing grievances against Listing in UN and Local Lists decisions;
           
          Receiving and processing applications to use frozen funds as per sanctions lists;
           
          Working closely with the Supreme Council with regards to the local Listing;
           
          Circulating updates to the local and UN lists to the government and private sector; and
           
          Coordinating and exchanging information between Government Agencies.
           

          This Guidance issued by the CBUAE is supplementary to the above-mentioned “Guidance on Targeted Financial Sanctions for Financial Institutions and Designated Non-financial Business and Professions” issued by the Executive Office.


          3 Website: Home | Committee for goods & material subjected to import & export (uaeiec.gov.ae)

        • 1.4. Definitions

          Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the board of directors, or the decisions made by the board or by the general assembly of the entity, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence.

          Direct Relationship: A relationship between two parties that knowingly provide the other material, technological, logistical, or financial support and both parties are directly impacted by the other party.

          Funds: Assets of all types, in whatever form and however acquired, whether corporeal or incorporeal, tangible or intangible, movable or immovable, electronic, digital or encrypted, including national currency, foreign currencies, documents and legal instruments establishing ownership of such assets or any associated rights, in whatever form, including electronic or digital forms, as well as economic resources considered as assets of any kind, including oil and natural resources, and bank credits, cheques, money orders, shares, securities, bonds, drafts, and letters of credit and any interest, dividends, or other income accruing from or generated by such assets, and that may be used to obtain any other funds, goods or services including internet posting services or related services.

          Indirect Relationship: A relationship between two parties that affect each other through a third-party source or one or more intermediaries.

          Listed Person: Individuals, legal entities and groups listed by the UN Security Council on the UN Consolidated List, or listed by the UAE Cabinet on the Local Terrorist List, as the case may be.

          Listing: Identifying the individuals, legal entities and groups subject to sanctions imposed pursuant to relevant UNSC Resolutions (“UNSCRs”), decisions of the Sanctions Committee, or relevant decisions of the UAE Cabinet, as the case may be, and implementing relevant sanctions against such individuals, legal entities and groups, with a statement of the reasons for Listing.

          Local Terrorist List: Terrorism lists issued by the UAE Cabinet pursuant to the provisions of Article (63) paragraph (1) of Federal Law No. (7) of 2014 on Combating Terrorism Offences.

          Other Measures: Sanction measures other than freezing that must be enforced, and which may be included in Relevant UNSCRs or UAE Cabinet decisions regarding the issuance of Local Terrorist List, such as prohibitions relating to travel, weapons, imports, or provision of fuel supplies and other.

          Previous Customer: A customer with whom the relationship was terminated and the LFI maintains relevant records according to record keeping and other requirements.

          Relevant UNSCRs: All current and future UNSCRs relating to the suppression and combating of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, including but not limited to Resolutions 1267 (1999), 1373 (2001), 1988 (2011), 1989 (2011), 1718 (2006), 2231 (2015) and any successor resolutions.

          Sanctions Committee: Any of the UN Security Council Committees established as per its resolutions, including UNSCRs 1267 (1999) and 1989 (2011) relating to ISIL and Al-Qaida, 1988 (2011) relating to the Security and Stability of Afghanistan, and 1718 (2006) relating to the suppression and combating of proliferation of weapons of mass destruction for the DPRK.

          Subsidiary: An entity owned by another entity by more than 50% of its capital or under full control of that entity regarding appointment of the Board of Directors.

          Targeted Financial Sanctions (TFS): The term Targeted Financial Sanctions means that such sanctions are against certain individuals, entities, groups, or undertakings. The term Targeted Financial Sanctions includes both asset freezing and prohibitions to prevent funds or other assets from being made available, directly, or indirectly, for the benefit of individuals, entities, groups, or organization who are sanctioned.

          The Executive Office: The Executive Office of the Committee for Goods and Materials Subject to Import and Export Control.

          UN Consolidated List: A list containing the names of individuals and organizations linked to terrorism, financing of terrorism or proliferation of weapons of mass destruction and its financing, and that are subject to sanctions imposed as per UNSCRs and decisions of the Sanctions Committee, along with information related to such persons and reasons for their Listing.

          Without Delay: Within 24 hours of the Listing decision being issued by the UNSC, the Sanctions Committee or the UAE Cabinet, as the case may be.

           

      • 2. Sanctions Compliance Program

        LFIs should take appropriate steps to develop, implement and regularly update an appropriate Sanctions Compliance Program (SCP) in order to fulfil their obligation to comply with the provisions of the Cabinet Decision 74 as well as with the directives of the relevant competent authorities and supervisory authorities in regard to sanctions issued by the UNSC. An appropriate SCP also assists LFIs to manage their exposure to the risks associated with international financial sanctions programs and restrictive measures implemented by other countries.

        LFIs should design and update their SCP so that its scope is proportionate to the level of their risk profile, tailored to their nature, scale, and complexity, appropriate for the products and services they offer, the customers, clients, and partner relationships they maintain, and the geographic regions in which they operate. LFIs should ensure the SCP includes the eight (8) essential components: senior management commitment, risk assessment, sanctions risk appetite, internal controls, policies and procedures, training, independent audit and testing of processes and systems, and record keeping.

        • 2.1. Senior Management Commitment

          Senior management is defined broadly to include senior leadership, executives, and the board of directors. Senior management’s commitment to, and support of, the LFI’s SCP is one of the most important factors in determining its success. In order to facilitate effective senior management commitment, an LFI should:

           Ensure that senior management has reviewed and approved the organization’s SCP.
           Ensure that senior management has reviewed and approved the methodology used for undertaking the risk assessment and reviewed and approved the LFI’s risk assessments at least on an annual basis.
           Clearly designate the personnel responsible for ensuring proper implementation of the SCP, including day-to-day operations, and compliance with statutory obligations. These personnel should have the appropriate competencies and experience, or be appropriately trained, to perform the duties and responsibilities associated with this role, should have sufficient seniority, and should be delegated sufficient authority and autonomy to discharge the LFI’s responsibilities. The personnel may have other responsibilities in the LFI, provided that these responsibilities do not conflict with their role in implementing the SCP. For example, large LFIs may choose to hire a dedicated sanctions compliance officer, while smaller LFIs may choose a specific officer or manager currently working at the LFI to be responsible for the SCP in addition to their other duties.
           Ensure the existence of direct reporting lines between the personnel responsible for the SCP and senior management to facilitate the escalation of financial sanctions issues, including regular and periodic meetings.
           Ensure that the SCP is fully integrated into the organization’s daily operations and allocated adequate resources in the form of human capital, expertise, information technology, and other resources as appropriate.
           Recognize compliance failings and implement necessary measures to reduce future incidents, including through addressing root causes and implementing systemic solutions.
           
        • 2.2. Risk Assessment

          LFIs should take appropriate steps to conduct a regular and updated risk assessment to identify, understand, assess, monitor, and manage their risks in line with their business nature and size. While there is no “one-size-fits-all” risk assessment, the assessment exercise should generally consist of a holistic review of the LFI from top to bottom and assess its touchpoints to the outside world where the LFI may potentially, directly or indirectly, be exposed to sanctioned parties or transactions. In most cases, LFIs should consider performing such risk assessments annually; however, assessments that are more frequent or less frequent may be justified, depending on the particular circumstances. These may include a change to the LFI risk profile, regulatory or law enforcement advisories, or global trends in terrorism financing (“TF”) and the financing of proliferation of weapons of mass destruction (“PF”).

           In determining potential risks, LFIs should take into account, to the extent relevant, any vulnerabilities relating to:
            o its customers, supply chain, intermediaries, and counterparties;
            o its products and services, including how and where such items fit into other financial or commercial products, services, networks, or systems;
            o the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counterparties;
            o its distribution channels and business partners;
            o the complexity and volume of its transactions;
            o the development of new products and business practices including new delivery mechanisms, channels, and partners; and
            o the use of new or developing technologies for both new and pre-existing products and services.
           LFIs should document risk assessment operations, keep them up to date on an ongoing basis, and make them available upon request.
           The results of a risk assessment are integral to informing the SCP’s policies, procedures, internal controls, and training in order to effectively mitigate risks.
           LFIs should develop and thoroughly document their risk assessment methodologies to identify, analyze, and address relevant risks. The methodologies should reflect the conduct and root cause of any violations or systemic deficiencies identified.
           
        • 2.3. Sanctions Risk Appetite

          LFIs should develop and maintain a comprehensive written sanctions risk appetite approved by the LFI’s senior management and embedded through policies, procedures, and screening systems parameterization.

           The sanctions risk appetite should specify which sanctions regimes are applicable to the LFI (for example UNSCR, OFAC, EU, UK etc.).
           LFIs should specify their policy on the treatment of interests, properties, assets, or entities that are owned or controlled 50% or more by a Listed Person.
           LFIs should specify their approach to mitigating the risk of breaching unilateral sanctions, especially where sanctions may have extra-territorial implications or where the Listed Persons may or may not have a presence in the UAE (for example, secondary sanctions by OFAC).
           LFIs should specify their approach to screening alias names, such as one-word synonyms, vessel names, or paper-based instruments.
           LFIs should identify and document any exceptions to sanctions risk appetite or deviations from their policies and procedures; these should be approved by senior management.
           

          For more details and information, please refer to Annex 2 for related Lessons learned from CBUAE Supervision.

        • 2.4. Internal Controls

          Internal controls are the mechanisms, rules, and procedures implemented to help ensure the integrity and effectiveness of an LFI’s SCP. As required by Cabinet Decision 74, LFIs must have appropriate internal controls in place, including the most recent publication of Targeted Financial Sanctions of the UN Consolidated List and the Local Terrorist List. Accordingly, LFIs must maintain strong and clear internal controls that ensure the effective implementation of their SCP, including policies, procedures, processes, and systems.

           LFIs should document how their processes and systems are configured in order to demonstrate that their configuration is reasonably expected to detect and manage the specific sanctions risks to which the LFI is exposed, and ensure transparency of any system limitations or risk-based decisions that the screening controls are not designed to detect. [4]
           LFIs should establish a mechanism to ensure that, upon learning of a weakness pertaining to their SCP compliance, immediate and effective action is taken to identify compliance gaps and their root causes, including in all program-related software, systems, and other technology, and to remediate them by implementing systemic solutions to reduce the chances of future failures.
           

          4 See https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf

        • 2.5. Policies and Procedures

          LFIs should develop and maintain clear and comprehensive written policies and procedures to enable them to manage and mitigate the sanctions risks they have identified, commensurate with the nature and size of their business.

           LFIs should ensure that policies and procedures are approved by senior management and that they:
            o Enable the LFI to clearly and effectively identify, prevent, escalate, and report suspicious transactions and activities;
            o Are tailored to the organization and capture the organization’s day-to-day operations and processes;
            o Are easy to follow and designed to prevent employees from engaging in misconduct;
            o Prohibit employees from, directly or indirectly, informing the customer or any third party that freezing or any Other Measures shall be implemented;
            o Require enhanced due diligence to be conducted on all customers and transactions that are assessed to be high-risk for TF and PF; and
            o Contain sufficient detail of their record keeping obligations.
           LFIs should ensure the effective and consistent implementation of the policies and procedures related to the SCP across their organizations, including branches, Subsidiaries, and other entities in which LFIs hold a majority interest.
           LFIs should clearly communicate the SCP’s policies and procedures, including for record keeping, to all relevant employees and external or outsourced service providers.
           LFIs should review and update policies and procedures in a timely manner in response to events or emerging risks and ensure that such updates are communicated to employees on a timely basis.
           LFIs should implement a formal review process at least annually of the policies and procedures at appropriate levels subject to approval where changes are material.
           LFIs should identify and document any exceptions or deviations from the policies and procedures related to the SCP; these should be approved by senior management.
           
        • 2.6. Training

          The maintenance and implementation of an effective SCP requires that all relevant employees and management understand requirements and obligations, policies and procedures, internal control mechanisms, and threats, risks, and vulnerabilities. A robust training program is an integral component of an effective SCP. A training program should:

           Be of a scope and nature proportionate to the LFI’s overall risk profile;
           Be specific to the role carried out by the employee, with tailored training for employees engaged in sensitive roles;
           Provide training to all appropriate employees and personnel upon onboarding in a timely manner and at least annually thereafter;
           Hold employees accountable for training through assessments;
           Include measures to take immediate and effective action to provide corrective training or other corrective actions to relevant personnel upon learning of a confirmed negative risk assessment result or audit finding, or other deficiency pertaining to the SCP.
           
        • 2.7. Independent Audit and Testing of Processes and Systems

          Independent audit helps the LFI assess the effectiveness of current processes, including by assessing the sufficiency of the program and by checking for any inconsistencies between the policy and procedures and day-to-day operations in order to identify SCP weaknesses and deficiencies. Independent audits should:

           Be undertaken regularly to review and assess the effectiveness of the financial sanctions policies, procedures, systems and controls, and their compliance with the LFI’s obligations;
           Be undertaken by the internal audit function, or by a competent independent external auditor, or both, and resourced with skilled and competent staff that understand the SCP of the LFI; and
           Be commensurate to the level and sophistication of the SCP and updated to account for changing risk assessments or sanctions environments.
           

          LFIs should ensure that the audit function is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization. LFIs should immediately address negative audit findings and take the necessary steps to identify and implement compensating controls until the root cause is remediated.

          In addition, LFIs should deploy an independent risk-based testing regime to regularly test the adequacy and expected outcomes of their processes and systems, as well as to assess their effectiveness in managing the specific risks articulated in the risk assessment. Regular testing of processes and systems ensures that the screening application generates the expected alerts and that threshold settings and/or screening rules forgo or suppress undesirable alerts in accordance with the LFI’s risk appetite. Regular testing should be supported by metrics, analysis, and reporting, and be reviewed by the personnel responsible for the SCP to determine whether risk acceptance or remediation is appropriate with respect to any relevant findings. Regular testing could be undertaken by the internal audit function, or by a competent external provider, or both.

        • 2.8. Record Keeping

          According to the AML-CFT Law and the AML-CFT Decision, LFIs must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as all records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, and copies of personal identification documents, including STRs and results of any analysis performed. LFIs must maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. LFIs must make the records available to the competent authorities immediately upon request.

          The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, all depending on the circumstances.

      • 3. Screening Operations

        Under Article 21.2 of Cabinet Decision 74, LFIs must regularly screen their databases and transactions against names on the UN Consolidated List and the Local Terrorist List, and also immediately when notified of any changes to any of such lists, provided that such screening includes the following:

         - Searching their customer databases.
         - Search for the names of parties to any transactions.
         - Search for the names of potential customers.
         - Search for the names of beneficial owners.
         - Search for names of persons and organizations with which they have a direct or indirect relationship.
         - Continuously search their customer database before conducting any transaction, or entering into a serious business relationship with any person, to ensure that their name is not listed on the UN Consolidated List or the Local Terrorist List.
         
        • 3.1. Sanctions Evasion

          Illicit actors targeted by sanctions are likely to utilize a range of tactics to evade the prohibitions, which can be difficult to identify. LFIs should remain vigilant in order to identify attempts to evade, avoid, or circumvent sanctioned activities. Frequent tactics employed for sanctions evasion include renaming, using intermediaries, creating front companies, and using alternative financial networks. LFIs should monitor not only for sanctions violations but also for red flags of potential evasion risks. LFIs also need to remain vigilant for new methods of evading sanctions. Customer Due Diligence (“CDD”) and Enhanced Due Diligence (“EDD”) play a critical role, in combination with sanctions screening, in identifying and preventing more complicated forms of sanctions evasion.

          LFIs should also prohibit activity that aims to evade or circumvent sanctions prohibitions. Accordingly, LFIs must not engage in activities that could be part of a sanctions evasion scheme, including but not limited to:

           Tipping off customers or counterparties;
           Omitting, withholding, altering, misstating, or removing any information about customers or transactions;
           Accepting incomplete information (when the customer deliberately withholds an identifier, such as a date of birth or address, to avoid being matched with the sanctions lists) or false information (when the customer provides a false identifier, such as a wrong date of birth, that would not match the details listed on the sanctions lists);
           Providing false or incomplete information to counterparties or sanctions-imposing authorities; or
           Any other activities that would cause a conflict with or failure to comply with this Guidance.
           

          For more details and information, please refer to the Executive Office’s “Typologies on the circumvention of Targeted Sanctions against Terrorism and the Proliferation of Weapons of Mass Destruction” (circulated by CBUAE Notice No. 2893 dated 02/06/2021).

        • 3.2. Maintenance of UN Consolidated List and Local Terrorist List

          LFIs should rely on the official website of the UNSC for the most updated UN Consolidated List:

            https://www.un.org/securitycouncil/content/un-sc-consolidated-list
           

          LFIs should rely on the official website of the Executive Office to obtain the most recent publication of the Local Terrorist List issued by the UAE Cabinet:

             https://www.uaeiec.gov.ae/en-us/
             https://www.uaeiec.gov.ae/ar-ae/
           

          In addition, under Article 21 of Cabinet Decision 74, LFIs must register on the Executive Office’s website in order to receive automated email notifications with updated and timely information about the Listing and de-Listing of individuals or entities in the Local Terrorist List and in the UN Consolidated List.

          When LFIs utilize external vendors’ lists for their Sanctions List and Local Lists, it is the LFI’s responsibility to undertake due diligence on these vendors and ensure that the vendors’ lists contain all names listed by the UN Consolidated List and UAE Local Terrorist List.

        • 3.3. Customer Screening

          Screening processes should be conducted at various stages of the customer lifecycle to include:

           Periodic name screening: A change to either the customer identifying information or the UN Consolidated List/Local Terrorist List should trigger an automatic rescreening.
           Ad hoc name screening: Such screening is triggered by a specific business need or in order to comply with a request by a competent authority, or in the case of feedback from a downstream financial institution.
           Re-screening: A specific scenario in the transaction monitoring system identifies a high-risk jurisdiction in updated customer information.
           
        • 3.4. Name Screening

          In addition to the regular screening utilizing the UN Consolidated List and Local Terrorist List indicated above, LFIs should maintain the following sanctions compliance procedures to prevent and detect sanctions breaches:

           1. Ownership/Control Rule: Individuals or legal entities that are directly or indirectly owned or controlled mainly or fully by one or more Listed Persons are subject to the same prohibitions as the Listed Person, even if such individuals or legal entities are not specifically named by the competent authority on the respective UN Consolidated List or Local Terrorist List.
           

          The criterion to be taken into account when assessing whether an individual or legal entity is mainly owned by a Listed Person is the possession of more than 50% of the proprietary rights of an entity or having majority interest in it. If this criterion is satisfied, it is considered that the individual or legal entity is owned by a Listed Person.

          The criteria to be taken into account when assessing whether an individual or legal entity or arrangement is mainly controlled by a Listed Person, alone or pursuant to an agreement with another shareholder or other third party, include the following:

          Having the right to appoint or remove a majority of the members of the administrative or management body of such a legal person, entity, group or arrangement;
           
          Having appointed solely as a result of the exercise of one's voting rights a majority of the members of the administrative or management body of a legal person, entity, group or arrangement who have held office during the present and previous financial year;
           
          Controlling alone, pursuant to an agreement with other shareholders in or members of a legal person, group or entity, a majority of shareholders' or members' voting rights in that legal person, entity, group or arrangement;
           
          Having the right to exercise a dominant influence over a legal person, group or entity, pursuant to an agreement entered into with that legal person, entity, group or arrangement, or to a provision in its Memorandum or Articles of Association, where the law governing that legal person, entity, group or arrangement permits its being subject to such agreement or provision;
           
          Having the power to exercise the right to exercise a dominant influence referred to in the previous point, without being the holder of that right;
           
          Having the right to use all or part of the assets of that legal person, entity, group or arrangement;
           
          Managing the business of that legal person, entity, group or arrangement on a unified basis, while publishing consolidated accounts; or
           
          Sharing jointly and severally the financial liabilities of that legal person, entity, group or arrangement, or guaranteeing them.
           
           2. Fuzzy Matching: An algorithm-based technique for matching data points where the contents of the information being screened are not identical to the contents of a list used for screening, but their spelling, pattern or sound is a close match.
           
           3. Weak or Low-quality Aliases: Relatively broad or generic aliases may generate a large volume of false hits when such names are run through a computer-based screening system. LFIs should perform their own assessments on whether to screen for weak aliases based on their understanding of their own risk profile.
           
        • 3.5. Verification of False Positives

          Because many names may be common, various potential matches may be found. A potential match is any match between data in the sanctions lists and any information in the LFI’s databases. However, it does not necessarily mean that the individual or entity the LFI is dealing with is subject to sanctions. When identifying the potential match, LFIs should suspend any transaction until they are satisfied it is not a Listed Person.

          LFIs should compare potential matches with the UN Consolidated List and the Local Terrorist List in order to confirm whether they are true matches and to eliminate “false positives.” LFIs should compare information that is known about the party in question, such as date of birth and address, with other information provided in the designation order. Furthermore, LFIs should undertake efforts to obtain additional information and identification documents, which may have previously not been obtained from the customer or a counterparty, to ascertain whether the customer is the actual designated person in the case of similar or common names. If the LFI establishes that the match is a false positive, then the LFI does not need to freeze or apply Other Measures related to sanctions. Therefore, the LFI may allow the transaction or relationship to continue its normal course, provided that the transaction or relationship is not suspicious and does not trigger any other concerns. LFIs are required to maintain evidence of the false positive verification process in their records and make it available to the competent authorities immediately upon request.

          LFIs may create a “white list” (or a “good customer list”) of names of customers that have been flagged as potential matches to the UN Consolidated List and the Local Terrorist List but subsequently cleared through thorough due diligence by the LFI. Those “white lists” may be used to improve the process related to screening by leveraging the results of past due diligence and reducing the number of false positives. While an LFI should not overly rely on such a list and must diligently and continuously screen customers and transactions in case they are implicated in the updated UN Consolidated List and Local Terrorist List, the use of such a “white list” may assist the LFI in expediting the dispositioning in case of repeated false positive matches. LFIs should have documented procedures for managing and periodically reviewing and updating those “white lists”.

          For more details and information, please refer to Annex 2 for related Lessons learned from CBUAE Supervision.
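The following Python sketch is an added illustration of sections 3.4 and 3.5 and is not part of the CBUAE Guidance: it combines fuzzy matching on spelling and sound, optional weak-alias screening, a secondary-identifier comparison, and a “white list” that stops suppressing a hit once the list entry has changed. The 0.85 threshold, the use of Soundex, the `revision` counter, all field names and all sample names are assumptions constructed for the example.

```python
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class ListEntry:
    entry_id: str
    revision: int      # assumed counter, bumped whenever the listing is updated
    names: tuple       # ((name, is_weak_alias), ...)
    dob: str = ""      # empty string means the listing carries no date of birth

@dataclass(frozen=True)
class Party:
    party_id: str
    name: str
    dob: str = ""

_CODES = {c: str(d) for d, group in
          enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1) for c in group}

def normalize(name):
    """Casefold, strip diacritics and punctuation, sort tokens (word order ignored)."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    return " ".join(sorted("".join(c if c.isalnum() else " " for c in text).split()))

def soundex(token):
    """Classic four-character Soundex code for one lowercase token."""
    token = "".join(c for c in token if c.isalpha())
    if not token:
        return ""
    out, prev = token[0].upper(), _CODES.get(token[0])
    for c in token[1:]:
        code = _CODES.get(c)
        if code and code != prev:
            out += code
        if c not in "hw":          # h and w do not separate equal codes
            prev = code
    return (out + "000")[:4]

def name_match(a, b, threshold=0.85):
    """Return 'spelling', 'sound' or None for two names."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return None
    if SequenceMatcher(None, na, nb).ratio() >= threshold:
        return "spelling"
    if sorted(map(soundex, na.split())) == sorted(map(soundex, nb.split())):
        return "sound"
    return None

def screen(party, entries, cleared, screen_weak_aliases=True):
    """Return potential matches that still need analyst review.

    cleared maps (party_id, entry_id) to the entry revision that due diligence
    cleared; a later revision of the entry voids the clearance.
    """
    hits = []
    for entry in entries:
        for name, weak in entry.names:
            if weak and not screen_weak_aliases:
                continue
            reason = name_match(party.name, name)
            if reason is None:
                continue
            if cleared.get((party.party_id, entry.entry_id)) == entry.revision:
                break              # cleared against exactly this revision
            if party.dob and entry.dob:
                check = ("identifier_match" if party.dob == entry.dob
                         else "identifier_conflict")
            else:
                check = "insufficient_information"   # cannot be dismissed on data alone
            hits.append({"entry": entry.entry_id, "matched_name": name,
                         "reason": reason, "check": check, "weak_alias": weak})
            break                  # one hit per list entry
    return hits

# Constructed sample data; these names do not come from any real list.
SAMPLE_LIST = (
    ListEntry("L-001", 1, (("Katerina Testova", False), ("The Engineer", True)),
              "1980-01-15"),
    ListEntry("L-002", 1, (("Stefan Mayer", False),)),
)

if __name__ == "__main__":
    for p in (Party("C-1", "Caterina Testowa", "1991-07-02"),
              Party("C-2", "Stephen Meier")):
        print(p.party_id, screen(p, SAMPLE_LIST, cleared={}))
```

The `check` value only supports the analyst's documented verification; it does not by itself establish a false positive or a confirmed match.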

        • 3.6. Payments Screening

          LFIs should also screen information regarding counterparties of all incoming and outgoing transfers in order to identify any potential match to Listed Persons. The information to be screened includes:

           The parties involved in a transaction, including the sender and the receiver;
           Third parties and intermediaries;
           Bank Names, Bank Identifier Code (“BIC”) and other routing codes;
           Free text fields;
           International Securities Identification Numbers (“ISINs”) or other risk relevant product identifiers (there are multiple fields in the identifier information section for sanctions lists. An ISIN number can be screened as an identifier number similar to a date of birth/passport number, and towns/regions can be screened as jurisdictions operating in);
           Geography, including addresses, countries, cities, towns, regions.
           
        • 3.7. Confirmed match

          Under Articles 15 and 21 of Cabinet Decision 74, when a match is found through the screening process, LFIs must immediately, without delay and without prior notice, freeze all Funds. Without delay, as defined by Article 1 of Cabinet Decision 74, means within 24 hours of the Listing decision being issued by the UNSC, the Sanctions Committee or the UAE Cabinet, as the case may be.

          For more details and information, please refer to the Executive Office’s Guidance on Targeted Financial Sanctions for FIs and DNFBPs.

      • 4. Notification to CBUAE and Executive Office

        Under Article 21(5) of Cabinet Decision 74, LFIs must immediately notify the CBUAE in the following cases:

         Identification of funds and actions that have been taken as per requirements of Relevant UNSCRs or decisions of the Cabinet regarding the issuance of Local Terrorist List (including but not limited to freezing), including attempted transactions.
         Detection of any match with Listed Persons or entities, details of the matched data, and actions that have been taken as per the requirements of Relevant UNSCRs and Local Terrorist Lists, including attempted transactions.
         Identification of a previous customer or an occasional customer listed on the UN Consolidated List or Local Terrorist List.
         Suspicion that a current or previous customer, or a person with whom they have a business relationship, is a Listed Person or has a direct or indirect relationship with a Listed Person.
         No action has been taken due to a false positive and the inability to dismiss a false positive through available or accessible information (i.e. given insufficient information, such as matching identifier information, address, DOB, or nationality). Please see also section 3.5 above.
         Unfreezing of Funds, identifying the information relating to funds that have been unfrozen, including their status, nature, value and measures that were taken in respect thereof, and any other information relevant to such decisions.
         

        Under Article 15(2) of Cabinet Decision, LFIs must also notify the Executive Office of any freezing measures and/or attempted transactions.

        According to the Executive Office’s Guidance on Targeted Financial Sanctions for FIs and DNFBPs, LFIs should notify the CBUAE and the Executive Office within two (2) business days from taking any freezing measure and/or attempted transactions. For the reporting mechanism and form(s), please consult the CBUAE’s and the Executive Office’s websites as updated from time to time.

      • Annex 1. Red Flag Indicators for TF and PF

        Accurately identifying and assessing the TF and PF risks of a customer or business relationship is critical for appropriately managing these risks. A single indicator on its own may seem insignificant, but when combined with others it could provide reasonable grounds to suspect that the transaction is related to TF or PF activity.

        • 1. Red Flag Indicators for TF7

          Potentially Suspicious Activity That May Indicate Terrorist Financing Published in the FFIEC BSA/AML Examination Manual5

          Activity Inconsistent with the Customer’s Business:

           Funds are generated by a business owned by persons of the same origin or by a business that involves persons of the same origin from higher-risk countries (e.g., countries designated by national authorities and FATF as non-cooperative countries and territories).
           The stated occupation of the customer is not commensurate with the type or level of activity.
           Persons involved in currency transactions share an address or phone number, particularly when the address is also a business location or does not seem to correspond to the stated occupation (e.g., student, unemployed, or self-employed).
           Regarding nonprofit or charitable organizations, financial transactions occur for which there appears to be no logical economic purpose or in which there appears to be no link between the stated activity of the organization and the other parties in the transaction.
           A safe deposit box opened on behalf of a commercial entity when the business activity of the customer is unknown or such activity does not appear to justify the use of a safe deposit box.
           

          Funds Transfers:

           A large number of incoming or outgoing funds transfers take place through a business account, and there appears to be no logical business or other economic purpose for the transfers, particularly when this activity involves higher-risk locations.
           Funds transfers are ordered in small amounts in an apparent effort to avoid triggering identification or reporting requirements.
           Funds transfers do not include information on the originator, or the person on whose behalf the transaction is conducted, when the inclusion of such information would be expected.
           Multiple personal and business accounts or the accounts of nonprofit organizations or charities are used to collect and funnel funds to a small number of foreign beneficiaries.
           Foreign exchange transactions are performed on behalf of a customer by a third party, followed by funds transfers to locations having no apparent business connection with the customer or to higher-risk countries.
           

          Other Transactions That Appear Unusual or Suspicious:

           Transactions involving foreign currency exchanges are followed within a short time by funds transfers to higher-risk locations.
           Multiple accounts are used to collect and funnel funds to a small number of foreign beneficiaries, both persons and businesses, particularly in higher-risk locations.
           A customer obtains a credit instrument or engages in commercial financial transactions involving the movement of funds to or from higher-risk locations when there appear to be no logical business reasons for dealing with those locations.
           Banks from higher-risk locations open accounts.
           Funds are sent or received via international transfers from or to higher-risk locations.
           Insurance policy loans or policy surrender values that are subject to a substantial surrender charge.
           

          Terrorist Financing Indicators Published by FINTRAC (Canada’s Financial Intelligence Unit)6

           Transactions involving certain high-risk jurisdictions such as locations in the midst of, or in proximity to, armed conflict where terrorist groups operate or locations which are subject to weaker ML/TF controls.
           An account opened in the name of an entity, a foundation or association, which may be linked or involved with a suspected terrorist organization.
           The use of funds by a non-profit organization is not consistent with the purpose for which it was established.
           Raising donations in an unofficial or unregistered manner.
           Client identified by media or law enforcement as having travelled, attempted or intended to travel to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
           Transactions involve individual(s) or entity(ies) identified by media and/or Sanctions List as being linked to a terrorist organization or terrorist activities.
           Law enforcement information provided which indicates individual(s) or entity(ies) may be linked to a terrorist organization or terrorist activities.
           Client conducted travel-related purchases (e.g. purchase of airline tickets, travel visa, passport, etc.) linked to high-risk jurisdictions (including cities or districts of concern), specifically countries (and adjacent countries) under conflict and/or political instability or known to support terrorist activities and organizations.
           Individual or entity's online presence supports violent extremism or radicalization.
           Client donates to a cause that is subject to derogatory information that is publicly available (e.g. crowdfunding initiative, charity, non-profit organization, non-government organization, etc.).
           

          5 Available at: https://bsaaml.ffiec.gov/manual/Appendices/07
          6 Available at: https://www.fintrac-canafe.gc.ca/guidance-directives/transaction-operation/indicators-indicateurs/fin_mltf-eng

        • 2. Red Flag Indicators for PF

          Indicators of Possible Proliferation Financing as mentioned in Annex 1 to the 2008 FATF Typologies Report on Proliferation Financing7

           (i) Transaction involves person or entity in foreign country of proliferation concern.
           (ii) Transaction involves person or entity in foreign country of diversion concern.
           (iii) The customer or counterparty or its address is similar to one of the parties found on publicly available lists of “denied persons” or has a history of export control contraventions.
           (iv) Customer activity does not match business profile, or end-user information does not match end-user’s business profile.
           (v) A freight forwarding firm is listed as the product’s final destination.
           (vi) Order for goods is placed by firms or persons from foreign countries other than the country of the stated end-user.
           (vii) Transaction involves shipment of goods incompatible with the technical level of the country to which it is being shipped, (e.g. semiconductor manufacturing equipment being shipped to a country that has no electronics industry).
           (viii) Transaction involves possible shell companies (e.g. companies do not have a high level of capitalisation or displays other shell company indicators).
           (ix) Transaction demonstrates links between representatives of companies exchanging goods i.e. same owners or management.
           (x) Circuitous route of shipment (if available) and/or circuitous route of financial transaction.
           (xi) Trade finance transaction involves shipment route (if available) through country with weak export control laws or weak enforcement of export control laws.
           (xii) Transaction involves persons or companies (particularly trading companies) located in countries with weak export control laws or weak enforcement of export control laws.
           (xiii) Transaction involves shipment of goods inconsistent with normal geographic trade patterns (e.g. does the country involved normally export/import good involved?).
           (xiv) Transaction involves financial institutions with known deficiencies in AML/CFT controls and/or domiciled in countries with weak export control laws or weak enforcement of export control laws.
           (xv) Based on the documentation obtained in the transaction, the declared value of the shipment was obviously under-valued vis-à-vis the shipping cost.
           (xvi) Inconsistencies in information contained in trade documents and financial flows, such as names, companies, addresses, final destination etc.
           (xvii) Pattern of wire transfer activity that shows unusual patterns or has no apparent purpose.
           (xviii) Customer vague/incomplete on information it provides, resistant to providing additional information when queried.
           (xix) New customer requests letter of credit transaction awaiting approval of new account.
           (xx) Wire instructions or payment from or due to parties not identified on the original letter of credit or other documentation.
           (xxi) Involvement of items controlled under WMD export control regimes or national control regimes.
           (xxii) Involvement of a person connected with a country of proliferation concern (e.g. a dual-national), and/or dealing with complex equipment for which he/she lacks technical background.
           (xxiii) Use of cash or precious metals (e.g. gold) in transactions for industrial items.
           (xxiv) Involvement of a small trading, brokering or intermediary company, often carrying out business inconsistent with their normal business.
           (xxv) Involvement of a customer or counterparty, declared to be a commercial business, whose transactions suggest they are acting as a money-remittance business.
           (xxvi) Transactions between companies on the basis of “ledger” arrangements that obviate the need for international financial transactions.
           (xxvii) Customers or counterparties to transactions are linked (e.g. they share a common physical address, IP address or telephone number, or their activities may be coordinated).
           (xxviii) Involvement of a university in a country of proliferation concern.
           (xxix) Description of goods on trade or financial documentation is nonspecific, innocuous or misleading.
           (xxx) Evidence that documents or other representations (e.g. relating to shipping, customs, or payment) are fake or fraudulent.
           (xxxi) Use of personal account to purchase industrial items.
           

          7 Available at: fatf guidance on proliferation financing (fatf-gafi.org)

        • 3. Red Flag Indicators for Potential Sanctions Circumventions

          Some Red Flags or Situations to Identify Potential Sanctions Circumventions Published in the Executive Office’s “Typologies on the circumvention of Targeted Sanctions against Terrorism and the Proliferation of Weapons of Mass Destruction” 8

          The following are some red flags or situations that could be looked at more closely or monitored by financial institutions and designated non-financial businesses or professions to identify potential sanctions circumventions of your clients, their business, or their transactions.

           Dealings in sectors vulnerable to terrorist financing and/or proliferation of weapons of mass destruction, for example:
            o Financial sector
            o Hawalas or other money transfer services providers
            o Oil and gas sector
            o Non-profit organizations
            o International trade
           Dealings, directly or through a client of your client, with high-risk countries for terrorism financing.
           Dealings, directly or through a client of your client, with sanctioned countries or territories where sanctioned persons are known to operate.
           The use of shell companies through which funds can be moved locally and internationally by misappropriating the commercial sector in the UAE.
           Dealings with goods that are sanctioned or under embargo. For example:
            o Weapons
            o Oil or other commodities
            o Luxury goods (for DPRK sanctions)
           Dealings with dual-use goods.
           Dealings with controlled substances.
           Identifying documents that seem to be forged or counterfeited.
           Identifying tampered or modified documents with no apparent explanation, especially those related to international trade.
           Use of intermediaries.
           When the flows of funds exceed those of normal business (revenues or turnover).
           The activity developed or financed does not relate to the original or intended purpose of the company or entity. For example:
            o For companies, they are importing high-end technology devices, but they are registered as a company that commercializes nuts.
            o For a non-profit organization, they are exporting communication devices, but they are an entity aimed to provide health services.
           Very complex commercial or business deals that seem to be aiming to hide the final destination of the transaction or the good.
           Complex legal entities or arrangements that seem to be aiming to hide the beneficial owner.
           Carrying out of multiple ATM cash withdrawals in short succession (potentially below the daily cash reporting threshold) across various locations in territories where sanctioned people have influence or in the border of sanctioned countries.
           Irregularities during the CDD process which could include, but are not limited to:
            o Inaccurate information about the source of funds and/or the relationship with the counterparty.
            o Refusal to honor requests to provide additional KYC documentation or to provide clarity on the final beneficiary of the funds or goods.
            o Suspicion of forged identity documents
           

          8 Available at https://www.uaeiec.gov.ae/en-us/un-page#

      • Annex 2. Lessons learned from CBUAE Supervision

        In 2020 the CBUAE’s AML/CFT Supervision Department conducted a thematic review of 30 LFIs’ sanctions screening systems. The aim of the review was to assess the LFIs’ compliance with these provisions and their sanctions screening systems’ effectiveness and efficiency levels.

        For more details and information, please refer to the CBUAE’s “Sanctions Screening Testing Thematic Review – Lessons Learned and Expectations”.9


        9 Available at https://www.centralbank.ae/en/cbuae-amlcft.

      • Annex 3. Synopsis of the Guidance

        Purpose of this Guidance

        Purpose: The purpose of this Guidance is to assist the understanding and effective performance by the CBUAE licensed financial institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE related to targeted financial sanctions, screening and reporting requirements as well as the development of an appropriate sanctions compliance program.

        Applicability: This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories:
        • national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
        • insurance companies, agencies, and brokers.

        Sanctions Compliance Program

        Senior Management Commitment: LFI senior management's commitment to, and support of, the Sanctions Compliance Program (SCP) is one of the most important factors in determining its success. In order to facilitate effective senior management commitment, an LFI should, among other things:
        • Ensure that senior management has reviewed and approved the organization's SCP;
        • Clearly designate the personnel responsible for ensuring proper implementation of the SCP; and
        • Ensure that the SCP is fully integrated into the organization's daily operations and allocating adequate resources to it.

        Risk Assessment: LFIs should take appropriate steps to conduct a regular and updated sanctions risk assessment to identify, understand, assess, monitor and manage their risks in line with their business nature and size.

        Sanctions Risk appetite: LFIs should develop and maintain a comprehensive written sanctions risk appetite approved by the LFI's senior management and embedded through policies, procedures, and screening systems parameterization.

        Internal Controls: Internal controls are the mechanisms, rules, and procedures implemented to help ensure the integrity and effectiveness of an LFI's SCP. LFIs must have and maintain strong and clear internal controls to ensure compliance with their statutory sanctions obligations and ensure the effective implementation of their SCP.

        Policies and Procedures: LFIs should develop and maintain clear and comprehensive written policies and procedures that should, among other things:
        • Be approved by senior management; and
        • Enable the LFI to clearly and effectively identify, prevent, escalate, and report potentially prohibited transactions and activities.

        LFIs should ensure the effective and consistent implementation of the policies and procedures related to the SCP across their organizations, including branches, subsidiaries, and other entities in which LFIs hold a majority interest. LFIs should implement a formal review process, at least annually, of the policies and procedures at appropriate levels subject to approval where changes are material.

        Training: A robust training program is an integral component of an effective SCP and should, among other things:
        • Be of a scope and nature proportionate to the LFI's overall risk profile;
        • Be specific to the role carried out by the employee, with tailored training for employees engaged in sensitive roles; and
        • Provide training to all appropriate employees and personnel upon onboarding in a timely manner and at least annually thereafter.

        Independent Audit and Testing of Processes and Systems: Independent audit helps the LFI assess the effectiveness of current processes, including by assessing the sufficiency of the program and by checking for any inconsistencies between the policy and procedures and day-to-day operations in order to identify SCP weaknesses and deficiencies. In addition, LFIs should deploy an independent risk-based testing regime to regularly test their processes’ and systems’ adequacy and expected outcomes, as well as to assess their effectiveness in managing the specific risks articulated in the risk assessment.

        Record keeping: LFIs must maintain, at least for five years, detailed records associated with their ML/FT risk assessment and mitigation measures as well as all records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, and copies of personal identification documents, including STRs and results of any analysis performed; and make them available to authorities on request.

        Screening Operations

        Sanctions Evasion: LFIs should remain vigilant in order to identify attempts to evade, avoid, or circumvent sanctioned activities. LFIs should monitor not only for sanctions violations but also for red flags of potential evasion risks. LFIs should also prohibit activity that aims to evade or circumvent sanctions prohibitions.

        Maintenance of Sanctions List and Local Lists: LFIs should rely on the official websites of the UNSC and the Executive Office of the Committee for Goods & Materials Subject to Import & Export Control (Executive Office) respectively for the most updated UN Consolidated List and Local Terrorist List. LFIs must register on the Executive Office's website in order to receive automated email notifications with updated and timely information about the listing and de-listing of individuals or entities in the Local Terrorist List and in the UN Consolidated List.

        Customer Screening: Screening should be conducted at various stages of the customer lifecycle, to include periodic name screening, ad hoc name screening, and re-screening.

        Name Screening: In addition to the regular screening utilizing the lists indicated above, LFIs should maintain additional sanctions compliance procedures relating to name screening to prevent and detect sanctions breaches. These procedures should address the ownership/control rule, fuzzy matching, and weak or low-quality aliases.

        Verification of False Positives: LFIs should compare potential matches with the sanctions lists indicated above in order to confirm whether they are true matches and to eliminate “false positives.” If the LFI establishes that the match is a false positive, then the LFI does not need to freeze or apply other measures related to sanctions. The LFI may allow the transaction or relationship to continue its normal course, provided that the transaction or relationship is not suspicious and does not trigger any other concerns. LFIs are required to maintain evidence of the false positive verification process in their records and make it available to the competent authorities immediately upon request.

        Payments Screening: LFIs should also screen information regarding counterparties of all incoming and outgoing transfers in order to identify any potential match to Listed Persons.

        Confirmed Match: When a match is found through the screening process, LFIs must immediately, without delay and without prior notice, freeze all Funds. Without delay, as defined by Cabinet Decision 74, means within 24 hours of the listing decision being issued by the UNSC, the Sanctions Committee or the UAE Cabinet, as the case may be.

        Notifications

        Notifications to the CBUAE and Executive Office: LFIs must immediately notify the CBUAE, as well as the Executive Office, of any freezing measures and/or attempted transactions. LFIs should notify the CBUAE and the Executive Office within two (2) business days from taking any freezing measures and/or attempted transactions. For the reporting mechanism and form(s), please consult the CBUAE's and the Executive Office's websites as updated from time to time.

        Annexes

        Annex 1: Red flag indicators for TF and PF
        Annex 2: Lessons learned from CBUAE Supervision
        Annex 3: Synopsis of the Guidance

         

    • Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening

      Effective from 8/9/2021
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

           National banks, branches of foreign banks, exchange houses, finance companies and other LFIs; and
           Insurance companies.
           
        • 1.3. Legal Basis

          This Guidance builds upon the provisions of the following laws and regulations:

           (i) Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and Financing Illegal Organisations (“AML-CFT Law”);

           (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations (“AML-CFT Decision”); and

           (iii) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution (“Cabinet Decision 74”).
           

          With respect to transaction monitoring (“TM”), and as per Articles 4.2 (a) and 20 of AML-CFT Decision, LFIs are obliged to develop internal policies, controls, and procedures that are commensurate with the nature and size of their business and are approved by senior management to enable them to manage the crime risks that have been identified. They must also continuously update them. Furthermore, under Article 16 of AML-CFT Decision, LFIs must put in place indicators that can be used to identify suspicious transactions and other activity in order to file suspicious transaction reports (“STR”), suspicious activity reports (“SAR”) or other report types to the UAE’s Financial Intelligence Unit (“FIU”). LFIs must update these indicators on an ongoing basis, in line with all applicable instructions from the UAE’s supervisory authorities and FIU.

          With respect to sanctions screening, and as per Article 21.2 of Cabinet Decision 74, LFIs are obliged to regularly screen their databases and transactions against names on lists issued by the UNSC and its relevant Committees (UN Consolidated List) or by the UAE Cabinet (Local Terrorist List), and also immediately when notified of any changes to any of such lists. Such screening must include regular searches of their customer databases, parties to any transactions, potential customers, beneficial owners, and persons and organizations with which the LFI has a direct or indirect relationship. LFIs must also screen their customer database before conducting any transaction, or entering into a business relationship with any person, to ensure that their name is not listed on the UN Consolidated List or the Local Terrorist List.

          For more details and information, please refer to the Executive Office of the Committee for Goods and Materials Subject to Import and Export Control’s (“Executive Office”) Guidance on TFS for Financial Institutions and Designated Non-financial Business and Professions², the CBUAE’s Guidance for Licensed Financial Institutions on the Implementation of TFS, and the CBUAE’s Guidance for Licensed Financial Institutions on STR³. LFIs should consult the CBUAE’s and the Executive Office’s websites as updated from time to time.


          2 Available at: https://www.uaeiec.gov.ae/en-us/un-page.
          3 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

        • 1.4. Acronyms

          Terms | Description
          AML | Anti-money laundering
          CBUAE | Central Bank of the United Arab Emirates
          CDD | Customer due diligence
          CFT | Combating the financing of terrorism
          FATF | Financial Action Task Force
          FIU | Financial intelligence unit
          ISIN | International Securities Identification Numbers
          KYC | Know your customer
          LFI | Licensed financial institution
          MIS | Management information systems
          ML | Money laundering
          OCR | Optical character recognition
          PF | Proliferation financing
          SAR | Suspicious activity report
          STR | Suspicious transaction report
          SWIFT | Society for Worldwide Interbank Financial Telecommunications
          TF | Terrorist financing
          TM | Transaction monitoring
          TFS | Targeted financial sanctions

           

      • 2. Transaction Monitoring

        An effective TM program enables LFIs to detect, investigate, and report suspicious transactions, in compliance with the UAE’s legal and regulatory framework, and to ensure that the institutions’ customers and transactions remain within their risk appetite. Effective TM therefore depends critically on information obtained through the application of customer due diligence (“CDD”)/know your customer (“KYC”) measures, including but not limited to information regarding the types of transactions in which the customer would normally be expected to engage.

        Obtaining a sufficient understanding of its customers and the nature and purpose of the customer relationship, together with the ongoing analysis of actual customer behavior and the behavior of relevant peer groups, allows the LFI to develop a baseline of normal or expected activity for the customer, against which unusual or potentially suspicious transactions can be identified. TM compliance personnel should escalate for priority remediation any identified omissions or inaccuracies in relevant customer or beneficial ownership information or gaps or data quality issues in required transaction or payment message fields.

        An effective TM program consists of the following core elements:

         A well-calibrated risk-based framework: The risks LFIs face are dynamic and the transactions they carry out may be varied and high in volume. LFIs should therefore review and enhance their TM frameworks regularly and upon the occurrence of specified “trigger events,” such as material changes in the LFI’s business or risk profile or its legal and regulatory environment, to ensure that they remain tailored to the institution’s financial crime risks. Incorporating feedback from the personnel handling the alerts to the TM system also helps in better calibration and tuning.
         
         Robust training and risk awareness: To ensure proper functioning and implementation of their TM programs, LFIs should ensure that personnel with TM responsibilities have adequate experience and expertise and receive role-specific training on the institution’s TM policies, procedures, and risks.
         
         Meaningful integration into the AML/CFT program: LFIs should ensure that their TM systems and frameworks reinforce, and are reinforced by, the wider AML/CFT control environment of which they are a part. An effective TM program depends on the quality and completeness of data drawn from the LFI’s customer and transactional systems and databases. In tandem, the outcomes of TM should inform the LFI’s understanding and management of its financial crime risks, including by prompting off-cycle customer reviews and the application of enhanced scrutiny or additional controls to higher-risk customers or transactions.
         
         Active oversight: The LFIs’ board and senior management should take an active role in overseeing the performance of their TM programs and the ongoing enhancement of TM systems on the basis of the institution’s risks. Where the outcomes of TM are compromised by factors such as inappropriate calibration, process inefficiencies, staff issues, or system failures, it is necessary that the board (or a board-designated committee) and senior management be made aware of these issues in a timely manner so as to ensure that they are promptly and adequately remediated. The board and senior management should also communicate clear risk appetites within their institutions and set a strong tone from the top that the prevention, detection, and reporting of illegal or suspicious transactions are a priority. A quality assurance process should also play a crucial part in the TM program, by validating the review from an accuracy and detail perspective. Any changes in the transaction codes or changes in the core banking system should be approved by senior management.
         
        • 2.1. Risk Assessment

          The design of an LFI’s TM program should be informed by the LFI’s risk assessment, so that TM controls are applied across the full range of risks to which the institution is exposed and enhanced scrutiny is applied to the areas of highest risk. An LFI’s risk assessment should include, at a minimum, an assessment of the customers, products and services, delivery channels, and geographic exposure presenting the greatest money laundering (“ML”), terrorist financing (“TF”), and proliferation financing (“PF”) risks, as well as the strength of the controls currently in place to mitigate these risks. The risk assessment serves a range of critical purposes, including but not limited to enabling an LFI to:

           - understand the type and level of risk associated with its business relationships and transactions;

           - develop risk-based policies, procedures and controls;

           - make informed decisions with respect to resourcing and staffing;

           - apply additional controls to areas of heightened risk; and

           - ensure that the LFI’s residual risks are within its risk appetite.
           

          With respect to transaction monitoring specifically, the risk assessment can be used to ensure that each mode of transacting with or through the institution—domestically or internationally—is subject to a form of TM that is commensurate with its risks and is operating effectively to mitigate those risks. The risk assessment should be updated at periodic intervals (at least annually or otherwise as appropriate and justified by the required circumstances) and also upon the occurrence of “trigger events,” such as material changes in the LFI’s business or risk profile or the legal and regulatory environment.

        • 2.2. Risk-Based Deployment of Transaction Monitoring Controls

          TM can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. In all cases, the appropriate type and degree of monitoring should appropriately match the ML/TF/PF risks of the institution’s customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an LFI’s business lines or units, where applicable. TM programs should also be calibrated to the size, nature, and complexity of each institution. LFIs with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. LFIs utilizing automated systems should perform a typology assessment to design appropriate rule- or scenario-based automated monitoring capabilities and processes. While smaller LFIs may rely on TM systems that are less automated, they should still ensure that these are appropriately executed to address the risks from their day-to-day transactional activity.

          Examples of automated tools include rule- or scenario-based automated suspicious activity monitoring systems (which typically perform post-execution batch screening of transactions on a daily, weekly, monthly, and/or ad hoc schedule), automated fraud detection systems, trade surveillance systems, and automated negative news screening tools. Examples of manual tools include unusual activity or unusual transaction reporting by business-line employees (including especially, but not limited to, customer relationship managers or those otherwise in customer-facing roles), reporting of potentially suspicious activity by LFI employees (including internal whistleblower reporting), manual reviews of document-based transactions (such as documentary trade finance transactions or loans), manual negative news screening, and periodic or event-based CDD reviews.

          Particularly where purely manual processes are employed, LFIs should implement appropriate training on TM policies and procedures to ensure that personnel adhere to the internal processes for identification and referral of potentially suspicious activity. LFIs should be aware of all methods of identification and should ensure that their suspicious activity monitoring program includes processes to facilitate the transfer of internal referrals to appropriate personnel for further research. Regardless of whether automated or manual processes (or a combination of the two) are used to perform TM, it is the LFI’s responsibility to demonstrate that the monitoring program is effective and appropriately risk based.

          Where practicable and on a risk basis, LFIs should monitor transactions at the customer or relationship level, including across financial groups, and not only on an individual account basis, so as to obtain a complete view of a customer’s transaction profile at the institution. Holistic monitoring of customers with multiple accounts is especially important for customers assessed to be politically exposed persons or as belonging to other high-risk categories.

        • 2.3. Data Identification and Management

          LFIs should have in place adequate processes to ensure that customer and transactional data feeding into their TM program (whether using manual or automated processes, or both) meets established data quality standards, that data is subject to testing and validation at risk-based intervals, and that identified data quality and completeness issues are remediated in a timely manner.

          As an initial matter, LFIs should identify and document all data sources that serve as inputs into their TM program. TM data sources may include both internal customer databases, core banking or other transaction processing systems, and applicable “flat-file” databases, as well as external sources such as Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) message data. Source system documentation should include the identification of a system owner or primary party responsible for overseeing the quality of source data and addressing identified data issues. Where automated TM systems are used, LFIs should institute data extraction and loading processes to ensure a complete, accurate, and fully traceable transfer of data from its source to TM systems. LFIs should also ensure that staff’s access rights to both source systems and TM systems are commensurate with their roles and responsibilities, so as to ensure that relevant staff can perform their duties effectively and that access is not extended to unauthorized persons or those no longer requiring system access.

          Both prior to the initial deployment of a TM system or process and at risk-based intervals thereafter, LFIs should test and validate the integrity, accuracy, and quality of data to ensure that accurate and complete data is flowing into their TM program. Data testing and validation should typically occur at minimum every 12 to 18 months, as appropriate based on the LFI’s risk profile, and the frequency of such activities should be clearly mandated and documented in the LFI’s policies and procedures. Such testing can include data integrity checks to ensure that data is being completely and accurately captured in source systems and transmitted to TM systems, as well as the reconciliation of transaction codes across core banking and TM systems. Testing may also utilize quantitative data quality standards or benchmarks to track data quality over time and specify a threshold or range beyond which data irregularities or other data quality issues shall require corrective action.

          In addition, LFIs should put in place appropriate detection controls, such as the analysis of trends observable through management information system (“MIS”) data and the generation of exception reports, to identify abnormally functioning TM rules or scenarios and ensure that any such irregularities caused by data integrity or other data quality issues are appropriately diagnosed and remediated. Where appropriate, a root cause analysis should be performed, and any findings and recommended remedial actions should be escalated to senior management to address the underlying issue in a timely manner.

        • 2.4. Rule Definition and Pre-Implementation Testing

          LFIs should employ TM detection scenarios (or “rules”) that are designed to identify potentially suspicious or illegal transactions and elevate them for further review and investigation, as warranted. LFIs utilizing automated systems should perform a typology assessment to design appropriate rule- or scenario-based automated monitoring capabilities and processes. Transactions may be suspicious simply in virtue of their individual characteristics (such as their value, source, destination, or use of intermediaries) or because, together with other transactions, they form a pattern that diverges from expected or historical transactional activity or may otherwise be indicative of illicit activity, including the evasion of reporting or recordkeeping requirements.

          TM rules may be automated or manual and should employ value and other thresholds and parameters that take into account the specific risks and contexts of the institution, as identified in the financial crimes risk assessment, and the specific product or service and customer type involved in the transaction. To this end, LFIs should perform risk-based customer and product segmentation, so that rule parameters and thresholds are appropriately calibrated to the type of activity subject to TM. LFIs with larger transaction volumes should consider employing the use of statistical tools or methods such as above-the-line and below-the-line testing, which involves increasing and decreasing the predetermined thresholds of TM rules in a testing environment and measuring the resulting output, to better fine-tune their calibrations and reduce the volume of false-positive alerts.
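
The above-the-line and below-the-line testing described in the paragraph above, as an added worked example that is not part of the CBUAE guidance. The rule (rolling 7-day cash deposit total), the thresholds, the customers and the investigator dispositions are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float  # cash deposit, AED (constructed)


def peak_window_totals(txns, window_days=7):
    """Largest rolling-window deposit total seen for each customer."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)
    peaks = {}
    for customer, items in by_customer.items():
        items.sort(key=lambda t: t.day)
        start, running, peak = 0, 0.0, 0.0
        for t in items:
            running += t.amount
            # Evict deposits that fall outside the window ending on t.day.
            while (t.day - items[start].day).days >= window_days:
                running -= items[start].amount
                start += 1
            peak = max(peak, running)
        peaks[customer] = peak
    return peaks


def alerted(peaks, threshold):
    """Customers the rule would alert on at a given threshold."""
    return {c for c, total in peaks.items() if total >= threshold}


def atl_btl(peaks, suspicious, production, step):
    """Re-run the rule one step below and one step above production."""
    if step <= 0 or step >= production:
        raise ValueError("step must be positive and smaller than the threshold")
    below = alerted(peaks, production - step)
    current = alerted(peaks, production)
    above = alerted(peaks, production + step)
    btl_band = below - current   # alerts gained if the threshold is lowered
    atl_band = current - above   # alerts lost if the threshold is raised

    def productive(group):
        return len(group & suspicious)

    return {
        "alerts": {"btl": len(below), "production": len(current), "atl": len(above)},
        "btl_band": {"alerts": len(btl_band), "productive": productive(btl_band)},
        "atl_band": {"alerts": len(atl_band), "productive": productive(atl_band)},
        "production_precision": productive(current) / len(current) if current else 0.0,
    }


def findings(result):
    """Turn the band counts into items for the tuning review."""
    notes = []
    if result["btl_band"]["productive"]:
        notes.append("BTL: suspicious activity sits below the production threshold")
    if result["atl_band"]["alerts"] and not result["atl_band"]["productive"]:
        notes.append("ATL: alerts just above the threshold were all unproductive")
    return notes


def d(n):
    return date(2021, 9, n)


# Constructed historical data for a single customer segment.
SAMPLE_TXNS = [
    Txn("C1", d(1), 9_000), Txn("C1", d(2), 9_000), Txn("C1", d(3), 9_000),
    Txn("C2", d(1), 15_000), Txn("C2", d(3), 15_000), Txn("C2", d(5), 15_000),
    Txn("C3", d(2), 21_000), Txn("C3", d(6), 21_000),
    Txn("C4", d(1), 26_000), Txn("C4", d(4), 26_000),
    Txn("C5", d(3), 55_000),
    Txn("C6", d(1), 25_000), Txn("C6", d(2), 25_000), Txn("C6", d(3), 25_000),
    Txn("C7", d(5), 90_000),
    Txn("C8", d(1), 30_000), Txn("C8", d(10), 30_000),  # outside one window
]
SUSPICIOUS = {"C2", "C6"}  # constructed investigator dispositions

PEAKS = peak_window_totals(SAMPLE_TXNS)
RESULT = atl_btl(PEAKS, SUSPICIOUS, production=50_000, step=10_000)

if __name__ == "__main__":
    print(RESULT)
    for note in findings(RESULT):
        print(note)
```

In this constructed data both bands raise a finding, which indicates that the value threshold alone separates the population poorly and that segmentation or an additional rule parameter is worth testing before the threshold is moved.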

          In order to identify patterns of potentially suspicious or illegal activity spanning multiple transactions, LFIs should group individual TM parameters and thresholds into multi-factor risk scenarios in order to more precisely target transaction patterns and behaviors consistent with known illicit financing typologies. Key typologies and associated indicators of relevance in the context of the UAE published by the FIU are included in the CBUAE’s Guidance for LFIs on Suspicious Transaction Reporting.⁴ The use of scenarios should not be limited to LFIs with automated transaction monitoring systems, as smaller institutions with less-automated systems can and should apply the same logic in training and guiding their staff to detect these more complex risks. However, LFIs with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. In all cases, LFIs should maintain documentation that articulates the institution’s current detection scenarios and their underlying assumptions, parameters, and thresholds.

          Where automated systems are employed, LFIs should perform pre-implementation testing of TM rules and systems, using historical transaction data as appropriate. Such testing should include system integration testing to ensure compatibility of the TM system with source systems and other AML/CFT compliance infrastructure and user acceptance testing to ensure that the system performs as anticipated in the operating environment. Material data mapping, transaction coding, and other data quality issues, as well as irregularities in TM model performance and outputs, identified through pre-implementation testing should be prioritized for remediation and subject to re-testing prior to the deployment of a TM system.


          4 Available at https://www.centralbank.ae/en/cbuae-amlcft.

        • 2.5. Alert Scoring and Prioritization

          Consistent with a risk-based approach, LFIs may consider assigning risk-weighted scores to TM alerts in order to prioritize higher-risk alerts for expedited review. LFIs may opt to assign a higher risk score, and thus to prioritize for review and investigations, transactions that violate individual TM rules corresponding with especially heightened risks (based on the risk profile and risk appetite of the institution) as well as transactions identified as violating multiple TM rules. LFIs with larger TM alert review and investigation teams may likewise opt to allocate higher-scoring alerts to more senior investigators or those with specialized expertise in certain risk areas. In such a scenario, non-high scoring alerts could then be allocated to the staff using a “round robin” or any other technique in order to ensure a balanced and efficient distribution of alerts among staff. Although alert scoring may be used to achieve a risk-based prioritization and allocation of manually generated TM alerts, such processes may be especially useful for LFIs faced with a high volume of alerts produced by automated TM systems.
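
One way to implement the scoring and allocation described above, as an added example that is not part of the CBUAE guidance. The rule names, weights, the high-score cut-off and the investigator names are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import cycle

# Constructed weights (assumption): a higher weight marks a rule tied to a
# typology the institution treats as higher risk.
RULE_WEIGHTS = {
    "HIGH_RISK_JURISDICTION_WIRE": 70,
    "CASH_STRUCTURING": 45,
    "RAPID_IN_OUT": 40,
    "DORMANT_ACCOUNT_ACTIVITY": 25,
    "ROUND_AMOUNT": 10,
}
HIGH_SCORE = 70   # alerts at or above this go to senior investigators
MAX_SCORE = 100


@dataclass(frozen=True)
class Alert:
    alert_id: str
    customer: str
    rules: tuple  # names of the TM rules the activity violated


def score(alert):
    """Sum the weights of the distinct rules hit, capped at MAX_SCORE.

    A single heavily weighted rule can reach HIGH_SCORE on its own, and
    several lighter rules reach it together.
    """
    rules = set(alert.rules)
    unknown = rules - RULE_WEIGHTS.keys()
    if unknown:
        # An unweighted rule must not silently score zero and sink in the queue.
        raise ValueError(f"no weight defined for rules: {sorted(unknown)}")
    return min(MAX_SCORE, sum(RULE_WEIGHTS[r] for r in rules))


def allocate(alerts, seniors, analysts):
    """Send high-scoring alerts to seniors, round-robin the rest to analysts.

    Each queue is ordered highest score first; ties break on alert_id so the
    allocation is reproducible.
    """
    scored = sorted(((score(a), a) for a in alerts),
                    key=lambda pair: (-pair[0], pair[1].alert_id))
    high = [(s, a) for s, a in scored if s >= HIGH_SCORE]
    rest = [(s, a) for s, a in scored if s < HIGH_SCORE]
    if high and not seniors:
        raise ValueError("high-scoring alerts exist but no senior investigator is set")
    if rest and not analysts:
        raise ValueError("alerts exist but no analyst is set")

    queues = defaultdict(list)
    for pool, batch in ((seniors, high), (analysts, rest)):
        turn = cycle(pool) if pool else None
        for s, a in batch:
            queues[next(turn)].append((a.alert_id, s))
    return dict(queues)


# Constructed alerts.
SAMPLE_ALERTS = [
    Alert("A1", "C10", ("ROUND_AMOUNT",)),
    Alert("A2", "C11", ("HIGH_RISK_JURISDICTION_WIRE",)),
    Alert("A3", "C12", ("RAPID_IN_OUT", "CASH_STRUCTURING")),
    Alert("A4", "C13", ("DORMANT_ACCOUNT_ACTIVITY",)),
    Alert("A5", "C14", ("CASH_STRUCTURING", "ROUND_AMOUNT")),
    Alert("A6", "C15", ("HIGH_RISK_JURISDICTION_WIRE", "RAPID_IN_OUT")),
    Alert("A7", "C16", ("RAPID_IN_OUT",)),
]
QUEUES = allocate(SAMPLE_ALERTS,
                  seniors=["senior_1", "senior_2"],
                  analysts=["analyst_1", "analyst_2", "analyst_3"])

if __name__ == "__main__":
    for investigator, queue in QUEUES.items():
        print(investigator, queue)
```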

        • 2.6. Outcomes Analysis and Management Information Systems Reporting

          LFIs should document and track TM outputs in order to identify and address any technical or operational issues and understand key risks or trends over time. Irregularities in TM system performance, including significant changes in the productivity of TM rules over time, may be indicative of underlying data quality or data integrity issues or of the need to recalibrate rule thresholds or parameters. Identified data quality or integrity issues should be reported back to designated data owners, and apparent rule calibration issues (such as unproductive rules or those producing excessive volumes of false positive alerts) should be reported back to model owners for tuning and optimization. Where TM outcomes analysis reveals that certain transaction types or patterns are repeatedly flagged by the TM system and then consistently cleared as false positives by TM investigators, the LFI may consider employing a risk-based suppression logic or other “whitelisting” process to prevent the generation of alerts on activity repeatedly deemed not to be suspicious. Such methods, however, should not be applied to higher-risk customer or transaction types and should be carefully monitored and subject to periodic and event-driven testing, tuning, and validation, as described below.

          In addition, LFIs should ensure that senior management is regularly updated on the performance and output of their TM program, including through the provision of metrics, trends, and other MIS reporting generated by TM systems or produced by TM alert review and investigation teams. Such reporting may include an analysis of the number of alerts produced by each TM rule and the proportion of such alerts that are cleared as false positives, that require further investigation, and that ultimately result in the filing of an STR/SAR. TM-related reporting and analysis should feed back into an LFI’s financial crimes risk assessment, and LFI management should use this information to ensure that the institution’s customers and transactions remain within the LFI’s risk appetite and that activity exceeding its risk appetite is addressed through appropriate risk mitigation measures, including but not limited to the use of account- or customer-based risk markers and/or activity, product, or service restrictions.
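
The per-rule outcomes reporting and the risk-based suppression check from this section, as an added example that is not part of the CBUAE guidance. The rule names, pattern labels, outcome categories, cut-offs and disposition records are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Disposition:
    rule: str
    pattern: str        # transaction type or pattern that was flagged
    customer_risk: str  # "low", "medium" or "high"
    outcome: str        # "false_positive", "investigated_closed" or "str_filed"


def rule_report(dispositions):
    """Alert volume and outcome proportions for each TM rule."""
    counts = defaultdict(Counter)
    for d in dispositions:
        counts[d.rule][d.outcome] += 1
    report = {}
    for rule, c in counts.items():
        total = sum(c.values())
        escalated = c["investigated_closed"] + c["str_filed"]
        report[rule] = {
            "alerts": total,
            "fp_rate": c["false_positive"] / total,
            "investigated_rate": escalated / total,
            "str_rate": c["str_filed"] / total,
        }
    return report


def tuning_review(report, min_alerts=3, fp_ceiling=0.95):
    """Rules to send back to the model owner as apparently unproductive."""
    return sorted(rule for rule, m in report.items()
                  if m["alerts"] >= min_alerts and m["fp_rate"] >= fp_ceiling)


def suppression_candidates(dispositions, min_alerts=5):
    """(rule, pattern) pairs repeatedly cleared as false positives.

    High-risk customers are left out of the evidence and stay out of scope
    of any suppression, so a candidate applies to lower-risk activity only.
    """
    groups = defaultdict(list)
    for d in dispositions:
        if d.customer_risk != "high":
            groups[(d.rule, d.pattern)].append(d.outcome)
    return sorted(key for key, outcomes in groups.items()
                  if len(outcomes) >= min_alerts
                  and all(o == "false_positive" for o in outcomes))


# Constructed disposition records.
SAMPLE = (
    [Disposition("R_ROUND", "payroll_batch", "low", "false_positive")] * 5
    + [Disposition("R_ROUND", "payroll_batch", "high", "false_positive")]
    + [Disposition("R_STRUCT", "cash_deposit", "medium", "false_positive")] * 2
    + [Disposition("R_STRUCT", "cash_deposit", "low", "investigated_closed")]
    + [Disposition("R_STRUCT", "cash_deposit", "medium", "str_filed")]
    + [Disposition("R_WIRE", "intl_wire", "high", "false_positive")] * 3
)
REPORT = rule_report(SAMPLE)

if __name__ == "__main__":
    for rule, metrics in sorted(REPORT.items()):
        print(rule, metrics)
    print("tuning review:", tuning_review(REPORT))
    print("suppression candidates:", suppression_candidates(SAMPLE))
```

R_WIRE appears in the tuning review but never as a suppression candidate, because every alert it produced involved a high-risk customer.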

        • 2.7. Post-Implementation Testing, Tuning, and Validation

          On a periodic basis and in the event of material system output or operational irregularities, LFIs should reassess the functionality of TM systems and processes, including the continued relevancy of detection scenarios and assumptions and the calibration of rule threshold values and parameters. As with pre-implementation testing, post-implementation testing should include checks for system integration, data quality, and operational functionality, and should additionally include back-testing of TM rules to ensure that they remain current and effective in targeting riskier transactions and activity. Any proposed tuning or adjustment to TM rules, particularly material adjustments, should be subject to pre-implementation testing using sample or historical data to ensure the proper functioning of the new or revised rules, and should be reflected in updated TM documentation.

          TM model testing and validation should be performed by individuals with sufficient expertise and an appropriate level of independence from the model’s development and implementation. Generally, validation should be done by people who are not responsible for the development or use of the TM model and do not have a stake in whether a model is determined to be valid. Independence may be supported by the separation of reporting lines (as where model validation is performed by an internal audit department as part of independent testing of the AML/CFT program) or by the engagement of an external party not responsible for model development or use. As a practical matter, some validation work may be most effectively done by model developers and users; it is essential, however, that such validation work be subject to critical review by an independent party, who should conduct additional activities to ensure proper validation. All model validation activities and identified issues should be clearly documented, and management should take prompt action to address model issues.

      • 3. Sanctions Screening

        As per Article 21.2 of Cabinet Decision 74, LFIs are required to perform regular searches against applicable sanctions lists of their customer databases, parties to any transactions, potential customers, beneficial owners, and persons and organizations with which the LFI has a direct or indirect relationship, as well as continuous searches of their customer database before conducting any transaction or entering into a business relationship with any person. Sanctions screening systems and processes are essential, but are also only as effective as the customer and transactional information used when comparing against applicable sanctions lists. Therefore, effectiveness depends critically on the completeness and accuracy of information obtained through the application of CDD/KYC measures and contained in payment instructions and other transactional data fields.

        Sanctions compliance personnel should escalate for priority remediation identified omissions or inaccuracies in relevant customer or beneficial ownership information, as well as gaps or data quality issues in required transaction or payment message fields. On a risk basis, LFIs should perform sample testing of payment messages to ensure proper usage of message types and compliance with payment transparency requirements.

        An effective sanctions screening program consists of the following core elements:

         A well-calibrated risk-based framework: The risks LFIs face are dynamic and the transactions they carry out may be varied and high in volume. LFIs should therefore review and enhance their sanctions screening frameworks regularly and upon the occurrence of specified “trigger events,” such as material changes in the LFI’s business or risk profile or its legal and regulatory environment, to ensure that they remain tailored to the institution’s financial crime risks.
         
         Robust training and risk awareness: To ensure proper functioning and implementation of their sanctions screening programs, LFIs should ensure that personnel with sanctions screening responsibilities have adequate experience and expertise and receive role-specific training on the institution’s sanctions screening policies, procedures, and risks.
         
         Meaningful integration into the sanctions program: LFIs should ensure that their sanctions screening systems and frameworks reinforce, and are reinforced by, the wider sanctions control environment of which they are a part. An effective sanctions screening program depends on the quality and completeness of data drawn from the LFI’s customer and transactional systems and databases. In tandem, the outcomes of sanctions screening should inform the LFI’s understanding and management of its financial crime risks, including by prompting off-cycle customer reviews and the application of enhanced scrutiny or additional controls to higher-risk customers or transactions, as warranted.
         
         Active oversight: The LFIs’ board and senior management should take an active role in overseeing the performance of their sanctions screening programs and driving the ongoing enhancement of sanctions screening systems on the basis of the institution’s risks. Where the outcomes of sanctions screening are compromised by factors such as inappropriate calibration, process inefficiencies, staff issues, or system failures, it is necessary that the board (or a board-designated committee) and senior management be made aware of these issues in a timely manner so as to ensure that they are promptly and adequately remediated. The board and senior management should also communicate clear risk appetites within their institutions and set a strong tone from the top that the implementation of targeted financial sanctions is a priority. A quality assurance process should also play a crucial part in the sanctions screening program, by validating the review from an accuracy and detail perspective.
         
        • 3.1. Risk Assessment

          An LFI’s risk assessment is a critical tool for ensuring that the institution has a complete, accurate, and up-to-date understanding of the sanctions risks to which their institution may be exposed, and for facilitating a risk-based approach to sanctions compliance. In the context of targeted financial sanctions, the risk-based approach cannot provide a justification for failing to apply sanctions-related controls, including sanctions screening, to all customer relationships and transactions, as defined below, which is a minimum legal requirement for all LFIs. Rather, the risk-based approach should be utilized by LFIs to apply additional or more rigorous controls—above the minimum legal requirement—to areas of heightened sanctions risk.

          The LFI’s risk assessment should include, at a minimum, an assessment of the customers, products and services, delivery channels, and geographies through which the LFI is most likely to engage, directly or indirectly, with sanctioned persons, parties, countries, or regions, as well as the strength of the controls currently in place to mitigate sanctions risks. The risk assessment should be updated at periodic intervals (at least annually or otherwise as appropriate and justified by the required circumstances) and also upon the occurrence of “trigger events,” such as material changes in the LFI’s business or risk profile or its legal and regulatory environment.

        • 3.2. Risk-Based Deployment of Sanctions Screening Controls

          Sanctions screening can include the manual review of customers and transactions against applicable sanctions lists, as well as the use of automated screening and interdiction software and systems. In all cases, the appropriate method of sanctions screening and the screening criteria employed should be appropriately calibrated to the sanctions risks presented by the institution’s customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an LFI’s business lines or units, where applicable. Areas of heightened risk may require additional sanctions-related due diligence, more frequent or more intensive manual reviews of customers, counterparties, and their transactions, enhanced monitoring for transactions or behavior designed to evade sanctions controls, or specialized training for sanctions compliance personnel in high-risk roles.

          Sanctions screening controls should also be calibrated to the size, nature, and complexity of each institution. LFIs with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. While smaller LFIs may rely on sanctions screening systems that are less automated, they should also still ensure that these are appropriately executed to address the risks from their day-to-day transactional activity, as well as fully automated for the update of any changes to the UN Consolidated List and the Local Terrorist List.

          Examples of automated tools include automated name screening tools that compare customer databases against applicable sanctions lists, live payment and other transaction filtering tools that screen payment message and transaction data against applicable sanctions lists prior to execution, and text analytics tools that automatically convert paper documentation into electronic data that can then be screened against applicable sanctions lists.

          Examples of manual tools include manual reporting and escalations of potentially sanctions-related activity by LFI employees (including especially customer relationship managers and other business-line personnel), manual reviews of document-based transactions (such as documentary trade finance transactions or loans), and periodic or event-based CDD reviews.

          Particularly where purely manual processes are employed, LFIs should implement appropriate training on sanctions screening policies and procedures to ensure that personnel adhere to the internal processes for identification and referral of potentially sanctions-related activity. LFIs should be aware of all methods of identification and should ensure that their sanctions screening program includes processes to facilitate the transfer of internal referrals to appropriate personnel for searches against applicable lists. Regardless of whether automated or manual processes (or a combination of the two) are used to perform sanctions screening, the onus is on the LFI to demonstrate that the screening program is effective and appropriately risk based.

        • 3.3. Data Identification and Management

          LFIs should have in place adequate processes to ensure that customer and transactional data feeding into their sanctions screening program (whether using manual or automated processes, or both) meets established data quality standards, that data is subject to testing and validation at risk-based intervals, and that identified data quality issues are remediated in a timely manner.

          As an initial matter, LFIs should identify and document all data sources that serve as inputs into their sanctions screening program, including applicable customer databases and core banking or other transaction processing systems. Source system documentation should include the identification of a system owner or primary party responsible for overseeing the quality of source data and addressing identified data issues. Where automated sanctions screening systems are used, LFIs should institute data extraction and loading processes to ensure a complete and accurate transfer of data from its source to sanctions screening systems. LFIs should also ensure that staff’s access rights to both source systems and sanctions screening systems are commensurate with their roles and responsibilities, so as to ensure that relevant staff can perform their duties effectively and that access is not extended to unauthorized persons or those no longer requiring system access.

          Both prior to the initial deployment of a sanctions screening system or process and at risk-based intervals thereafter, LFIs should test and validate the integrity, accuracy, and quality of data to ensure that accurate and complete data is flowing into their sanctions screening program. Data testing and validation should typically occur at minimum every 12 to 18 months, as appropriate based on the LFI’s risk profile, and the frequency of such activities should be clearly mandated and documented in the LFI’s policies and procedures. Such testing can include data integrity checks to ensure that data is being completely and accurately captured in source systems and transmitted to sanctions screening systems, as well as the reconciliation of transaction codes across core banking and sanctions screening systems. Testing may also utilize quantitative data quality standards or benchmarks to track data quality over time and specify a threshold or range beyond which data irregularities or other data quality issues shall require corrective action.
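The data integrity check and quality threshold described above can be sketched as follows. This is an added example, not part of the Guidance; the field names, record identifiers, sample records, and the 1% threshold are constructed assumptions.

```python
import hashlib

# Assumption: the attributes the screening filter actually consumes.
SCREENED_FIELDS = ("name", "country", "bic")


def record_digest(rec):
    """Digest of the screening-relevant fields, so any change in transit is visible."""
    canon = "\x1f".join((rec.get(f) or "").strip() for f in SCREENED_FIELDS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def reconcile(source, loaded, max_defect_rate=0.01):
    """Compare a source-system extract with what the screening system loaded.

    Reports records that never arrived, records that arrived altered (for
    example a truncated name), records the source system cannot account for,
    and source records whose name is empty and so cannot be screened at all.
    """
    src = {r["id"]: r for r in source}
    dst = {r["id"]: r for r in loaded}
    missing = sorted(src.keys() - dst.keys())
    unexpected = sorted(dst.keys() - src.keys())
    altered = sorted(
        i for i in src.keys() & dst.keys()
        if record_digest(src[i]) != record_digest(dst[i])
    )
    incomplete = sorted(i for i, r in src.items() if not (r.get("name") or "").strip())
    defects = set(missing) | set(altered) | set(incomplete)
    rate = len(defects) / len(src) if src else 0.0
    return {
        "missing": missing,
        "unexpected": unexpected,
        "altered": altered,
        "incomplete": incomplete,
        "defect_rate": rate,
        # Beyond the documented threshold, corrective action is required.
        "action_required": rate > max_defect_rate,
    }


# Constructed sample data: five source records, one with an empty name.
SOURCE = [
    {"id": "T-001", "name": "Example Trading LLC", "country": "AE", "bic": "TESTAEA0XXX"},
    {"id": "T-002", "name": "Constructed Shipping and Logistics Co", "country": "AE", "bic": "TESTAEA0XXX"},
    {"id": "T-003", "name": "Sample Holdings", "country": "AE", "bic": "TESTAEA0XXX"},
    {"id": "T-004", "name": "Demo Metals FZE", "country": "AE", "bic": "TESTAEA0XXX"},
    {"id": "T-005", "name": "", "country": "AE", "bic": "TESTAEA0XXX"},
]
# Constructed load result: T-004 was dropped and T-002's name was cut to 20 characters.
LOADED = [dict(r) for r in SOURCE if r["id"] != "T-004"]
LOADED[1]["name"] = LOADED[1]["name"][:20]

if __name__ == "__main__":
    for key, value in reconcile(SOURCE, LOADED).items():
        print(key, value)
```

A truncated name is the case worth noticing: the record count still reconciles, yet the screening filter sees a different string than the source system holds.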

          In addition, LFIs should put in place appropriate detection controls, such as the analysis of trends observable through MIS data and the generation of exception reports, to identify abnormally functioning sanctions screening logic and ensure that any such irregularities caused by data integrity or other data quality issues are appropriately diagnosed and remediated. Where appropriate, a root cause analysis should be performed, and any findings and recommended remedial actions should be escalated to appropriate senior management to address the underlying issue in a timely manner.

        • 3.4. Screening Program Design and Pre-Implementation Testing

          The process of screening information collected and maintained by an LFI on the parties it does business with and their related parties is referred to as “name screening”. The concept encompasses any data set within the LFI’s operations, separate from its transaction records, that may present a relevant sanctions risk indicator or be conducive to detection through screening on a periodic basis and prior to entering into a customer relationship. The process of screening a movement of value—including funds, goods, or assets—out of, into, or through the LFI between parties or accounts is referred to as “transaction screening”.

          Where automated systems are employed, LFIs should perform pre-implementation testing of sanctions screening systems, using historical transaction data as appropriate. Such testing should include system integration testing to ensure compatibility of the sanctions screening system with source systems and other sanctions compliance infrastructure and user acceptance testing to ensure that the system performs as anticipated in the operating environment. Material data mapping, transaction coding, and other data quality issues, as well as irregularities in sanctions screening model performance and outputs, identified through pre-implementation testing should be prioritized for remediation and subject to re-testing prior to the deployment of a sanctions screening system.

          The following sections provide additional detail about system design and pre-implementation testing as these relate specifically to name screening and transaction screening processes respectively.

          • 3.4.1. Name Screening

            As per the Executive Office’s Guidance on TFS for Financial Institutions and Designated Non-financial Business and Professions, name screening (whether automated or manual) must be performed prior to the onboarding of a customer and/or the facilitation of an occasional transaction and on an ongoing basis (at least daily) thereafter. As indicated above, name screening encompasses any data set within the LFI’s operations, separate from its transaction records, that may present a relevant sanctions risk indicator or be conducive to detection through screening on a periodic basis and prior to entering into a customer relationship.

            Data relevant for name screening may include:

             Customer data, including the names and addresses of existing or prospective customers, their beneficial owners, and other related or connected parties whose information is collected pursuant to risk-based due diligence procedures;
             
             Employee data, including employee names and addresses;
             
             Third-party service provider data, including the names, addresses, and beneficial owners of an LFI’s vendors, landlords, and tenants, as applicable;
             
             International Securities Identification Numbers (“ISINs”) and other sanctions-relevant identifying features of assets held in custody by the LFI; and
             
             Recipients of the LFI’s corporate donations or sponsorship.
             

            Not all data elements within an LFI’s records are relevant for sanctions screening. When determining what reference data should be screened, an LFI should identify the data within its operations and records that is relevant to sanctions risk, determine how it is relevant, ensure it is conducive to effective screening, and differentiate it from data that is not relevant or suitable to screening. For example, the names of individuals and entities with whom the LFI has a relationship are relevant for screening against name-based sanctions lists but not for geographic (region- or country-based) sanctions programs. Likewise, while the data contained in the addresses of such individuals and entities may not be directly relevant for screening against name-based sanctions lists, this data may assist in differentiating a true name match from a false name match when reviewing apparent name screening hits.

            An LFI should also define other data elements (such as date of birth, nationality, and place of birth) that may be relevant for sanctions screening in some situations but not others. Date of birth, for example, is relevant as a distinguishing factor to assess a potential or a true match from a false match on an individual and might be used for screening in combination with another attribute, such as a name. In each case, LFIs should weigh up the relative incremental value of screening the data element against the reliability of the data and whether an alert against the data will meaningfully assist in detecting or preventing a sanctions risk that would not be reasonably detected through other controls, or by screening different data attributes. The screening criteria used by LFIs to identify name variations and misspellings should be based on the level of sanctions risk associated with the particular product or type of transaction. For example, in a higher-risk area with a high volume of transactions, the LFI’s interdiction software should be able to identify close name derivations for review.

            An LFI’s reference data is typically maintained in electronic files and is most effective when screened through an automated process and repeated at defined intervals. The use of manual screening can be considered when the risk is sufficiently low and where the reference data cannot be sourced reliably, either electronically or in a format necessary for automated screening. For example, if an LFI has identified only a small population of names requiring screening, it may choose to forego investing in an automated screening system and instead manually input these names into an online screening filter.


            5 Available at: https://www.uaeiec.gov.ae/en-us/un-page#.

          • 3.4.2. Transaction Screening

            LFIs should screen all payments prior to completing the transaction (also referred to as “real-time” screening), utilizing all transaction records necessary to the movement of value between parties and at a point in the transaction where detection of a sanctions risk is actionable to prevent a violation. The LFI should then identify which attributes within those records are relevant for sanctions screening and the context in which they become relevant. As with name screening, names of parties involved in a transaction are relevant for list-based sanctions programs, whereas addresses are more relevant to screening against geographic sanctions programs but can be used as identifying information to help distinguish a potential or true match from a false match under a list-based program. Other data elements, such as bank identification codes, may be relevant for both list-based and geographic sanctions programs.

            Some data elements are more relevant for sanctions screening purposes when found in combination with other attributes or references. For example, detection of sectoral sanctions risk typically requires detection of multiple factors, such as those where both the targeted parties and the prohibited activities are involved. Where automated controls alone may not be capable of detecting both factors simultaneously, manual review of the associated activity may be required alongside review to confirm a true match to applicable sanctions lists. In addition, certain data elements offer little or no risk mitigation through screening; for example, amounts, dates, and transaction reference numbers have no relevance from a screening perspective, although they may be relevant for TM or other risk management purposes.

            Data relevant for transaction screening may include:

             The parties involved in a transaction, including the originator and beneficiary;
             
             Agents, intermediaries, and financial institutions involved in a transaction;
             
             Bank names, Bank Identifier Codes (“BICs”), and other routing codes;
             
             Free text fields, such as payment reference information or the stated purpose of the payment in Field 70 of a SWIFT message;
             
             ISINs or other risk-relevant product identifiers, including those that relate to sectoral sanctions identifications within securities-related transactions, as applicable;
             
             Trade finance documentation, including any:

              o Importers and exporters, manufacturers, drawees, drawers, notify parties, and signatories;

              o Shipping companies, vessel names and International Maritime Organization (IMO) numbers, names of parties associated with the vessel (including ship owners, charterers, and captains), and freight forwarders;

              o Facilitators, such as insurance companies, agents, and brokers; and

              o Financial institutions, including issuing, advising, confirming, negotiating, claiming, collecting, reimbursing, and guarantor banks.

             Geographic details, including:

              o Addresses, countries, cities, towns, regions, ports, and airports (e.g., as contained within SWIFT Fields 50 and 59 or acquired through vessel tracking inquiries);

              o Phone or fax numbers and web addresses, insofar as these contain geographic or other relevant details;

              o Place of taking in charge, receipt, dispatch, delivery, or final destination;

              o Country of origin, destination, and transshipment of goods or services; and

              o Airport of departure or destination.
             

            Transaction screening should be performed at a point in time where a transaction can be stopped and before a potential violation occurs. This typically occurs at a number of points in the lifecycle of a transaction, but certainly prior to executing any commitment to move funds. Particular attention should be directed to any points within the transactional process where relevant information could be changed, modified, or removed in order to undermine screening controls.

            Transactional records are typically found in large volumes and within business processes predicated on speed of execution. These transaction types are generally in electronic form and conducive to systemic, automated screening. Some transaction types, however, still rely on documentation in various formats and varying methods of presentation. LFIs may employ text analytics tools such as optical character recognition (“OCR”) that automatically convert paper documentation into electronic data that can then be screened against applicable sanctions lists, but some paper-based transactions, such as documentary trade finance transactions, may require manual screening processes, where relevant information is physically added into a system for screening. OCR requires quality assurance validation to ensure the information has been captured fully and accurately. Certain paper-based transactions, such as paper cheque clearing, where the volumes can be high and the manual screening process creates high rates of errors, may rely on controls other than screening, such as CDD/KYC processes, where the sanctions risks for the product are assessed as being low.

        • 3.5. List Management

          Under Article 21.2 of Cabinet Decision 74, LFIs’ sanctions screening lists must include all names on lists issued by the UNSC and its relevant Committees (UN Consolidated List) or by the UAE Cabinet (Local Terrorist List). LFIs’ sanctions screening processes should also include searches for entities that are not themselves listed but that are owned or controlled mainly or fully by a listed person (also referred to as “shadow listed persons”). LFIs cannot conduct transactions with shadow listed persons and must freeze any funds or assets of a shadow listed person that they may hold as per Article 15 of Cabinet Decision 74. Although shadow designated persons, by their very nature, are not listed by government authorities, LFIs should develop internal lists of such persons based on their own due diligence and consideration of external sources, such as adverse media reporting. LFIs should include such a list, together with any other internal lists (such as lists of customers exited for financial crime concerns) in its sanctions screening systems and processes.

          Given the dynamic nature of targeted financial sanctions, LFIs should establish and implement sanctions list management procedures that enable the institution’s sanctions screening program to adjust rapidly to changes published by sanctions authorities. The following considerations are relevant to effective list management, and each should be documented and reviewed on a regular basis, to ensure that the LFI’s chosen approach remains in line with its risk appetite and in compliance with applicable legal requirements:

           List selection: The LFI should determine which sanctions lists are relevant for screening. Lists must include, at a minimum, all names on the UN Consolidated List and the Local Terrorist List, but may also include other jurisdictional lists as well as internal lists of persons known to have a sanctions nexus, lists of geographic terms (such as cities, regions, and ports), banking terms (such as BICs), and lists of prohibited goods or prohibited securities, where applicable. Although lists issued by the UNSC or by the UAE Cabinet must be employed in the screening of all customers and transactions, as outlined above, other lists may be employed on a risk basis. For example, screening against lists of prohibited goods may be limited to the context of trade finance transactions, whereas such transactions likely would not need to be screened against sanctioned securities.
           
           Sourcing of lists: The LFI should determine which lists are to be generated internally and which lists are best sourced from external vendors, and the processes for generating and implementing such lists.
           
           List maintenance: The LFI should determine the processes for adding and removing lists or entries on internal lists, where screening is no longer required or where the result is within the institution’s risk appetite. The LFI should identify and implement appropriate controls to ensure that lists remain up to date and that only appropriate individuals can add or remove lists or list entries.
           
           Data enhancement: The LFI should determine whether certain list entries should be modified or enhanced based on additional information.
           
           Whitelisting: The LFI may consider establishing and maintaining a “white list” of customer names or other data elements that have already been flagged and cleared through thorough due diligence by the LFI as false positives. These “white lists” may be used to improve the process related to screening by leveraging the results of past due diligence and reducing the number of false positives. While the LFI should not overly rely on such a list, and must diligently and continuously screen customers and transactions in case they are implicated in the updated UN Consolidated List and Local Terrorist List, the use of such a “white list” may assist the LFI in expediting the dispositioning in case of repeated false positive matches. LFIs should have documented procedures for managing and periodically reviewing and updating those “white lists” to account for the possibility that persons on a whitelist may later become sanctioned persons. Where automated screening tools are employed, the LFI should determine the management of rules for automatically eliminating potential hits caused by the interaction of certain list terms and frequently encountered data. Where manual screening processes are employed, the LFI should establish a process for manually reviewing potential hits against the whitelist.
           
           Geographic scope of application: Where the LFI has operations in multiple jurisdictions, the LFI should determine which lists should be screened in all jurisdictions of an LFI’s operations and which, if any, could be screened only within a certain jurisdiction or several jurisdictions.
           
           Exact matching versus “fuzzy logic”: The LFI should determine which lists should be deployed within the screening filter on an exact match basis, and which should use fuzzy matching (i.e., an algorithm-based technique to match one name or other string of words where the content of the information being screened is not identical—but its spelling, pattern, or sound is a close match—to the contents on a list used for screening).
           
           Frequency of screening: The LFI should determine the frequency or the triggers for static data screening, so as to account for additions to lists and changes in customer data.
           

          List management procedures should be documented and subject to periodic review to ensure that list management practices remain aligned to the LFI’s risk profile and risk appetite.
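The exact-versus-fuzzy and whitelisting considerations above interact, and a short sketch makes the interaction concrete. This is an added example, not part of the Guidance; the list entries, names, BIC values, the 0.85 threshold, and the choice to bind each whitelist clearance to a fingerprint of the list entry it cleared are all constructed assumptions.

```python
import hashlib
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


def normalize(text):
    """Case-fold, strip accents and punctuation, and sort tokens so that
    'Samplov, Aleksandr' and 'aleksandr SAMPLOV' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_accents.casefold())
    return " ".join(sorted(cleaned.split()))


def similarity(a, b):
    """Sequence similarity in [0, 1] on normalized strings (difflib ratio)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass(frozen=True)
class ListEntry:
    entry_id: str  # identifier of the entry on the screening list
    field: str     # screened attribute it applies to: "name" or "bic"
    value: str
    match: str     # "exact" or "fuzzy", decided per list

    def fingerprint(self):
        raw = "|".join((self.entry_id, self.field, self.value, self.match))
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def clear_false_positive(whitelist, customer_id, entry):
    """Record that due diligence cleared this customer against this exact entry."""
    whitelist[(customer_id, entry.entry_id)] = entry.fingerprint()


def screen(customer_id, record, entries, whitelist, threshold=0.85):
    """Return (entry_id, score, status) for every hit; status is 'alert' or 'suppressed'."""
    hits = []
    for entry in entries:
        value = record.get(entry.field)
        if not value:
            continue
        if entry.match == "exact":
            score = 1.0 if normalize(value) == normalize(entry.value) else 0.0
        else:
            score = similarity(value, entry.value)
        if score < threshold:
            continue
        # A clearance only holds for the entry content it was given against:
        # a new or amended entry has a different fingerprint and alerts again.
        cleared = whitelist.get((customer_id, entry.entry_id)) == entry.fingerprint()
        hits.append((entry.entry_id, round(score, 2), "suppressed" if cleared else "alert"))
    return hits


# Constructed sample data (fictional names and placeholder BICs).
LIST_V1 = [
    ListEntry("L-001", "name", "Aleksandr Samplov", "fuzzy"),
    ListEntry("L-002", "bic", "TESTAEA0XXX", "exact"),
]
LIST_V2 = LIST_V1 + [ListEntry("L-003", "name", "Alexander Samplov", "fuzzy")]
CUSTOMER = {"name": "Samplov, Alexander", "bic": "TESTAEA0XXY"}

if __name__ == "__main__":
    whitelist = {}
    print(screen("C-1", CUSTOMER, LIST_V1, whitelist))  # fuzzy name hit, near-miss BIC ignored
    clear_false_positive(whitelist, "C-1", LIST_V1[0])
    print(screen("C-1", CUSTOMER, LIST_V2, whitelist))  # old hit suppressed, new entry alerts
```

Suppressed hits are returned rather than dropped, so they remain available for whitelist review and MIS reporting.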

        • 3.6. Outcomes Analysis and Management Information Systems Reporting

          LFIs should document and track sanctions screening outputs in order to identify and address any technical or operational issues and understand key risks or trends over time. Irregularities in sanctions screening system performance, including significant changes in the volume of apparent matches to sanctions lists over time, may be indicative of underlying data quality or data integrity issues or of the need to recalibrate sanctions screening search logic. Identified data quality or integrity issues should be reported back to designated data owners, and apparent screening logic issues should be reported back to model owners for tuning and optimization.

          In addition, LFIs should ensure that senior management is regularly updated on the performance and output of their sanctions screening program, including through the provision of metrics, trends, and other MIS reporting generated by sanctions screening systems or produced by sanctions screening alert review and investigation teams. Such reporting may include an analysis of the number and type of screening hits and the proportion of apparent matches that are cleared as false positives compared to those that are confirmed as potential or true matches. Sanctions screening-related reporting and analysis should feed back into an LFI’s financial crimes risk assessment, and LFI management should use this information to ensure that the institution’s customers and transactions remain within the LFI’s risk appetite and that activity exceeding its risk appetite is addressed through appropriate risk mitigation measures, up to and including account activity restrictions and customer exit.

        • 3.7. Post-Implementation Testing, Tuning, and Validation

          On a periodic basis and in the event of material system output or operational irregularities, LFIs should reassess the functionality of sanctions screening systems and processes, including threshold settings, screening rules, and the accuracy and completeness of data used in the screening process. Any proposed material adjustments to sanctions screening search logic should be subject to pre-implementation testing using sample or historical data to ensure the proper functioning of the new or revised logic, and reflected in updated sanctions screening documentation.

          Sanctions screening model testing and validation should be performed by individuals with sufficient expertise and an appropriate level of independence from the model’s development and implementation. Generally, validation should be done by people who are not responsible for the development or use of the sanctions screening model and do not have a stake in whether a model is determined to be valid. Independence may be supported by the separation of reporting lines (as where model validation is performed by an internal audit department as part of independent testing of the sanctions compliance program) or by the engagement of an external party not responsible for model development or use. As a practical matter, some validation work may be most effectively done by model developers and users; it is essential, however, that such validation work be subject to critical review by an independent party, who should conduct additional activities to ensure proper validation. All model validation activities and identified issues should be clearly documented, and management should take prompt action to address model issues.

      • 4. Program Governance and Oversight

        The following sections outline program governance expectations relating to TM and sanctions screening systems and processes.

        • 4.1. Oversight, Management Reporting, and Auditing

          The LFI’s board of directors and senior management should exercise active oversight of the institution’s key financial crimes risks and the controls in place to mitigate those risks. The board (or a board-designated committee) and senior management should receive regular reports on the institution’s key risks and trends and the overall performance of AML/CFT and sanctions controls, and should review the institution’s financial crimes risk assessment, any AML/CFT and sanctions audit and regulatory reports, and the institution’s written AML/CFT and sanctions program. The AML/CFT and sanctions program should be subject to senior management approval, and the board and senior management should ensure that clear, current, and appropriate policies and procedures are put in place and that there are effective TM and sanctions screening systems supported by adequate internal expertise and resources.

          TM and sanctions screening functions should be given clear and distinct responsibilities for their respective tasks in the TM and sanctions screening process chain (e.g., for alert handling and the filing of STRs/SARs). Additionally, as detailed above, LFIs are expected to implement effective reporting systems, to include quantitative MIS reports as well as qualitative analysis of key risks and trends as appropriate, to ensure that their board and senior management are updated on key financial crimes risks in a timely manner. Any data quality or system functionality or output issues should be documented and tracked, and the status of remedial actions should be reported regularly to senior management.

          TM and sanctions screening programs should be subject to independent testing by internal or external auditors with sufficient technological expertise and understanding of ML/TF/PF and sanctions risks and requirements. The LFI’s independent testing function (whether internal or external) should ensure adequate TM and sanctions screening coverage of the LFI’s customers, products, services, delivery channels, and geographies and may perform model testing and validation, as detailed above, as part of its AML/CFT and sanctions independent testing plan and methodology; otherwise, model testing and validation should be performed at periodic, risk-based intervals by a qualified and independent third party.

        • 4.2. Use of Vendors and Other Third Parties

          LFIs may use externally provided TM or sanctions screening services and other third-party providers to fulfil their legal and regulatory obligations to monitor and screen their customers and transactions. However, LFIs are ultimately responsible for complying with AML/CFT and sanctions requirements, even if they choose to use third-party models to assist with their compliance obligations.

          The selection of a third-party system or service should be guided by the LFI’s size, geographic footprint, business and technology environments, and financial crimes risks, as well as functional requirements, such as the volume of data to be screened, the degree to which TM and sanctions screening processes will be centralized across business lines within the LFI, the nature of existing data integrity processes, and the ability of the application to integrate effectively within an LFI’s technological infrastructure. When selecting a vendor, LFIs should require the vendor to provide developmental evidence explaining the product components, design, and intended use, so as to determine whether the model is appropriate for the LFI’s products, exposures, and risks. Vendors should provide appropriate testing results that show their product works as expected. They should also clearly indicate the model’s limitations and assumptions and where the product’s use may be problematic. LFIs should expect vendors to conduct ongoing performance monitoring and outcomes analysis, with disclosure to their clients, and to make appropriate modifications and updates over time.

          LFIs are expected to validate their own use of vendor products. External models may not allow full access to computer coding and implementation details, so the LFI may have to rely more on sensitivity analysis and benchmarking. Vendor models are often designed to provide a range of capabilities and so may need to be customized by an LFI for its particular circumstances. An LFI’s customization choices should be documented and justified as part of validation. If vendors provide input data or assumptions, or use them to build models, their relevance for the LFI’s situation should be assessed. LFIs should obtain information regarding the data used to develop the model and assess the extent to which that data is representative of the LFI’s situation. The LFI also should conduct ongoing monitoring and outcomes analysis of vendor model performance using the LFI’s own outcomes. Systematic procedures for validation help the LFI to understand the vendor product and its capabilities, applicability, and limitations. Such detailed knowledge is necessary for basic controls of an LFI’s operations. It is also very important for the LFI to have as much knowledge in-house as possible, in case the vendor or the LFI terminates the contract for any reason, or if the vendor is no longer in business. LFIs should have contingency plans for instances when the vendor model is no longer available or cannot be supported by the vendor.

        • 4.3. Role-Specific Training

          LFIs should ensure that personnel responsible for performing TM and sanctions screening roles receive training that covers key financial crimes risks faced by the institution (such as common ML/TF/PF or sanctions evasion typologies), complex and higher-risk customer and transaction types relevant to TM and sanctions screening processes, applicable legal and regulatory requirements, and internal policies, procedures, and processes. Training should be tailored to each individual’s specific responsibilities and include desktop procedures or instructions for the use of any TM or sanctions screening systems or other technology relevant to the individual’s role.

          An LFI’s TM and sanctions screening training should be based on an assessment of the institution’s training needs, incorporated into wider AML/CFT and sanctions training plans and programs, and subject to completion tracking and escalation procedures to ensure timely completion of mandatory training by all relevant personnel. Mandatory training should also be extended to any staff located abroad whose responsibilities cover accounts booked in or activity flowing into, out of, or through the UAE.

        • 4.4. Record Keeping

          According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, LFIs must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, copies of personal identification documents, including STRs/SARs and results of any analysis performed. LFIs must maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions.

          Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. LFIs must make the records available to the competent authorities immediately upon request.

          The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.

      • Annex 1. Synopsis of the Guidance

        Purpose of this Guidance
        Purpose | The purpose of this Guide is to assist the understanding and effective performance by CBUAE licensed financial institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE relating to the design, implementation, and maintenance of effective transaction monitoring and sanctions screening programs.
        Applicability | This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies and other LFIs as well as insurance companies.
        Transaction Monitoring Risk Assessment | An LFI's risk assessment should include, at a minimum, an assessment of the customers, products and services, delivery channels, and geographic exposure presenting the greatest money laundering ("ML"), terrorist financing ("TF"), and proliferation financing ("PF") risks, as well as the strength of the controls currently in place to mitigate these risks. The risk assessment should be updated at periodic intervals (at least annually or otherwise as appropriate and justified by the required circumstances) and also upon the occurrence of "trigger events" such as material changes in the LFI's business or risk profile or the legal and regulatory environment.
        Risk-Based Deployment of TM Controls | In all cases, the type and degree of monitoring should appropriately match the ML/TF/PF risks of the institution's customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an LFI's business lines or units, where applicable. TM programs should also be calibrated to the size, nature, and complexity of each institution. Where practicable and on a risk basis, LFIs should monitor transactions at the customer or relationship level, including across financial groups, and not only on an individual account basis, so as to obtain a complete view of a customer's transaction profile.
        Data Identification and Management | LFIs should identify and document all data sources that serve as inputs into their TM program. LFIs should test and validate the integrity, accuracy, and quality of data to ensure that accurate and complete data is flowing into their TM program. In addition, LFIs should put in place appropriate detection controls, such as the analysis of trends through management information systems (MIS) data and the generation of exception reports, to identify abnormally functioning TM rules or scenarios and ensure they are appropriately diagnosed and remediated.
        Rule Definition and Pre-Implementation Testing | LFIs should employ TM detection rules or scenarios that are designed to identify potentially suspicious or illegal transactions and elevate them for further review and investigation, as warranted. To this end, LFIs should:
        • Perform a typology assessment to design appropriate rule- or scenario-based automated monitoring capabilities and processes;
        • Perform risk-based customer and product segmentation, so that rule parameters and thresholds are appropriately calibrated;
        • Consider employing statistical tools or methods such as above-the-line and below-the-line testing, to better fine-tune their calibrations and reduce the volume of false-positive alerts; and
        • Perform pre-implementation testing of TM rules and systems to ensure compatibility of the TM system with source systems and other AML/CFT compliance infrastructure to ensure that it performs as anticipated in the operating environment.
        Alert Scoring and Prioritization | LFIs may consider assigning risk-weighted scores to TM alerts in order to prioritize higher-risk alerts for expedited review. LFIs with larger TM alert review and investigation teams may likewise opt to allocate higher-scoring alerts to more senior investigators or those with specialized expertise in certain risk areas.
        Outcomes Analysis and MIS Reporting | LFIs should document and track TM outputs in order to identify and address any technical or operational issues and understand key risks or trends over time. In addition, LFIs should ensure that senior management is regularly updated on the performance and output of their TM program, including through the provision of metrics, trends, and other MIS reporting.
        Post-Implementation Testing, Tuning, and Validation | On a periodic and event-driven basis, LFIs should reassess the functionality of TM systems and processes, including the continued relevancy of detection scenarios and assumptions and the calibration of rule threshold values and parameters. TM model testing and validation should be performed by individuals with sufficient expertise and appropriate level of independence from the model's development and implementation. All model validation activities and identified issues should be clearly documented, and management should take prompt action to address model issues.
        Sanctions Screening Risk Assessment | The LFI's risk assessment should include, at a minimum, an assessment of the customers, products and services, delivery channels, and geographies presenting the greatest sanctions risks, as well as the strength of the controls in place to mitigate these risks. The risk assessment should be updated at periodic intervals (at least annually or otherwise as appropriate and justified by the required circumstances) and also upon the occurrence of "trigger events," such as material changes in the LFI's business or risk profile or its legal and regulatory environment.
        Risk-Based Deployment of Sanctions Screening Controls | Sanctions screening programs should be appropriately calibrated to the sanctions risks presented by the institution's customers, products and services, delivery channels, and geographic exposure and may vary across an LFI's business lines or units, where applicable. Sanctions screening controls should also be calibrated to the size, nature, and complexity of each institution. LFIs should apply additional or more rigorous sanctions controls—such as enhanced customer or transactional due diligence, increased monitoring for sanctions evasion, and specialized training for personnel in high-risk roles—to areas of heightened sanctions risk.
        Data Identification and Management | LFIs should identify and document all data sources that serve as inputs into their sanctions screening program and test and validate the integrity, accuracy, and quality of data flowing into their sanctions screening program. In addition, LFIs should put in place appropriate detection controls, such as MIS trends analysis and exception reports, to identify abnormally functioning screening logic to ensure such irregularities are appropriately diagnosed and remediated.
        Screening Program Design and Pre-Implementation Testing | LFIs should perform pre-implementation testing of screening systems to ensure compatibility with source systems and other sanctions compliance infrastructure to ensure it performs as anticipated in the operating environment. Name screening (whether automated or manual) must be performed prior to the onboarding of a customer and/or the facilitation of an occasional transaction and on an ongoing basis (at least daily) thereafter. LFIs should screen all payments prior to completing the transaction (also referred to as "real-time" screening), utilizing all transaction records necessary to the movement of value between parties. Transaction screening should be performed at a point in time where a transaction can be stopped and before a potential violation occurs.
        List Management | LFIs should establish and implement sanctions list management procedures that enable the institution's sanctions screening program to adjust rapidly to changes published by sanctions authorities. List management procedures should be documented and subject to periodic review to ensure that list management practices remain aligned to the LFI's risk profile and risk appetite.
        Outcomes Analysis and MIS Reporting | LFIs should document and track screening outputs in order to identify and address any technical or operational issues and understand key risks or trends over time. In addition, LFIs should ensure that senior management is regularly updated on the performance and output of their screening program, including through the provision of metrics, trends, and other MIS reporting.
        Post-Implementation Testing, Tuning, and Validation | On a periodic and event-driven basis, LFIs should reassess the functionality of sanctions screening systems and processes, including threshold settings, screening rules, and the accuracy and completeness of data used in the screening process. Sanctions screening model testing and validation should be performed by individuals with sufficient expertise and level of independence. All model validation activities and identified issues should be clearly documented, and management should take prompt action to address model issues.
        Program Governance and Oversight
        Oversight, Management Reporting, and Auditing | LFIs' board (or board-designated committee) and senior management should receive regular reports on the key risks and trends and overall performance of the AML/CFT and sanctions controls. TM and sanctions screening functions should be given clear and distinct responsibilities for their tasks. TM and sanctions screening programs should be subject to independent testing by internal or external auditors.
        Use of Vendors and Other Third Parties | LFIs may use externally provided TM or sanctions screening services. However, LFIs are ultimately responsible for complying with AML/CFT and sanctions requirements. Systematic procedures for validation help the LFI to understand the vendor product and its capabilities, applicability, and limitations.
        Role-Specific Training | LFIs should ensure that TM and sanctions screening personnel receive role-specific training that covers key financial crimes risks, complex and higher-risk customer and transaction types, applicable legal and regulatory requirements, internal policies, procedures, and processes.

         

    • Guidance for Licensed Financial Institutions Providing Services to Cash-intensive Businesses

      Effective from 27/9/2021
      • 1. Introduction

        • 1.2 Applicability

          Unless otherwise noted, this Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories:

           National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
           Insurance companies, agencies, and brokers.
           
        • 1.4 Definitions

          Bearer Negotiable Instruments: Financial instruments of whatever form, whether in the form of a bearer document, such as: traveler’s cheques; promissory notes and cheques, payment orders, or others. These instruments may either be in bearer form, endorsed without restriction, made out to a fictitious payee, or otherwise in such form that title thereto passes upon delivery; or may be incomplete instruments (including cheques, promissory notes and money orders) signed, but with the payee’s name omitted.

          CBUAE Regulations: Any resolution, regulation, circular, rule, instruction, standard or notice issued by the Central Bank.

          Cash Couriers: Natural persons who physically transport currency and bearer negotiable instruments on their person or accompanying luggage from one jurisdiction to another.

          Cash or Currency: Banknotes and coins that are legal tender in circulation as a medium of exchange.

          Cross-Border Transportation of Currency or Bearer Negotiable Instruments: Any in-bound or outbound physical transportation of currency or bearer negotiable instruments from one country to another country. The term includes the following modes of transportation: (1) physical transportation by a natural person, or in that person’s accompanying luggage or vehicle; (2) shipment of currency through containerized cargo; or (3) the mailing of currency or bearer negotiable instruments by a natural or legal person.

          Predicate Offense: Any act constituting a felony or misdemeanor under the applicable laws of the UAE whether this act is committed inside or outside the UAE when such act is punishable in both countries.

           

      • 2. Understanding Risks

        • 2.1 Vulnerabilities of Cash

          The FATF’s Mutual Evaluation Report of the UAE issued in April 2020 stated that, as the UAE is a cash-intensive economy and plays an important part in global trade, there are significant risks associated with the cross-border movement of cash and bearer negotiable instruments, including bulk-cash smuggling that is associated with third-party money laundering risks.

          As a major medium of exchange in the UAE, cash is particularly vulnerable to abuse by illicit actors to conduct money laundering activities and finance criminal activities. The specific characteristics of cash (anonymity, interchangeability, and transportability) make it an attractive method for illicit actors seeking to conceal the proceeds of crime. Unlike other monetary instruments, such as credit cards or wire transfers, cash holds no record of its source or owner, can be easily concealed in large quantities, and is difficult to trace once spent. Cash transactions are also instantaneous and widely accepted across jurisdictions.

          Criminal activity—or a predicate offense—is often cash based. A predicate offense for money laundering is the underlying criminal activity that generates proceeds. Criminals then seek to “launder” these illicit proceeds, which leads to the offense of money laundering. The FATF Recommendations identify “designated categories of offenses”2 as the following:

           Participation in an organized criminal group and racketeering;
           Terrorism, including financing of terrorism and illegal organisations;
           Trafficking in human beings and migrant smuggling;
           Sexual exploitation, including sexual exploitation of children;
           Illicit trafficking in narcotic drugs and psychotropic substances;
           Illicit arms trafficking;
           Illicit trafficking in stolen and other goods;
           Corruption and bribery;
           Fraud;
           Counterfeiting currency;
           Counterfeiting and piracy of products;
           Environmental crime;
           Murder, grievous bodily injury;
           Kidnapping, illegal restraint, and hostage-taking;
           Robbery or theft;
           Smuggling;
           Tax crimes;
           Extortion, Forgery;
           Piracy; and
           Insider trading and market manipulation.

          The FATF expects countries to include the above-mentioned list at a minimum. The UAE’s definition of Predicate Offense is broader and includes any act constituting a felony or misdemeanor under the applicable laws of the UAE, whether this act is committed inside or outside the UAE when such act is punishable in both countries.


          2 Available at https://www.fatf-gafi.org/glossary/d-i/

        • 2.2 Vulnerabilities of Alternatives to Cash

          Illicit actors also use various monetary instruments in conjunction with, or as a replacement to, cash. Both bearer negotiable instruments and prepaid cards for instance offer similar benefits to cash, including anonymity and accessibility. They can store large amounts of value in a compact physical size that makes them potentially vulnerable to abuse by illicit actors who use them instead of cash to make physical cross-border transportations of value. Illicit actors seeking to avoid an LFI’s identification and verification requirements can exploit the ease of payment offered by bearer negotiable instruments and prepaid cards for the purpose of moving their proceeds—thus obscuring the origin of the funds—and converting them to payments for other goods or services. This may also include obtaining funds in one jurisdiction and having access to cash withdrawals in another jurisdiction. Additional characteristics and associated vulnerabilities of bearer negotiable instruments and prepaid cards are discussed below.

          • 2.2.1 Bearer Negotiable Instruments

            Bearer negotiable instruments are financial instruments of whatever form, whether in the form of a bearer document, such as traveler’s cheques, promissory notes and cheques, payment orders, or other forms that can be attractive to illicit actors as alternatives to cash. Bearer negotiable instruments provide the opportunity to move large amounts of funds in bearer form without the bulkiness of cash. They are transferable documents that provide unconditional guarantees of cash payments either on demand or at a future date. The individual who issues a negotiable instrument is known as the ‘payer’ or ‘issuer,’ and the person who receives a negotiable instrument is known as the ‘bearer’ or ‘payee’.

            Bearer negotiable instruments often include the instruction 'pay to the bearer', meaning the bearer would be the person in physical possession of the instrument. The risk, in this scenario, is that the holder is a criminal and/or not the intended payee of the negotiable instrument. Bearer negotiable instruments are also unique in that they can be easily transferred from one party to another, which effectively obscures the paper trail on the ‘payer’ or ‘issuer’, and enables illicit actors to distance the proceeds of crime from the illegitimate source. LFIs should seek to mitigate these risks by continuing to accept cash and third-party cheques as long as the due diligence measures regarding the person presenting the cheque have been duly conducted by the LFI.

          • 2.2.2 Prepaid Cards

            Prepaid cards can be used as an alternative to cash in that they provide access to funds that have been paid in advance. Funds can be claimed or transferred through an electronic device, such as through a card, code, electronic serial number, mobile identification number, or personal identification number within either an "open" or "closed" loop system:

             “Open loop” prepaid cards can be used for purchases at any merchant where that brand of the card is accepted and offer access to cash at any automated teller machine (“ATM”) that connects to the affiliated ATM network. Some prepaid cards may be reloaded, allowing the cardholder or a third party (such as an employer) to add value to the card. For example, a travel card can allow cardholders to top up at various locations, including online and at kiosks, and then allows cardholders to utilize the card to purchase local travel as well as goods or services at various participating stores.
             
             “Closed loop” prepaid cards generally can only be used to buy goods or services from the issuing merchant of the card or a select group of merchants that participate in that specific network. These cards generally do not allow for cash access, although they can often be re-sold through third-party websites in exchange for other closed loop cards or payments. For example, a chain of coffee shops may offer reloadable cards that can only be used to purchase goods at the coffee shop.
             

            Prepaid cards can be abused by illicit actors seeking to launder money and finance terrorist activities. For instance, both open and closed loop prepaid cards can be utilized in conjunction with, or as a replacement to, bulk cash smuggling. Specifically, drug traffickers have been known to convert cash derived from narcotic sales to prepaid debit cards, which they then use to purchase goods and services or send to narcotic suppliers, who in turn use the cards to withdraw cash from an ATM. In addition, funds can be loaded onto prepaid cards in support of terrorist activities, such as purchasing various products and services whether buying a terrorist a plane ticket or providing other resources (e.g. car rental or hotel) to support a terrorist group.

            When assessing the risks associated with prepaid cards, LFIs should consider the specific risks posed by the features and functionalities of the monetary instrument. If the cardholder is anonymous, or if the holder or purchaser provides false information on their identity for instance, the money laundering and financing of terrorism and illegal organisations risks are higher. In addition, LFIs should evaluate the risks associated with cash access, and the volume and velocity of funds that can be loaded and retrieved on prepaid cards. Further risk factors include type and frequency of loads and transactions, geographic location where the transaction activity occurs, value limits, distribution channels, and the nature of funding sources.

        • 2.3 Vulnerabilities of Cash-Intensive Businesses

          • 2.3.1 Types of Cash-Intensive Businesses

            Cash-intensive businesses are businesses that experience a high volume of cash flows. However, because cash-based transactions are inherently difficult to trace, as discussed above, cash-intensive businesses may potentially be used as vehicles for money laundering and the financing of terrorism and illegal organisations. Businesses that generate a large volume of cash revenue may be susceptible to abuse by illicit actors that integrate the proceeds of crime into the banking system under the guise of legitimate business. In particular, they may exploit cash-intensive businesses for money laundering and the financing of terrorism and illegal organisations by using cash-intensive businesses to:

             Provide a front to launder large amounts of cash and reinvest cash proceeds of crime in the economy;
             
             Co-mingle illicit and legitimate income; and
             
             Finance, though often through small amounts of cash, terrorist activities without traceability.
             

            Cash-intensive businesses span across various industry sectors. Most of these businesses are operating a legitimate business; however, some aspects of these businesses may be vulnerable to money laundering or the financing of terrorism and illegal organisations. Examples of cash-intensive businesses include but are not limited to the following:

             Convenience stores;
             
             Retail stores;
             
             Restaurants;
             
             Wholesale or general trading businesses;
             
             Travel agencies and tour operators; and
             
             Car dealers.
             

            In addition, please consult the CBUAE’s Guidance for Licensed Financial Institutions providing services to the Real Estate and the Precious Metals and Stones sector3 for further information.

            LFIs may expand on the above by considering additional factors when identifying cash-intensive businesses in their customer base. For example, LFIs can define cash-intensive businesses based on specific criteria, such as whether a given proportion or more of the business’ revenue is in cash or whether the business has monthly cash revenue above a certain threshold. In either scenario, the definition of cash-intensive business should be determined by the LFI, justified by a sound methodology that considers various factors including risk and characteristics, documented in the LFI’s policies and procedures, and approved by the LFI’s senior management.

            The LFI should monitor whether the cash-intensive business appears to generate unusual transactions compared to the business’ expected activity and profile, and with other similar cash-intensive businesses. For example, a small business making significantly larger amounts of cash deposits than other businesses of a similar size in the same industry should be reviewed for potential money laundering activity. The extent of the vulnerability presented by cash-intensive businesses may be particularly severe due to large volumes of cash transactions, limited record keeping, and high customer turnover. LFIs should therefore understand the nature and purpose of the business relationship and expected activity of the customer in order to identify types of transactions that appear to be unusual, potentially suspicious, and/or inconsistent with the customer’s profile and stated purpose of the account.

            The following sections examine common features of cash-intensive businesses that impact risk. LFIs should consider the specific risks posed by these features to determine whether the customer is considered as high-risk and should be subject to enhanced due diligence (“EDD”) measures. LFIs should incorporate this assessment into their AML/CFT program and update their policies, procedures, and processes with the aim to detect illicit activity and manage illicit financing risks.


            3 Available at https://www.centralbank.ae/en/cbuae-amlcft

            • 2.3.1.1 Cross-Border Movement of Cash and Cash Couriers

              Cash-intensive businesses may move cash across borders as part of their business model. Cross-border movement of licit cash can be legal, subject to compliance with reporting and other relevant legal and regulatory requirements. However, criminals may also seek to move cash across borders; according to FATF, the physical transportation of cash across an international border is “one of the oldest and most basic forms of money laundering” and is still widely used today.4 The criminal economy tends to be cash-based with illicit proceeds of crime moving quickly and anonymously, including across borders. Illicit actors often choose to remove their illicit assets from a bank account in order to obscure the audit trail by transporting it to another country where they can spend the cash on goods or services or reintroduce the cash into the financial system. Illicit actors who generate cash proceeds also seek to move their profits to jurisdictions that will allow the placement of cash into the legal economy without detection. Their selection of a jurisdiction can be driven by the predominant use of cash in that jurisdiction, the weaker AML/CFT controls of a jurisdiction’s financial system including few or no restrictions on cash payments, or a jurisdiction’s reputation as a banking secrecy haven. Illicit actors can exploit the high volume of passenger, cargo, and mail movements into and out of jurisdictions to move cash without attracting the attention of authorities.

              Cash-intensive businesses may utilize cash couriers to move cash across borders. Cash couriers are natural persons who physically transport currency and bearer negotiable instruments on their person or accompanying luggage from one jurisdiction to another. Couriers may be directly involved in the underlying crime or may be third parties recruited specifically to move money to another jurisdiction. Mechanisms to conceal the cash include hiding it within pieces of clothing on the person (such as a money belt) or within luggage, or even concealing it internally. Cash couriers may use air, sea, or rail transport to cross an international border and typically use high denomination banknotes, which reduces size and bulk compared with low denomination banknotes.

              Specifically, movements of cash across an international border are used to:

               Launder proceeds of crime by placing them in another jurisdiction, typically with weaker AML/CFT controls.
               Move illicit value to purchase assets that can hold considerable value, such as luxury goods, or transfer the value of the funds for them to be stored.
               Hide proceeds from authorities and complicate asset recovery.
               

              It is not illegal to move cash into or out of the UAE. However, natural or legal persons must declare upon entering or leaving the UAE any currencies, bearer negotiable instruments, precious metals and stones above the threshold of AED 60,000. The relevant extract of the Regulation on the Declaration of Currencies, Bearer Negotiable Instruments, and Precious Metals and Stones in Possession of Travelers Entering or Leaving the UAE (issued in the Official Gazette No 703 dated 31/05/2021) is in the box below.

              Article (8) of Federal Decree-Law No. (20) of 2018 on Anti Money Laundering and Combating the Financing of Terrorism and the financing of Illegal Organizations stipulates that (when entering or leaving the country, any person must declare the currencies or bearer negotiable financial instruments, precious metals or stones of value, in accordance with the declaration regulation issued by the Central Bank).

              Accordingly, the Board of Directors of the Central Bank has decided that the maximum threshold for currencies, bearer negotiable instruments, and precious metals and stones, shall be in accordance with the table below, and shall apply to all forms of physical cross-border transportation, whether by travelers or through mail and cargo. Bearer negotiable instruments mean financial instruments of whatever form, whether in the form of a bearer document, such as travelers checks, promissory checks, payment orders, or others. Based on the above, any natural or legal person shall declare upon entering or leaving the UAE any currencies, bearer negotiable instruments, precious metals and stones above the threshold specified in the table and shall provide an honest and clear answer and adequate information to the Customs authority and its staff upon request. Declarations shall also be made for currencies, bearer negotiable instruments, precious metals or stones of a value exceeding the specified threshold crossing the border through cargo, mail or shipments transported using transport service companies using the official customs systems of the UAE.

               

              Maximum threshold for currencies, bearer negotiable instruments, and precious metals and stones

              Currencies/Instruments/Metals/Precious stones | Threshold above which declaration is required
              1. Currencies (UAE Dhrs or equivalent in other currencies) | UAE Dhrs 60,000 or equivalent in any other currencies
              2. Any type of bearer negotiable instruments | UAE Dhrs 60,000 or equivalent in any other currencies
              3. Precious metals with high economic value in any form, type or classification, provided they are not intended for commercial purposes or transported by a traveler that engages in the same trade or a traveler that transports such materials as a profession and frequently visits the department or the customs port. | UAE Dhrs 60,000 or equivalent in any other currencies
              4. Precious stones with high economic value in any form, type or classification, provided they are not intended for commercial purposes or transported by a traveler that engages in the same trade or a traveler that transports such materials as a profession and frequently visits the department or the customs port. | UAE Dhrs 60,000 or equivalent in any other currencies

               

              Understanding whether customers have made any such declarations in accordance with the Regulation should form part of any due diligence by the LFIs where required. As part of due diligence, LFIs may require additional information on the customer or the transaction, including the source of funds and relevant documentation.

              Potential Risk Indicators:

                o Transactions involving locations or customers originating from locations with poor AML/CFT regimes or high exposure to corruption.
                o Significant and/or frequent cash deposits or currency exchanges made over a short period of time.
                o Customer is in possession of money supposedly for business reasons while travelling to countries where cash payments are restricted.
                o Customer requests to purchase, or has possession of, large volumes of high denomination banknotes.
                o Customer requests to purchase, or has possession of, large amounts of foreign currency without a plausible explanation.
                o Customers who use false identification or offer different identifications on separate occasions.
               

              4 FATF “Money Laundering through the Physical Transportation of Cash” (October 2015), available at: https://www.fatf-gafi.org/media/fatf/documents/reports/money-laundering-through-transportation-cash.pdf

            • 2.3.1.2 Cash Deposits

              Cash-intensive businesses can be expected to make cash deposits, which is legal and a natural fit with their business model. Illicit actors, however, will seek ways to place their illicit cash into the financial system. Illicit actors involved in cash generating crimes frequently need to use a significant portion of the cash they have acquired to pay for the illicit goods they have sold, to purchase additional goods, and to pay the various expenses incurred in acquiring or transporting the goods. As part of the money laundering process, individuals seek to use the proceeds of crimes by disguising the origin of the funds as legitimate economic activities. Terrorists also seek to finance, often through small amounts of cash, terrorist activities without traceability. LFIs should therefore be aware of cash deposits placed into the banking system that involve high-risk customers and/or geographical areas, third parties without a relationship to the customer, and transactions that lack an apparent business purpose. LFIs should, as the case may be, undertake CDD measures on the third party cash depositors transacting in any accounts above the threshold specified in Article 6 of the AML-CFT Decision. LFIs should also obtain appropriate information regarding the source of cash deposited in a customer’s account as well as mandate the use of Emirates ID for cash deposits in ATMs.

               Potential Risk Indicators:
                o Large cash deposits followed immediately by withdrawals or electronic transfers.
                o Large cash deposit followed by an immediate request that the money be wired out or transferred to a third party, without any apparent business purpose.
                o Frequent cash deposits by multiple individuals into a single bank account, followed by international wire transfers and/or international withdrawals through ATMs.
                o Large cash deposit is followed within a short time by wire transfers to high-risk jurisdictions.
                o Numerous cash deposits made in different bank branches over a short period of time.
                o Frequent cash deposits in small amounts, without any apparent business purpose or reasonable grounds.
                o Customers who use false identification or offer different identifications on separate occasions.
               
            • 2.3.1.3 Currency Exchanges

              Cash-intensive businesses may include currency exchanges as legitimate providers of services. Currency exchanges, however, can also be an attractive vehicle that illicit actors seek to exploit to enter the financial system and transfer their funds. According to the FATF, the simplicity and certainty of currency exchange transactions and the anonymity and portability of cash make them attractive to money laundering and the financing of terrorism and illegal organisations.5 Once the money has been exchanged, it is difficult to trace its origin. There are two different ways to perform a currency exchange: (1) the use of cash to exchange and transfer the funds; or (2) the use of the internet to perform the currency exchange and transfer the funds to a bank account.

               Potential Risk Indicators:
                o Significant and/or frequent local or foreign currency exchanges.
                o Opening of foreign currency accounts with no apparent business or economic purpose.
                o Customers who know little about or are reluctant to disclose details about the payee, or customers or parties with no apparent ties to the destination country.
                o Suspicion that the customer is acting on behalf of a third party but not disclosing it.
                o Transactions involving charities and other non-profit organizations, which are not properly licensed or registered. LFIs are reminded that when opening any accounts for non-profit organisations, they must obtain an original signed letter from the Ministry of Community Development for opening accounts to collect donations and an authorization from the UAE Red Crescent for conducting financial transfers out of the UAE through some of these accounts.
                o Customers who use false identification or offer different identifications on separate occasions.
                o Customers who receive transfers in seasonal patterns or transactions in a pattern consistent with criminal proceeds.
               

              5 FATF “Money Laundering through Money Remittance and Currency Exchange Providers” (June 2010), available at: https://www.fatf-gafi.org/media/fatf/ML%20through%20Remittance%20and%20Currency%20Exchange%20Providers.pdf

      • 3. Mitigating Risks

        Effective risk mitigation is critical to protecting the LFI, complying with its legal obligations, and meeting supervisory expectations. When establishing and maintaining relationships with cash-intensive businesses, LFIs should establish policies, procedures, and processes to identify higher-risk relationships, assess AML/CFT risks of the cash-intensive business, conduct due diligence at account opening and throughout the relationship, and monitor these relationships for unusual or potentially suspicious activity. When performing a risk assessment of cash-intensive businesses, LFIs should allocate resources to those accounts that pose the greatest risk of money laundering or financing of terrorism and illegal organisations. To that end, LFIs should understand their risk and take effective, risk-based steps to protect themselves from abuse and from illicit actors and transactions.

        The sections below discuss how LFIs can apply specific preventive measures to identify, manage, and mitigate the risks associated with cash-intensive businesses. LFIs should consult the legal and regulatory framework currently in force, the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations for Financial Institutions, and the guidance issued by the CBUAE for further information.6 The controls discussed below should be integrated into the LFI’s larger AML/CFT compliance program and supported with appropriate governance and training.


        6 Available at https://www.centralbank.ae/en/cbuae-amlcft.

        • 3.1 Risk-Based Approach

          LFIs must take a risk-based approach to the preventive measures they put in place for all customers, including cash-intensive businesses. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision. The risk-based approach has three principal components:

          • 3.1.1 Conducting an Enterprise Risk Assessment

            As required by Article 4.1 of AML-CFT Decision, the enterprise risk assessment must reflect the presence of higher-risk customers, including cash-intensive business customers, in an LFI’s customer base. These assessments should in turn be reflected in the LFI’s inherent risk rating. In addition, the LFI’s controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its cash-intensive business customers, including the preventive measures discussed below.

          • 3.1.2 Identifying and Assessing the Risks Associated with Specific Customers

            The LFI is expected to assess the risk of each customer to identify those that require EDD and to support its entity risk assessment. In assessing the risks of a cash-intensive business, LFIs should consider:

             i. Geographic Risk: LFIs should assess the risks associated with the jurisdictions in which the business is registered/headquartered and where it operates, including the jurisdictions where it has subsidiaries, where it sources its products (where relevant), and where its main counterparties are based. These may include the overall risk of money laundering, financing of terrorism and illegal organisations, and financing of proliferation, as well as what is known regarding the prevalence of abuse of entities in these sectors. There are a number of sources that LFIs can use to develop a list of high-risk countries, jurisdictions, or regions. LFIs should consult any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC)7, the UAE Financial Intelligence Unit (UAE FIU), and the FATF, including the FATF’s list of jurisdictions subject to countermeasures and to increased monitoring. LFIs may also use public free databases such as, for example, the Basel AML Index8 or the Transparency International Corruption Perceptions Index.9 LFIs should not solely rely on public lists, however, and should consider their own experiences and the nature of their exposure to each jurisdiction when assessing the risk of that jurisdiction.

             ii. Customer Risks: LFIs should assess the type of cash-intensive business, the maturity of that relationship (if the relationship is a long-term business relationship of the LFI), and other characteristics of the business relationship, such as the customer’s ownership structure. Cash-intensive businesses that have a complex legal ownership structure, for example, may be higher risk than those with simpler ownership structures.

             iii. Product, Service, and Delivery Channel Risk: LFIs should assess risk in this category based on the products and services that the customer intends to use, and the delivery channels through which the LFI will provide these services. LFIs should draw on their entity risk assessment to assess the risk of the products and services each customer uses or intends to use. (See also Section 3.2.3 below in relation to understanding the nature of the customer’s business and purpose of the business relationship.)
             

            Questions that an LFI may ask to determine the risk profile of a cash-intensive business include, but are not limited to:

             Where is the business incorporated? Where does it operate? Are these high-risk jurisdictions?
             What type of industry does the cash-intensive business operate in?
             What types of products and services is the business requesting?
             What is the intended volume, frequency, and nature of cash transactions that the cash-intensive business intends to conduct through its account?
             What is the regulatory environment in the jurisdiction(s) where the cash-intensive business is incorporated/has operations?
             What is the ownership structure of the customer? Do the customer’s beneficial owners, shareholders, directors, and senior managers reside in a high-risk jurisdiction?
             What is the availability of information on the customer? Is the customer cooperating with the LFI to provide all the necessary customer due diligence (“CDD”)/EDD information to the LFI?
             If the customer is an existing customer, does the customer have a history of Suspicious Transaction Report (“STR”) filings?
             

            7 Available at: https://www.namlcftc.gov.ae/en/high-risk-countries.php
            8 Available at: https://baselgovernance.org/basel-aml-index
            9 Available at: https://www.transparency.org/en/cpi/2020/index/nzl

          • 3.1.3 Applying EDD and other Preventive Measures

            Where the LFI determines a customer to be higher-risk, Article 4.2(b) of AML-CFT Decision requires that the LFI apply EDD. EDD is also required for specified higher-risk customer types, no matter their risk rating:

             Customers who are Politically Exposed Persons (“PEPs”) or that are owned or controlled by PEPs;
             
             Customers from higher-risk jurisdictions; and
             
             Customers with whom the LFI is establishing a correspondent relationship.
             

            EDD measures should be designed to mitigate the specific risks identified with particular customers. Examples of EDD measures are described below in Section 3.2.

        • 3.2 Customer Due Diligence and Enhanced Due Diligence

          CDD, and where necessary EDD, are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. As discussed below, each stage of the CDD process gives LFIs an opportunity to collect the information they need to identify and manage the specific risks of higher-risk customers.

          The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Where an LFI cannot satisfy itself that it understands a customer, then it should not accept it as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing an STR, as discussed in Section 3.3.2.

          Under Article 5 of AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. Although Article 5 permits CDD to be delayed in circumstances of lower risk, the potential higher risk of cash-intensive businesses makes it unlikely that delayed CDD will be appropriate in the context of onboarding such customers. To this end, at the time of account opening, the LFI should seek to understand the cash-intensive business’ operations and business structure, the intended use of the account (including anticipated transaction volume, products, and services used), the geographic location(s) involved in the relationship, and jurisdiction(s) of operations. As part of collecting this information, the LFI should also assess the availability of information on the cash-intensive business and cooperation of the business in providing information to the LFI.

          The following elements of CDD should be carried out for all customers, no matter the customer type.

          • 3.2.2 Beneficial Owner Identification

            The majority of cash-intensive businesses will be legal persons. Article 9 of AML-CFT Decision requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI should identify and verify the identity of the individual(s) holding the senior management position in the entity.

            The beneficial owner of a legal person must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. LFIs should continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI’s customer. When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision (10). If no individual qualifies as a beneficial owner, LFIs should identify the individual(s) holding the position of senior management officer(s) within the customer. This option should be used only as a last resort, however, and when the LFI is confident that no one individual, or small group of individuals, exercises control over the customer. Please see the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements10 for more information on identification of beneficial owners.


            10 Available at https://www.centralbank.ae/en/cbuae-amlcft.

            • 3.2.2.1 EDD: Beneficial Ownership

              If the LFI has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the LFI should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25% ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10% or even the 5% level, as risk warrants. It should also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.

          • 3.2.3 Nature of the Customer’s Business and Purpose of the Business Relationship

            Under Article 8 of AML-CFT Decision, for all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s products and services. This element of CDD will have important implications for the customer risk rating.

            It is critical that LFIs have processes and controls in place to ensure that they are able to identify cash-intensive business customers. In line with a risk-based approach, LFIs should interview the customer, review the customer’s business license, request recent financial statements (audited if available), tax returns or additional information, search company databases and assess the primary business activity, products, and services offered by the customer to understand the full scope of the customer’s business.

            If an LFI determines that a customer or prospective customer has materially misrepresented itself or its business, it should not onboard the customer and should exit the relationship if one has been established. In addition, the LFI should consider filing a Suspicious Transaction Report (STR), Suspicious Activity Report (SAR) or other report types to the UAE FIU as discussed in section 3.3.2 below. The LFI may also consider adding the customer, its beneficial owners, directors, and its managers to internal watchlists.

            High-risk customers should be treated as high risk no matter the financial services they use. Even so, the risk to which the LFI may be exposed can vary based on the purpose of the account and the types of financial products and services the customer wishes to use. LFIs should fully understand the uses to which the cash-intensive business intends to put the account and the expected activity on the account, to the extent that it can generally predict activity on the account and identify activity that does not fit the profile. To that end, the LFI should seek to assess the expected volume, frequency, and nature of cash transactions that the customer intends to conduct through its account, as this will be an important risk factor for identifying money laundering and financing of terrorism and illegal organisations risks associated with the cash-intensive business. In addition, the LFI may wish to consider whether the expected volume of cash coming through the account is consistent with the declared sales income and whether the expected volume of cash appears reasonable compared to other similar cash-intensive customers of the LFI (i.e., operating as similar business types in similar markets).

          • 3.2.4 Ongoing Monitoring

            Under Article 7 of AML-CFT Decision, all customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

            • 3.2.4.1 CDD Updating

              LFIs are expected to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of customers that are companies or that engage in cash-intensive business. The risk associated with a cash-intensive business can change overnight if the customer changes its business activities. LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

              CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:

               The customer’s beneficial owners remain the same;
               The customer continues to have an active status with a company registrar;
               The customer has the same legal form and is domiciled in the same jurisdiction; and
               The customer is engaged in the same type of business, and in the same geographies.
               

              In addition to a review of the customer’s CDD file, the LFI should also review the customer’s transactions to determine whether they continue to fit the customer’s profile and business and are consistent with the business the customer expected to engage in when the business relationship was established. In this capacity, the LFI should pay particular attention to whether the volume of cash coming through the account is consistent with the declared sales income of the cash-intensive business customer. This type of transaction review is distinct from the ongoing transaction monitoring discussed below. The purpose of the review is to complement ongoing transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules.

              The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher risk customers, such as cash-intensive businesses rated as high-risk, a more intensive review may be necessary. For customers with a large volume of transactions, LFIs may use data analysis techniques to identify unusual behaviour. If the review finds that the customer’s behaviour or information has materially changed, the LFI should risk-rate the customer again. New information gained during this process may cause the LFI to believe that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs; customers that are based in high-risk jurisdictions; etc.).

              LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, LFIs should not rely on the customer to notify it of a change but should still update CDD on a schedule appropriate to the customer’s risk rating.

            • 3.2.4.2 EDD: Ongoing Monitoring

              When customers are higher risk, such as for cash-intensive businesses rated as high-risk following the completion of the CDD process, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as every six or nine months for very high-risk customers. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied by the customer. For example, LFIs should consider:

               Reviewing more or all transactions on the account, rather than a sample of transactions;
               
               Conducting site visits at the customer’s premises, whenever the LFI is not satisfied with the documentation provided by the customer, and requesting a meeting between an appropriate LFI representative and the customer’s managing director or Chief Financial Officer. Site visits can be particularly important for certain cash-intensive businesses, including those that use an LFI’s cash management services on a large scale, as they allow the LFI’s compliance personnel to inspect the institution’s cash management program and the controls it has in place to prevent illicit cash being commingled with legitimate funds; and
               
               Conducting searches of public databases, including news and government databases, to independently identify material changes in a customer’s ownership or business activities or to identify adverse media reports. Such searches should include adverse media searches of public records and databases, using relevant key words, including but not limited to, allegation, fraud, corruption, laundering.
               
        • 3.3 Transaction Monitoring and STR Reporting

          • 3.3.1 Transaction Monitoring

            Under Article 16 of AML-CFT Decision, LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of a suspicious transaction report (“STR”) or suspicious activity report ("SAR") or other report types. As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose. In addition, higher-risk customers should be subject to more stringent transaction monitoring, with lower thresholds for alerts and more intensive investigation.

            Monitoring systems can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. In all cases, the appropriate type and degree of monitoring should appropriately match the ML/TF risks of the institution’s customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an LFI’s business lines or units, where applicable. TM programs should also be calibrated to the size, nature, and complexity of each institution. Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening for further information.11

            The transaction monitoring system used by LFIs should be equipped to identify patterns of activity that appear unusual and potentially suspicious for cash-intensive business customers as well as unusual behaviour that may indicate that a customer’s business has changed in such a way as to require a high-risk rating. Some red flags for cash-intensive business customers are described below. If an LFI’s automated transaction monitoring system is not capable of alerting on these red flags, LFIs should have in place manual monitoring, such as management information systems.

             The business engages in significantly greater volumes of cash transactions in comparison to other similar business types operating in similar jurisdictions and markets.
             The business engages in unusually frequent domestic and international ATM activity.
             The customer makes a cash deposit followed by an immediate request that the money be wired out or transferred to a third party, without any apparent business purpose.
             There are frequent cash deposits by multiple individuals into a single bank account, followed by international wire transfers and/or international withdrawals through ATMs.
             The parties to the transaction (e.g. originator or beneficiary) are from countries that are known to support terrorist activities and organizations.
             The customer uses a personal/individual account for business purposes or vice versa.
             Upon request, a customer is unable or unwilling to produce appropriate documentation (e.g. invoices) to support a transaction, or documentation appears doctored or fake (e.g. documents contain significant discrepancies between the descriptions on the invoice, or other documents such as the certificate of origin or packing list).
             The customer engages in transactions involving foreign currency exchanges that are followed within a short time by wire transfers to high-risk jurisdictions.
             Funds are transferred into an account and are subsequently transferred out of the account in the same or nearly the same amounts, especially when the origin and destination locations are high-risk jurisdictions.
             

            11 Available at https://www.centralbank.ae/en/cbuae-amlcft.

          • 3.3.2 STR Reporting

            As required by Article 15 of the AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a suspicious transaction report (“STR”) or suspicious activity report ("SAR") or other report types with the UAE Financial Intelligence Unit (“UAE FIU”) when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. STR filings assist law enforcement in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system.

            In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations involving higher-risk customers:

             • A potential customer decides against opening an account or purchasing other financial services after learning about the LFI’s CDD requirements;
             • A current customer cannot provide required information about its business or its beneficial owners;
             • A customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty; or
             • The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the customer. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship.
             

            Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting12 for further information.


            12 Available at https://www.centralbank.ae/en/cbuae-amlcft.

        • 3.4 Governance and Training

          The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. The core of an effective risk-based program is an appropriately experienced AML/CFT Compliance Officer who understands the LFI’s risks and obligations and who has the resources and autonomy necessary to ensure that the LFI’s program is effective. Additionally, the LFI’s senior management must clearly endorse and support the AML/CFT program.

          As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of cash-intensive business customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI’s risk and the nature of its operations. For example, an LFI that has a large number of cash-intensive business customers should offer training that includes an in-depth discussion of risk factors and red flags related to such customers.

      • Annex 1. Synopsis of the Guidance

        Purpose of this Guidance

        Purpose
        The purpose of this guidance is to assist Licensed Financial Institutions (LFIs) in understanding and mitigating the risks when providing services to customers who are cash-intensive businesses (CIBs), and to guide them in fulfilling their AML/CFT obligations. The FATF's Mutual Evaluation Report of the UAE issued in April 2020 stated that, as the UAE is a cash-intensive economy and plays an important part in global trade, there are significant risks associated with the cross-border movement of cash and bearer negotiable instruments.

        Applicability
        This guidance applies to natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:
        • all national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
        • insurance companies, agencies, and brokers.

        Understanding Risks

        Vulnerabilities of Cash
        The specific characteristics of cash (its anonymity, interchangeability, and transportability) make it an attractive option for illicit actors seeking to conceal the proceeds of crime. Cash holds no record of its source or owner and can be easily concealed in large quantities. Cash transactions are also instantaneous and widely accepted across jurisdictions.

        Vulnerabilities of Alternatives to Cash
        Illicit actors also use various monetary instruments in conjunction with, or as a replacement to, cash. Both bearer negotiable instruments and prepaid cards, for instance, offer similar benefits to cash, including anonymity and accessibility. They can store large amounts of value in a compact physical size that is easily transportable and obscures the origin of the funds.
        • Bearer negotiable instruments are financial instruments of whatever form, whether in the form of a bearer document, such as traveler's cheques, promissory notes and cheques, payment orders, or others.
        • Prepaid cards can be used as an alternative to cash in that they provide access to funds that have been paid in advance. Funds can be claimed or transferred through an electronic device, such as through a card, code, electronic serial number, mobile identification number, or personal identification number within either an open or closed loop system.

        Vulnerabilities of Cash-intensive Businesses
        Types of CIBs: CIBs are businesses that experience a high volume of cash flows. CIBs span across various industry sectors and most are operating a legitimate business. However, some aspects of these businesses may be vulnerable to money laundering or the financing of terrorism and illegal organisations. Examples of cash-intensive businesses that can pose a higher risk include but are not limited to: convenience and retail stores; restaurants; wholesale and general trading businesses; travel agencies and tour operators; and car dealers. LFIs may expand on the above by considering additional factors when identifying cash-intensive businesses in their customer base and should consider the specific risks posed by the below features to determine whether the customer is considered as high-risk and should be subject to enhanced due diligence ("EDD") measures.
        Cross-Border Movement of Cash and Cash Couriers: CIBs may move cash across borders as part of their business model, including by utilizing cash couriers. Cross-border movement of licit cash can be legal, subject to compliance with reporting and other relevant legal and regulatory requirements. However, criminals may also seek to move cash across borders to launder proceeds of crime by placing them in another jurisdiction. Natural or legal persons must declare upon entering or leaving the UAE any currencies, bearer negotiable instruments, precious metals and stones above the threshold of AED 60000. Understanding whether customers have made any such declarations, in accordance with the Regulation, should form part of any due diligence by the LFIs where required.
        Cash Deposits: CIBs can be expected to make cash deposits, which is legal and a natural fit with their business model. Illicit actors, however, will also seek ways to place their illicit cash into the financial system. Terrorists also seek to finance, often through small amounts of cash, activities without traceability. LFIs should, as the case may be, undertake CDD measures on the third party cash depositors transacting in any accounts above the threshold specified in Article 5 of the AML-CFT Decision. LFIs should also obtain appropriate information regarding the source of cash deposited in a customer's account as well as mandate the use of Emirates ID for cash deposits in ATMs.
        Currency Exchanges: CIBs may include currency exchanges as legitimate providers of services. Currency exchanges, however, can also be an attractive vehicle for illicit actors seeking to enter the financial system and transfer their funds. Once the money has been exchanged, it is difficult to trace its origin.

        Mitigating Risks

        Risk-Based Approach
        LFIs must take a risk-based approach in their AML programs. This means that they should assess all customers, including CIB customers, to determine their degree of risk. The LFI is expected to assess the risk of each customer to identify those that require EDD and to support its entity risk assessment. In assessing the risks of a cash-intensive business, LFIs should consider:
        • Geographic Risk related to the jurisdiction(s) in which the customer is based and where it operates;
        • Customer Risks related to the customer's customer base, including its type and the characteristics of the business relationship; and
        • Product, Service, and Delivery Channel Risk related to the products and services the customer intends to use and the delivery channels through which the LFI will provide these services.

        Customer Due Diligence and Enhanced Due Diligence
        For all customers, including CIB customers, LFIs must perform Customer Due Diligence ("CDD") with the following components:
        Customer Identification: LFIs are required to identify and verify the identity of all customers. Please see the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and illegal Organisations for Financial Institutions for further information on customer identification.
        Beneficial Owners identification: The majority of cash-intensive businesses will be legal persons. For all legal person customers, LFIs must identify all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no such individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
        Nature of the Customer's Business and Purpose of the Business relationship: The purpose of the account and the nature of the customer's business are critical drivers of risk for CIB customers. LFIs should fully understand the uses to which the CIB intends to put the account and the expected activity on the account, to the extent that it can generally predict activity on the account and identify activity that does not fit the profile. As they seek to understand the customer's business, LFIs should collect all information necessary to assess customer risk.
        Perform Ongoing Monitoring: For all customers, LFIs should ensure that the customer information is accurate, complete and up-to-date, and that the customer's profile and business are consistent with the expectations set at onboarding. If not, the customer risk rating may need to be changed. When customers are higher risk, such as for cash-intensive businesses rated as high-risk following the completion of the CDD process, monitoring should be more frequent, intensive, and intrusive.

        Transaction Monitoring and Suspicious Transaction Reporting
        The transaction monitoring system used by LFIs should be equipped to identify patterns of activity that appear unusual and potentially suspicious for CIB customers as well as unusual behaviour that may indicate that a customer's business has changed in such a way as to require a high-risk rating. Please consult the CBUAE's Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening for further information. LFIs must file a suspicious transaction report ("STR") or suspicious activity report ("SAR") or other report types with the UAE Financial Intelligence Unit ("UAE FIU") when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Please consult the CBUAE's Guidance for LFIs on Suspicious Transaction Reporting for further information.

        Governance and Training
        The preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of cash-intensive business customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls.

         

    • Guidance for Licensed Exchange Houses

      Effective from 11/11/2021
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this Guidance applies to all Exchange Houses that are licensed and supervised by the CBUAE.

        • 1.4. Definitions

          Beneficial Owner: The ‘Natural Person’ who ultimately owns or exercises effective control, directly or indirectly, over a customer or the natural person on whose behalf a transaction is being conducted, or the natural person who exercises effective ultimate control over a legal person or legal arrangement.

          Exchange Business: Shall mean: (1) Dealing in sale and purchase of foreign currencies and travelers cheques; (2) Executing remittance operations in local and foreign currencies; (3) Payment of wages through establishing a link to the operating system of “wages protection system” (WPS); and (4) Other business licensed by the CBUAE.

          Exchange House: A juridical person licensed in accordance with the provisions of Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities to carry on money exchange activity, and conduct funds transfers within and outside the UAE, and any other businesses determined by the CBUAE.

          Politically Exposed Person (PEP): Natural persons who are or have been entrusted with a prominent public function in the UAE or any other foreign country such as heads of states or governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state-owned corporations, and senior officials of political parties, and persons who are, or have previously been, entrusted with the management of an international organization or any prominent function within such an organization; and the definition also includes the following:

          1. Direct family members of the PEP (spouses, children, spouses of children, parents)
          2. Associates known to be close to the PEP, which include:
           (a) Individuals having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP;
           (b) Individuals having individual ownership rights in a legal person or arrangement established in favor of the PEP.
           

          Instant Money Transfer Service Provider: A money remitting institution licensed and regulated by an appropriate Regulator in its home country who will have the necessary proprietary software applications and infrastructure to transfer funds instantly from an agent in one country to an agent in another country and/or domestically.

          Legal person: Any entities other than natural persons that can establish in their own right a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations, along with similar entities.

          Legal arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality. Examples include trusts or other similar arrangements. Many legal arrangements allow for ownership, control, and enjoyment of funds to be divided between at least two different persons.

          Licensed Exchange House (LEH): An Exchange House licensed by the CBUAE.

          Source of funds: How the money, involved in the transaction, was originally derived or earned. Examples of source of funds are: salary, wages, inheritance, gratuity, end of service benefits, bank loan, income from businesses, sale of property, sale of land, sale of investments, etc. For verification of the source of funds, documents include but are not limited to salary slip, labor contract, court order, bank statements, etc.

      • 2. Risks related to the Exchange Houses Sector

        The FATF’s Mutual Evaluation Report of the UAE issued in April 2020 stated that the Money or Value Transfer Services’ sector (MVTS), including the Exchange Houses’ sector, is weighted as highly important in terms of risk and materiality in the UAE. The inherent risk and materiality of these sectors has been notably increased by their exposure to cash transactions.

        The Exchange Houses sector provides widely used financial services to diverse customer sectors. While the majority of its Exchange Business is legitimate in purpose, it can be abused to facilitate illegal activity, including terrorist financing, money laundering, and other types of criminal activity. The Exchange Houses sector may provide significant opportunities for criminals to move, conceal and eventually use the funds generated by their illegal activities, unless appropriate safeguards are in place. This is due to the simplicity and speed of transactions, worldwide reach and often cash-based nature of transactions. Importantly, money laundering and financing of terrorism (ML/FT) vulnerabilities also stem from the fact that Exchange Houses often carry out occasional transactions rather than establishing an ongoing formal relationship with their customers, which means that their understanding of the ML/FT risk associated with the customer may be limited.

        Risks to the Exchange Houses sector also stem from generally uneven regulatory disparity, supervision and enforcement of the sector globally because Exchange Business often involves different jurisdictions. Criminals may seek to exploit differences in regulatory requirements in different jurisdictions or deficiencies in certain jurisdictions to move, structure and conceal their funds.

        Exchange Houses may also potentially be abused by criminal groups and corrupt employees or agents cooperating with criminals, who may seek to own an Exchange House outright, or indirectly through an associate, or could seek to coerce employees through financial incentives in order to use the Exchange House to circumvent AML/CFT obligations and advance criminal schemes.

      • 3. Regulation and Supervision of Exchange Houses

        The Exchange Houses sector is regulated by the Regulations and the Standards issued by the CBUAE. For more details and information on AML/CFT compliance, please refer to Chapter 16 of the Standards for the Regulations Regarding Licensing and Monitoring for Exchange Business, version 1.20 of November 2021 amending Version 1.10 of February 2018. LEH are supervised by the CBUAE, which may examine the activities of the LEH at any time it deems appropriate to ensure proper compliance with their statutory obligations under the legal and regulatory framework in the UAE, or impose supervisory action or administrative and financial sanctions for violations. As with all LFIs, the CBUAE applies the principle of proportionality in its supervision and enforcement process, whereby small LEH may demonstrate to the CBUAE that the objectives of the regulatory requirements are met without necessarily addressing all the specifics cited in the legal and regulatory framework in the UAE.

      • 4. AML/CFT Program for Licensed Exchange Houses

        LEH must carefully design, document and effectively implement an AML/CFT Program in line with the provisions of the Standards, AML-CFT Law, and AML-CFT Decision. As per Paragraph 16.1 of the Standards, LEH must establish, maintain and regularly update effective, written, and risk-based AML/CFT programs designed to prevent LEH from being abused to facilitate ML/FT. When designing or updating their AML/CFT programs, the scope of the AML/CFT Program should be proportionate to the level of the risk posed by the LEH’s size, scale, complexity, the nature and volume of its Exchange Business, the nature of its customer base, the business relationships it maintains, and the geographic areas in which it operates. For example, a large LEH with a high volume of Exchange Business with high-risk countries is expected to have an AML/CFT Program commensurate with its higher risk of possibly being abused to facilitate ML/FT. However, as all LEH are exposed to some degree of risk, they must perform their own assessments and design their AML/CFT programs in accordance with their overall risk profile in order to meet their statutory obligations.

        LEH should ensure the AML/CFT Program includes the following ten (10) essential components, which are described in detail in the following sections:

         • Risk assessment,
         • Policies and procedures,
         • Governance and the Compliance Officer,
         • Customer due diligence,
         • Transaction monitoring,
         • Sanctions obligations and freezing without delay,
         • Training,
         • Independent audit,
         • Record keeping requirements, and
         • Managing employee risk.

         

        • 4.1. Risk Assessment

          As required by Article 4 of the AML-CFT Decision and Paragraph 16.2 of the Standards, LEH must identify, assess and understand the ML/FT risks associated with their businesses and perform an enterprise wide ML/FT risk assessment on a regular basis. It must develop a risk assessment in order to understand how and to what extent it is vulnerable to ML/FT, and help determine the nature and extent of AML/CFT resources necessary to mitigate and manage that risk.

          The risk assessment creates the basis for the LEH’s risk-based approach. LEH may utilize a variety of models or methodologies to analyze their risks. In general, the risk assessment process would entail the following six (6) steps:

          Step 1. Scope Determination: Define in-scope processes
          Step 2. Risk Identification: Assess the exposure to threats and vulnerabilities in order to identify risks
          Step 3. Inherent Risk Assessment: Assess the impact and likelihood of risks and assign inherent risk ratings
          Step 4. Controls Evaluation: Identify and evaluate effectiveness of controls and identify weaknesses
          Step 5. Residual Risk Assessment: Calculate Residual Risk (Inherent Risk Rating minus Controls Evaluation = Residual Risk Rating)
          Step 6. Risk Mitigation: Develop and implement mitigation plans against risks that are above an acceptable level
           

          The nature and extent of any assessment of ML/FT risks must be appropriate to the nature, size, and complexity of the LEH’s business. The risk assessment should cover all relevant factors including but not limited to:

           • Customer risk;
           • Products and services risk;
           • Delivery channel risk;
           • New technologies risk;
           • Jurisdiction or geographic risk;
           • Counterparty risk; and
           • Other areas of risk.
           

          As per Article 4.2 of the AML-CFT Decision as well as Paragraphs 16.2 and 16.3 of the Standards, the senior management of the LEH must be closely engaged in the risk assessment process and take responsibility for conducting an appropriate assessment. It must review and approve at least on an annual basis the LEH’s risk appetite statement, risk assessment methodology, and risk assessment findings. If an initial risk assessment assesses the LEH as higher risk, it may be necessary to conduct a more intensive assessment of certain areas of the LEH’s operations. In assessing ML/FT risks, the LEH must have the following elements in place:

           • Documented risk assessment methodology, procedures, and processes.
           • Documented risk assessment findings, including determination of overall risk and specific risks, and mitigating measures to be applied to minimize the impact of risks.
           • Written risk appetite statement that clearly identifies the acceptable level of risk.
           • Appropriate mechanisms to provide information on risk assessments to the CBUAE when required.
           

          The risk assessment must be regularly updated, annually at a minimum, as well as in response to major changes in the LEH’s operations. The risk assessment process must also be fully aligned with the LEH’s products, services, customers, and geographic locations, changes in the LEH’s operations, appetite statement, the legal and regulatory framework in force in the UAE, and the guidance issued by the CBUAE. In addition, LEH may consult the FATF Guidance on the Risk-Based Approach for Money Services Businesses and the Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption for more information on how to plan and perform comprehensive and appropriate risk assessments.3 In tandem, the risk assessment findings should be used to inform the AML/CFT Program policies, procedures, internal controls, and training in order to effectively mitigate risks. The risk assessment should also inform the LEH’s risk-based approach by directing an efficient allocation of AML/CFT risk management resources to the areas of greatest concern. The risk assessment findings should be provided to all business lines across the LEH, its senior management, and relevant employees.


          3 Available at: https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf; and https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf.

          • 4.1.1. Customer Risk

            Under Article 4.1 of the AML-CFT Decision and Paragraph 16.2.3 of the Standards, LEH must identify, assess, understand, and mitigate the risk posed by their customers. Customer risk is a critical component of an institutional-level risk assessment because customers engaged in illicit activity can seek to exploit the LEH to facilitate ML/FT and other types of financial crimes. The customer risk assessment process is composed of the customer risk rating, and the assessment of the inherent risk of the customer base. It should be noted that these are closely related concepts, and that risk in the customer base depends in part on the customer risk rating.

            • 4.1.1.1. Customer Risk Rating

              LEH should be able to determine whether a particular customer poses higher risk and the potential impact of any mitigating factors on that assessment. Such categorization may be due to the occupation, behavior, or activity of customers. Accordingly, the LEH should assess the risk of key customer elements in order to generate an overall customer rating. Generally, the list of elements includes but is not limited to the following:

               • Customer’s address and country.
               • Type of customer (Domestic, foreign, company/corporate, cash-intensive business, etc.).
               • Industry in which the customer does business.
               • Anticipated transactional activities.
               • Customer’s source of wealth.
               • ML/FT risk of the customer’s industry.
               • The beneficial owners.
               • Purpose of the relationship or transactional activities.
               

              Below are some examples of risk factors that could be considered by the LEH:

               • Customers conducting their business or transactions in an unusual manner.
               • Customers who travel unexplained distances to locations to conduct transactions.
               • Customers who are Politically Exposed Persons (PEPs) or their direct family members or known close associates and customers whose beneficial owner is a PEP.
               • Customers involved in transactions that have no apparent ties to the destination country and with no reasonable explanations.
               • Customers who have been the subject of legal proceedings in relation to proceeds-generating crimes known to the LEH.
            • 4.1.1.2. Assessment of the Inherent Risk of the Customer Base

              In addition to assessing individual customers, LEH should assess the inherent ML/FT risk of the customer base overall.

              1. IDENTIFY: LEH should identify categories or types of customers that pose elevated risks. Under Chapter 16 of the Standards, the categories identified will depend on the specific customer base of the LEH and may include but are not limited to: customer types like dealers in precious metals and stones (DPMS), customers that qualify as Designated Non-Financial Businesses and Professions (DNFBPs), cash-intensive businesses which are rated as high-risk4, PEPs, and customers with ties to high risk jurisdictions. LEH should also include as a customer segment those customers who have been off-boarded or refused service due to ML/FT suspicions.

              2. ASSESS: LEH should assign a risk rating (for example, low risk, medium risk, etc.) to each customer category or type identified above. In assessing the risk of each category or type, LEH should consider:

               • Guidance published by the FATF;
               • The potential exposure of customers in each category to illicit funds; and
               • The features of each customer type that make them useful to illicit actors.

              3. CALCULATE EXPOSURE: The LEH should then determine its exposure to the customer categories or types identified and rated above. LEH should consider the proportion of their entire customer base that is made up of each category of customer, the proportion of all transactions carried out by each category of customer, and the total value of all transactions carried out by each customer as a proportion of the LEH’s total transaction volume. The institutional risk assessment should also take into account the individual customer risk-ratings and the proportion of higher or lower risk customers within that group. Where a LEH has large exposure to higher-risk customer types and to higher-risk customers as assessed by individual risk ratings, its overall inherent risk will generally be higher.

              4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.

              4 For more details and information, please refer to the CBUAE’s Guidance for Licensed Financial Institutions providing services to Cash-Intensive Businesses available at https://www.centralbank.ae/en/cbuae-amlcft

          • 4.1.2. Products and Services Risk

            Under Article 4.1 of the AML-CFT Decision and Paragraph 16.2.3 of the Standards, LEH must identify, assess, understand, and mitigate the risk posed by the products and services they offer. The products and services risk is a critical component of an institutional-level risk assessment because customers engaged in illicit activity can seek to exploit the LEH to facilitate ML/FT and other types of financial crimes.

            1. IDENTIFY: LEH should identify the full list of products and services they offer.

            2. ASSESS: LEH should assign a risk rating to each product type identified above. Determining the risk of products and services should include a consideration of their characteristics and attributes and could include factors such as:

             • Products or services that may inherently favor anonymity, or products that can readily cross international borders, such as cash, online money transfers, stored value cards, money orders and international money transfers by mobile phone.
             • Products or services that have a very high or no transaction limit.
             • The global reach of the product or service offered.
             • The complexity of the product or service offered.
             • Products or services that permit the exchange of cash for a negotiable instrument, such as a stored value card or a money order.

            3. CALCULATE EXPOSURE: The LEH should consider what proportion of its total products and services, and of total transactional activity, is associated with higher and lower-risk products and services. Where a LEH has large exposure to higher-risk products and services, its overall inherent risk will generally be higher.

            4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.
          • 4.1.3. Delivery Channel Risk

            Under Article 4.1 of the AML-CFT Decision and Paragraph 16.2.3 of the Standards, LEH must identify, assess, understand, and mitigate the risk presented by the delivery channels they use. Some delivery channels can increase ML/FT risk because they increase the risk that the LEH does not truly know or understand the identity and activities of the customer.

            1. IDENTIFY: The LEH should identify the delivery channels that they use to provide their products and services to customers. These may include, for example: face-to-face; via a website; via an introducer or other third party; and other methods.

            2. ASSESS: The LEH should assign an inherent risk rating to the delivery channels identified. The rating should take into consideration the characteristics and attributes of these delivery channels that make them more susceptible to abuse by illicit actors, and could include factors such as whether the delivery channel makes it more difficult to observe the customer’s behavior or to be certain that the person transacting is in fact the identified customer, allows for faster transactions, or involves reliance on a third party.

            3. CALCULATE EXPOSURE: The LEH should then determine what proportion of its transactional activity involves each delivery channel, both by volume and value. Where a LEH delivers a large proportion of its products or services via higher-risk delivery channels, its overall risk is likely to be higher as well.

            4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.
          • 4.1.4. New Technologies Risk

            Under Article 23 of the AML-CFT Decision and Paragraphs 16.2.3 and 16.2.7 of the Standards, LEH must identify, assess, understand, and mitigate the ML/FT risk to which they may be exposed by new technologies, including new delivery mechanisms and the use of new or developing technologies for both new and existing products. LEH must undertake the risk assessment prior to obtaining approval from the CBUAE to launch or use such products, services, and technologies if applicable.

            1. IDENTIFY: LEH should identify the new technologies they plan to introduce. New technologies can involve new or modified products and services and also new or modified delivery channels.

            2. ASSESS: The LEH should assign an inherent risk to each proposed new technology. Determining the risk of new technologies should include a consideration of their characteristics and attributes. In addition to the factors listed above under sections 4.1.2 and 4.1.3, this could include factors such as features of the technology that promote anonymity or obstruct access to transaction or customer information, a history of ML/FT abuse of the technology, the inherent risk of the target customer and market segments that are projected to use the new technology, and expected growth in use of the technology.

            3. CALCULATE EXPOSURE: The LEH should consider the projected or expected volume of transactional activity associated with the new technology and follow the procedure described in sections 4.1.2 and 4.1.3 above.

            4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.
             
          • 4.1.5. Jurisdiction or Geographic Risk

            Under Article 4.1 of the AML-CFT Decision and Paragraph 16.2.3 of the Standards, LEH must identify, assess, understand, and mitigate their jurisdiction or geographic ML/FT risk.

            1. IDENTIFY: LEH should identify the geographic footprint of their operations, which should include:
             
             The jurisdictions in which they have locations, including domestic locations;
             The jurisdictions in which their customers are resident or of which they are nationals (for Non-Resident Customers only);
             The jurisdictions to which they send remittances or from which they receive remittances; and
             The jurisdictions to or from which they import or export foreign currency.
             

            LEH need not include every single jurisdiction to or from which they send or receive remittances or with which their customers have ties in the risk assessment, but should at least include the jurisdictions to which they have regular or routine exposure.

            2. ASSESS: The LEH should assign each jurisdiction identified above an inherent risk-rating, based on the degree of ML/FT risk present in that jurisdiction. The LEH is strongly encouraged to develop its own country risk model that takes into consideration any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC)5, the UAE Financial Intelligence Unit (FIU), the FATF lists of High-Risk Jurisdictions subject to a Call for Action and Jurisdictions under Increased Monitoring,6 as well as the Organization for Economic Cooperation and Development (OECD) list of jurisdictions classified as uncooperative tax havens.7 The LEH should also consider whether a jurisdiction:
             
             Has been identified by credible sources as providing an environment conducive to funding or supporting terrorist activities or that have designated terrorist organizations operating within them.
             Has been identified by credible sources as having significant levels of organized crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling.
             Is subject to sanctions, embargoes or similar measures issued by international organizations such as the United Nations.
             Has been identified by credible sources as having weak governance/law enforcement/regulatory regimes, including countries identified by the FATF as having weak AML/CFT regimes 8, for which financial institutions should give special attention to business relationships and transactions.
             
             Finally, the LEH should take into consideration its own knowledge and experiences, such as the number of Suspicious Transaction Reports (STR) or Suspicious Activity Reports (SAR) filed that involve each jurisdiction.

            3. CALCULATE EXPOSURE: The LEH should consider what proportion of its total customer base and transactional activity, by volume and value, is associated with or linked to higher or lower-risk jurisdictions. Based on its documented understanding of the risks, the LEH may decide to weigh its exposure so that a cross-border transaction to a beneficiary in a high-risk jurisdiction has a greater impact than, for example, a domestic transaction between two UAE residents where one party is a citizen of a high-risk jurisdiction. Where a LEH has large exposure to higher-risk jurisdictions, its overall inherent risk will generally be higher.

            4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.

            5 Available at: https://www.namlcftc.gov.ae/en/high-risk-countries.php
            6 Available at: https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/?hf=10&b=0&s=desc(fatf_releasedate)
            7 Available at: http://www.oecd.org/ctp/harmful/theoecdissuesthelistofunco-operativetaxhavens.htm.
            8 See footnote 12

          • 4.1.6. Counterparty Risk

            As required by Article 25 of the AML-CFT Decision and Paragraph 16.2.3 of the Standards, LEH must identify, assess, understand, and mitigate counterparty risk prior to establishing business relationships with counterparties, and on an ongoing basis once the relationship is established. Counterparty relationships include the following types:

             Domestic and Foreign correspondent banking arrangements, such as those with banks, exchange houses, or any other financial institutions for the purpose of money transfer services.
             Money transfer arrangements with instant money transfer service providers.
             Hedging arrangements with local or foreign institutions.
             Arrangements to import or export banknotes from/to foreign institutions, such as Banks, exchange houses, or other financial institutions outside the UAE.
             Arrangements with local or foreign entities to offer special products/services.
             
            1. IDENTIFY: LEH should identify all counterparties that fit the description above, including affiliates and other members of the same group.

            2. ASSESS: The LEH should assign an inherent risk rating to each counterparty. The determination of the counterparty’s risk should include a consideration of all characteristics and attributes that make the counterparty more or less susceptible to abuse by illicit actors, as well as characteristics and features of the counterparty relationship that could increase or decrease risk. This could include, for example:
             
             The risk of the country in which a counterparty is registered;
             The products and services it offers and the risks of the counterparty’s customer base overall;
             Its reputation in the sector and any adverse media;
             Its ownership (including links to PEPs or persons associated with adverse media);
             The counterparty’s experience in this sector and its overall sophistication;
             The quality and intensiveness of the counterparty’s AML/CFT program, including whether the program’s requirements are consistent with minimum requirements imposed on LEH by the legal and regulatory framework in force in the UAE;
             The quality and rigor of supervision applied to the counterparty;
             Any regulatory or criminal enforcement actions taken against the counterparty; and
             The nature and purpose of the counterparty relationship, including the risk of the products and services involved and the types of customers who use the relationship.
             
            3. CALCULATE EXPOSURE: LEH should determine the proportion of counterparties that are rated higher risk, both in terms of actual numbers and in terms of the volume and value of the transactions involving that counterparty. Because counterparty relationships may involve rapid, large changes in the volume of transactions, LEH should continuously monitor their exposure to counterparties and update their risk assessment whenever exposure changes substantially.

            4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should keep detailed records of its assumptions, statistics used to complete this process, and the resulting analysis and outcomes.
          • 4.1.7. Other Areas of Risk

            In addition to the ML/FT risks discussed in this section, LEH may be exposed to other areas of illicit finance risk, including sanctions and proliferation financing. The LEH may choose to include these risk domains in its AML/CFT assessment as long as the resulting assessment gives appropriate space and attention to ML/FT risk. Given the evolving nature of ML/FT risks, LEH may also choose to assess their ML/FT risk in additional categories to those discussed above (although they must always address at least the categories covered in this section).

            Under Article 4.1 (b) of the AML-CFT Decision and Paragraph 16.2.5 of the Standards, LEH must thoroughly document their risk assessment process so that they can fully explain and justify their assessment methodology.

        • 4.2. Policies and Procedures

          As required by Article 4.2.a) of the AML-CFT Decision and Paragraph 16.3 of the Standards, LEH must establish and implement comprehensive and documented AML/CFT policies and procedures to enable them to effectively manage and mitigate the risks they have identified. Under Paragraph 16.3.6 of the Standards, these must be approved by the Manager in Charge, the Compliance Officer, and the Board of Directors (or Owner/Partners where there is no Board of Directors). They must be reviewed and updated annually at a minimum to ensure that they are consistent with statutory obligations and other international best practices, and effective in mitigating existing as well as emerging ML/FT risks as per Paragraph 16.3.7 of the Standards. Policies and procedures should at a minimum:

           Be commensurate with the nature, size, and complexity of the LEH’s operations.
           Outline the AML/CFT Program.
           Be consistently implemented across all branches, subsidiaries and affiliated entities in which the LEH holds a majority interest.
           Capture the LEH’s day-to-day operations and processes.
           Clearly define the roles and the day-to-day responsibilities of the Manager in Charge, Compliance Officer, Compliance Committee and employees in relation to AML/CFT compliance, as well as those of the Board of Directors (or Owner/Partners where there is no Board of Directors) in relation to implementing a robust compliance program across the business of the LEH.
           Enable the LEH to clearly and effectively identify, escalate, and report suspicious transactions and activities.
           Require enhanced due diligence to be conducted on all customers and transactions that are assessed to be high-risk.
           Prohibit employees from, directly or indirectly, informing the customer or any third party that their transactions are subject to monitoring or under investigation or have been reported to the FIU as suspicious transactions.
           Contain sufficient detail of their record keeping obligations.
           

          Policies and procedures should be clearly communicated to all relevant employees. They should be easy to follow and be designed to support the compliant and effective functioning of the AML/CFT program and prevent employees from engaging in misconduct.

        • 4.3. Governance and Compliance Officer

          The core of an effective risk-based program is an appropriately experienced AML/CFT Compliance Officer who understands the LEH’s risks and obligations and who has the resources and autonomy necessary to ensure that the LEH’s program is effective. As per Article 21 of the AML-CFT Decision and Paragraph 16.4 of the Standards, the LEH must appoint a Compliance Officer who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT Program. The role of Compliance Officer must be limited to tasks related to AML/CFT compliance and not be combined with any other functions of the LEH to avoid conflict of interest from multiple roles. Furthermore, as per Paragraphs 16.5 and 6.9.3 of the Standards, the LEH must further appoint an Alternate Compliance Officer to strengthen the AML/CFT Program as well as establish and maintain a Compliance Committee to provide additional oversight of the AML/CFT program. Chapter 6 of the Standards refers to Corporate Governance as the mechanisms and processes by which the LEH is managed, controlled and directed. For more details and information please refer to the relevant section in the Standards.

        • 4.4. Customer Due Diligence

          The goal of the CDD process is to ensure that LEH understand who their customer is and the purpose for which the customer will use the LEH’s services. Where a LEH cannot satisfy itself that it understands a customer, then it must not accept the customer. If there is an existing business relationship, the LEH should not continue it. LEH should also consider filing an STR, SAR or other report types to the FIU as discussed in section 5 below. This guidance is not an exhaustive list of CDD obligations and LEH should consult the legal and regulatory framework in force in the UAE for the measures to be taken.

          Under Article 8 of the AML-CFT Decision, LEH are required to identify and verify the identity of all customers. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions) the LEH must use the online validation gateway of the Federal Authority for Identity & Citizenship, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where acceptable IDs other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original ID and certified as “Original Sighted and Verified” by the employee who carries out the CDD process.

          As required by Paragraph 16.7 of the Standards, LEH must implement a strong Know Your Customer (“KYC”) process that is based on clear and comprehensive written policies and procedures. Implementation of an effective KYC process is an essential cornerstone of a LEH’s AML/CFT Program and is necessary in order to:

           Understand who LEH’s customers and counterparties are.
           Detect suspicious activity or transactions in a timely manner.
           Promote safe and sound business practices.
           Minimize the risk that the LEH is abused by illicit actors.
           Reduce the risk of processing transactions when the customer is involved in criminal activity.
           Protect the reputation of the LEH.
           Comply with statutory obligations.
           

          The KYC process must be risk-based and, as such, the KYC measures applied must be commensurate with the ML/FT risks associated with their customers or transactions. Accordingly, Paragraph 16.7.3 of the Standards requires three types of KYC processes that must be applied depending on the customer’s risk and the nature of the transaction and customer. These are:

           Customer Identification (CID);
           Customer Due Diligence (CDD); and
           Enhanced Due Diligence (EDD).
           

          Please refer to the table below for when to use each KYC measure, and to the respective paragraphs in the Standards for the detailed requirements:

          | Customer Type | Customer Activity | Value of Transaction | Preventive Measure Required | Paragraph in the Standards, Version 1.20 |
          |---|---|---|---|---|
          | Natural Persons | Currency Exchange | Equal to or greater than AED 3,500 and less than AED 35,000 | CID | 16.8 |
          | Natural Persons | Currency Exchange | Equal to or greater than AED 35,000 and less than AED 55,000 within a 90-day period | CID and CDD | 16.8, 16.9 |
          | Natural Persons | Currency Exchange | Equal to or greater than AED 55,000 within a 90-day period | CID, CDD, and EDD | 16.8, 16.9, 16.10 |
          | Natural Persons | Money Transfer | Any value less than AED 55,000 | CID and CDD | 16.8, 16.9 |
          | Natural Persons | Money Transfer | Equal to or greater than AED 55,000 within a 45-day period | CID, CDD, and EDD | 16.8, 16.9, 16.10 |
          | All Legal Persons or Arrangements | Any Activity | Any Value | CDD and EDD | 16.11 |
          | Counterparty Relationships | Any Activity | Any Value | CDD and EDD | 16.11.8 to 16.11.12, 16.11.2 |
          | PEPs | Any Activity | Any Value | CID, CDD, and EDD | 16.13 |
          | DNFBPs/DPMS | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.14/16.15 |
          | High-Risk Natural Persons | Any Activity | Any Value | CID, CDD, and EDD | 16.16, 16.8, 16.9, 16.10 |
          | High-Risk circumstances | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.16, 16.8, 16.9, 16.10/11 |
          | Third Party Transactions | Any Activity | Any Value | CID (if the customer is a natural person), CDD, and EDD | 16.20, 16.8, 16.9, 16.10/11 |

           

          • 4.4.1. Ongoing Monitoring

            Under Article 7 of the AML-CFT Decision, LEH are required to ensure that the documents, data or information obtained under CDD measures are up-to-date and appropriate by reviewing the records, particularly those of high-risk customer categories. Ongoing monitoring allows the LEH to ensure that the Exchange Business is being used in accordance with the customer or relationship profile developed through KYC during onboarding, and that transactions are normal, reasonable, and legitimate.

            As per Paragraphs 16.9.11 and 16.11.7 of the Standards, where the customer is a natural person (when CDD must be applied) or a legal person or arrangement, the customer profile must be reviewed and updated either annually, or at least upon the expiry of the ID, the trade license or the ID of any person authorized to make transactions on behalf of the customer, whichever comes first. At this time, the LEH must conduct ongoing monitoring on the customer which must consist of the following:

             The original ID must be verified (in accordance with Paragraphs 16.8.3, 16.9.6 and 16.9.7) and its copy must be held in the records during the review of a customer profile;
             CDD (and, where appropriate, EDD) must be repeated and the customer profile updated, including the information required under Paragraph 16.9.4 or 16.11.2 of this Chapter.
             CDD and EDD must also be repeated whenever there is a change in the profile of the customer;
             LEH must scrutinize the transactions concluded by a customer to ensure that transactions are consistent with its knowledge of the customer, the customer’s business, risk profile, the source of funds and where necessary, source of the customer’s wealth; and
             LEH must review transaction monitoring results for the customer to determine whether any STR/SARs or other reports have been filed or whether the customer’s behavior has generated alerts.
             

            Unless otherwise required, such as in the cases mentioned above, LEH should update the KYC information on customers and counterparties on a risk-based schedule, with KYC on higher-risk customers being updated more frequently. KYC updates should include a refresh of all elements of initial KYC, and in particular must ascertain whether:

             The customer/counterparty’s beneficial owners remain the same.
             The customer continues to have an active status with the LEH Point of Sale system.
             The customer/counterparty is domiciled in the same jurisdiction.
             The customer/counterparty is engaged in the same type of business, and in the same geographies.
             The customer/counterparty’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established, or the business that the LEH expected to engage in when it established the counterparty relationship.
             

            If any of the above characteristics have changed, the LEH should risk-rate the customer/counterparty again.

            Furthermore, LEH should conduct EDD when the revised risk rating demands it or if the customer/counterparty’s history of transactions is not consistent with its profile and the expectations established at account opening. In particular, if the customer/counterparty’s transactions/behavior have resulted in the filing of an STR/SAR with the FIU, the LEH should review the customer/counterparty profile and the activity that led to the report and make a determination as to whether the risk rating should be raised or the relationship should be terminated. LEH may consider requiring that the customer/counterparty update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LEH must not rely on the customer/counterparty to notify it of a change, but must still update KYC on a schedule appropriate to the customer’s risk rating.

        • 4.5. Transaction Monitoring

          As required by Article 7 of the AML-CFT Decision and Paragraph 16.24 of the Standards, LEH must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. Transaction monitoring systems allow the LEH to monitor the transactions made by their customers in real-time and/or on a daily basis. All LEH should have a form of transaction monitoring system in place in order to monitor for any suspicious transactions to and from customers. Failure to have such a system in place may not only cost a LEH its reputation, but also lead to large fines and other penalties.

          Transaction monitoring is distinct from the ongoing monitoring discussed in section 4.4.1. Both are required, but the purpose of transaction monitoring is not primarily to update the customer risk profile but to detect and investigate transactions that may need to be reported to the FIU because they are potentially related to illicit activity. While CDD review (as discussed in section 4.4.1) may take place once a year, transaction monitoring occurs in real time and is thus able to support prompt reporting to the FIU after the transaction takes place.

          Under Article 4.2 (a) of the AML-CFT Decision and Paragraph 16.24.1 of the Standards, transaction monitoring must be commensurate with the risk posed by the LEH’s size, scale, complexity, the nature and volume of its Exchange Business, the nature of its customer base, and the geographic areas in which it operates. The transaction monitoring system used by a LEH, whether automated or manual, must be able to flag unusual movements of funds or transactions for further analysis. Rules and parameters must take account of ML/FT typologies in the Exchange Houses sector.

          When the monitoring system generates an alert, it must be investigated and either escalated or otherwise dispositioned in a timely fashion in order to support prompt reporting to the FIU. Transaction monitoring systems should create an audit trail of all activity related to alert generation, investigation, and disposition to have a clear understanding of the activity, and potentially report it to the relevant authorities.

          For more details and information, please refer to the CBUAE Guidance for Licensed Financial Institutions on Transaction Monitoring Screening and Sanction screening9.


          9 Available at https://www.centralbank.ae/en/cbuae-amlcft.

          • 4.5.1. Indicative Risk Factors Associated with Transactions

            The following is an indicative and non-exhaustive list of risk factors associated with transactions10.

            Customer’s behavior at point of origination:
             o Customer structures transaction in an apparent attempt to break up amounts to stay under any applicable CDD threshold to avoid reporting or other requirements.
             o Customer attempts a transaction, but given he or she would likely be subject to the CDD monitoring, cancels transaction to avoid reporting or other requirements.
             o Transaction is unnecessarily complex with no apparent business or lawful purpose.
             o Number or value of transactions is inconsistent with financial standing or occupation, or outside the normal course of business of the customer in light of the information provided by the customer when conducting the transaction or during subsequent contact.
             o Customer offers a bribe or a tip, or is willing to pay unusual fees to have transactions conducted.
             o Customer has vague knowledge about amount of money involved in the transaction.
             o Customer makes unusual enquiries, threatens or tries to convince employees to avoid reporting.
             o Customer sends money internationally and then expects to receive an equal incoming transfer or vice versa.
             o Customer transfers money to illegal online gambling sites. Email addresses containing gambling references or transfers to countries with large numbers of internet gambling sites.
             o Customer wires money to higher-risk jurisdiction/country/corridor.
             o Customer transfers money to claim lottery or prize winnings.
             o Customer transfers money to someone met only online or appears to have no familial relationship with the receiver and no explanation forthcoming for the transfer.
             
            Activity detected during monitoring (in many of these scenarios the customer’s activity may be apparent both during point-of-sale interaction and back-end transaction monitoring):
             o Transfers to the same person from different individuals or to different persons from the same individual with no reasonable explanation.
             o Unusually large aggregate wire transfers or high volume or frequency of transactions with no logical or apparent reason.
             o Customer uses aliases, nominees or a variety of different addresses.
             o Customers whose concentration ratio of transfers made to a jurisdiction is notably higher than what is to be expected considering overall customer base.
             o Customer transfers/receives funds from persons involved in criminal activities as per the information available.
             o A network of customers using shared contact information (such as address, telephone or e-mail) where such sharing is not normal or reasonably justifiable.
             
            Transactions received:
             o Transactions that are not accompanied by the required originator or beneficiary information.
             o Additional customer or transactional information was requested from an ordering counterparty but not received.
             o Large number of transactions received at once or over a certain period of time which do not seem to match the recipient’s usual past pattern.

            10 FATF: Guidance-RBA-money-value-transfer-services.pdf (fatf-gafi.org)

        • 4.7. Training

          As per Paragraph 16.23 of the Standards, LEH must provide comprehensive AML/CFT compliance training to all employees. The effective application of AML/CFT policies and procedures depends on the employees’ understanding not only of the processes they are required to follow, but also the risks these processes are designed to mitigate, and the possible consequences of those risks. Employees should remain abreast on an ongoing basis of emerging ML/FT typologies and new internal and external risks. The AML/CFT compliance training should be relevant to the LEH’s ML/FT risks, business activities and up to date with the latest legal and regulatory obligations and internal controls. It should be tailored to particular lines of business within the LEH, equipping employees with a sound understanding of specialized ML/FT risks they are likely to face, and their obligations in relation to those risks, and must be provided to all new employees within thirty (30) calendar days from the date of joining. Thereafter, refresher training must be provided to all employees at regular intervals depending on the ML/FT risk exposure of each employee; for example, employees who deal directly with customers, products or services must be trained annually at a minimum. Refresher training must also be provided whenever there are changes in the legal and regulatory framework in force in the UAE or the LEH’s AML policy/procedures. Furthermore, the AML/CFT compliance training should be provided to relevant employees upon learning of a confirmed negative risk assessment result or audit finding, or other deficiency pertaining to the AML/CFT Program. Evidence for all trainings conducted must be retained for inspection by the CBUAE.

        • 4.8. Independent Audit

          The independent audit process helps the LEH assess the effectiveness and adequacy of its current processes, including by assessing the adequacy of the AML/CFT Program and checking for any inconsistencies between the policy and procedures and day-to-day operations in order to identify any weaknesses and deficiencies. Independent auditing must be undertaken regularly to review and assess the effectiveness of the AML/CFT compliance policies, procedures, systems and controls, and their compliance with the LEH’s obligations. As per Paragraph 16.31.1 of the Standards, the Compliance Officer’s function must undergo regular audit by the LEH’s internal audit department. In addition, under Paragraph 16.31.2 of the Standards, “agreed-upon procedures” for the review of the AML/CFT Compliance function must be performed by external auditors annually.

          The independent audits, whether internal or external, should be undertaken by skilled and competent auditors. The internal audit department should be resourced with skilled and competent employees that understand the AML/CFT Program of the LEH. The audit should be commensurate to the level and sophistication of the LEH, and be updated to account for changes in risk assessments and the legal and regulatory framework in force in the UAE. The internal audit function should be accountable to the Board of Directors (or the Owner/Partners if there is no Board of Directors), independent of the audited activities and functions, and have sufficient authority, skills, expertise, and resources within the organization.

        • 4.9. Record Keeping Requirements

          Under Article 24 of the AML-CFT Decision, LEH must retain all records, documents, data and statistics for all transactions for a minimum period of five (5) years from the date of completion of the transaction or termination of the business relationship or from the closing date of the account. Records must be maintained in an organized manner so as to permit data analysis and, where relevant, the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. For more details and information please refer to paragraph 16.29 of the Standards.

        • 4.10. Managing Employee Risk

          As per Paragraphs 8.2 and 16.22 of the Standards, the LEH must implement an appropriate recruitment and Know Your Employee (“KYE”) process for hiring employees and confirm the background of applicants prior to placing them in employment. The level of vetting procedures applied should reflect the ML/FT risks to which individual employees are exposed in their assigned roles. The LEH should be aware of potential conflicts of interest for employees with AML/CFT responsibilities and should act to reduce or manage such conflicts of interest.

          Furthermore, under Paragraph 16.28 of the Standards, the LEH must watch out for its employees’ behavior and be aware of possible indicators of illicit behavior displayed by employees, such as:

           An employee whose lifestyle cannot be supported by his/her salary, which may indicate receipt of tips or bribes.
           An employee who is reluctant to take a vacation, which may indicate they have consented or are being forced to provide services to customers in violation of the law or company policy.
           An employee who is associated with an unusually large number of transactions or a transaction in an unusually large amount, which may indicate they have consented or are being forced to provide services to customers in violation of the law or company policy.
           
      • 5. Reporting Obligations

        • 5.1. Reporting to the CBUAE

          As per Paragraph 4.21 of the Standards, LEH must submit reports to the CBUAE, which may be updated from time to time in terms of the frequency and form of submission and their deadline. For the submission of periodical returns/reports via the online system, the LEH must obtain access to the CBUAE reporting portals, such as its Integrated Regulatory Reporting System, Remittance Reporting System and/or other applicable system.

        • 5.2. Reporting to the FIU

          All LEH should have procedures and systems in place to ensure that suspicious activity is reported to authorities in an appropriate and timely manner. LEH must take into account all information from both the ordering and beneficiary sides in order to determine whether an STR or SAR is to be filed.

          As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LEH must file without any delay an STR or SAR or other report types with the FIU using the “goAML” portal when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Under Article 24 of the AML-CFT Law, any person, including a LEH or their managers and employees, who violates on purpose or by gross negligence their statutory obligation to report a suspicion of money laundering and related predicate offences, financing of terrorism or illegal organisations is liable to the following sanctions:

           Imprisonment and fine of no less than AED100,000 and no more than AED1,000,000; or
           Any of these two sanctions (i.e. imprisonment or fine of no less than AED100,000 and no more than AED1,000,000).
           For more details and information, please refer to Paragraph 16.27 of the Standards as well as the “CBUAE Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting”13.

          13 Available at: https://www.centralbank.ae/en/cbuae-amlcft

      • 6. Prohibition of Tipping Off

        Under Article 25 of AML-CFT Law, anyone who notifies or warns a person or reveals any transaction under review in relation to suspicious transactions or being investigated by the competent authorities is punishable by a penalty of imprisonment for no less than six months and/or a fine of no less than AED 100,000 and no more than AED 500,000. Any such action is known as “tipping off.” As per Paragraph 16.27 of the Standards, the prohibition on tipping off means that the LEH or its employees must not inform customers or any persons or third parties, either directly or indirectly, that their transactions are subject to monitoring, under investigation or have been reported to the FIU as suspicious transactions. The Compliance Officer should ensure that all employees of the LEH are aware of the consequences of tipping off. Sufficient AML/CFT training should be provided to all employees to ensure that they understand what constitutes tipping off and how to avoid it.

      • Annex1 - Synopsis of the Guidance

        Purpose of this Guidance
        Purpose: The purpose of this Guidance is to assist the understanding of risks and effective performance by the Licensed Exchange Houses ("LEH") of their AML/CFT statutory obligations. The FATF's Mutual Evaluation Report of the UAE issued in April 2020 stated that the Money or Value Transfer Services' sector, including the Exchange Houses' sector, is weighted as highly important in terms of risk and materiality in the UAE. The inherent risk and materiality of these sectors has been notably increased by their exposure to cash transactions.
        Applicability: This Guidance applies to all Exchange Houses that are licensed and supervised by the CBUAE.
        Risks Related to the Exchange House Sector: The Exchange House sector provides widely used financial services to diverse customer sectors. While the majority of its Exchange Business is legitimate in purpose, it can be abused to facilitate illegal activity, including terrorist financing, money laundering, and other types of criminal activity. This is due to the simplicity and speed of transactions, worldwide reach, global regulatory disparity and often cash-based nature of transactions. Exchange Houses may also potentially be abused by criminal groups and corrupt employees or agents co-operating with criminals, who may seek to own an Exchange House outright, or indirectly through an associate or could seek to coerce employees through financial incentives.
        Regulation and Supervision of Exchange Houses: The Exchange Houses sector is regulated by the Regulations and the Standards issued by the CBUAE. For more detail and information, please refer to Chapter 16 on AML/CFT Compliance of the Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business (Version 1.20 of November 2021 amending Version 1.10 of February 2018 ("The Standards")). LEH are supervised by the CBUAE, which may examine the activities of the LEH at any time it deems appropriate to ensure proper compliance with their statutory obligations under the legal and regulatory framework in the UAE, or impose supervisory action or administrative and financial sanctions for violations.
        AML/CFT Compliance Program for LEH
        AML/CFT Program: LEH must carefully design, document and effectively implement an AML/CFT Program in line with the provisions of the Standards, AML-CFT Law, and AML-CFT Decision. When designing or updating their AML/CFT programs, the scope of the AML/CFT Program should be proportionate to the level of the risk posed by the LEH's size, scale, complexity, the nature and volume of its Exchange Business, the nature of its customer base, the business relationships it maintains, and the geographic areas in which it operates.
        Risk Assessment: LEH must develop a risk assessment in order to understand how and to what extent it is vulnerable to ML/TF, and help determine the nature and extent of AML/CFT resources necessary to mitigate and manage that risk, which should cover all relevant factors including but not limited to:
        •   Customer risk;
        •   Products and services risk;
        •   Delivery channel risk;
        •   New technologies risk;
        •   Jurisdiction or geographic risk;
        •   Counterparty risk; and
        •   Other areas of risk.
        Policies and Procedures: LEH must establish and implement comprehensive and documented AML/CFT policies and procedures to enable them to effectively manage and mitigate the risks identified. They must be approved, reviewed and updated, annually at a minimum, to ensure that they are consistent with the legal and regulatory framework in the UAE and other international best practices, and effective in mitigating existing as well as emerging ML/FT risks.
        Governance and the Compliance Officer: The core of an effective risk-based program is an appropriately experienced AML/CFT Compliance Officer who understands the LEH's risks and obligations and who has the resources and autonomy necessary to ensure that the LEH's program is effective. The role of Compliance Officer must be limited to tasks related to AML/CFT compliance and not be combined with any other functions of the LEH to avoid conflict of interest from multiple roles. The LEH must also appoint an Alternate Compliance Officer.
        Customer Due Diligence and Ongoing Monitoring: The goal of the CDD process is to ensure that LEH understand who their customer is and the purpose for which the customer will use the LEH's services. Where an LEH cannot satisfy itself that it understands a customer, then it must not accept the customer. If there is an existing business relationship, the LEH should not continue it. LEH should also consider filing a suspicious transaction report ("STR") or suspicious activity report ("SAR") or other report types to the FIU as discussed in section 5 of the Guidance.

        The Standards require three types of KYC processes that must be applied depending on the customer's risk and the nature of the transaction and customer. These are Customer Identification (CID); Customer Due Diligence (CDD); and Enhanced Due Diligence (EDD). Please refer to the table in Section 4.4 on when to use each KYC measure and to the respective paragraphs in the Standards for the detailed requirements.

        LEH are required to ensure that the documents, data or information obtained under CDD measures are up-to-date and appropriate by reviewing the records, particularly those of high-risk customer categories. Unless otherwise required, LEH should update the KYC information on customers and counterparties on a risk-based schedule, with KYC on higher-risk customers being updated more frequently. When a customer's characteristics have changed, LEH should risk-rate the customer again, and, where necessary, conduct EDD.
        Transaction Monitoring: LEH must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. All LEH should have a form of transaction monitoring system in place in order to monitor for any suspicious transactions to and from customers; failure to have such a system in place may not only cost an LEH its reputation, but also lead to large fines and other penalties. For more information and details, please consult the CBUAE's Guidance for Licensed Financial Institutions on Transaction Monitoring Screening and Sanction screening.
        Sanctions Obligations and Freezing Without Delay: LEH are required to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council under Chapter VII of the Charter of the United Nations and the requirements set by Cabinet Decision 74 of 2020 regarding Targeted Financial Sanctions. For more information and details, please consult the Standards, the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control's Guidance on Targeted Financial Sanctions for Financial Institutions and designated non-financial business and professions, the CBUAE's Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions as well as the CBUAE's Guidance for Licensed Financial institutions on Transaction Monitoring Screening and Sanctions screening.

        Furthermore, LEH must sign up for the Integrated Enquiries Management System (IEMS) introduced by the FIU to automate and facilitate the execution process of requests for information, implementing decisions of public prosecutions and any other type of ML/FT requests.
        Training: LEH must provide comprehensive AML/CFT compliance training to all employees, which should be relevant to the LEH's ML/FT risks, business activities and up to date with the latest legal and regulatory obligations and internal controls. It should be tailored to particular lines of business within the LEH, equipping employees with a sound understanding of specialized ML/FT risks they are likely to face and their obligations in relation to those risks, and provided to all new employees within thirty calendar days from the date of joining and regularly thereafter proportionate to their ML/FT risk exposure.
        Independent Audit: Independent auditing must be undertaken regularly to review and assess the effectiveness of the AML/CFT compliance policies, procedures, systems and controls, and their compliance with the LEH's obligations by the LEH's Internal Audit Department. In addition, "agreed-upon procedures" for the review of the AML/CFT Compliance function must be performed by external auditors annually.
        Record-Keeping: LEH must retain all records, documents, data and statistics for all transactions for a minimum period of five (5) years from the date of completion of the transaction or termination of the business relationship or from the closing date of the account. Records must be maintained in an organized manner so as to permit data analysis and, where relevant, the tracking of financial transactions.
        Managing Employee Risk: The LEH must implement an appropriate recruitment and Know Your Employee ("KYE") process for hiring employees and confirm the background of applicants prior to placing them in employment. The level of vetting procedures applied should reflect the ML/FT risks to which individual employees are exposed in their assigned roles.
        Reporting Obligations
        Reporting to the CBUAE: LEH must submit reports to the CBUAE, which may be updated from time to time in terms of the frequency and form of submission and their deadline. For the submission of periodical returns/reports via the online system, the LEH must obtain access to the CBUAE reporting portals, such as its Integrated Regulatory Reporting System ("IRR"), Remittance Reporting System ("RRS") and/or other applicable system.
        Reporting to the FIU: LEH must file without any delay a STR, SAR or other report types with the FIU using the "goAML" portal when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Please consult the CBUAE's Guidance for Licensed Financial institutions on Suspicious Transaction Reporting for further information.
        Prohibition of Tipping Off: The prohibition on tipping off means that the LEH or its employees must not inform customers or any persons or third parties, either directly or indirectly, that their transactions are subject to monitoring, under investigation or have been reported to the FIU as suspicious transactions.

         

    • Guidance for Licensed Financial Institutions Providing Services to Legal Persons and Arrangements

      Effective from 7/6/2021
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

          National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
           
          Insurance companies, agencies, and brokers.
           
        • 1.4. Definitions

          Key Terms
           

          Beneficial owner: The natural person who owns or exercises effective ultimate control, directly or indirectly, over a client; or the natural person on whose behalf a transaction is being conducted; or the natural person who exercises effective ultimate control over a legal person or legal arrangement.

          Legal person: Any entities other than natural persons that can establish in their own right a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations, along with similar entities.

          Legal arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality. Examples include trusts or other similar arrangements. Many legal arrangements allow for ownership, control, and enjoyment of funds to be divided between at least two different persons.

          Settlor: A natural or legal person who transfers the control of his funds to a trustee under a trust document.

          Trust: A legal relationship in which a settlor places funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.

          Trustee: A natural or legal person who has the rights and powers conferred to him by the settlor or the trust, under which he administers, uses, and acts with the funds of the settlor in accordance with the conditions imposed on him by either the settlor or the trust.

           

      • 2. Understanding and Assessing the Risks of Legal Persons and Arrangements

        Legal persons and arrangements are critical to the conduct of business, charitable activity, estate planning, and many other activities. They have a wide variety of acceptable and desirable purposes, and the vast majority of legal persons and arrangements are engaged solely in licit behaviour.

        Nevertheless, certain aspects of legal persons and arrangements are acknowledged to pose risk for LFIs that accept such entities as customers. Most importantly, the use of legal persons and arrangements to manage funds or do business can obscure or conceal the identity of the individuals who are truly controlling, directing, or benefiting from the services the LFI offers its legal person or legal arrangement customer. This concealment can allow illicit actors to abuse services offered by LFIs in order to launder the proceeds of crime, engage in terrorist financing, evade United Nations or UAE sanctions, and threaten the integrity of the UAE financial system and the security of the State.

        Legal persons and arrangements are attractive to participants in illicit finance—including money laundering (ML), the financing of terrorism (TF), and the financing of proliferation (PF)—because these entities offer the opportunity to transact anonymously, or nearly anonymously, through complex and/or opaque corporate structures. Section 2.1 discusses the ways that legal persons and arrangements can be abused to conceal illicit transactions from financial institutions.

        It is important to be aware, however, that not all legal persons and arrangements pose equal risk of abuse. The vulnerabilities arising from the basic characteristics of legal persons and arrangements can be enhanced or mitigated through the formation process and other controls jurisdictions apply to legal persons and arrangements. Thus, it is critical for LFIs seeking to understand the risks of their customer base to be aware of the presence or absence of these features and controls in the jurisdiction of formation. Section 2.2 below discusses specific aspects of a control regime and how these can impact vulnerability.

        • 2.1. ML/TF Risks Legal Persons and Arrangements Pose to LFIs

          Legal persons and arrangements offer many advantages to illicit actors. Most importantly, however, they could be abused to hide the identity of natural persons and allow bad actors to seek to open an account or carry out a transaction with an LFI under a name other than their own. Weak laws governing the formation of legal persons and arrangements could allow for bad actors to abuse legal persons and arrangements and enable them to conduct a transaction or transactions almost without the LFI understanding the real risks and the involvement of the bad actors—an action that would otherwise be prohibited under the laws of most jurisdictions. This ability to conceal identity has a number of ramifications for financial institutions.

          • 2.1.1. Obscuring Identity/Beneficial Ownership

            Individuals can use legal persons and arrangements to obscure or conceal their involvement in a transaction. In many jurisdictions, the individuals who truly own, control, direct, or benefit from a transaction—known as the beneficial owners—are not required to reveal their identities to the authorities. Individuals who are wanted criminals, known terrorist financiers, or connected to heavily sanctioned jurisdictions can form opaque companies in lower-risk jurisdictions and seek financial services under the name of a legal person or arrangement they control.

            Even in jurisdictions where legal persons and arrangements are required to report their beneficial ownership, illicit actors can seek to conceal their ownership interest through the use of complex corporate structures, intermediaries, and nominees, as discussed below.

          • 2.1.2. Obscuring the Purpose of an Account or Transaction

            Legal persons, particularly businesses, engage in a wide variety of transactions with a wide range of counterparts. Depending on its size and the nature of its business, a legal person customer might be likely to send and receive far larger and more irregular transfers than would an individual—many of them with counterparties that are also legal persons. For example, a company that manufactures for export may send payments to suppliers in a number of foreign jurisdictions, and receive payments from purchasers in different jurisdictions.

            The variety and unpredictability of transactions carried out by legal persons can make it more difficult to identify behaviour that is unusual or has no obvious economic purpose. This is especially true when the counterparts are also opaque legal persons or arrangements. For example, a company may seek to reduce its tax burden by claiming that certain transfers are tax-deductible expenses, when in reality they are payments to a legal person with the same beneficial owners as the originating company.

          • 2.1.3. Obscuring Source of Funds or of Wealth

            Legal persons can also be abused by individuals seeking to hide the source of an incoming transfer. For example, a politically exposed person (PEP) might receive a transfer that supposedly represents investment returns from a company located in another jurisdiction. Without knowing the beneficial owners of the originating company, it is difficult to say whether the transfer does in fact represent a return on investments, or whether it is in fact a bribe or somehow related to corruption.

            The involvement of legal persons and arrangements can also make it more difficult for LFIs to identify a customer’s true source of wealth. A legal person that is represented as a profitable business, for example, may in fact be a shell company that merely passes on income from illicit sources.

          • 2.1.4. Common Typologies of Abuse of Legal Persons and Arrangements

            The use of shell companies: Shell companies, commonly defined as companies that have no significant operations or related assets, may have legitimate business purposes. A shell company’s lack of employees and physical presence, however, makes it possible to abuse it as a vehicle for illicit transactions. These features also make it very difficult for law enforcement agencies in jurisdictions where the company operates to investigate its owners and activities.

            Case Study: Shell Companies
             

            A group of individuals conducted an investment fraud scheme which promised victims high returns on an initial investment of USD 35,000. As part of the scheme, the group established a complex web of bank and brokerage accounts and shell companies in the United States and several foreign jurisdictions. The group also opened cash management accounts at brokerages utilizing the shell corporations. Investors were told to send their investment funds to the accounts established utilizing the shell corporation names. Once in this account, the funds were transferred to secondary accounts. From these accounts, the funds were then disbursed to various foreign and domestic accounts and liquidated through the use of checks, debit cards, and ATM cards.

             

            Complex ownership and control structures: Individuals who seek to hide their interest in a company may create multiple layers of ownership and control that make it difficult to identify who really owns and controls the company. For example, a company may be owned by a second legal person, that is in turn owned by three legal persons, that are controlled via a debt financing arrangement. Where directors are required to be reported to the registering authority, a company may name legal persons as directors, further complicating the control structure.

            Case Study: Complex Ownership
             

            Company G was 95% owned by Mr. A and 5% by Mr. B. Company G purchased a power generator from Company K, owned by Company R in the Cayman Islands. Company R was linked to Panamanian Foundation P, which had Mr. A and his spouse as beneficiaries. Company G leased the generator to Company E, receiving amounts cleared by Company L. The funds were drawn against Company K’s bank account, and Company G made payments to Company K to settle a debt. The funds were credited to the accounts of Companies S, T and R.

             

            Use of nominee shareholders and directors: Nominee arrangements involve an individual (the nominator) assigning his or her shares or voting rights to a second individual (the nominee) who agrees to act in accordance with the wishes of the nominator. The nominee is listed as the shareholder or director of record, but in fact has no power to direct the company and does not have a legal ownership right over the benefits accruing to the ownership interest, such as dividends. Nominee relationships may be contractual or based on a handshake agreement. Such informal arrangements often involve a nominator and nominee who are close associates or family members.

            Case Study: Informal Nominee Shareholders and Directors
             

            A Russian state agency contracted with Company 1 and Company 2 to perform software development. Neither company had the relevant expertise; they each hired subcontractors to do the work. The majority of funds received by both companies were funnelled into foreign shell companies, invested in real estate, or used to purchase luxury goods. Company 2 had previously been owned by Mr. X, who transferred the ownership to complicit associates. The real estate company that received the investment funds was owned by Mr. X’s daughter. Mr. X also controlled the nominal owners of Company 1, who received a salary from the company. Mr. X was the brother of the director of the state agency’s research department.

             

            Use of intermediaries: Individuals seeking to create complex, opaque corporate structures will often seek out professional intermediaries (lawyers, accountants, and trust and company service providers (TCSPs)) who are experienced in bending and manipulating the rules in the jurisdiction where the legal person or arrangement is formed. Intermediaries may create new legal persons or arrangements, or sell the rights to existing legal persons that appear to have been in operation for some time. These intermediaries may also serve as directors, nominees, or trustees of the resulting legal persons and arrangements.

            Case Study: Use of Intermediaries
             

            Companies registered in New Zealand by a Vanuatu-based TCSP operated by New Zealand citizens were suspected of acting as shell companies that facilitated crime in foreign jurisdictions. The TCSP acted as nominee shareholders and provided nominee directors who resided in jurisdictions such as Vanuatu, Panama and the Seychelles. The TCSP also provided a New Zealand-based nominee director to satisfy the legal requirement to have a New Zealand resident director and address. By 2010, the TCSP had registered approximately 2,000 companies in New Zealand on behalf of clients in foreign jurisdictions. Its address, in Auckland, was used as the registered office for most of the companies. Authorities suspect that at least 73 of these companies facilitated crimes in foreign jurisdictions.

             

        • 2.2. Features and Controls that Mitigate the Risk of a Legal Person or Arrangement

          At a high level, features and controls that affect the vulnerabilities of legal persons and arrangements can be divided into four categories:

           The formation process and requirements to establish the legal person or arrangement;
           The identification of the individuals actually owning and controlling legal persons and arrangements;
           The reporting and recordkeeping requirements imposed on companies throughout their lifetime; and
           The formation authority’s supervisory regime and enforcement tools.
           

          The subsections that follow briefly discuss the various measures that—if effectively implemented—can help mitigate the vulnerabilities of legal persons and arrangements.

          LFIs should be aware of the risks associated with all customer types, including legal persons and arrangements established outside the UAE. Appropriately assessing these risks will often involve developing an understanding of the controls in place to ensure transparency.

          CBUAE recognizes that LFIs do not control the legal frameworks governing their customers. Nevertheless, CBUAE recommends that LFIs familiarize themselves with the features of the company forms most commonly found within their customer base, and the controls in place in the jurisdictions where their legal person customers are most commonly registered. LFIs should also consider seeking some or all of the following information in order to understand legal person and legal arrangement risks, particularly when conducting enhanced due diligence on legal person and legal arrangement customers that pose higher risks.

          • 2.2.1. Formation Requirements and Process

            Abuse of legal persons and arrangements for ML/TF/PF often includes the creation of complex ownership structures with many such entities—including entities of different types and in different jurisdictions; the use of one-time ‘disposable’ entities that are abandoned after they have served their purpose; or the use of previously inactive ‘shelf companies’. In addition, illicit actors will be able to more easily transact anonymously if they are required to reveal only minimal information during the formation process, can rely on nominees, or can complete processes without face-to-face interaction. For these reasons, legal persons and arrangements in jurisdictions whose formation processes allow for rapid, remote, and inexpensive formation and registration may be more attractive to illicit actors.

          • 2.2.2. Identification and Reporting of Beneficial Owners

            Because anonymity is one of the greatest attractions for illicit actors who seek to abuse legal persons and arrangements, they are likely to gravitate towards jurisdictions and company forms that require them to provide minimal information about the entities and themselves and that make it difficult for third parties to identify who in fact owns and controls the entity. The following controls that may be applied by the jurisdiction registering the entity in question can, to a certain extent, reduce the vulnerabilities created by corporate opacity.

             The registering authority collects key information about the company (such as name, address, and the names of directors) at formation and makes it available to the public;
             The registering authority collects the identities of all beneficial owners, or all beneficial owners owning at least a given percentage of the company, at the time of establishment, and makes this information available to domestic and foreign law enforcement, as well as AML/CFT regulated entities.
              o The threshold for identifying ownership should be in line with international and UAE standards.
              o Where the registering authority applies a threshold that exceeds 25% of the ownership interests in a legal person, LFIs should be aware that the customer is not required to report all individuals qualifying as beneficial owners in the UAE;
             The legal person or arrangement is prohibited from being owned by another legal person or arrangement;
             Nominee shareholders and directors are prohibited, or are appropriately regulated.
             
          • 2.2.3. Reporting and Recordkeeping

            Unlike individuals, legal persons and arrangements can swiftly change fundamental elements of their identity, rendering information provided during the formation process obsolete. Legal persons and arrangements can also compartmentalize information about themselves so that no single individual possesses full information about the entity. Because legal persons and arrangements abused for ML/TF/PF may not engage in licit commercial activity and may be controlled by only a small number of closely connected individuals, there is little commercial rationale for such entities to maintain adequate books and records. Illicit actors take advantage of these features by purchasing already-established companies “off the shelf;” selling companies to new owners; changing the company name; or failing to maintain records of their ownership. These vulnerabilities can, to a certain extent, be mitigated through effective controls, such as:

             Legal persons and arrangements are required to promptly update the registering authority if their key information (including beneficial ownership) changes;
             Legal persons and arrangements are required to appoint a resident agent in the jurisdiction where they are established to respond to inquiries;
             Legal persons and arrangements are required to make annual financial reports to their registering authority and/or to undergo a regular audit and provide the audit report to their registering authority.
             
          • 2.2.4. Supervision

            The effectiveness of any regime of controls over legal persons and arrangements depends on the consistency with which such controls are enforced and on the sanctions available to the supervisor and law enforcement.

             Legal persons and arrangements are monitored by their supervisor for their compliance with requirements;
             The supervisor can and does levy substantial penalties, whether civil or criminal, for violations of these requirements.
             
      • 3. Legal Persons and Arrangements in the UAE

        The UAE has a complex regime for formation of legal persons and arrangements, with 39 corporate registrars across the Emirates, the Commercial Free Zones (CFZs), and the Financial Free Zones (FFZs). Historically, each registrar has had its own processes, but following the passage of AML-CFT Decision, which institutes common basic standards for all registrars, these processes are being harmonized across the UAE.

        Certain information on legal persons doing business in the UAE is publicly available through the National Economic Register. For entities with a UAE business license, the National Economic Register contains the entity’s license number, address, business activities, and the name of a manager. LFIs are encouraged to consult the Register when conducting CDD on legal persons, but should not rely on information contained in the Register without independently verifying it with the customer.

        • 3.1. Identification of Beneficial Owners

          Under AML-CFT Decision, all registrars of legal persons in the UAE must comply with the following requirements:

           Registrars must provide the public with information on the types and features of companies they establish, the process for creating those companies, and the process by which members of the public can obtain information on those companies, including on the beneficial owner(s).
           Registrars must obtain and maintain certain basic information on each company they register, including its name, address, a list of directors, its legal form, and its founding statutes.
           Registrars must identify the beneficial owners of each company they register, defined as any individual owning or controlling at least 25 percent of the company.
           

          In addition, all legal persons in the UAE are required to:

           Maintain accurate and up to date information on their shareholders and beneficial owners;
           Identify nominee shareholders and directors to their Registrar; and
           Appoint an individual resident in the UAE to be responsible for providing this information to the Registrar.
           

          Cabinet Decision No. (58) of 2020 Regulating the Beneficial Owner Procedures further defined these requirements. All legal persons in the UAE must be licensed or registered, must identify their beneficial owners, and must hold accurate, up-to-date information on their beneficial owners in a Register of Beneficial Owners. They must also report the same information to the relevant registrar. The Resolution also requires that nominee directors identify themselves to the legal person for which they serve as director, and this information must also be included in the legal person’s Register.

          There are certain limited exemptions to this requirement. For example, legal persons that are publicly traded on a stock exchange, or that are owned by such a company, do not have to identify or report their beneficial owners because of other associated transparency-related measures and obligations. In addition, if no individual meets the threshold by owning at least 25% of a legal person, that entity can report an individual who controls the entity (such as its managing director) instead of a true beneficial owner.

          Together, these requirements aim to ensure that customers that are legal persons established and registered under the laws of the UAE must identify their beneficial owners and must always have up-to-date information on these individuals available. LFIs cannot rely solely on customers’ statements and must verify the identity of beneficial owners independently. But a UAE-based legal person customer that claims to be unfamiliar with the requirements, or represents that it has never been required to identify its beneficial owners, may not be in compliance with the law and should be treated as at least high risk.

        • 3.2. Legal Arrangements Under UAE Law

          Two types of legal arrangements can be formed under UAE law:

           Trusts can be formed in the Mainland as well as in the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM). In a trust arrangement, the owner of certain funds, known as the settlor, places these funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.
           Awqaf (singular waqf), also known as endowments, can be created on the Mainland. Awqaf are a form of legal arrangement created according to shari’a law. A waqf allows a property owner to endow certain assets (often real property, but also shares or other income-producing assets) for the benefit of family members or a charitable cause. The endower loses control and ownership of the assets, which are registered as endowed and managed by a supervisor or trustee. Many awqaf are directly managed by the General Authority for Islamic Affairs and Endowments, but others are privately superintended.
           

          Under AML-CFT Decision, Articles 9 and 37, trustees of legal arrangements, or persons holding analogous positions in other legal arrangements, are required to hold accurate and up-to-date information on the beneficial owners of the trust or other legal arrangement. For legal arrangements, the beneficial owners are defined as the settlor, the trustee, and the beneficiaries or identifiable class of beneficiaries, along with any other individual exercising ultimate effective control over the legal arrangement. Under Article 9 of AML-CFT Decision, LFIs must identify these individuals as the beneficial owners of their legal arrangement customers.

          In both cases, it is important for financial institutions to be aware that these legal arrangements allow for an individual to legally hold and control funds that he or she does not own and does not have the right to benefit from. A trustee of a trust or waqf may open an account for trust funds under his or her own name, so that the account appears to belong to an individual rather than a legal arrangement. Although trustees are required to disclose their status, LFIs, as part of Customer Due Diligence (CDD), should take a proactive approach to identifying whether a customer is a trustee. This may include directly asking customers whether they are acting as trustees.

        • 3.3. Economic Substance Requirements

          Under Cabinet Resolutions (31) of 2019, (7) of 2020, and (57) of 2020, UAE legal persons operating in certain sectors with relevant income must meet requirements related to the level of core business activities that they carry out in the UAE (the Economic Substance Test). All firms conducting any of the following activities must pass the annual Economic Substance Test:

           Banking;
           Insurance;
           Investment Funds Management;
           Lease-Finance;
           Headquarters operations;
           Shipping;
           Holding Company activities;
           Intellectual Property;
           Distribution and service centres.
           

          In order to pass the test, these firms are required to make an annual report, the Economic Substance Report, to their registrar showing that they in fact carry out core income-generating activities within the UAE, that these activities are directed and managed from the UAE, that the firms maintain an appropriate number of employees, and that the firms have appropriate physical premises. The report is then reviewed by the Federal Tax Authority, which makes a determination as to whether the criteria for economic substance have been satisfied. The Economic Substance Report is not currently available to financial institutions directly, but LFIs may request an attested copy of the Report from their customer or prospective customer.

          The Economic Substance Test could help reduce the likelihood that UAE companies in these sectors are shell companies. The Economic Substance Test is retroactive, however, with companies required to submit Reports at the end of the twelve-month period in which the qualifying activity took place. In addition, Reports may not be promptly reviewed. LFIs should not rely on a customer’s assertion that it has passed the Economic Substance Test and must conduct appropriate customer due diligence, as discussed in section 4.3 below. This may include requesting the customer’s Economic Substance Report from the customer itself.

      • 4. Mitigating Risk

        Legal persons and arrangements are an important part of LFIs’ customer base and of economic activity in the UAE. However, legal persons and arrangements create real, and diverse, risks for financial institutions. LFIs are not expected to prohibit legal person and arrangement customers. Instead, they must understand, manage, and mitigate the risk through the appropriate application of preventive measures required under AML-CFT Decision and CBUAE directives and guidance documents.

        This section describes LFIs’ obligations under UAE Law with specific reference to legal persons and arrangements. It is not a comprehensive discussion of all requirements imposed on LFIs. LFIs should consult the Laws and regulations including AML-CFT Decision and the CBUAE’s Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations Guidelines. The controls discussed below must be integrated into the LFI’s larger AML/CFT compliance program, and supported with appropriate governance and training.

        • 4.1. Requirements for Legal Person and Arrangement Customers Under AML-CFT Decision

          Under Article 8(b) of AML-CFT Decision, when conducting CDD on legal persons and arrangements, LFIs must collect the following information and verify it based on documents from a reliable and independent source:

           The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
           Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
           Articles of Association or any similar documents, approved by the relevant authority within the State;
           Names of relevant persons holding senior management positions in the legal person or legal arrangement.
           

          Legal persons and arrangements, by definition, cannot take action on their own and must be represented by a natural person. Therefore, for all legal persons and arrangements the LFI must verify that the individual acting on behalf of the customer is authorized to do so, and conduct CDD on that person as required by Article 8(a) of AML-CFT Decision.

          In addition to the information described above, under Article 9 of AML-CFT Decision, the LFI must take reasonable measures to identify the beneficial owner(s) of all legal person and legal arrangement customers.

           For legal persons, LFIs must at least obtain and verify the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
           For legal arrangements, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement. LFIs must also obtain sufficient information on the beneficial owners of a legal arrangement to enable verification of the beneficial owner when paying trust funds to the beneficial owner, or when the beneficial owner begins to exercise his or her legally acquired rights. (This may take place, for example, when a beneficiary of a trust reaches his or her majority and takes full control and ownership of the trust funds.)
           

          As stipulated by Article 10 of AML-CFT Decision, LFIs may omit collecting information from the customer to identify the beneficial owner of a legal person or arrangement customer only in two narrowly defined circumstances, which both apply to legal persons only:

           a) The customer is a company listed on a regulated stock exchange and subject to disclosure requirements that ensure adequate transparency with regards to the customer’s beneficial owner(s);
           b) A subsidiary whose majority shares or stocks are held by the shareholders of the holding company.
           

          In both cases, LFIs must still identify the beneficial owner(s) using reliable public sources. LFIs must also verify that the customer does in fact qualify for the exemption. LFIs remain responsible for using a risk-based approach and for ensuring that they understand their customer. LFIs should not seek to take advantage of this exemption if they cannot identify the beneficial owner(s) using reliable public sources. LFIs are unlikely to find reliable public information on the beneficial owners of privately-held holding companies.

          In all cases, LFIs are also required by Article 8.4 of AML-CFT Decision to understand the customer’s ownership and control structure.

        • 4.2. The Risk-Based Approach, Customer Risk Rating, and the Institutional Risk Assessment

          LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including legal persons and arrangements. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.

          The risk-based approach has three principal components:

          1. Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.

          The enterprise risk assessment should reflect the presence of legal persons and arrangements in an LFI’s customer base. The risk assessment should consider the most common forms of legal persons and arrangements in the LFI’s customer base and should assess the risks of each form. This assessment should carefully consider and incorporate the ML/TF risks legal persons and arrangements pose to LFIs discussed above (section 2.1), although LFIs may have legal person and arrangement customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI’s inherent risk rating.

          In addition, the LFI’s risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its legal person and arrangement customers, including the preventive measures discussed below.

          2. Identifying and assessing the risks associated with specific customers.

          The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD). Customer risk assessment for legal persons and arrangements should incorporate at least all elements of the customer risk assessment for individuals, but should apply them both to the legal person or arrangement customer itself and to the individuals prominently associated with it. For example, the assessment of the legal person or arrangement’s jurisdictional risk should take into consideration not just the customer’s jurisdiction of establishment, but also the residence and nationality of the beneficial owners, senior manager, and directors.

          Other risk assessment considerations that are unique to legal person and arrangement customers include:

           The legal form of the customer, and the controls in place to ensure transparency;
           The status of the beneficial owners and senior management. For example, if a beneficial owner or senior manager of a customer is a PEP, as defined in Article 15 of AML-CFT Decision, the customer may also need to be treated as a PEP, depending on the extent of the PEP’s ownership and control and his or her relationship to the other beneficial owners or managers.
           
          3. Applying EDD and other preventive measures to customers the LFI determines to be higher-risk, as required by Article 4.2(b) of AML-CFT Decision, or to specific customer types, no matter their risk rating, as required by AML-CFT Decision.
           

          Many EDD measures for legal persons and arrangements are the same as those applied to individual customers. EDD measures that are specific to legal person and arrangement customers are discussed in section 4.3 below.

          Under AML-CFT Decision, the legal person customer types for which enhanced or special due diligence is required are:

           Legal persons based in high-risk countries (Article 22);
           
           Financial institutions with which the LFI proposes to enter into a correspondent relationship (Article 25);
           
           Legal person customers that are fully owned or controlled by PEPs, their direct family members, or their close associates (Article 15). If a PEP, a direct family member, or an associate is a partial owner of a customer, LFIs may take a risk-based approach to applying EDD to the customer.
           
           Non-Profit Organisations (Article 33).
           
        • 4.3. Customer Due Diligence and Enhanced Due Diligence

          CDD, and, where necessary, EDD are the core preventive measures that help LFIs manage the risks of legal person and legal arrangement customers. Because of this, LFIs are prohibited from maintaining anonymous accounts, and from onboarding any account or customer with fictitious names or characteristics. LFIs must perform CDD on every customer.

          The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Therefore, the LFI must identify customers that are legal persons and legal arrangements. When the customer is a legal person or arrangement, the process of understanding the customer (“knowing your customer”) is more complex and requires additional steps.

          Where an LFI cannot satisfy itself that it understands a legal person or legal arrangement, including when it has doubts that it has identified the individuals who truly own and control the legal person or legal arrangement, then it must not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report, as discussed in section 4.4 below.

          • 4.3.1. Core Elements of Customer Due Diligence

            LFIs are reminded that all elements of CDD (and EDD) apply to customers that are legal persons and legal arrangements. LFIs should refer to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions for a full discussion of CDD obligations. CDD obligations include, but are not limited to, the requirement that LFIs, using a risk-based approach:

             Identify the customer and verify if the customer’s identity is reliable by using independent sources (discussed in this section);
             Identify beneficial owners of the customer (discussed in section 4.3.2 below);
             Assess and understand customer risk (discussed in section 4.2 above);
             Obtain information on the purpose and intended nature of the account (discussed in section 4.3.3 below); and
             Ensure ongoing due diligence is conducted and that the business relationship and transactions are scrutinized in the course of the relationship (discussed in section 4.3.4 below).
             

            LFIs must maintain records of the customer information obtained through CDD to enable the LFI to demonstrate compliance to CBUAE and to comply with requests for information from competent authorities.

            As discussed above in section 4.1, LFIs must identify legal person customers by collecting the following information and verifying it using independent, reliable sources:

             The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
             Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
             Articles of Association or any similar documents, approved by the relevant authority within the State;
             Names of relevant persons holding senior management positions in the legal person or legal arrangement.
             

            Verification of information collected to identify the customer should be risk-based. In standard cases, verification should rely on government-issued or certified documents, such as business licenses and notarized copies of the legal person’s memorandum of association. Where risks are lower, LFIs may consider using non-documentary sources, such as public registries, including the registries maintained by company registrars in the UAE. Consulting a registry, however, is not a replacement for collecting the documents specifically required by the AML-CFT Decision, even if the customer was required to submit the same documents to the registry.

          • 4.3.2. Identification of Beneficial Owners and of Ownership and Control Structure

            • 4.3.2.1. UAE Requirements

              As discussed in section 4.1 above, the UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual holding the senior management position in the entity.

              The AML-CFT Decision does not define “senior management position,” and LFIs should make a judgment, based on the specific facts and circumstances, as to the individual who meets this description. The senior management official should be a single individual with significant responsibility to control, manage, or direct a legal person customer. This may include the entity’s Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Director, General Partner, or President.

              LFIs should consider whether the individual’s background, experience, and expertise make it plausible that they would indeed hold a position of responsibility at a legal person of the customer’s size. Where a customer identifies a relatively young or inexperienced individual as its senior manager, that may be a sign that the individual does not in fact control the customer and instead takes orders from another individual who wishes to obscure his or her identity.

              For legal arrangement customers, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.

              The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI’s customer.

              When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision. Where the customer is a UAE legal person, LFIs may require the customer to provide the beneficial ownership report it has submitted to its company registrar as per Cabinet Decision (58). This should not be a substitute, however, for independent identification of beneficial owners by the LFI.

              LFIs are also required to understand the customer’s ownership and control structure. This means that LFIs must be aware of who owns the customer, even if they have not verified the identity of the individuals owning every company in the customer’s ownership chain. LFIs should have confidence that they fully understand who has the power to direct and control their customer’s actions.

            • 4.3.2.2. Applying a Risk Based Approach

              It is important to note that the legal requirements mentioned above (section 4.3.2.1) are baseline obligations rather than definitions of beneficial ownership. A beneficial owner, as defined in AML-CFT Decision, is any individual who owns or controls all or part of a legal person. This means that a legal person can have several beneficial owners, not all of whom are required to be identified under the law. LFIs should always identify and verify the identity of all individuals owning or controlling at least 25% of a legal person, but they should also make a risk-based decision as to whether to identify and verify the identity of additional beneficial owners. For legal person customers that require EDD, whether as a function of law or because they are higher risk, LFIs should always consider lowering the ownership threshold below 25%.

              LFIs should be aware that even minority owners of a legal person customer can exercise control over the legal person through informal arrangements, family relationships, and specific governance arrangements (e.g. preferred stock), among other methods. Customers whose minority owners include individuals that are subject to United Nations or UAE sanctions may also create serious risks for LFIs, even if the individual only owns a small share of the customer (see section 4.5 below). Thus, particularly in higher risk scenarios, LFIs should consider completing an ownership and control chart that includes at least the names of all beneficial owners of every legal customer, or all individuals owning at least 5% of the customer. Collecting the names of beneficial owners is distinct from identifying them and verifying their identity and does not require the LFI to collect identifying information. LFIs must still identify and verify the identity of all individuals owning at least 25% of legal person customers.

              Beyond lowering the ownership threshold, EDD methods related to identification of ownership and control can include requiring the beneficial owners of customers to verify their ownership by presenting share certificates or contracts.

              Example 1: Company A is a UAE-based company that leases office space. Company A applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company A is 50% owned by Mr. Y and 40% owned by Ms. W. Bank Lion is aware that Company A has additional owners, but knows they own less than 10% of Company A.

              Because Company A is a low-risk domestic firm, Bank Lion is not required to identify the additional owners of Company A.

              Example 2: Company B is a Cayman Islands-based company with no business operations and a letterbox address on the premises of a known Cayman Islands TCSP. Company B applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company B is 50% owned by Mr. Y, a citizen of Russia and 40% owned by Ms. W, a citizen of Malta.

              Company B is likely a shell company, and its known beneficial owners are from high-risk jurisdictions. Therefore, Bank Lion decides to take the step of identifying and verifying the identity of the individuals who own the remaining 10% of the company before accepting Company B as a customer. It discovers that the remaining 10% of shares are owned by Mr. Y’s father, a well-known Russian businessman. Because Mr. Y is only 22 and a recent university graduate, Bank Lion suspects that Mr. Y is a nominee and that his father may be the true controlling owner of Company B.

               

            • 4.3.2.3. Legal Persons – Common Situations

              In many cases, identifying the beneficial owners of a legal person customer will be a straightforward process. A customer may be directly owned by one or two individuals:

              [Figure 4.3.2.3-1]

              In such cases, an LFI is obliged to identify and to verify the identity of both individuals, Mr. X and Ms. Y.

              Legal persons may have more complex ownership structures, however, in which other legal persons are involved in the ownership chain. In such cases, LFIs must continue up the chain until they identify an individual:

              [Figure 4.3.2.3-2]

              In this situation, the owners of Company A are as follows:

              Owner | Share | Ownership Type
              Mr. X | 30% | Direct
              Ms. Y | 30% | Direct
              Ms. E | 28% | Indirect - Ms. E owns 70% of Company B, which in turn owns 40% of Company A
              Mr. D | 12% | Indirect - Mr. D owns 30% of Company B, which in turn owns 40% of Company A

               

              Mr. X, Ms. Y, and Ms. E must all be identified under UAE law, as they own at least 25% of Company A. Mr. D owns 12%, so he is not required to be identified. But the LFI should make a risk-based decision as to whether to identify him.

              Illicit actors may seek to use complex ownership structures to hide the fact that they own 25% or more of the customer. This is why it is important for LFIs to use a risk-based approach and to be confident that, at the end of the process, they fully understand who controls their customer.

              [Figure 4.3.2.3-3]

              In this situation, although it at first appears that Ms. Y and Mr. X each own less than 25% of Company A, in fact between them they own 100% of the company. Their ownership interests can be calculated as follows:

              Mr. X:

               20% of Company B, which owns 40% of Company A: 20% of 40% is 8%; plus
               100% of Company E, which owns 75% of Company C, which owns 60% of Company A: 100% of 75% of 60% is 45%.
               Mr. X owns 53% of Company A.
               

              Ms. Y:

               25% of Company C, which owns 60% of Company A: 25% of 60% is 15%; plus
               100% of Company D, which owns 80% of Company B, which owns 40% of Company A: 100% of 80% of 40% is 32%.
               Ms. Y owns 47% of Company A.
               

              Both Mr. X and Ms. Y must be identified under UAE law. In addition, LFIs should be aware that Mr. X and Ms. Y are likely associated parties and should question whether there is a legitimate economic purpose for the ownership structure of Company A.
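
              The calculation above, generalised to any ownership chain, as an added example that is not part of the CBUAE guidance. The function names, the dictionary layout and the circular-ownership check are assumptions of the example; the holdings are those stated in the text for figures 4.3.2.3-2 and 4.3.2.3-3.

```python
from fractions import Fraction

# Direct holdings as stated in the text: holder -> {entity held: percent}.
STRUCTURE_2 = {  # figure 4.3.2.3-2
    "Mr. X": {"Company A": 30},
    "Ms. Y": {"Company A": 30},
    "Company B": {"Company A": 40},
    "Ms. E": {"Company B": 70},
    "Mr. D": {"Company B": 30},
}
STRUCTURE_3 = {  # figure 4.3.2.3-3
    "Mr. X": {"Company B": 20, "Company E": 100},
    "Ms. Y": {"Company C": 25, "Company D": 100},
    "Company E": {"Company C": 75},
    "Company D": {"Company B": 80},
    "Company B": {"Company A": 40},
    "Company C": {"Company A": 60},
}


def effective_ownership(holdings, holder, target, path=()):
    """Share of `target` held by `holder`, direct plus indirect.

    Each ownership path contributes the product of the shares along it,
    and the contributions of all paths are added together.
    """
    if holder in path:
        # Cross-holdings would make the recursion endless; surface them.
        raise ValueError("circular ownership: " + " -> ".join(path + (holder,)))
    total = Fraction(0)
    for entity, percent in holdings.get(holder, {}).items():
        share = Fraction(percent) / 100
        if entity == target:
            total += share
        else:
            total += share * effective_ownership(
                holdings, entity, target, path + (holder,)
            )
    return total


def beneficial_owners(holdings, individuals, target, threshold=25):
    """Map each individual to (percent owned, meets threshold?).

    The default threshold is the 25% baseline; pass a lower value to
    model the risk-based lowering described for EDD customers.
    """
    result = {}
    for person in individuals:
        percent = effective_ownership(holdings, person, target) * 100
        result[person] = (percent, percent >= threshold)
    return result


def unattributed(holdings, individuals, target):
    """Percent of `target` not yet traced to any named individual."""
    traced = sum(effective_ownership(holdings, p, target) for p in individuals)
    return (1 - traced) * 100


if __name__ == "__main__":
    for name, structure, people in (
        ("4.3.2.3-2", STRUCTURE_2, ["Mr. X", "Ms. Y", "Ms. E", "Mr. D"]),
        ("4.3.2.3-3", STRUCTURE_3, ["Mr. X", "Ms. Y"]),
    ):
        print("Figure", name)
        owners = beneficial_owners(structure, people, "Company A")
        for person, (percent, must_identify) in owners.items():
            print(f"  {person}: {float(percent):g}% identify={must_identify}")
        gap = unattributed(structure, people, "Company A")
        print(f"  untraced: {float(gap):g}%")
```

              A non-zero untraced percentage means the chain has not yet been followed up to individuals for every owner.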

            • 4.3.2.4. Legal Arrangements - Common Situations

              Legal arrangements may not present the layered ownership structures seen in legal persons. This does not mean, however, that identifying the beneficial owners of legal arrangements is always straightforward. In particular, the very different forms of legal arrangements that may be formed in different jurisdictions can make it difficult to identify the individuals who hold roles analogous to settlor, trustee, and beneficiary. LFIs should always identify the following individuals:

               The legal entities or individuals who have the power to control the property of the legal arrangements. These legal entities or individuals are analogous to trustees. If a legal entity (such as a financial institution) acts as trustee, LFIs must identify the beneficial owners of that legal entity.
               The legal entities or individuals for whose present or future benefit the trustees are safeguarding the legal arrangement property. These legal entities or individuals are analogous to the beneficiaries.
                o Beneficiaries may be defined as a class which can change over time (e.g., “all the underage grandchildren of the settlor”).
                o LFIs should identify the class of beneficiaries, and all beneficiaries currently in existence, at the time of onboarding the customer. During periodic CDD refresh, they should ascertain whether additional identifiable individuals have joined or left the beneficiary class (e.g. a new child has been born, a beneficiary has come of legal age).
                o If a legal entity is the named beneficiary, LFIs must identify the beneficial owners of that legal entity.
               The legal entities or individuals who assigned control of the legal arrangement property to the trustees (or individuals holding a similar position). This individual or legal entity is analogous to the settlor. A settlor may or may not retain underlying legal ownership of the legal arrangement property. If a legal entity acts as settlor, LFIs must identify the beneficial owners of that legal entity.
               

              In addition, where trustees are financial institutions, lawyers or any other professional with secrecy rules in a foreign jurisdiction, it may be difficult to obtain the information LFIs need. LFIs should be aware that if they cannot obtain this information, they should not establish the business relationship or continue an existing relationship.

              Legal arrangements may also be part of the ownership structures of other legal persons or arrangements. Because trusts do not have shares or equity, LFIs should treat all participants in a trust or similar legal arrangement as if they own 100% of the legal arrangement.

              [Figure 4.3.2.4-1]

               

              In the example above, Company A is 40% owned by Company B, which is in turn wholly owned by a trust established in the Isle of Jersey. Ms. Y and Mr. X are beneficiaries of the trust and also indirectly own shares of Company A through Company C. Mr. X has to be identified and verified based solely on his indirect 45% ownership of Company A through Company E. Ms. Y and Mr. Z must also be identified and verified because they are beneficial owners of a legal arrangement that owns 40% of Company A.

          • 4.3.3. Understanding the Purpose of the Account and Nature of the Customer’s Business

            For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s services. Because almost all legal persons and arrangements are created to make it easier to do business, invest assets, or engage in some form of organized activity, this element of CDD is critical to understanding customers who are legal persons and arrangements.

            Legal persons and arrangements engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a taxi firm will be completely different from that of an investment vehicle or of a waqf that collects revenues from real property and distributes them to charitable causes. But specific legal person and arrangement customers are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour. For example:

             A taxi company is likely to see substantial cash inflows and make regular, predictable transfers to cover payroll and to a limited set of suppliers (e.g. mechanics, gas stations). If a taxi company starts making transfers to a foreign jurisdiction, even a low-risk one, that behaviour may not fit the expected pattern and if so would require investigation.
             A waqf managing an apartment building should receive very regular monthly rent payments from residents, whether by cash, check or Automated Clearing House. The waqf should have regular expenses for maintenance and property taxes, as well as predictable payments to the beneficiaries of the waqf. If the waqf suddenly doubles its cash deposits, the LFI will need to investigate to understand why the customer’s behaviour has changed.
             

            Understanding the nature of the customer’s business can be a straightforward process. Most legal person customers will be engaged in familiar, easily identifiable activities in recognized sectors: manufacturing, retail, agricultural production, etc. In other cases, it may not be so simple. A legal person customer may be formed solely to facilitate a complex financial transaction. In other cases, the legal person may not have fully determined its business model or may plan to engage in a business activity that is out of keeping with the owners’ and managers’ resources and expertise, or that does not seem to make economic sense. Finally, a customer may try to conceal its actual business; for instance, a company that is engaged in computer hacking and fraud may describe itself as a software engineering firm or a call centre.

            As LFIs advance efforts to understand their customer’s business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:

             The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
             The customer is engaged in a high-risk sector. High-risk sectors can include, but are not limited to:
              o Sectors with high flows of cash;
              o Other financial sectors (e.g. customers who are MSBs or payment processors);
              o Sectors that involve the import or export of dual-use technology (technology that may be used for proliferation);
              o Sectors that are at high risk for human trafficking (bars and dance venues; construction; cleaning);
              o Charitable activities, especially those involving high-risk jurisdictions.
             The customer is a state-owned enterprise (SOE). SOEs engage in a wide variety of business activities; their close relationship to government and government officials means that they may be at higher risk for corruption-related transactions.
             The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
             The LFI does not fully understand the customer’s business model or activities. Customers that generate revenue, but that have no apparent business activities, are perhaps the highest risk.
             

            When conducting EDD on the business activities and account use of legal persons and arrangements, LFIs should use techniques designed to manage the specific risks of the customer. These may include, but are not limited to:

             Requiring the customer to provide invoices documenting incoming and outgoing transfers;
             Requiring the customer to provide its Economic Substance Report;
             For customers operating in licensed sectors, requiring the customer to provide proof that it has a valid business license;
             Inspecting payroll documents and other business records;
             Visiting the customer’s business premises and interviewing its personnel;
             Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
             
          • 4.3.4. Ongoing Monitoring

            Like all customers, legal persons and arrangements must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

            • 4.3.4.1. CDD Updating

              LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of legal person and arrangement customers, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction.

              LFIs should update CDD on legal person and arrangement customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers, including legal persons and arrangements, should involve more frequent CDD updates.

              CDD updates should include a refresh of all elements of initial CDD, and in particular must ascertain that:

               The customer’s beneficial owners remain the same;
               The customer continues to have an active status with a company registrar (this may not apply to legal arrangement customers);
               The customer has the same legal form and is domiciled in the same jurisdiction;
               The customer is engaged in the same type of business, and in the same geographies;
               The customer’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established.
               

              If any of the above characteristics have changed, the LFI should risk-rate the customer again.

              The LFI should conduct EDD when the revised risk rating demands it or if the customer’s history of transactions is not consistent with its profile and with the expectations established at account opening. LFIs must always conduct EDD when this is required by law (a beneficial owner of the customer is a PEP, as defined in Article 15 of AML-CFT Decision, or the customer or its beneficial owner is domiciled in a high-risk jurisdiction).

              LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LFIs should not rely on the customer to notify them of a change, but must still update CDD on a schedule appropriate to the customer’s risk rating.

            • 4.3.4.2. Transaction Monitoring

              As with all customers, LFIs must monitor activity by legal person and arrangement customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (see section 4.4 below). Legal persons, especially those that engage in commerce, are likely to engage in a wider range of financial activity than are individual and most legal arrangement customers. This can make identifying suspicious behaviour by legal persons difficult.

              As with other customer types, LFIs that use automated monitoring systems should apply rules that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.

              Where possible, monitoring systems should also flag unusual behaviour that may indicate that a legal person customer’s business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business model in such a way as to require a higher risk rating.

              A list of red flags for illicit behaviour involving legal persons and arrangements is provided in the Annex to this Guidance.

        • 4.4. Suspicious Transaction Report Filing

          As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs alert law enforcement about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.

          In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations involving legal persons or arrangements:

           A potential legal person or arrangement customer decides against opening an account or purchasing other financial services after learning about the LFI’s CDD requirements;
           A current legal person or customer cannot provide required information about its business or its beneficial owners;
           A legal person or arrangement customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty;
           The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the legal person or arrangement. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship, and should also consider filing an STR.
           

          Please consult the CBUAE’s Guidance on Suspicious Transaction Reporting for further information.

        • 4.5. Implementation of Targeted Financial Sanctions - Special Considerations for Legal Persons and Arrangements

          Key Terms for Targeted Financial Sanctions
           

          Affiliate is an entity owned by another entity by more than 25% and less than 50% of its capital.

          Controlling shareholder is a shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board of directors, or the decisions made by the board.

          Listed Person is a person or organization listed by the UN Security Council on the Sanctions List, or listed by the Cabinet on Local Lists, as the case may be.

          Subsidiary is an entity owned by another entity by more than 50% of its capital or under full control of that entity regarding appointment of the Board of Directors.

           

          Legal persons can be included on international sanctions lists. In addition, the obligation to freeze the funds of a listed person, imposed by AML-CFT Decision and by articles 15 and 21 of Cabinet Decision (74) of 2020, extends to funds that a Listed Person owns or controls through ownership or control of a legal person or through a legal arrangement.

          Listed individuals and legal persons are known to seek to evade sanctions by hiding their interest in a transaction via complex layers of control and ownership, through informal nominee arrangements, and through the assistance of complicit professionals. Listed Persons may also use front companies (companies mixing legitimate and illicit economic activity) to conceal their activities. For this reason, identification of beneficial ownership through the entire corporate ownership structure is critical for effective sanctions implementation, as is fully understanding the nature of the customer’s business.

          LFIs that employ automated screening technologies to identify matches to sanctions lists must ensure that their screening tools include all individuals associated with a legal person customer, including beneficial owners, authorized signatories, directors, and senior management.

          Legal persons and arrangements that are directly or indirectly (i) owned 50% or more in the aggregate, or (ii) controlled, by one or more Listed Persons, including subsidiaries of a Listed Person, and entities where a Listed Person is a controlling shareholder, are subject to the same prohibitions as the Listed Person, even if such entities are not specifically listed by the UAE or the United Nations.

          Financial institutions should observe caution when considering a transaction with an entity that is not a Listed Person in which one or more Listed Persons have a significant ownership interest that is less than 50 percent or which one or more Listed Persons may control by means other than a majority ownership interest. Such non-listed entities, to include affiliates, may become the subject of future designations or enforcement actions. As discussed above, LFIs should make a risk-based decision as to whether to identify beneficial owners who own or control less than 25% of the legal person or arrangement. LFIs are not required to identify every beneficial owner in order to conduct sanctions screening. But should an LFI, in the course of enhanced due diligence, discover that a Listed Person owns a minority interest in a legal person, this information must be taken into consideration in risk-rating that customer.

          Please see the Guidance on Targeted Financial Sanctions for more information on this issue.

          LFIs should consult the CBUAE and the Supreme Council for National Security if they have any questions regarding implementation of UN or UAE sanctions. LFI employees must be trained on these issues as part of comprehensive ongoing training.

          Example: Listed individual Ms. Y owns 25% of foreign Company A. Foreign Company A owns 30% of UAE Company B. Company B is a customer of UAE LFI Lion Bank. Ms. Y has no other ownership interests in Company B. Ms. Y therefore ultimately owns 7.5% of Company B.

          Ms. Y’s minority interest may not in itself give her ownership or control of Company B. But Lion Bank should also consider the following factors when determining whether Ms. Y exercises control over Company B:

           The other beneficial owners of Company B are known close associates of Ms. Y’s; and
           Ms. Y has loaned Company B a sum equal to 100% of its operating revenue in the previous financial year, and under the terms of the loan agreement, if Company B does not repay the loan Ms. Y will acquire an additional 35% of Company B.

          When these factors are considered, it becomes likely that Ms. Y does in fact exercise control over Company B, despite her relatively small ownership stake, and transactions with Company B may therefore be prohibited under Cabinet Decision (20) of 2019.

          Alternatively, if Company B operates in the high-tech manufacturing sector, and Ms. Y has been listed for proliferation activities, the LFI may conclude that the sanctions evasion risk posed by Company B is too great to permit accepting it as a customer, even if Ms. Y does not exercise control of the company.

           

        • 4.6. Training

          As with all risks to which the LFI is exposed, the AML/CFT training program must ensure that employees are aware of the risks of legal persons and arrangements, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls.

      • 5. Lessons Learned and Examples from Amld Supervision

        The CBUAE’s examinations of LFIs have found that some LFIs struggle with key aspects of the preventive measures regime for legal persons. LFIs should take care to implement effective compliance programs, including by avoiding common deficiencies such as:

         Incomplete and out of date CDD: CBUAE has identified instances where CDD files are missing key information, such as the country of operation, the nature of the business, and the nationality of beneficial owners, shareholders, and directors. Equally important, CDD files are often out of date, with expired customer information.
         
         Inadequate systems: LFIs’ systems for supporting CDD do not always mandate the collection of all required information or guide the compiler to supply complete information, such as the full name of a beneficial owner. LFIs’ core banking systems may not be capable of linking or tracking related parties, which inhibits identification of suspicious behavior. In some cases, risk-rating and identification of UBOs is done manually, which increases the likelihood of user error or manipulation.
         
         Incomplete risk-rating: LFIs’ risk rating tools for legal persons and arrangements did not always take into account critical information, such as the type of entity and the risk rating of beneficial owners.
         
      • Annex 1. Red Flags for Concealment of Beneficial Ownership

        The following are indicators that Financial Action Task Force (FATF) member states have observed in connection to abuse of legal persons and arrangements. This is not an exhaustive list of every potential indicator of illicit activity involving legal persons and arrangements, but it represents a wide range of behaviours and activities that should prompt LFIs to investigate further, to consider closing or not opening an account, and to consider filing an STR.

        Indicators Related to the Customer

         The customer is reluctant to provide personal information.
         The customer is reluctant or unable to explain:
         
          o their business activities and corporate history
          o the identity of the beneficial owner
          o their source of wealth/funds
          o why they are conducting their activities in a certain manner
          o who they are transacting with
          o the nature of their business dealings with third parties (particularly third parties located in foreign jurisdictions).
         
         Individuals or connected persons:
         
          o insist on the use of an intermediary (either professional or informal) in all interactions without sufficient justification;
          o are actively avoiding personal contact without sufficient justification;
          o are foreign nationals with no significant dealings in the country in which they are procuring professional or financial services;
          o refuse to co-operate or provide information, data, and documents usually required to facilitate a transaction;
          o are politically exposed persons, or have familial or professional associations with a person who is politically exposed;
          o are conducting transactions which appear strange given an individual’s age (this is particularly relevant for underage customers);
          o have previously been convicted for fraud, tax evasion, or serious crimes;
          o are under investigation or have known connections with criminals;
          o have previously been prohibited from holding a directorship role in a company or operating a trust and company service provider (TCSP);
          o are the signatory to company accounts without sufficient explanation;
          o conduct financial activities and transactions inconsistent with their customer profile;
          o have declared income which is inconsistent with their assets, transactions, or lifestyle.
         
         Legal persons or legal arrangements:
         
          o have demonstrated a long period of inactivity following incorporation, followed by a sudden and unexplained increase in financial activities;
          o describe themselves as a commercial business but cannot be found on the internet or social business network platforms (such as LinkedIn, XING, etc.);
          o are registered under a name that does not indicate the activity of the company;
          o are registered under a name that indicates that the company performs activities or services that it does not provide;
          o are registered under a name that appears to mimic the name of other companies, particularly high-profile multinational corporations;
          o use an email address with an unusual domain (such as Hotmail, Gmail, Yahoo, etc.);
          o are registered at an address that does not match the profile of the company;
          o are registered at an address that cannot be located on internet mapping services (such as Google Maps);
          o are registered at an address that is also listed against numerous other companies or legal arrangements, indicating the use of a mailbox service;
          o where the director or controlling shareholder(s) cannot be located or contacted;
          o where the director or controlling shareholder(s) do not appear to have an active role in the company;
          o where the director, controlling shareholder(s) and/or beneficial owner(s) are listed against the accounts of other legal persons or arrangements, indicating the use of professional nominees;
          o have declared an unusually large number of beneficiaries and other controlling interests;
          o have authorised numerous signatories without sufficient explanation or business justification;
          o are incorporated/formed in a jurisdiction that is considered to pose a high money laundering or terrorism financing risk;
          o are incorporated/formed in a low-tax jurisdiction or international trade or finance centre;
          o regularly send money to low-tax jurisdictions or international trade or finance centres;
          o conduct a large number of transactions with a small number of recipients;
          o conduct a small number of high-value transactions with a small number of recipients;
          o regularly conduct transactions with international companies without sufficient corporate or trade justification;
          o maintain relationships with foreign professional intermediaries in the absence of genuine business transactions in the professional’s country of operation;
          o receive large sums of capital funding quickly following incorporation/formation, which is spent or transferred elsewhere in a short period of time without commercial justification;
          o maintain a bank balance of close to zero, despite frequent incoming and outgoing transactions;
          o conduct financial activities and transactions inconsistent with the corporate profile;
          o are incorporated/formed in a jurisdiction that does not require companies to report beneficial owners to a central registry;
          o operate using accounts opened in countries other than the country in which the company is registered;
          o involve multiple shareholders who each hold an ownership interest just below the threshold required to trigger enhanced due diligence measures.
         
         There is a discrepancy between the supposed wealth of the settlor and the object of the settlement.
         Individuals, legal persons and/or legal arrangements:
         
          o make frequent payments to foreign professional intermediaries;
          o are using multiple bank accounts without good reason;
          o are using bank accounts in multiple international jurisdictions without good reason;
          o appear focused on aggressive tax minimisation strategies;
          o demonstrate limited business acumen despite substantial interests in legal persons;
          o provide falsified records or counterfeit documentation;
          o appear to engage multiple professionals in the same country to facilitate the same (or closely related) aspects of a transaction without a clear reason for doing so.
         
         Examination of business records indicates:
         
          o a discrepancy between purchase and sales invoices;
          o double invoicing between jurisdictions;
          o fabricated corporate ownership records;
          o false invoices created for services not carried out;
          o falsified paper trail;
          o inflated asset sales between entities controlled by the same beneficial owner;
          o agreements for nominee directors and shareholders;
          o family members with no role or involvement in the running of the business are listed as beneficial owners of legal persons or arrangements;
          o employees of professional intermediary firms acting as nominee directors and shareholders;
          o the resignation and replacement of directors or key shareholders shortly after incorporation;
          o the location of the business changes frequently without an apparent business justification;
          o officials or board members change frequently without an appropriate rationale.
         
         Complex corporate structures that do not appear to legitimately require that level of complexity or which do not make commercial sense.
         Simple banking relationships are established using professional intermediaries.
         

        Indicators of shell companies

         Nominee owners and directors:
         
          o formal nominees (formal nominees may be “mass” nominees who are nominated agents for a large number of shell companies);
          o informal nominees, such as children, spouses, relatives or associates who do not appear to be involved in the running of the corporate enterprise.
         
         Address of mass registration (usually the address of a TCSP that manages a number of shell companies on behalf of its customers).
         Only a post-box address (often used in the absence of professional TCSP services and in conjunction with informal nominees).
         No real business activities undertaken.
         Exclusively facilitates transit transactions and does not appear to generate wealth or income (transactions appear to flow through the company in a short period of time with little other perceived purpose).
         No employees (or only a single employee). Pays no taxes, superannuation, retirement fund contributions or social benefits.
         Does not have a physical presence.
         

        Indicators about the transaction

         The customer is both the ordering and beneficiary customer for multiple outgoing international funds transfers.
         The connections between the parties are questionable, or generate doubts that cannot be sufficiently explained by the client.
         Finance is provided by a lender, whether a natural or a legal person, other than a known credit institution, with no logical explanation or commercial justification.
         Loans are received from private third parties without any supporting loan agreements, collateral, or regular interest repayments.
         The transaction:
         
          o is occurring between two or more parties that are connected without an apparent business or trade rationale;
          o is a business transaction that involves family members of one or more of the parties without a legitimate business rationale;
          o is a repeat transaction between parties over a contracted period of time;
          o is a large or repeat transaction, and the executing customer is a signatory to the account, but is not listed as having a controlling interest in the company or assets;
          o is executed from a business account but appears to fund personal purchases, including the purchase of assets or recreational activities that are inconsistent with the company’s profile;
          o is executed from a business account and involves a large sum of cash, either as a deposit or withdrawal, which is anomalous, or inconsistent with the company’s profile;
          o appears cyclical (outgoing and incoming transactions are similar in size and are sent to, and received from, the same accounts, indicating that outgoing funds are being returned with little loss) (aka “round-robin” transactions);
          o involves the two-way transfer of funds between a client and a professional intermediary for similar sums of money;
          o involves two legal persons with similar or identical directors, shareholders, or beneficial owners;
          o involves a professional intermediary without due cause or apparent justification;
          o involves complicated transaction routings without sufficient explanation or trade records;
          o involves the transfer of real property from a natural to a legal person in an off-market sale;
          o involves the use of multiple large cash payments to pay down a loan or mortgage;
          o involves a numbered account;
          o involves licensing contracts between corporations owned by the same individual;
          o involves the purchase of high-value goods in cash;
          o involves the transfer of (bearer) shares in an off-market sale;
          o a loan or mortgage is paid off ahead of schedule, incurring a loss;
          o includes contractual agreements with terms that do not make business sense for the parties involved;
          o includes contractual agreements with unusual clauses allowing for parties to be shielded from liability but make the majority of profits at the beginning of the deal;
          o is transacted via a digital wallet.
         
         The funds involved in the transaction:
         
          o are unusual in the context of the client or customer’s profile;
          o are anomalous in comparison to previous transactions;
          o are sent to, or received from, a foreign country when there is no apparent connection between the country and the client; and/or are sent to, or received from, a low-tax jurisdiction or international trade or finance centre;
          o are sent to, or received from, a jurisdiction that is considered to pose a high money laundering or terrorism financing risk.
         
         Unexplained use of powers of attorney or other delegation processes (for example, the use of representative offices).
         Unexplained use of express trusts, and/or incongruous or unexplained relationships between beneficiaries and the settlor.
         Unexplained or incongruous classes of beneficiaries in a trust.
         
      • Annex 2. Synopsis of the Guidance

        Introduction
        Purpose: The purpose of this guidance is to assist Licensed Financial Institutions (LFIs) understand and mitigate the risks when providing services to legal persons and arrangements, and to guide them in fulfilling their AML/CFT obligations.
        Applicability: This guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:
        • national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
        • insurance companies, agencies, and brokers.
        Understanding and Assessing the Risks of Legal Persons and Arrangements
        ML/TF Risks of Legal Persons and Arrangements: Legal persons and arrangements are attractive to illicit actors because they can assist criminals and their associates to:
        • Hide the identity of the individuals directing a transaction or controlling an account;
        • Obscure the true nature and purpose of an account or transaction; and
        • Conceal the source of funds involved in a transaction or account.
        Features and Controls that Mitigate Risks: Certain rules governing the formation and operation of legal persons and arrangements can, if enforced, reduce the risk that they will be abused by illicit actors:
        • Formation processes that deter creation of shell companies;
        • Collection of beneficial ownership information for all legal persons and arrangements;
        • Requiring legal persons and arrangements to keep certain records and make regular reports;
        • Supervision and monitoring by appropriate government authorities.
        Legal persons and arrangements in the UAE
        Identification of Beneficial Owners: All legal persons and arrangements in the UAE (except those traded on a stock exchange, or owned by a company traded on a stock exchange) are required to identify all individuals who own or control at least 25% of the legal person or arrangements. Legal persons and arrangements must hold this information, and legal persons must also report it to their registrar. They must maintain and update this information when their beneficial owners change.
        Legal Arrangements Under UAE Law: UAE law allows for the creation of two types of legal arrangements: trusts and awqaf. Trustees and waqf supervisors must comply with certain requirements related to identifying the individuals party to the legal arrangement.
        Economic Substance Requirements: All companies operating in certain sectors must prove on an annual basis that they actually conduct substantive activities in the UAE by submitting certain required information to their registrar. Although this information is not directly available to LFIs, they should be aware of these requirements and can request the information from legal person customers.
        Mitigating Risk: Requirements for LFIs
        Risk-Based Approach: LFIs must take a risk-based approach in their AML programs and to individual customers. This means that they should assess all customers, including legal person/legal arrangement customers, to determine their degree of risk.

        In assessing the risk of a legal person or arrangement customer, LFIs should consider at least the following factors:

        • The legal form of the customer;
        • The controls governing the formation of that type of customer;
        • The controls in place to ensure that the customer identifies and reports its beneficial owners;
        • Whether the customer is subject to recordkeeping and reporting requirements;
        • Whether the customer is appropriately supervised for its compliance with these requirements.
        Customer Due Diligence: For all customers, LFIs must perform Customer Due Diligence with the following components:
        Customer Identification: For all legal person and legal arrangement customers, LFIs must collect the following information:
        • The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
        • Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
        • Articles of Association or any similar documents, approved by the relevant authority within the State;
        • Names of relevant persons holding senior management positions in the legal person or legal arrangement.
        Identification of Beneficial Owners: For all legal person and legal arrangement customers, LFIs must identify the following individuals:
        • For legal persons, all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
        • For legal arrangements, the individuals acting as the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.
        Understand the Purpose of the Account and the Nature of the Customer's Business: LFIs must understand the business in which their customer engages as well as the reason for creating the account. The answers to these questions can have a significant impact on the risk the customer poses for the financial institution and therefore should be reflected in the customer risk rating.
        Perform Ongoing Monitoring: For all customers, LFIs must ensure that the customer information on file is up to date and accurate, and that the customer's activities are in line with the expectations set at onboarding. If not, the customer risk rating may need to be changed.
        Suspicious Transaction Reporting: For customers of all types, LFIs must report any behavior that they reasonably suspect may be linked to money laundering, the financing of terrorism, or a criminal offence. Please consult the CBUAE's Guidance on Suspicious Transaction Reporting for further information.
        Implementation of TFS: A legal person or arrangement that is not itself designated on a sanctions list may be owned by someone who is designated. LFIs should screen the beneficial owners of all legal person and legal arrangement customers against sanctions lists, and should freeze any accounts or transactions related to a legal person or legal arrangement that is more than 50% owned or controlled by a designated person.

         

    • Guidance for Licensed Financial Institutions Providing Services to the Real Estate and the Precious Metals and Stones Sectors

      Effective from 16/6/2021
      • 2. Understanding Risks

        The FATF's Mutual Evaluation Report of the UAE issued in April 2020 stated that the two sectors of real estate and precious metals and stones are weighted as highly important in terms of risk and materiality in the UAE. While the nature and extent of the risk posed by the two sectors to the LFIs providing them with accounts and other financial services is different, they do share common characteristics that LFIs should recognize and take into account:

         Attractiveness to illicit finance. The real estate and precious metals and stones sectors are important parts of the UAE's economy, and each provides important, legitimate goods and services to the UAE population and global trading partners. Nevertheless, experience shows that these sectors offer services that are particularly attractive to illicit actors.
         
         Facilitation of the international movement of value. Despite their different natures, both sectors allow individuals to move large values across international borders, sometimes with only minimal involvement from the formal financial system. For example, a courier carrying a valuable diamond can move millions of AED of value simply by taking a short international flight. In addition, the real estate and precious metals and stones sectors allow individuals to hold value in a form that retains value over time (such as gold or real property) without having to maintain an account in the formal financial system. These facilities are useful to many legitimate businesses, but are also highly sought-after by illicit actors.
         
         Varying regulatory regimes. The extent and nature of regulation on these sectors varies widely between jurisdictions. In some jurisdictions, participants such as dealers in precious metals and stones (DPMS) and real estate agents and brokers are required to be licensed or registered, and to comply with AML/CFT requirements that are similar to those imposed on LFIs. These include, at a minimum, the requirement to perform CDD on customers and to report suspicious transactions. Despite the existence of these requirements, however, sector participants are in many cases not closely supervised or monitored for compliance. Their understanding of their risk and of their compliance obligations may not be well-developed or accurate. In other jurisdictions, there are limited or no obligations placed on these actors, and they may not have any understanding of how they can be abused by illicit actors, or the steps they should take to protect themselves.
         
        • 2.1 Understanding and Assessing Risks Related to DPMS

          Dealers in precious metals and stones (DPMS) play a significant role in the economy of the UAE. DPMS engage in a wide range of activities related to precious metals and stones, from production to trading, establishing the UAE as an important regional hub for this sector. The Dubai Multi Commodities Centre specializes in providing services to precious metal dealers and exchanges, and a significant volume of transactions also goes through the Jebel Ali Free Zone. A significant amount of activity also occurs in the Dubai Gold Souk.

          Nonetheless, the precious metals and stones sector offers opportunities for criminals seeking to conceal, transfer, and/or invest their illicit proceeds. Like cash, precious metals and stones offer high value by weight, are difficult to trace and identify, and retain their value over time. DPMS, if they do not apply effective preventive measures, could be vulnerable to abuse by illicit actors engaged in laundering the proceeds of crime, financing of terrorism, arms trafficking, sanctions evasion, and other illicit activities.

          • 2.1.1 Risks of Precious Metals and Stones

            The characteristics of precious metals and stones make them uniquely appropriate as media to store, transfer, and exchange value:

             i. Precious metals and stones are generally compact, durable, odourless, and of high value.
             
             ii. Certain metals and stones (e.g., gold or diamond) are widely accepted as a method of exchange or currency.
             
             iii. Precious metals and stones retain their value over time, and have roughly the same value all over the world.
             

            In addition to these properties, precious metals and stones have characteristics that make them particularly attractive to criminals seeking to launder funds and others engaged in illicit behaviour:

             i. Differentiating precious metals and stones often requires laboratory techniques, so it can be difficult or impossible to track their movement;
             
             ii. Precious metals and stones can be transformed (through re-cutting or recycling) into different objects while retaining their value, interrupting known custody and transfer chains;
             
             iii. Purchase, sale, and exchange of precious metals and stones often takes place outside the formal financial system.
             

            For these reasons, DPMS may be targeted by illicit actors seeking to abuse their services and exploit the advantages of precious metals and stones. Although the majority of transactions involving DPMS are legal, these businesses may trade in items that could be the proceeds of crime, purchased with the proceeds of crime, and/or used to launder the proceeds of crime, unknowingly or complicitly.

            Because they are themselves at high risk of abuse, DPMS pose a risk to LFIs. Complicit DPMS may knowingly partake in illicit activities and may in turn use their business relationships with LFIs to launder the proceeds of crime or carry out other illicit activity. Even DPMS that are not knowingly involved in illicit activities may use their accounts with an LFI to deal in the proceeds of crime. For example, a DPMS may wire payment for illegally mined gold to the entity responsible for mining and processing the gold.

            Gold as a High-Risk Medium of Exchange
             

            Gold is easy to exchange and transfer, and may provide anonymity when processing transactions, as it is difficult to trace. It also has a universal price standard, a relatively stable market for investment, and may be used as a currency. Gold dealers may provide specific services to their clients, such as metal accounts, for storage or for investment properties. This may enable criminals to move gold under the guise of legitimate business.

             

          • 2.1.2 Features of DPMS that Increase Risk

            Not all DPMS pose equal risk. A DPMS is likely to be considered higher risk when it provides products or services that are attractive to illicit actors, has operations in high-risk jurisdictions, or does not apply appropriate anti-money laundering/combatting the financing of terrorism (AML/CFT) controls.

            • 2.1.2.1 Regulatory Environment

              In many jurisdictions, DPMS are not required to comply with requirements related to identification of customers and reporting suspicious activities. In other jurisdictions, these requirements are nominally in place, but DPMS are not subject to effective supervision and enforcement. Even in a jurisdiction that imposes and enforces such requirements, they frequently apply only to DPMS that engage in cash transactions above a certain value threshold. Where DPMS are unregulated or under-regulated, they are unlikely to be taking effective measures to protect themselves from abuse.

              In contrast, an effective AML/CFT framework and supervisory regime for DPMS can protect DPMS and LFIs that serve them by effectively imposing AML/CFT requirements and by detecting, deterring, and prosecuting ML/TF crimes. It is important to note that, like LFIs, certain DPMS in the UAE are required to comply with all requirements of AML-CFT Decision, including the requirement to perform Customer Due Diligence (CDD) and report suspicious transactions (see section 2.1.4).

            • 2.1.2.2 Products, Services, and Delivery Channels

              Products, services, and delivery channels that facilitate the rapid, efficient, anonymous movement of value on a large scale will be more attractive to illicit actors and may put a DPMS at a higher risk of abuse. Such products, services, and delivery channels may include:

               Products (such as bullion and uncut stones) that are particularly hard to trace, retain or even increase in value despite being transformed into new forms (melted down, re-cut, etc.), and offer high value by weight.
               Services, such as metal accounts, that allow customers to rapidly purchase and sell precious metals or stones.
               Delivery channels that allow transactions to be carried out quickly and anonymously, such as accepting cash or virtual assets and conducting transactions online or through intermediaries.
               
            • 2.1.2.3 Customer Base

              The types of customers that a DPMS serves can also impact risk. For example, a DPMS that primarily deals with PEPs may be higher risk than one that serves a lower-profile clientele.

            • 2.1.2.4 Geography

              DPMS may be based, or may trade internationally, in jurisdictions that are higher risk for money laundering, the financing of terrorism, and the financing of proliferation. Such DPMS may pose heightened risk to LFIs. Higher-risk jurisdictions may be characterized by:

               A low level of government oversight and regulation of the precious metal and stone value chain;
               
               Low economic and political stability;
               
               High use of the informal banking system;
               
               High levels of corruption;
               
               The presence of terrorist and other non-state armed groups;
               
               Weak border control measures; and/or
               
               Sanctions and embargoes
               

              Where a DPMS is based in a high-risk jurisdiction, LFIs are required by AML-CFT Decision to perform Enhanced Due Diligence.

          • 2.1.3 Typologies

            Precious metals and stones may be involved in a wide variety of illicit finance schemes. The following are some of the most common.

             Illegal mining or mining supported by the proceeds of crime. In jurisdictions where precious metals or stones are mined, illicit actors may operate small-scale ‘artisanal’ mines without receiving a license or paying taxes to the state. The products of these mines are then exported to a refining or cutting hub for processing into saleable goods, like gold bullion and cut stones.
             
              In many cases, criminal organizations control a mine or a network of small-scale miners. They may invest the proceeds of other illegal activities, such as drug trafficking, into the illegal mines and take the majority share of the resulting production as a return on investment. When the resulting precious metals or stones are processed, the criminal organization can sell them on world markets. The proceeds fund further illicit activities and may also support terrorism.
             
            Example: Trading in gold to legitimise the proceeds of drug trafficking
             

            A criminal organisation in Country X was buying gold from various precious metals retailers using illicit proceeds from narcotics sales. The gold was then sold to a precious metals broker who then sold it to other businesses. The proceeds of the sale were then wired to a third party outside of Country X with links to the drug trafficking organization, thus completing the money laundering cycle.

             

             Use of precious metals and stones in sanctions evasion. The tradable nature, liquidity, wide availability, and anonymity of precious metals and stones have made them popular with individuals, organizations, and governments seeking to evade sanctions imposed by the United Nations or other jurisdictions. This activity may involve mining precious metals or stones under the control of the sanctioned person; the resulting products are then injected into legal trade using front companies and complicit DPMS, earning money for the sanctioned group. Or sanctioned actors may use precious metals and stones to disrupt a transaction chain involving the formal financial system and thus hide their interest in a transaction.
             
            Example: Large-scale sanctions evasion using precious metals
             

            According to Country A's federal indictments, a government sanctioned by Country A used front companies and complicit financial institutions to buy large quantities of gold in Country B. The gold was supposedly exported to the purchasing country, but was in fact moved by courier to the UAE, where it was sold in exchange for cash (U.S. dollars and euros). The cash was deposited with LFIs in the UAE under the names of front companies, and was made available to the sanctioned government to use in proliferation activities.

             

             Evasion of duties on precious metals and stones. Precious metals and stones are often the subject of heavy customs duties and other taxes. As a result, illicit actors will frequently seek to smuggle these goods from high-tax to low-tax jurisdictions, or may declare artificially low values for the goods by misrepresenting their quality or purity.
             
             Trade-based money laundering (TBML). The value of precious metals and stones varies highly based on their quality and purity, features which may not be apparent to the naked eye. In addition, the value of certain precious stones, particularly diamonds, can differ for different non-industry customers based on their personal preferences. This makes precious metals and stones particularly vulnerable to TBML, in which illicit actors use supposedly or actually licit trade to hide illicit finance. This can take a variety of forms:
             
              o Trading the same goods—often precious stones—repeatedly between co-conspirators to justify funds transfers between members of a criminal network, or between companies owned by the same individual(s). In these schemes, a single precious stone may be repeatedly sold between members of the network, or a single stone may be sold to multiple “purchasers” at the same time, each time with a different description.
             
              o Inflation or deflation of the value of traded stones to provide justification for cross-border transfers. A merchant may sell low-value precious metals or stones to a purchaser, but invoice for higher-quality goods and thus a higher sum. The purchaser pays the full invoice price, justifying the transaction to financial institutions, and also receives illicit goods such as drugs or smuggled items.
             
             Use of precious metals and stones as security for fraudulent loans. In a typology that is often related to TBML, precious metals or stones may be repeatedly sold or falsely valued between members of a network in order to justify loans and other forms of financing.
             
            Example: Over-Valuation to Justify Illicit Transfers
             

            Mr. A, a licensed DPMS, entered Country X numerous times, each time declaring that he was carrying valuable precious stones. He was in fact carrying gems that were lower value than the ones he declared. He then substituted the lower value gems for higher value gems that were already in Country X and presented them for inspection and clearance at an official diamond exchange. Through these methods, Mr. A obtained validated official importation statements for multiple importations of high-value stones which did not actually take place. He used these statements, together with fake invoices, to facilitate international foreign currency transfers to entities abroad in the guise of payment for the imported goods. He ordered these transactions both for himself and on behalf of other DPMS wanting to receive funds abroad without having to face scrutiny by financial institutions and public authorities.

             

          • 2.1.4 Regulation and Supervision of DPMS in the UAE

            DPMS that qualify as Designated Nonfinancial Businesses and Professions (DNFBPs) are subject to AML/CFT requirements that are substantially the same as those imposed on LFIs, including the requirement to identify customers, to report suspicious transactions, and to perform a risk assessment. Under Article 3 of AML-CFT Decision, DPMS qualify as DNFBPs only if they are “carrying out any single monetary transaction or several transactions that appear to be interrelated or equal to more than AED 55,000”. A DPMS that does not engage in such transactions is not required to take any preventive measures. Although cash transactions are certainly high risk, LFIs should be aware that the fact that a DPMS does not qualify as a DNFBP does not mean that it is low-risk. All DPMS, regardless of whether they qualify as DNFBPs, must have a commercial license to operate legally in the UAE. The Ministry of Economy is also responsible for identifying and classifying DPMS as DNFBPs; LFIs are not required to make this determination. But LFIs should discover, through the CDD process, whether their customer has been classified as a DNFBP by the Ministry of Economy.

            Obliged DPMS are supervised for compliance by the Ministry of Economy, which has issued guidelines for supervised entities describing their AML/CFT compliance obligations.2


            2 Available at https://www.economy.gov.ae/english/Pages/AML.aspx.

        • 2.2 Understanding and Assessing Risks Related to the Real Estate Sector

          The real estate sector is an important part of the UAE's economy, responsible for as much as 20 percent of Gross Domestic Product (GDP). The UAE real estate sector is diverse, encompassing construction and development, commercial real estate sales, and a wide variety of residential real estate, from apartments to luxury villas. A large number of professional real estate agents and brokers—over 11,500—support this sector.

          Most transactions within the sector are legitimate. Nevertheless, LFIs should be aware that the real estate sector offers opportunities for criminals seeking to conceal, transfer, and/or invest their illicit proceeds. The real estate market is a fairly liquid market in which assets generally retain stable values over time. Real estate transactions are generally large and offer criminals the opportunity to launder large values in a single transaction. And unlike other stores of value, such as cash or precious metals and stones, real estate can be enjoyed or can earn income while it is in the owner's possession.

          • 2.2.1 Risks of the Real Estate Sector

            The real estate sector is attractive to criminals and other illicit actors for many of the same reasons that it is popular with legitimate investors: real estate is a fairly liquid market, with assets that generally maintain or appreciate in value over time. Like certain forms of gold and precious metals, and unlike stores of value such as currency and stocks, real estate can be enjoyed by the owner. Indeed, the purchase of luxury real estate may in fact be the ultimate goal of the money laundering process.

            In addition, certain characteristics of the sector, while not in themselves illicit or undesirable, offer advantages for those seeking to launder funds and to move large values between individuals and across borders in a relatively short time:

             The sale or purchase of real estate is a normal, everyday transaction, and offers a simple, convenient explanation for the source of funds in a large transaction.
             
             Real estate transactions are typically high-value, allowing illicit actors to launder large sums in a single transaction.
             
             Real estate transactions of all kinds often take place between shell companies created for the sole purpose of owning real property. This practice makes it difficult to identify the true owner of the property. In addition, the ubiquity of this practice makes it difficult to distinguish licit from illicit transactions.

             The price of real estate is not fixed and is somewhat subjective, allowing illicit actors to inflate or deflate sales or purchase prices to better suit their schemes.
             
             Real estate is frequently sold and re-sold in fairly quick succession, making it less suspicious when a criminal engages in similar behaviors in order to layer laundered funds.
             
             In some jurisdictions, the ownership of real estate gives the owners access to residency rights. Illicit actors may take advantage of these rights to expand their criminal networks to new jurisdictions, to escape criminal investigation in their home countries, and to hold assets offshore without alerting their home authorities.
             

            The real estate sector may be abused at any stage of the laundering process:

             Placement: A criminal may invest illicit funds into the sector through an initial purchase in cash.
             Layering: A criminal may conceal the true origin of illicit funds by selling and purchasing a number of properties, extending the distance between current assets and the original placement of the funds.
             Integration: A criminal may sell a property and invest the funds in stocks, using the paperwork from the sale to demonstrate an apparently acceptable source of funds.
             
          • 2.2.2 Features of the Real Estate Sector that Increase Risk

            Certain features of the real estate sector in different jurisdictions can increase the attractiveness of the sector to illicit actors. Although these features are not in themselves negative or undesirable, they have the effect of increasing the ease with which illicit actors can use the sector to launder funds.

             Varying regulation and supervision of real estate professionals. Real estate agents and brokers are well placed both to detect and to collude in suspicious transactions. Agents and brokers are able to observe suspicious client behaviour, as well as aspects of a transaction that do not have a reasonable explanation. Conversely, complicit real estate professionals may advise a client on how to avoid scrutiny from LFIs and government authorities. This risk is increased in jurisdictions where agents handle client funds, such as in escrow or trust accounts.
             
              Because of the special role played by real estate professionals, the FATF Recommendations require that many such professionals be regulated and supervised, with AML/CFT obligations like those imposed on financial institutions. Where these obligations are not imposed and enforced, and where real estate professionals are not monitored for their compliance, the sector may be higher risk.
             
             Widespread use of cash. In certain jurisdictions, real estate transactions are frequently executed entirely or partially in cash. This allows a transaction to take place without involving the formal financial system. In addition, criminal activities often produce high volumes of cash, and placement of cash derived through illegal activities is often the first step in the money laundering process. Even if a particular transaction is executed through bank cheque or other similar means, if the property was purchased for cash in the recent past it can be difficult or impossible to fully understand the chain of ownership and thus to identify whether a transaction is part of the money laundering process (e.g., the property was purchased in cash by A, sold to B to launder the original purchase funds, and is now being re-sold to A).
             
             Lack of transparency on beneficial owners. As discussed above, illicit actors, like many purchasers of real estate, often engage in transactions using shell companies, and engage intermediaries such as law firms to represent them and obscure their interest in a property transaction. Where a jurisdiction does not collect beneficial ownership information for such companies or for real property in general, and permits foreign companies to own real estate, it increases the likelihood that law enforcement and LFIs will not be able to identify the individuals behind a purchase or sale.
             
             Openness to foreign purchasers. A real estate sector that is entirely open to non-residents and non-citizens is likely to be more liquid than a closed sector. In addition, an open sector is exposed to illicit funds generated all over the world. Jurisdictions that offer residency or citizenship rights to foreign purchasers of domestic real estate may be particularly attractive to foreign illicit actors.
             
             High liquidity and rising prices. Illicit actors, like licit investors, want assurance that they will be able to sell an investment property for an amount that recoups their investment or offers a profit. Although they may be willing to tolerate a modest loss on the investment as the cost of money laundering, they may be more likely than most purchasers to seek to ‘flip’ properties, buying and selling them in quick succession. A highly liquid market facilitates flipping and increases the likelihood that the sale price will meet or exceed the purchase price. In addition, rising prices and a ‘hot’ market make it easier to disguise certain typologies, such as making small renovations to a property and then reselling it to an associate for a steeply increased price. The difference between the purchase price and the market value is then secretly refunded to the buyer in cash.
             
          • 2.2.3 Typologies

            Illicit actors may use a wide variety of strategies to launder the proceeds of crime through the real estate sector. Many of these strategies are not specific to the real estate sector and appear in a variety of contexts.

            The following are some of the most common.

             Placement of cash. There are a variety of ways that the real estate sector can be used to place the cash proceeds of crime.
             
              o Perhaps the simplest is purchasing a property in cash and then selling it, with the purchase price paid via wire or bank cheque. The criminal can identify a clear source of funds for the funds received, and can proceed to layer them using other techniques.

              o This basic typology is subject to a number of variations. A property owner may pay for renovations in cash that represents the proceeds of crime, thus increasing the property's value. When the property is sold, the purchase price will include the value of illicit funds spent on renovations.

              o An illicit actor may receive a bank loan to purchase the property, and then pay the loan back early in cash, or make payments in cash.

              o Real estate investments, such as rental properties, may also be cash-intensive businesses. In jurisdictions where it is common to pay rent in cash, these properties can be used to commingle licit with illicit funds.
             
             Use of shell companies or other legal entities to obscure ownership. As discussed above, the use of shell companies—legal persons with no operations or employees—to hold real property is a common feature of real estate sectors all over the world. This practice facilitates investment and business (e.g. owning a shopping mall and collecting rent from tenants) and also preserves privacy (e.g. a prominent individual purchasing a home using a shell company to avoid her address becoming public knowledge).
             
              Despite the legitimate uses of this technique, however, it can also be used to hide ownership when the true owner is an individual who does not want to be linked to the purchase. This may include Politically Exposed Persons (PEPs) who are purchasing properties that are inconsistent with their known sources of wealth; individuals who have past convictions for proceeds-generating offenses or are associated with negative news; and sanctioned individuals.
             
              In place of or in addition to shell companies, illicit actors may use complex ownership structures, legal arrangements, and nominee arrangements to conceal their ownership interest in a real estate transaction. Please see the CBUAE's Guidance for Licensed Financial Institutions providing services to Legal Persons and Arrangements3 for more information on the risks of legal persons and arrangements.
             
             Use of intermediaries to obscure ownership. Similarly, individuals who wish to hide their connection to a real estate purchase or sale may rely on professional intermediaries—such as real estate brokers, lawyers, and accountants—to engage directly with financial institutions. Such intermediaries may be directly complicit in the concealment and aware that the true identity of their customer would raise questions about the transaction. Or they may simply be following professional rules that mandate professional secrecy regarding their clients.
             
             Manipulation of property values. Although real estate pricing is somewhat predictable, prices are sufficiently subjective to justify inflated or deflated pricing in service of laundering schemes.
             
              o Two co-conspirators may arrange a sale of a property for a sum that does not represent its market value, with the difference being paid in cash: for example, the sale price is 20% higher than the market value, and the seller repays the buyer in cash. A purchase price higher than market value may be justified to authorities on the grounds that the property was perfect for the buyer's needs, or the buyer was anxious to complete the sale quickly. Similarly, a purchase price below market value may be justified on the grounds that the seller wanted a quick sale, or the property had structural issues.

              o Illicit actors may conspire with corrupt officials or bank employees to inflate the assessed value of a property, facilitating these schemes.

              o A criminal may also disguise illicit transfers as loans raised using the property as security. The higher the value of the property, the more money that can be laundered using this technique.
             
             Sequential selling. The repeated selling of real estate by a group of conspirators, or by a single individual using multiple shell companies, in an attempt to separate the ultimate owner from the criminal proceeds originally used to purchase the property. In many cases, the same individual(s) will buy the property or sell the property multiple times.
             

            3 Available at https://www.centralbank.ae/en/cbuae-amlcft.

          • 2.2.4 Regulation and Supervision of the Real Estate Sector in the UAE

            • 2.2.4.1 Regulation of the Real Estate Sector

              Regulation of the real estate sector as a whole—as opposed to regulation of real estate professionals—is the responsibility of each of the emirates and as a result varies across the UAE. This section discusses key aspects of regulation of the sector in Dubai and Abu Dhabi, the two largest property markets. Section 2.2.4.2 discusses regulation of real estate agents and brokers.

              • 2.2.4.1.1 Openness to Foreign Purchasers

                 Dubai: With the exception of nationals of the Gulf Cooperation Council (GCC), non-residents and non-citizens of the UAE are permitted to own real estate in Dubai only in one of the designated real estate investment areas. In general, foreign purchasers must be individuals; legal persons are not able to purchase real estate in the investment areas unless they make the purchase through a subsidiary incorporated in a Free Zone. Foreign trusts and other legal arrangements, including trusts or legal arrangements established in the Free Zones, are also not permitted to purchase real estate anywhere in the Emirate.
                 
                 Abu Dhabi: As in Dubai, foreigners are permitted to purchase real estate in Abu Dhabi only in one of nine designated real estate investment areas. Within these areas, there are no restrictions on the type of property they can own or the period of time for which they can own it. Outside of these areas, foreigners cannot exercise freehold ownership of property, although they can exercise other forms of long-term ownership, such as leaseholds and usufruct rights.
                 
              • 2.2.4.1.2 Residency Rights

                Owners of freehold properties above a certain value may obtain an investor visa that grants them limited residency rights in the UAE. The larger the value of the property, the longer the length of the visa. Visa rules are set by the UAE federal government through Cabinet Resolution (56) of 2018 on Regulating the Residence Permits for Investors, Entrepreneurs and Specialised Talents, and thus apply to all emirates:

                 Ownership of a property worth at least AED 1 million comes with a six-month multi-entry visa. Dubai will grant a three-year renewable residency visa in such circumstances.
                 
                 An individual who purchases a property of at least AED 5 million and retains it for three years is entitled to a five-year residency visa.

                 An individual who purchases a property of at least AED 10 million without a mortgage or other loan and retains it for three years is entitled to a ten-year residency visa.
                 
              • 2.2.4.1.3 Use of cash

                There are no legal restrictions on use of cash to purchase real estate or property in Dubai or Abu Dhabi.

            • 2.2.4.2 Regulation and Supervision of Real Estate Professionals

              Real estate agents and brokers in the UAE are required to be licensed. The Land Departments or municipality of each emirate and CFZ are responsible for granting licenses in the Mainland and CFZs; the Financial Services Regulatory Authority (FSRA) and Dubai Financial Services Authority (DFSA) license real estate agents in the FFZs.

              Under Article 3 of AML-CFT Decision, real estate agents and brokers qualify as DNFBPs when they “conclude operations for the benefit of their Customers with respect to the purchase and sale of real estate.” When they qualify as DNFBPs, real estate agents and brokers must comply with the same AML/CFT preventive measures as LFIs, including the requirements to conduct a risk assessment, perform CDD, and report suspicious transactions.

              The Ministry of Economy supervises real estate professionals in the mainland and CFZs for compliance with AML/CFT obligations, and the FSRA and DFSA supervise them in the FFZs. The Ministry of Economy has issued guidelines for supervised entities describing their AML/CFT compliance obligations.4


              4 These guidelines may be found at https://www.economy.gov.ae/english/Pages/AML.aspx.

      • 3 Mitigating Risks

        Although LFIs should judge their own risk tolerance and risk management capabilities, the CBUAE does not expect or encourage LFIs to broadly prohibit or exit customer relationships with the real estate and precious metals and stones sectors. These sectors are important parts of the UAE economy, and they need access to financial services to conduct their legitimate business. The CBUAE does expect, however, that LFIs understand their risk and take effective, risk-based steps to protect themselves from abuse and from illicit actors and transactions. Effective risk mitigation is therefore critical to protecting the LFI, complying with its legal obligations, and meeting supervisory expectations.

        The sections below discuss how LFIs can apply specific preventive measures to identify, manage, and mitigate the risks associated with the real estate and precious metals and stones sectors. It is not a comprehensive discussion of all AML/CFT requirements imposed on LFIs. LFIs should consult the UAE legal and regulatory framework currently in force. The controls discussed below should be integrated into the LFI's larger AML/CFT compliance program, and supported with appropriate governance and training.

        • 3.1 Risk-Based Approach

          • 3.1.1 Overarching common requirements

            LFIs must take a risk-based approach to the preventive measures they put in place for all customers, including customers in the real estate and precious metals and stones sectors. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.

            The risk-based approach has three principal components:

            • 3.1.1.1 Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.

              The enterprise risk assessment should reflect the presence of higher-risk customers, including DPMS and real estate sector participants in an LFI's customer base. This assessment should include higher-risk customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI's inherent risk rating. In addition, the controls risk element of the LFI's enterprise risk assessment, as required by section 4.2.1 of the Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Financial Institutions, should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its higher-risk customers, including the preventive measures discussed below.

            • 3.1.1.2 Identifying and assessing the risks associated with specific customers.

              The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD) and to support its entity risk assessment. In assessing the risks of a DPMS or real estate sector participant, LFIs should consider:

               i. Geographic Risk: The risks associated with the jurisdictions in which the customer lives (for individuals) or is registered/headquartered (for legal persons) and where it operates, including the jurisdictions where it has subsidiaries, where it sources its products (where relevant), and where its main counterparties are based. These may include the overall risk of money laundering, terrorist financing, and financing of proliferation, as well as what is known regarding the prevalence of abuse of entities in these sectors.
               
                There are a number of sources that LFIs can use to develop a list of high-risk countries, jurisdictions, or regions. LFIs should consult any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC)5, UAE FIU and by the FATF, including the FATF's list of jurisdictions subject to countermeasures and to increased monitoring. LFIs may also use public free databases such as, for example, the Basel AML Index6 or the Transparency International Corruption Perceptions Index.7 LFIs should not rely solely on public lists, however, and should consider their own experiences and the nature of their exposure to each jurisdiction when assessing the risk of that jurisdiction.
               
               ii. Customer Risks: For real estate agents and brokers and DPMS, customer risk can be assessed as the proportion of higher-risk customer types (e.g. PEPs, legal persons, and customers from high-risk jurisdictions) within a customer's customer base.

               iii. Product, Service, and Delivery Channel Risk: LFIs should assess risk in this category on two dimensions:

                a. The products and services that the customer offers to its customers, and the delivery channels through which it offers these products and services. Products, services, and delivery channels that promote the rapid, anonymous transfer of high values are particularly attractive to illicit actors. These may include, but are not limited to:

                 i. Online/non-contact sales: Non-face-to-face transactions make it easier for criminals to hide their identities.

                 ii. Accepting cash for high-value purchases: Cash is very difficult to trace and can be exchanged without involving the formal banking system, and thus is particularly attractive to criminals.

                 iii. Accepting virtual assets: Virtual assets, like cash, are anonymous and difficult to trace to their users. Unlike cash, virtual assets allow parties to carry out transactions even when they are at a distance from one another. These qualities, combined with the lack of consistent regulation of entities that deal in virtual assets, make virtual assets high risk for abuse by illicit actors.
               
                 Specific high-risk products and services offered by each customer type are discussed below in sections 3.1.2 and 3.1.3.
               
                b. The LFI products and services that the customer intends to use, and the delivery channels through which the LFI will provide these services. LFIs should draw on their entity risk assessment to assess the risk of the products and services each customer uses or intends to use. (This subject is also discussed in section 3.2.1.3.2 below in relation to understanding the nature and purpose of the business relationship.)

               iv. Controls Risk: LFIs should seek to understand the regulatory requirements in place for the customer, as well as how well they are enforced. This assessment is particularly important for those DPMS and real estate brokers that qualify as DNFBPs and therefore are also subject to such requirements. Other participants in the real estate sector, such as developers, are not required to comply with AML/CFT preventive measures. In addition, participants in the precious metals and stones sector may also be required to comply with UAE requirements or global standards related to sourcing precious metals and stones and transparency of supply chains. Where relevant to a customer's business, LFIs should consider whether its customer conducts appropriate supply chain due diligence.
               

              Questions that an LFI may ask to determine customer risk profile include, but are not limited to:

               Where is the customer incorporated? Where does it operate? Are these high-risk jurisdictions?
               What products and services does the customer provide?
               What is the trading volume of the business?
               What customer base does the customer serve?
               What is the regulatory environment in the jurisdiction(s) where the customer is incorporated/has operations?
               Is there an authority that actively enforces the requirements?
               Is the customer required to perform CDD on cash customers above a certain threshold in all jurisdictions where it operates? In such scenarios, is it required to identify the beneficial owners of legal person customers?
               Is the customer required (as are DNFBPs in the UAE) to conduct a regular independent audit? Did the most recent audit have any material findings?
               Does the customer perform sanctions screening?
               What is the main channel (in-person vs. online) and methods (cash, wire transfers, checks, etc.) of conducting transactions and in which currency (or multiple currencies)?
               

              In addition to risk rating customers, LFIs should also consider the risks of specific transactions, especially high-value transactions, those involving high-risk jurisdictions, and those that represent departures from a customer's standard or expected behavior. LFIs should be aware of sectoral risks when reviewing large transactions associated with the DPMS or real estate sectors, or transactions of any size that do not have a clear licit economic purpose.


              5 Available at: https://www.namlcftc.gov.ae/en/high-risk-countries.php
              6 Available at: https://baselgovernance.org/basel-aml-index
              7 Available at: https://www.transparency.org/en/cpi/2020/index/nzl

            • 3.1.1.3 Applying EDD and other preventive measures

              LFIs must apply EDD and other preventive measures to customers determined to be higher-risk, as required by Article 4.2(b) of AML-CFT Decision, or to specified higher-risk customer types, no matter their risk rating, as required by AML-CFT Decision. EDD measures should be designed to mitigate the specific risks identified with particular customers. Examples of EDD measures are offered below in section 3.2.

          • 3.1.2 Key Considerations for DPMS

            Beyond the general considerations discussed above, in assessing the risk of a DPMS customer LFIs should consider:

             Geographic Risk: Whether the jurisdiction(s) in which the customer is based or operates are known centres for illegal or unregulated mining of precious metals and stones.
             
             Product, Service, and Delivery Channel Risk: The following products and services are particularly high risk:
             
              o Trade in gold bullion and diamonds: The high inherent value of these substances, their ability to retain value for a long period of time, the size and stability of the market, relative ease of exchange, high value by weight, and the difficulty of tracing them make gold and diamonds particularly attractive to criminals.

              o Metal accounts: Metal accounts are accounts held by a custodian institution and denominated in precious metals (such as gold, silver, or platinum) rather than in fiat currencies. They allow the account holder to quickly buy and sell precious metals without needing to have a face-to-face interaction with a DPMS.
             
          • 3.1.3 Key Considerations for the Real Estate Sector

            Beyond the general considerations discussed above, in assessing the risk of a customer who is a participant in the real estate sector, LFIs should consider:

             Controls Risk: In the case of transactions or customers related to the real estate sector, an assessment of controls risk should also include the regulations governing the real estate sector as a whole, and not just regulations governing the sector participants (real estate agents and brokers). LFIs should assess whether regulations governing property transactions are likely to make the sector more or less attractive to illicit actors. As discussed above in section 2.2.2, these may include the openness to foreigners, the widespread use of cash and shell companies, and the intensity of scrutiny of real estate transactions.
             

            In many cases neither party to a real estate-related transaction will be a business or individual whose primary activity is related to the real estate sector (e.g., the sale of a private home). In such cases, in addition to the risk of the specific customer involved, LFIs should consider aspects of the transaction itself, including:

             • The jurisdiction in which the real property that is the subject of the transaction is located;
             • The jurisdiction in which the customer's counterparty is located;
             • If the LFI's customer is the purchaser, whether the purchase price is consistent with the purchaser's known means and income;
             • Whether the purchase price is generally consistent with the market price for roughly similar properties;
             • Whether all parties to the transaction are resident in jurisdictions other than the jurisdiction in which the property is located;
             • Whether the seller of the property has owned it only for a short period of time;
             • Whether shell companies or other legal structures are involved in the purchase in such a way as to obscure the true owner of the property; and
             • Whether the parties to the transaction appear to be related (e.g. are represented by the same law firm or real estate broker, share corporate directors, or share an address), but the relationship between them is unclear.
             
        • 3.2 Customer Due Diligence and Enhanced Due Diligence

          CDD, and where necessary EDD, are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. As discussed below, each stage of the CDD process gives LFIs an opportunity to collect the information they need to identify and manage the specific risks of higher-risk customers.

          The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Where an LFI cannot satisfy itself that it understands a customer, then it should not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report (STR), as discussed in section 3.3 below.

          Under Article (5) of AML-CFT Decision, LFIs must conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a Customer with whom there is no business relationship. Although Article 5 permits CDD to be delayed in circumstances of lower risk, the higher risk of the DPMS and real estate sectors makes it very unlikely that delayed CDD will be appropriate in the context of onboarding such customers.

          LFIs should consult the UAE legal and regulatory framework currently in force for a full discussion of their CDD obligations and of the CBUAE's expectations for CDD procedures.

          • 3.2.1 Overarching common requirements

            The following elements of CDD should be carried out for all customers, no matter the customer type.

            • 3.2.1.1 Customer Identification and verification

              Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers.

              In most countries, including the UAE, anyone operating a business, whether as an individual or a legal person, must have a business license. Such persons may also need to be registered with their country's ministry of commerce or economy. Among other documents required for customer identification and verification, LFIs should ensure that they collect proof of an active license and/or registration from all business customers. Where a license is required, lack of one may indicate that a customer is attempting to avoid regulation and supervision by the authorities in the UAE or in its home jurisdiction.

            • 3.2.1.2 Beneficial Owner Identification

              The majority of DPMS and real estate sector customers will be legal persons. The UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual(s) holding the senior management position in the entity.

              Legal arrangements may be involved in transactions related to real estate. For legal arrangement customers, LFIs must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, the identity of any other natural person exercising ultimate effective control over the legal arrangement and obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.

              The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI's customer.

              When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision.

              Please see the CBUAE's Guidance for Licensed Financial Institutions providing services to Legal Persons and Arrangements [8] for more information on identification of beneficial owners.


              [8] Available at https://www.centralbank.ae/en/cbuae-amlcft

              • 3.2.1.2.1 EDD: Beneficial Ownership

                If the LFI is not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the LFI should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25% ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10% or even the 5% level. It may also involve requiring the customer to provide the names of all persons who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.

            • 3.2.1.3 Nature of the Customer’s Business and Nature and Purpose of the Business Relationship

              For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer's business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI's services. This element of CDD will have important implications for the customer risk rating. This is particularly true of the nature of the customer's business, which will likely be the critical determinant of risk for customers of the types addressed in this Guidance.

              • 3.2.1.3.1 Nature of the Customer’s Business

                Understanding the nature of the customer's business involves first i) identifying that the customer is a participant in a higher-risk sector; and ii) collecting all the information necessary to assess the risk factors for that specific customer type, as described in section 3.1 above. Customers may not identify themselves explicitly as DPMS or real estate sector participants. In some cases, the nature of the customer's business will be clear based on the customer's own statements; in others, the LFI may need to ask additional questions to ascertain whether or not the customer carries out any of the qualifying activities. For example, an importer/exporter may qualify as a DPMS if it trades in precious metals and stones among other products, or a department store may qualify if it sells fine jewelry.

                Following the determination of the customer's sector, the LFI should collect the information necessary to understand the products and services the customer offers, where it operates, and who its customers are. The exact information collected will depend on both the nature of initial findings and on the risk level of the entity. For example:

                 • Company A is a large commercial real estate broker licensed in Sharjah and supervised as a DNFBP by the Ministry of Economy. Company A applies for a general purpose business account with Bank C, an LFI. Bank C interviews Company A regarding its business activities and customer base, and asks Company A to supply a copy of its institutional risk assessment and its CDD and STR policies.

                 • Company B, a small business based in Dubai, seeks to establish a checking account with Bank C, an LFI. Company B represents that it primarily sells furniture and curios, but in response to questions from Bank C during the CDD process discloses that it sells gold and silver coins and also that it accepts cash payments. Company B is not licensed as a DPMS and is not registered by the Ministry of Economy. Bank C decides to make an unannounced site visit to Company B and discovers that gold objects make up a large part of its inventory. Bank C declines to consider opening the account until Company B is licensed and registered as a DPMS.
                 
              • 3.2.1.3.2 Nature and Purpose of the Business Relationship

                The risk to which the LFI may be exposed can vary based on the purpose of the account and the types of financial products and services the customer wishes to use. Nevertheless, if other risk factors are present a customer may still qualify as high risk even if they use only low-risk products and services.

                 • Certain aspects of a customer's business may be higher risk than others. For example, an account used for payroll may be lower risk than an account used to pay suppliers or that receives payments directly from customers.

                 • Certain LFI products and services may expose the LFI to higher risk. These include cash management services or large-scale cash deposits, and international wires, especially wires to or from high-risk or secrecy jurisdictions. These services are higher risk because they facilitate rapid movements of value across borders, or (in the case of cash) because they are conducive to anonymity. The LFI's entity risk assessment should identify its higher-risk products and services, and a customer that intends to use such services should be risk-rated accordingly.
                 

                For example:

                 • Company X is a small DPMS operating in the Dubai Gold Souk that applies for a general purpose checking account with Bank C, an LFI. Company X tells Bank C that it sells gold jewelry. It claims that it does not accept cash and has not registered as a DNFBP, but tells Bank C to expect weekly cash deposits. The relationship manager visits the store and observes a sign by the cash register saying “Payment by Cheque or Credit Only.” Bank C decides to prohibit cash deposits into the account with prior authorization, and to restrict such deposits to a low monthly total.
                 
              • 3.2.1.3.3 Developing a Customer Profile

                Businesses, including those in the DPMS and real estate sectors, engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a small DPMS is likely to be completely different from that of a large-scale commercial developer. At the same time, specific businesses are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour.

              • 3.2.1.3.4 EDD: Customer’s Business and the Business Relationship

                As LFIs advance efforts to understand their customer's business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:

                 • The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
                 • The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
                 • The LFI does not fully understand the customer's business model, or the customer has no clear business activities that would justify its expected use of the account.
                 

                EDD on the business activities and account use of businesses like DPMS and real estate sector participants can involve the following:

                 • Requiring the customer to provide invoices documenting incoming and outgoing transfers;
                 • Inspecting payroll documents and other business records;
                 • Visiting the customer's business premises and interviewing its personnel;
                 • Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
                 
            • 3.2.1.4 Ongoing Monitoring

              All customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

              • 3.2.1.4.1 CDD Updating

                LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of customers that are companies, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction. For example:

                 • Mr. Y and Sons is a highly-reputable dealer in uncut diamonds that has been banking with Bank C for more than 40 years. Bank C's account manager reads in the newspaper that Mr. Y has recently passed away and calls on Mr. Y's sons to express his condolences. During the course of the conversation, the account manager asks which son will be in charge of the business going forward. They inform him that they have just sold the business to a consortium of investors who wished to remain anonymous but who were represented by a global law firm with offices in the Free Zone. Once it has become aware of this fact, Bank C should rapidly identify the new beneficial owners of the customer. If it cannot do so promptly, it should suspend activity on the account.
                 

                LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

                CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:

                 • The customer's beneficial owners remain the same;
                 • The customer continues to have an active status with a company registrar;
                 • The customer has the same legal form and is domiciled in the same jurisdiction;
                 • The customer is engaged in the same type of business, and in the same geographies.
                 

                In addition to a review of the customer's CDD file, the LFI should also review the customer's transactions to determine whether they continue to fit the customer's profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established. This type of transaction review is distinct from the ongoing transaction monitoring discussed in section 3.2.1.4.2 below. The purpose of the review is to complement transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules. For example:

                 • Bank C is conducting its scheduled CDD review for Company A, a commercial real estate brokerage firm. When reviewing the customer's transactions over the past year, Bank C notices that Company A has begun making fairly regular payments to a counterparty in Country 1. Previously, Company A had engaged in extremely limited cross-border activity. The payments do not exhibit any red flags and therefore were not flagged by Bank C's automated transaction monitoring system. Bank C contacts Company A and learns that it has recently entered into a referral agreement with a private bank in Country 1. The bank refers customers looking to invest in the real estate sector, in Country 2, to Company A and in return receives a percentage of any commission Company A makes on a resulting sale. Bank C decides to conduct additional due diligence to learn more about the customer base referred to Company A by the bank in Country 1.
                 

                The techniques used for transaction review will vary depending on the client. For lower-risk clients, a review of alerts, if any, is likely to be sufficient. For higher risk clients, a more intensive review may be necessary. For clients with a large volume of transactions, LFIs may use data analysis techniques to identify unusual behaviour.

                If the review finds that the customer's behaviour or information has materially changed, the LFI should risk-rate the customer again. New information gained during this process may cause the LFI to believe that EDD is necessary, or may bring the customer into the category of customers for which EDD is mandatory (i.e. customers that are PEPs, or owned or controlled by PEPs, or their family members or associates; and customers that are based in high-risk jurisdictions).

                LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, LFIs should not rely on the customer to notify it of a change, but should still update CDD on a schedule appropriate to the customer's risk rating.

              • 3.2.1.4.2 Transaction Monitoring

                LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of an STR (see section 3.3 below). As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.

                Where possible, monitoring systems should also flag unusual behaviour that may indicate that a customer's business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business activities in such a way as to require a higher risk rating.

                Sample red flags for illicit behaviour involving DPMS and the real estate sector are provided in the Annex to this Guidance.

              • 3.2.1.4.3 EDD: Ongoing Monitoring

                When customers are higher risk, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as every six or nine months for very high-risk customers. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied for the customer. For example, LFIs should consider:

                 • Manually reviewing all transactions on the account on a quarterly basis, rather than a sample of transactions (as discussed above, such manual review should be in addition to automated transaction monitoring). Manual review can take the form of reviewing individual transactions, or of using data analysis to determine information about the customer's activity (e.g., overall percentage of counterparties in high-risk jurisdictions; new jurisdictions of activity compared to last quarter; overall percentage of transactions that are round numbers, etc.) that would not be apparent to automated transaction monitoring systems;

                 • Conducting site visits at the customer's premises and requesting a meeting with the customer's managing director or Chief Financial Officer;

                 • Conducting searches of public databases, including news and government databases, to independently identify material changes in a customer's ownership or business activities or to identify adverse media reports. Searches for adverse media should include relevant key words, including, but not limited to, allegation, fraud, corruption, and laundering.
                 

                In addition, higher-risk customers should be subject to more stringent transaction monitoring, such as lower thresholds for alerts and more intensive investigation.

          • 3.2.2 Key Considerations for DPMS

            All of the requirements above apply fully to DPMS customers. This section describes specific or additional considerations that LFIs should have in mind when carrying out CDD on such customers.

             • Nature of the Customer’s Business: Understanding the nature of the customer's business is particularly important in the context of DPMS, as risk is largely driven by the nature of the entity's business activities. LFIs should consider factors such as:
             
              ◦ Whether the customer qualifies as a DNFBP, and, if so, whether it is registered as such with the appropriate authority in its home jurisdiction (in the UAE, this is the Ministry of Economy, see section 2.2.4);

              ◦ The DPMS-specific risks of the countries where the customer does business (see section 3.1.1.2 (i)). Certain countries that may not be considered extremely high risk in other contexts may be very high risk in the DPMS sector, such as countries where illegal mining takes place on a significant scale, or countries where smuggling of gold and precious stones is particularly common;

              ◦ The products and services the customer provides, and their attractiveness to illicit actors.

              ◦ Example: Customer, a large Abu Dhabi luxury goods store, seeks to establish a general purpose business account with Bank B, an LFI. Customer sells fine jewelry to a clientele that includes a number of PEPs. Bank B collects additional information about sales and policies from Customer, and determines that all purchases of fine jewelry must be made using a credit card, and that fine jewelry accounts for less than 10% of Customer's annual turnover. Bank B decides that EDD is not necessary at this point, but decides to review activity on the account after six months to determine whether it presents any red flags.
             
             • Ongoing Monitoring: Because DPMS risk varies with their business activities, it is particularly important that LFIs monitor DPMS accounts for any unexpected changes in activity. A change in activity is not necessarily a sign of illicit behaviour, but it may indicate that a DPMS has changed its activity profile in ways that affect its risk rating.

              ◦ Example: When conducting its scheduled review of activity on the account of Customer, a large Abu Dhabi luxury goods store, Bank B notices that Customer has recently begun to receive large transfers from Iraq. When Bank B contacts Customer, the store explains that they've just begun conducting 'trunk shows' of fashion and fine jewelry for customers in Iraq and as a result have substantially increased the business they do with customers there. Based on this information, Bank B increases Customer's risk rating and considers placing other controls on the relationship.
             
          • 3.2.3 Key Considerations for the Real Estate Sector

            Customers that are overall low-risk, and whose business is unrelated to the real estate sector, can nonetheless engage in high-risk transactions related to the sector. For example, a retired businesswoman who has been a customer of an LFI for twenty years may sell her luxury villa to a foreign PEP. In such cases, the CDD that has been performed on the customer may not be sufficient to manage the risk of this particular transaction, and LFIs may need to perform additional transactional due diligence. Transactional due diligence may also be necessary to comply with the requirements of Article 7.1 of AML-CFT Decision, which requires LFIs to audit transactions carried out throughout the business relationship to ensure that the transactions are consistent with the customer's risk profile.

            Transactional due diligence should at least involve collecting additional information about the underlying activity and the customer's counterparty. Information that an LFI may request in the context of transactional due diligence on real estate transactions includes:

             • Sufficient information about the property to support an assessment that the purchase/sale price is reasonable and generally consistent with values for similar properties. This may include its official valuation for property tax purposes (where one exists); cadastral maps for the area where the property is located; floor plans; photographs; and recent sales information for similar properties. Where the LFI is financing a purchase, or has previously financed the purchase of the same property, it likely has this information on hand already.

             • Information about the customer's counterparty. Where the counterparty is an individual, this should include sufficient information to perform adverse media, sanctions and PEP screening. Adverse media searches should include searches of public records and databases using relevant key words, including but not limited to, allegation, fraud, corruption, laundering.

             • Where the counterparty is a legal person, it should include the jurisdiction in which the counterparty is registered/headquartered; identifying information on the counterparty's beneficial owners and line of business.

             • Information on source of funds and source of wealth. LFIs should be able to identify the source of funds for every large transaction related to the real estate sector. Where a transaction is financed, the source of funds will often be a bank loan, but for unfinanced transactions the determination may be more difficult. For high-risk customers or counterparties, such as PEPs, LFIs should also understand the source of overall wealth, in addition to the source of the specific funds used to purchase the property.
             
        • 3.3 STR Reporting

          As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a STR with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, the proceeds of crime, is related to a crime, or is intended to be used in a crime. STR filing is a legal obligation and a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs help to alert law enforcement about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.

          In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations:

           • A potential customer decides against opening an account or purchasing other financial services after learning about the LFI's CDD requirements;
           • A current customer cannot provide required information about its business or its beneficial owners;
           • A customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty; or
           • The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the customer. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship.
           

          Please consult the CBUAE's Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting [9] for further information.


          [9] Available at https://www.centralbank.ae/en/cbuae-amlcft

        • 3.4 Governance and Training

          The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer who understands the LFI’s risks and obligations and who has the resources and autonomy necessary to ensure that the LFI’s program is effective.

          As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of DPMS and real estate sector customers, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI's risk and the nature of its operations. For example, an LFI that has a large number of DPMS customers should offer training that includes an in-depth discussion of risk factors and red flags related to such customers.

      • Annex 1. Red Flags

        • Red Flags for DPMS

          Trade practices

           • Precious metals and stones originate from a country where there is limited production or no mines at all.

           • Trade in large volumes conducted with countries which are not part of a specific precious metals and stones pipeline.

           • An increase of the volume of the activity in a DPMS account despite a significant decrease in the industry-wide volume.

           • Selling or buying precious metals and stones between two local companies through an intermediary located abroad (lack of business justification, uncertainty as to actual passage of goods between the companies).

           • Volume of purchases and/or imports that grossly exceed the expected sales amount.

           • Sale of gold bars, coins, and loose diamonds from a jewelry store (retail).

           • Payments related to the appearance of rare or unique precious stones in the international market outside of known trading procedures (e.g., Argyle's rare pink diamond appearing in the international marketplace outside of the annual tender process), to the best knowledge of the financial institution.

           • A single bank account is used by multiple businesses.
           

          Transactions/financing of precious metals and stones trade

           Unusual forms of payment in the trade, for example, use of travelers cheques (all stages according to the accepted forms of payments).
           
           Date of payment not customary in the trade (e.g., receiving/sending funds for a precious metal and stone deal conducted a very long time ago (outside accepted payment terms), or a customer paying upfront where the customary payment date is within a 120-day term).
           
           Financial activity is inconsistent with practices in the precious metal and stone trade. For example,
           
            o Foreign currency deposits followed by currency conversion and cash withdrawal in local currency.
           
            o Cheque deposits followed by immediate cash withdrawals in slightly lower amounts (possible use of the DPMS account for cheques discounting).
           
            o Transfers of foreign currency and/or foreign currency cheques deposits, followed by currency conversion and immediate withdrawal from the account (possible use of the DPMS account for exchange services).
           
           No economic rationale for transactions involving an individual or company in the precious metal and stone industry.
           
           Deposits immediately followed by withdrawals, atypical of practices in the precious metal and stone trade, including but not limited to:
           
            o Circular transaction related to import/export of precious metals and stones.
           
            o Circular transactions related to local trade (between local bank accounts).
           
            o Circular financial transactions between a precious metal and stone company's account and the private account of the company's shareholder/director, without business or economic reason.
           
            o High turnover of funds through an account with a low end of day balance.
           
           Deposits or transfers to a precious metal and stone dealer's account from foreign companies followed by immediate transfer of similar amounts to another jurisdiction.
           
           Immediately after a precious metal and stone dealer's related account is opened, high-volume and high-value account activity is observed.
           
           Transactions between accounts of different companies which are affiliated with the same customer, particularly to or from Free Trade Zones or countries with tax leniencies (may be an indication of transfer pricing or trade mispricing).
           
           Open export is settled by offsetting to, and receiving payment from, a third party.
           
           Open export is settled abroad by offset in front of the importer.
           
           Settling an open export invoice with unrelated companies that engage in a specific precious metal and stone and not through value/return from abroad or return of goods to the precious metal and stone merchant.
           
           Details of the transaction are different from the details of the commercial invoice presented by the DPMS to the bank (name of importer/exporter, sum, place etc.)
           
           High-value funds deposited or transferred to an account described as short-term loans with no transactions showing repayment of loans.
           
           Early repayment of DPMS loan (a loan for 25 years is repaid after five months) with no reasonable explanation.
           
           Sale of diamonds and jewelry at small incremental amounts (retail).
           
           Multiple cheques drawn on the same DPMS' account on the same day.
           
           Origin/destination of funds is different from the destination/origin of the specific precious metal and/or stone.
           
           DPMS is credited by transactions with no evidence of sales.
           
           Numerous returns of advanced payments.
           

          Customers

           Activity does not match KYC, for example:
           
            o Actual trade volumes are significantly larger than the expected volume.
           
            o Customers and/or suppliers of the customer do not correspond to the stage of the trade initially declared.
           
           DPMS is not familiar with trade practices.
           
           DPMS maintains high level of secrecy.
           
           DPMS conducting activity in a branch not specializing in precious metals and stones (where such branches exist).
           
           Use of a bank account in the name of a charity to transfer funds to/from DPMS.
           
           Frequent changes in company name and contact person for a business in the industry (mainly wholesale)
           

          Use of third parties

           Customer consults a third party while conducting transactions.
           
           Receiving/transferring funds for import/export activity to/from entities that are not known to be involved in the precious metals and stones trade (either an individual or a legal entity).
           
           Return of an advanced payment from a third party.
           
           Receiving/transferring funds for import/export where the ordering customer/beneficiary is an MSB.
           
           Use of third parties to deposit funds into single or multiple DPMS' accounts.
           
           Name of sender in the payment transfer to the DPMS is not the importer/buyer (mainly rough and polished trade).
           
           Name of receiver in the payment from the DPMS is not the exporter/supplier.
           
           A single bank account with multiple deposit handlers (retail and wholesale).
           

          Use of missing/suspicious/falsified documents

           For diamond dealers, Kimberley Process (KP) certificate is or seems to be forged.
           
           Long validity of a KP certificate
           
           Transfers of funds or an attempt to transfer funds through a DPMS company's account without producing appropriate documentation.
           
           DPMS claims funds received/transferred are an advanced payment without producing any appropriate export/import invoice to support it.
           
           Transfers between a DPMS and a private account that are reported to the bank as precious metal and/or stone transactions, without presenting appropriate documentation.
           
           Invoice presented by the DPMS appears to the bank as unreliable/fake.
           
           Failing to provide a customs declaration in relation to a foreign currency cash deposit resulting from selling precious stones abroad.
           
        • Red Flags for the Real Estate Sector

          Natural persons

           Transactions involving individuals residing in tax havens or risk territories, when the characteristics of the transactions match any of those included in the list of indicators.
           Transactions carried out on behalf of minors, incapacitated persons or other persons who, although not included in these categories, appear to lack the economic capacity to make such purchases.
           Transactions involving persons who are being tried or have been sentenced for crimes or who are publicly known to be linked to criminal activities involving illegal enrichment, or there are suspicions of involvement in such activities and that these activities may be considered to underlie money laundering.
           Transactions involving persons who are in some way associated with the foregoing (for example, through family or business ties, common origins, where they share an address or have the same representatives or attorneys, etc.).
           Transactions involving an individual whose address is unknown or is merely a correspondence address (for example, a PO Box, shared office or shared business address, etc.), or where the details are believed or likely to be false.
           Several transactions involving the same party or those undertaken by groups of persons who may have links to one another (for example, family ties, business ties, persons of the same nationality, persons sharing an address or having the same representatives or attorneys, etc.).
           Individuals who unexpectedly repay problematic loans or mortgages or who repeatedly pay off large loans or mortgages early, particularly if they do so in cash.
           

          Legal persons

           Transactions involving legal persons or legal arrangements domiciled in tax havens or risk territories, when the characteristics of the transaction match any of those included in the list of indicators.
           Transactions involving recently created legal persons, when the amount is large compared to their assets.
           Transactions involving legal persons or legal arrangements, when there does not seem to be any relationship between the transaction and the activity carried out by the buying company, or when the company has no business activity.
           Transactions involving foundations, cultural or leisure associations, or non-profit-making entities in general, when the characteristics of the transaction do not match the goals of the entity.
           Transactions involving legal persons which, although incorporated in the country, are mainly owned by foreign nationals, who may or may not be resident for tax purposes.
           Transactions involving legal persons whose addresses are unknown or are merely correspondence addresses (for example, a PO Box number, shared office or shared business address, etc.), or where the details are believed false or likely to be false.
           Various transactions involving the same party. Similarly, transactions carried out by groups of legal persons that may be related (for example, through family ties between owners or representatives, business links, sharing the same nationality as the legal person or its owners or representatives, sharing an address, in the case of legal persons or their owners or representatives, having a common owner, representative or attorney, entities with similar names, etc.).
           Formation of a legal person or increases to its capital in the form of non-monetary contributions of real estate, the value of which does not take into account the increase in market value of the properties used.
           Formation of legal persons to hold properties with the sole purpose of placing a front man or straw man between the property and the true owner.
           Contribution of real estate to the share capital of a company which has no registered address or permanent establishment which is open to the public in the country.
           Transactions in which unusual or unnecessarily complex legal structures are used without any economic logic.

          Natural and legal persons

           Transactions in which there are signs, or it is certain, that the parties are not acting on their own behalf and are trying to hide the identity of the real customer.
           Transactions which are begun in one individual's name and finally completed in another's without a logical explanation for the name change. (For example, the sale or change of ownership of the purchase or option to purchase a property which has not yet been handed over to the owner, reservation of properties under construction with a subsequent transfer of the rights to a third party, etc.).
           Transactions in which the parties:
            o Do not show particular interest in the characteristics of the property (e.g. quality of construction, location, date on which it will be handed over, etc.) which is the object of the transaction.
            o Do not seem particularly interested in obtaining a better price for the transaction or in improving the payment terms.
            o Show a strong interest in completing the transaction quickly, without there being good cause.
            o Show considerable interest in transactions relating to buildings in particular areas, without caring about the price they have to pay.
           Transactions in which the parties are foreign or non-resident for tax purposes and:
            o Their only purpose is a capital investment (that is, they do not show any interest in living at the property they are buying, even temporarily, etc.).
            o They are interested in large-scale operations (for example, to buy large plots on which to build homes, buying complete buildings or setting up businesses relating to leisure activities, etc.).
           
           Transactions in which any of the payments are made by a third party, other than the parties involved. Cases where the payment is made by a credit institution registered in the country at the time of signing the property transfer, due to the granting of a mortgage loan, may be excluded.

          Intermediaries

           Transactions performed through intermediaries, when they act on behalf of groups of potentially associated individuals (for example, through family or business ties, shared nationality, persons living at the same address, etc.).
           Transactions carried out through intermediaries acting on behalf of groups of potentially affiliated legal persons (for example, through family ties between their owners or representatives, business links, the fact that the legal entity or its owners or representatives are of the same nationality, that the legal entities or their owners or representatives use the same address, that the entities have a common owner, representative or attorney, or in the case of entities with similar names, etc.).
           Transactions taking place through intermediaries who are foreign nationals or individuals who are non-resident for tax purposes.
           

          Means of Payment

           Transactions involving payments in cash or in negotiable instruments which do not state the true payer (for example, bank drafts), where the accumulated amount is considered to be significant in relation to the total amount of the transaction.
           Transactions in which the party asks for the payment to be divided into smaller parts with a short interval between them.
           Transactions where there are doubts as to the validity of the documents submitted with loan applications.
           Transactions in which a loan was granted, or an attempt was made to obtain a loan, using cash collateral or where this collateral is deposited abroad.
           Transactions in which payment is made in cash, bank notes, bearer cheques or other anonymous instruments, or where payment is made by endorsing a third-party's cheque.
           Transactions with funds from countries considered to be tax havens or risk territories, according to anti-money laundering legislation, regardless of whether the customer is resident in the country or territory concerned or not.
           Transactions in which the buyer takes on debt which is considered significant in relation to the value of the property. Transactions involving the subrogation of mortgages granted through institutions registered in the country may be excluded.

          Nature of the Transaction

           Transactions in the form of a private contract, where there is no intention to notarise the contract, or where this intention is expressed, it does not finally take place.
           Transactions which are not completed in seeming disregard of a contract clause penalising the buyer with loss of the deposit if the sale does not go ahead.
           Transactions relating to the same property or rights that follow in rapid succession (for example, purchase and immediate sale of property) and which entail a significant increase or decrease in the price compared with the purchase price.
           Transactions entered into at a value significantly different (much higher or much lower) from the real value of the property or differing markedly from market values.
           Transactions relating to property development in high-risk urban areas, in the judgement of the company (for example, because there is a high percentage of residents of foreign origin, a new urban development plan has been approved, the number of buildings under construction is high relative to the number of inhabitants, etc.).
           Recording of the sale of a building plot followed by the recording of the declaration of a completely finished new building at the location at an interval less than the minimum time needed to complete the construction, bearing in mind its characteristics.
           Recording of the declaration of a completed new building by a non-resident legal person having no permanent domicile indicating that the construction work was completed at its own expense without any subcontracting or supply of materials.
           Transactions relating to property development in high-risk urban areas based on other variables determined by the institution (for example, because there is a high percentage of residents of foreign origin, a new urban development plan has been approved, the number of buildings under construction is high relative to the number of inhabitants, etc.).
           
      • Annex 2. Synopsis of the Guidance

        Purpose of this Guidance (1)
        Purpose
        The purpose of this Guidance is to help Licensed Financial Institutions (LFIs) understand and mitigate risks when providing services to the dealers in precious metals and stones (DPMS) and real estate (RE) sectors, and to guide them in fulfilling their AML/CFT obligations. The FATF's Mutual Evaluation Report of the UAE issued in April 2020 stated that the two sectors are weighted as highly important in terms of risk and materiality in the UAE.
        Applicability
        This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories:
        • national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
        • insurance companies, agencies, and brokers.
        Understanding and Assessing the Risks of DPMS (2.1)
        ML/TF Risks of DPMS
        DPMS present higher risks to LFIs because their services and products are attractive to illicit actors as the trade in precious metals and stones permits illicit actors to move large quantities of value in a liquid, fungible format across borders outside of the traditional financial system.
        Features of DPMS that Increase Risk
        Not all DPMS pose equal risk to LFIs. DPMS with the following characteristics may be higher risk:
        • Operating in jurisdictions with lax or non-existent regulation or that are high risk for crime and terrorism;
        • Offer products and services—such as the sale of gold bullion or of uncut stones—that allow customers to access a widely traded, fungible, anonymous form of value; or
        • Serve a high-risk customer base, such as a high proportion of PEPs.
        Supervision of DPMS in the UAE
        DPMS in the UAE may qualify as DNFBPs when they carry out any single monetary transaction or several transactions that appear to be interrelated or equal to more than AED 55,000. If so, they are required to apply AML/CFT controls like those used by LFIs. They are supervised by the Ministry of Economy, which has issued guidelines for supervised entities describing their AML/CFT compliance obligations.
        Understanding and Assessing the Risks of the RE sector (2.2)
        ML/TF Risks of the RE Sector
        The RE sector presents a higher risk to LFIs because the sector offers an attractive way for illicit actors, criminals, and corrupt officials to move and store value while hiding their identity.
        Features of RE Sectors that Increase Risk
        Not all customers and transactions related to the RE sector (in the UAE or elsewhere) pose equal risk to LFIs. Sectors with the following characteristics may be higher risk:
        • Weak regulation and/or supervision of real estate brokers and agents;
        • Widespread use of cash to purchase real property;
        • Lack of transparency on beneficial owners of real estate;
        • Openness to foreign purchasers, including 'golden visa' programs; and
        • High liquidity and rising prices.
        Supervision of the RE Sector in the UAE
        Real estate agents and brokers qualify as DNFBPs when they conclude operations for the benefit of their customers with respect to the purchase and sale of real estate. When they qualify, they are required to apply AML/CFT controls like those used by LFIs. They are supervised by the Ministry of Economy, which has issued guidelines for supervised entities describing their AML/CFT compliance obligations.
        Mitigating Risk: Requirements for LFIs (3)
        Risk-Based Approach

        LFIs must take a risk-based approach in their AML programs and to individual customers. This means that they should assess all customers, including DPMS and RE sector customers, to determine their degree of risk.

        In assessing the risk of DPMS and RE sector customers, LFIs should consider at least the following factors:

        • The jurisdiction(s) in which the customer is based or does business, including both the jurisdictional risk of crime and terrorism but also the regulation in place on the DPMS and real estate sectors;
        • The products and services the customer supplies to its customers;
        • The customer's customer base;
        • The quality of the customer's AML/CFT controls, where they exist.
        Customer Due Diligence
        For all customers, including DPMS and RE Sector customers, LFIs must perform Customer Due Diligence with the following components:
        Customer Identification: DPMS and RE sector customers will often be businesses, and LFIs should ensure that their customer has the required licenses.
        Identification of Beneficial Owners: DPMS and RE sector customers will often be legal persons. For all legal person customers, LFIs must identify all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
        Understand the Purpose of the Account and the Nature of the Customer's Business: The purpose of the account and the nature of the customer's business are critical drivers of risk for DPMS and RE sector customers. LFIs should fully understand how their customer makes money and what types of transactions it expects to carry out through the LFI's account. As they seek to understand the customer's business, LFIs should collect all information necessary to assess customer risk.
        Perform Ongoing Monitoring: For all customers, LFIs must ensure that the customer information on file is up to date and accurate, and that the customer's activities are in line with the expectations set at onboarding. If not, the customer risk rating may need to be changed.
        Special Considerations for RE transactions: Many transactions related to the RE sector will be between persons who are not themselves members of the sector. LFIs should perform due diligence on all transactions that are outside of a customer's normal behavioral profile. If LFIs discover that a transaction is related to the purchase or sale of real estate, it may be necessary to perform additional due diligence.
        Suspicious Transaction Reporting
        For customers of all types, LFIs must report any behavior that they reasonably suspect may be linked to money laundering, the financing of terrorism, or a criminal offence. Please consult the CBUAE's Guidance on Suspicious Transaction Reporting for further information.
        Governance and Training
        The measures discussed above should be supported by a larger AML/CFT program with effective governance arrangements, including a sufficiently empowered Compliance Officer, and training that educates LFI staff on the risks of these sectors.

         

    • Guidance for Registered Hawala Providers and Licensed Financial Institutions Providing Services to Registered Hawala Providers

      Effective from 15/8/2021
      • Part I: Registered Hawala Providers and Licensed Financial Institutions

        • 1 Introduction

          • 1.2 Applicability

            Unless otherwise noted, this Guidance applies to all natural and legal persons which are licensed and/or supervised by the CBUAE in the following categories:

              Registered Hawala Providers ("RHP");
              National banks, branches of foreign banks; and
              Exchange houses.
             
            Key Definitions and Acronyms
             

            AML/CFT: Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations.

            Beneficial owner: The natural person who owns or exercises effective ultimate control, directly or indirectly, over a client; or the natural person on whose behalf a transaction is being conducted; or the natural person who exercises effective ultimate control over a legal person or legal arrangement.

            Beneficiary Hawala Provider: The beneficiary's Hawala Provider, or receiving Hawala Provider, that receives the funds or equivalent value from the Originating Hawala Provider.

            CBUAE Regulations: Any resolution, regulation, circular, rule, instruction, standard or notice issued by the CBUAE.

            Hawala Activity: The arrangements for transfer and receipt of funds or equivalent value and settlement through trade and cash.

            Hawala Provider Certificate: The Certificate issued by the CBUAE for carrying on Hawala activity in the UAE.

            Legal person: Any entities other than natural persons that can establish in their own right a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations, along with similar entities.

            Money or Value Transfer Service (MVTS): financial services that involve the acceptance of cash, cheques, other monetary instruments or other stores of value and the payment of a corresponding sum in cash or other form to a beneficiary by means of a communication, message, transfer, or through a clearing network to which the MVTS provider belongs.

            Originating Hawala Provider: The originator's Hawala Provider, or sending Hawala Provider, that initiates and carries out the transfer of funds or equivalent value to the Beneficiary Hawala Provider.

            Registered Hawala Provider: Any natural person holding a valid residency visa or Legal Person, who is registered in the CBUAE's Hawala Providers Register in accordance with the provisions of its Circular No. 24/2019, including its agents or a network of agents.

            Registered Hawala Provider Agent: Any natural or legal person carrying out activity outside the UAE on behalf of a Registered Hawala Provider.

             

          • 1.4 Organization of this Guidance

            The FATF's Mutual Evaluation Report of the UAE issued in April 2020 stated that the MVTS sector, including the Hawala service providers, is weighted as highly important in terms of risk and materiality in the UAE. This Guidance is addressed to the i) RHP and ii) LFIs that provide accounts or financial services to RHP. Part I of this Guidance applies to both RHP and LFIs, whereas Part II applies specifically to RHP and Part III specifically to LFIs.

        • 2 Overview of Hawala activity

          The FATF defines hawala providers (and other similar service providers) as money transmitters, particularly with ties to specific geographic regions or ethnic communities, that arrange for transfer and receipt of funds or equivalent value and settle through trade, cash, and net settlement over a long period of time. While hawala providers, also known as hawaladars, often use banking channels to settle between them, what makes them distinct from other money transmitters is their use of other settlement methods, including trade, cash, and long-term net settlement.2 Hawala is an activity based on trust, and it was established in response to high charges that some people cannot afford, the need to reach beneficiaries quickly in remote places where banks do not operate, and the existence of strict currency controls in some countries. Because communication is often by text message and there is no need for funds to clear, hawala transfers may also be available faster than the ones made using the formal financial system. Although hawala providers generally specialize in transferring money between certain jurisdictions, they are also part of larger networks that can arrange transfers to almost any part of the world. Such transfers are likely to be slower and more expensive than transfers within the corridors in which the provider specializes. Although the hawala system minimizes use of the formal financial system, including use of international wires, it is important to note that almost all hawaladars will ultimately seek to conduct transfers, particularly international transfers, through LFIs, and possibly to use other financial services. In doing so, they could expose the LFI with which they do business to the risks of their own business activities and customers.

          Common Attributes of Hawala Providers
           
          Fees for funds transfers are less than other channels and funds are available faster.
          Operates in communities in which the Hawala Provider is known, visible and accessible to the customers.
          Operates in areas with high numbers of expatriates/migrant workers of a specific ethnic group by providing cultural convenience with absence of language barriers, trust among community members, and solidarity among migrants with limited education levels and literacy.
          Operates with jurisdictions and regions underserved by other types of financial service providers, such as high-risk areas experiencing wars, civil unrest, conflicts, economic crisis, or weak or non-existent banking systems.
          Operates as a hawala provider to facilitate remittance services as a side business to other business activities.
          Provides one-off remittance services and communicates with the customer only as much as needed to conduct the transaction.

           

          Sample Hawala Transaction:3



          2 See also the FATF report The Role of Hawala and Other Similar Service Providers in ML/TF (fatf-gafi.org)
          3 Source: IMF, III Features of the Informal Hawala System, Informal Funds Transfer Systems: An Analysis of the Informal Hawala System (imf.org)

        • 3 Global risks of Hawala activity

          Hawaladars' business model is built around satisfying customers' needs to move money rapidly across borders, a service that may be misused by criminals just as it is used by individuals seeking to conduct legitimate personal remittances. In recent years hawala providers have been repeatedly abused to transfer illicit funds, including funds involved in terrorist financing. Certain providers have been found to be fully complicit in these schemes, and even to operate as professional money launderers. In addition, hawala providers generally have the greatest competitive advantage in areas where more formal MVTS providers do not operate or have limited infrastructure, often because these jurisdictions are remote or classified as very high risk. Although this certainly does not mean that every transaction to those areas is illicit, it does suggest that the institutional risk profile of the average hawala provider is likely to be higher than that of other MVTS providers. In many jurisdictions, hawala providers operate underground, because they are providing an illegal service or because they and their customers don't want to be required to comply with rules related to taxes, currency controls, and AML/CFT compliance. This is especially common among hawala providers operating in jurisdictions where hawala is prohibited, unregulated, or illegal.

          The inherent risk of hawala providers is influenced primarily by the regulatory environment and illicit finance risks in the jurisdictions in which they do business, the products and services they provide, and their customer base:

           1. Regulatory Environment
           

          The regulatory environment for hawala providers clearly varies across jurisdictions. In some jurisdictions, they are not able to maintain a license or registration and therefore operate entirely underground. While operating underground is generally prohibited under the laws of the country where the hawala provider operates, it does not necessarily mean that a provider is a money launderer. Still, underground providers will seek to conceal their activities from financial institutions, and are extremely unlikely to comply with any AML/CFT obligations. Such entities may present themselves to LFIs as "general trading companies" or describe other business types that can justify regular international transfers, including dealing in precious metals or stones, trading in used cars, or in high value carpets.

          Even in jurisdictions where hawala is legal and regulated such as the UAE, hawala providers may have only a basic understanding of their financial crime risks and obligations, and may not use systems and technologies that support compliance with those obligations. Furthermore, because hawaladars may lack strong AML/CFT preventive measures, they may be sought out by customers specifically hoping to take advantage of this possible weakness. As a result, hawala providers are almost always found to be classified as very high-risk customers by banks. A hawala provider can strive to manage this risk by applying strong, targeted controls and maintaining an effective AML/CFT program that meets or exceeds UAE requirements and global standards (see Part II section 3 below).

           2. Geography
           

          Hawala providers, like all financial institutions, are heavily exposed to the risks prevalent in the geographies where they operate. The risk of a hawala provider, therefore, will depend in part on the illicit finance risks (including ML/TF and sanctions evasion) in the jurisdictions where it is established or has subsidiaries. In addition, a provider's risk will also be impacted by the jurisdictions with which it most frequently does business. For example, the risk of a hawaladar operating in the UAE and primarily executing transfers to and from Country X should be assessed based on the illicit finance risk in both the UAE and Country X.

           3. Products, Services, and Delivery Channels
           

          Hawala providers, by definition, all provide money or value transfer services using hawala networks, which is subject to higher risks. The risk of hawala transactions may be increased or decreased by the size and purpose of the transaction. Some hawaladars only carry out low-value personal remittances, while others service businesses by supporting commercial operations, which may involve relatively high-value transactions. Low-value personal remittances may be considered lower-risk, although low-value remittances to jurisdictions at high-risk for terrorist financing should be treated as equally high risk. RHP in the UAE may perform only limited services (listed in section 4.1 below), but hawala providers established elsewhere may not have such restrictions on their activity.

          The risk involved in providing the hawala service is further impacted by the delivery channels through which it is offered. Channels that promote anonymity (accepting transaction orders by text or telephone; accepting cash; allowing agents or third parties to order transactions on behalf of the originator) increase the risk of the service. Some international law enforcement agencies have reported cases of hawala providers operating in virtual currencies; although still rare, such a delivery channel would be extremely high risk, as it would combine the general risks of hawala providers with those of virtual currencies, which offer illicit actors anonymity and access to a practically unregulated financial sector.

          In addition, hawala services may not be the only financial product hawala providers offer. In many jurisdictions providers also offer small loans (often with pawned items as security) and sell stored value cards, or provide safekeeping services for cash. They may also engage in non-financial lines of business such as selling calling cards, mobile phones and SIM cards. All of these lines of business are cash intensive4 and high-risk, and are generally not subject to AML/CFT controls. Even in a jurisdiction where hawala providers are regulated, they may commingle cash proceeds of these other services with hawala funds. This means that a hawala provider with an account at an LFI could use that account to support all aspects of its business, not simply provision of hawala services.

           4. Customer Base
           

          Most hawala providers are likely to serve a customer base made up of lower-income individuals seeking to conduct or receive fairly low-value transfers. Such a customer base is not necessarily low-risk, especially when customers have ties to jurisdictions that are at high risk for terrorist financing. The risk of the provider's customer base, however, will be further increased if the provider conducts larger transfers on behalf of business entities (e.g. trade-based transactions), if it has a high proportion of legal person customers, or if its customers include politically exposed persons.


          4 The CBUAE will issue Guidance for LFIs providing services to Cash Intensive Businesses.

        • 4 Regulation and Supervision of RHP in the UAE

          The CBUAE permits legitimate Hawala Activity as an important element of its continuous efforts to support financial inclusion and bring the unbanked population into the regulated financial system. To this end, Hawala is regulated by the Registered Hawala Providers Regulation issued by the CBUAE ("Circular No. 24/2019"). As per its Articles 2.1 and 7.1 and Article 26 of the AML-CFT Decision, all providers carrying on Hawala Activity in the UAE must hold a Hawala Provider Certificate issued by the CBUAE; it is not permitted to carry on Hawala Activity without being registered with the CBUAE.

           

          RHP are supervised by the CBUAE, which has the right to examine the business of RHP and their agents and customers whenever it deems appropriate to ensure proper compliance with their statutory obligations under the legal and regulatory framework in the UAE, or impose supervisory action or administrative and financial sanctions for violations. As with all LFIs, the CBUAE applies the principle of proportionality in its supervision and enforcement process, whereby small RHP may demonstrate to the CBUAE that the objectives are met without necessarily addressing all of the specifics cited in the legal and regulatory framework in the UAE.

          • 4.1 Permitted and non-permitted services by RHP

            RHP are only permitted to provide well-defined services, which include non-commercial personal remittances and money transfer services to support commercial operations (such as trade transactions with jurisdictional corridors serviced by the hawala community).

            RHP are not permitted to engage in any of the following transactions:

              Take deposits, exchange currencies or sell and purchase travellers' cheques;
              Provide any financial services other than money transfers (e.g. exchange of virtual assets/cryptocurrencies, loans, purchase of debts); or
              Execute transactions involving or on behalf of any other hawala provider in the UAE (as they are required by Circular No. 24/2019 to manage their business personally and never assign such task to another person, also known as "nesting"). This excludes the agents of the RHP in a foreign country (see also Part II section 3.3.5 below).
             
      • Part II: Guidance for RHP

        • 1 Sanctions Obligations and Freezing Without Delay

          Targeted Financial Sanctions (TFS) are legal restrictions on financial activity imposed by the United Nations Security Council (UNSC) or the UAE. An individual or legal person subject to TFS cannot send or receive money, or engage in any other kind of financial activity, without specific permission from the government of the UAE. The names of individuals or legal persons that are subject to TFS are included in lists published by the UN and the UAE (also known as "listed persons" or "sanctioned persons").

          RHP are required to fully comply with the obligation to implement all necessary measures without delay as described in the Cabinet Decision No. (74) of 2020, the "Guidance on TFS for FIs and Designated Non-Financial Business and Professions (DNFBPs)" issued by the Executive Office of the Committee for Goods & Material Subject to Import and Export Control ("Executive Office"), the "Guidance for LFIs on the implementation of TFS" issued by the CBUAE, the CBUAE Notice No. 3895/2021, and any amendments or updates thereof.5 RHP should be aware that it is a crime in the UAE to provide funds or financial services, including money transmission services, to a person subject to TFS. This means that if a person is subject to TFS, the RHP cannot do any of the following:

            Send that person money on behalf of a customer, no matter where in the world they are;
            Provide that person with money that another person has sent them; or
            Carry out a transaction of any kind for that person.
           

          Appropriate implementation of TFS has four key steps, which RHP must follow to ensure they are compliant:

           1. Maintain awareness of UNSC and UAE sanctions lists, and rapidly become informed of changes to these lists.
           

          RHP should rely on the official website of the UNSC for the most updated UN Consolidated List:

           https://www.un.org/securitycouncil/content/un-sc-consolidated-list
           

          RHP should rely on the official website of the Executive Office to obtain the most recent publication of the UAE sanctions list (Local Terrorist List) issued by the UAE Cabinet:

           https://www.uaeiec.gov.ae/en-us/un-page
           https://www.uaeiec.gov.ae/ar-ae/un-page
           

          In addition, under Article 21 of Cabinet Decision 74, RHP must register on the Executive Office's website in order to receive automated email notifications with updated and timely information about the listing and de-listing of individuals or entities in the Local Terrorist List and in the UN Consolidated List.

           2. Check the names of customers against the lists of sanctioned persons.
           

          Every time an RHP carries out a transaction, it must check before it sends or receives any money to make sure its customer, counterparty, or anyone else involved in the transaction is not listed on the UN or UAE sanctions lists. This process is known as the "screening process." The RHP must screen the customer and the person to or from whom the customer is sending or receiving money. Where the customer is a legal person, it must screen the customer's beneficial owners (see section 3.3.3 below) and senior managing official. The RHP must also screen its counterparty who is executing the transaction at the other end. The screening process can have the following results:

           A "confirmed match"; i.e. a customer or a customer's counterparty has the same full name as a sanctioned person; or
           A "potential match"; i.e. a customer or a customer's counterparty has a similar or partially matching name as a sanctioned person; in those cases, the RHP should use additional information, such as the person's date of birth, address, and nationality, to distinguish the two persons.
           

          In addition, every time there is a change to the sanctions lists, the RHP must compare the newly listed persons against its list of past customers. If an RHP finds that it previously carried out a transaction involving a person who was not listed at the time but is now listed, it has not done anything wrong. But it must report the transaction so that the authorities are aware (see step 4 below).

           3. Immediately freeze any funds in the possession or under the control of the RHP that may belong to a listed person and cancel (where possible) any transactions involving a listed person.
           

          When a "confirmed match" is found through the screening process, RHP must immediately, without delay and without prior notice, freeze all funds.

           i. "Freeze all funds" means that you must hold the funds. You cannot send them or give them to anyone except to a UAE authority. You cannot return them to the person who gave them to you. If the funds are cash, you should place the funds in a safe place, separate from other funds, until the authorities can collect them. If the funds are held in a financial institution, such as a bank, you should notify the financial institution, which will place them in a special account. If an RHP has recently completed a transaction that involves a listed person, the RHP should notify its counterparty so that they can freeze the funds at the other end if possible. It must keep records of the information that it used to confirm this.
           ii. "Without delay" means within 24 hours of the listing decision being issued by the UNSC, the Sanctions Committee or the UAE Cabinet, as the case may be. This means that you must take active efforts to become aware of changes to the sanctions lists by registering on the Executive Office's website in order to receive automated email notifications, and that once a change has been made, you must immediately put it into effect by refusing to carry out any transactions for or with a listed person.
           iii. "Without prior notice" means that you must not tell the customer, or the person whose funds are being frozen, what the RHP is going to do.
           

          When a "potential match" is found through the screening process, the RHP must suspend without delay any transaction and refrain from offering any funds or services. It must keep records of the information that it used to confirm this.

           4. Report any listed persons and the actions the RHP has taken to the appropriate authorities.
           

          With regard to LFIs' obligation for TFS reporting, the CBUAE, in coordination with the Executive Office, has established a unified mechanism to report TFS obligations utilizing the UAE Financial Intelligence Unit's (FIU) online reporting platform (goAML).

          In case of any "confirmed match" to a listing of names of individuals or legal persons to the Local Terrorist List and the UN Consolidated List, the RHP are required to report any freezing measures, prohibition to provide funds or services or any attempted transactions via the goAML platform within two business days by selecting the Fund Freeze Report (FFR). The RHP must also ensure all the necessary information and documents are submitted.

          In case of any "potential match" to a listing of names of individuals or legal persons to the Local Terrorist List or UN Consolidated List, the RHP are required to report the potential match via the goAML Platform by selecting the Partial Name Match Report (PMNR). The RHP must also ensure all the necessary information and documents are submitted. In addition, the RHP must uphold suspension measures related to the "potential match" until further instructions are received via the goAML Platform on whether to cancel the suspension or implement freezing measures.

          The TFS related reports (FFR or PMNR) submitted via the goAML Platform will be received simultaneously by the CBUAE and the Executive Office. RHP should also consult the CBUAE's6 and the Executive Office's7 websites respectively as updated from time to time.
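The screening outcomes and the follow-up action attached to each, as an added Python illustration (not code from the CBUAE or from this Guidance). The name normalization, the 0.85 token-similarity ratio, the two-token rule and all sample names are assumptions constructed for the example; the Guidance defines no numeric matching rule.

```python
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Assumed tuning values: the Guidance does not define "similar" numerically.
TOKEN_SIMILARITY = 0.85   # two name tokens count as alike at or above this ratio
MIN_SHARED_TOKENS = 2     # alike tokens needed before a name is a potential match

SEVERITY = {"clear": 0, "potential": 1, "confirmed": 2}
# Action and goAML report type the Guidance attaches to each outcome.
RESPONSE = {
    "clear": ("proceed with the transaction", None),
    "potential": ("suspend the transaction and withhold funds and services", "PMNR"),
    "confirmed": ("freeze all funds without delay and without prior notice", "FFR"),
}


def normalize(name):
    """Strip diacritics and punctuation, casefold, and split into name tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    spaced = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return tuple(spaced.split())


def _alike(a, b):
    return a == b or SequenceMatcher(None, a, b).ratio() >= TOKEN_SIMILARITY


def classify(party_name, listed_name):
    """Compare one party name with one list entry."""
    party, listed = normalize(party_name), normalize(listed_name)
    if not party:
        # A party without a usable name cannot be screened, so it must not pass.
        raise ValueError("party name is empty; screening cannot be completed")
    if not listed:
        return "clear"
    if party == listed:                      # same full name
        return "confirmed"
    shared = sum(1 for tok in set(party) if any(_alike(tok, ref) for ref in listed))
    return "potential" if shared >= MIN_SHARED_TOKENS else "clear"


@dataclass
class Decision:
    outcome: str
    action: str
    report: Optional[str]
    hits: list = field(default_factory=list)  # (role, party name, listed name, outcome)


def screen_transaction(parties, sanctions_list):
    """parties maps each role in the transaction to a name; the worst outcome wins."""
    hits = []
    for role, name in parties.items():
        for listed in sanctions_list:
            outcome = classify(name, listed)
            if outcome != "clear":
                hits.append((role, name, listed, outcome))
    worst = max((h[3] for h in hits), key=SEVERITY.get, default="clear")
    action, report = RESPONSE[worst]
    return Decision(worst, action, report, hits)


# Constructed entries for the example; not taken from any real sanctions list.
SAMPLE_LIST = ["Jonathan Q Sampleton", "Example Trading Co FZE"]

if __name__ == "__main__":
    transaction = {
        "customer": "Maria Testerova",
        "beneficiary": "Jonathon Sampleton",
        "counterparty": "Placeholder Remit LLC",
    }
    decision = screen_transaction(transaction, SAMPLE_LIST)
    print(decision.outcome, "->", decision.action, "| goAML report:", decision.report)
    for hit in decision.hits:
        print("  hit:", hit)
```

A potential match still needs the manual comparison of date of birth, address and nationality described above; the code only decides which transactions are held for that review.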


          5 Available at: https://www.centralbank.ae/en/cbuae-amlcft
          6 Available at: https://www.centralbank.ae/en/cbuae-amlcft
          7 Available at: https://www.uaeiec.gov.ae/en-us/un-page

        • 2 Registration and other Requirements

          • 2.1 Registration

            Under Article 2 of Circular No. 24/2019, a resident natural person or legal person may not carry on Hawala Activity in the UAE unless the applicant holds a Hawala Provider Certificate issued by the CBUAE and registered in the CBUAE Hawala Providers Register. Any resident natural person or legal person may apply for registration and obtain a Hawala Provider Certificate from the CBUAE. The applicant should not be of UAE nationality, should be legally competent, and officially residing in the UAE. The said application shall be made on the CBUAE's prescribed forms on the CBUAE's website.8


            8 Available at https://www.centralbank.ae/en/cbuae-amlcft.

          • 2.2 CBUAE Notification of Approval/Rejection

            Under Article 3 of Circular No. 24/2019, the CBUAE may agree or decline an application for a Hawala Provider Certificate. In case of approval, the CBUAE shall issue a Hawala Provider Certificate valid for one year, renewable for similar periods. The CBUAE shall notify the applicant in writing, and may include in the Hawala Provider Certificate whatever terms and conditions it deems appropriate. In case of rejection, the CBUAE shall notify the applicant in writing indicating reasons for rejection.

          • 2.3 Re-Registration

            Under Articles 2 and 4 of Circular No. 24/2019, RHP should submit to the CBUAE an application for renewal of the Hawala Provider Certificate within a period of not less than two months from the date of expiry of the original certificate or any renewals thereof. The said application should be made on the CBUAE's prescribed form titled "Application to Re-register Hawala Providers" on the CBUAE's website.

          • 2.4 Requirements for Trade License, Security and Reporting Systems

            As per Article 2 of Circular No. 24/2019 and the respective application requirements, RHP must complete the following requirements within 90 days from the date mentioned in the final registration certificate as well as submit proof of completion to the Licensing Division of the CBUAE:

              Add Hawala Activity to the commercial trade license.
              Install security systems; i.e. CCTV and police connections.
              Register in the relevant Services Access Control Manager (SACM) and subsequently to the UAE FIU's goAML portal by following the steps in the registration guides issued by the FIU previously sent to RHP. Registration on SACM is a prerequisite for goAML registration;
              Register in the relevant SACM and subsequently to the CBUAE's Remittance Reporting System (RRS) for the daily reporting and Integrated Regulatory Reporting System (IRR) for the quarterly reporting (see Part II section 4 below). Registration in SACM is a prerequisite for RRS & IRR registration. In order to register in SACM, RHP will be required to provide the following information to the CBUAE via e-mail on hawala@cbuae.gov.ae:
                Trade name of the RHP;
                First and last name of the user;
                Emirates ID number and copy of Emirates ID;
                Email address; and
                Mobile phone number.
              RHP should register for the Integrated Enquiries Management System (IEMS) by referring to the IEMS User Guide available at the relevant link in FIU's website.9
             

            Failure to submit the above within the specified period may result in a registration certificate withdrawal.


            9 Available at: https://www.uaefiu.gov.ae.

          • 2.5 Requirement for a Bank Account

            As per Article 2 of Circular No. 24/2019 the RHP must maintain an account with a bank operating in the UAE to be used for settlement and provide the CBUAE with details of such account. In addition, they should inform their account manager at the bank of their intention to use the account to carry out Hawala Activity.

        • 3 AML/CFT Program

          As per Articles 4, 20, 21 and 26 of the AML-CFT Decision, RHP are required to establish and maintain effective AML/CFT compliance programs designed to prevent them from being misused to facilitate money laundering or terrorist financing (ML/TF). The program must be risk-based and appropriate to the risk of the RHP, taking into consideration its:

            Size;
            Volume of transactions;
            Types of remittances offered (personal only or personal and commercial);
            Complexity;
            The nature and volume of its Hawala Activity;
            The nature of its customer base; and
            The geographic areas in which it operates.
           

          This means that where an RHP engages in higher-risk activities (as discussed below in section 3.2), or does a higher volume of business, it must have a more sophisticated AML/CFT program and employ more intensive measures to manage this risk. The section that follows discusses the mandatory minimum elements of an AML/CFT program under the legal and regulatory framework in the UAE as well as ways that RHP can make adjustments to respond to their risk. It is divided into four parts, as follows:

            1. The AML/CFT Program and the Compliance Officer. This part discusses the content of the AML/CFT program and how it should be implemented by the RHP.
            2. Understanding Risks. This section discusses how to identify the RHP's ML/TF risks so that the RHP can build an appropriate AML/CFT program.
            3. Customer Due Diligence. This section discusses the mandatory procedures for identifying and understanding the RHP's customers and counterparties.
            4. Record Keeping. This section discusses the records of activity that the RHP must maintain and provide to law enforcement authorities and counterparties.
           
          • 3.1 The AML/CFT Program and the Compliance Officer

            As per Article 21 of the AML-CFT Decision, each RHP must have a specific person, the Compliance Officer, who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT program. This person must be an employee, manager, or owner of the RHP. In large RHP, with multiple employees and substantial revenues from Hawala Activity, the CBUAE expects that the Compliance Officer will be a full-time position without any other responsibilities for managing the business. In small RHP, however, the CBUAE recognizes that the Compliance Officer is likely to have other responsibilities beyond management of the compliance program. If the RHP is owned and operated by a single person, that person will be the Compliance Officer.

            The Compliance Officer is responsible for the following:

              Ensuring full compliance with the legal and regulatory framework in the UAE and this Guidance;
              Making sure that other employees of the RHP (where relevant) comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's own policies and procedures; and
              Implementing the compliance program elements described in this Guidance, including conducting the risk assessment.
             

            The RHP's AML/CFT compliance program must include all the measures discussed in the following sections as well as the following components:

              Provide education and training to appropriate personnel. RHP employees who participate in Hawala Activity must be trained to understand how to comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's policies and procedures. It is not acceptable for an untrained employee to have responsibility for collecting or disbursing customer funds and initiating transactions.
              Conduct a periodic audit of the AML/CFT program. RHP are required to arrange for a regular independent audit of their program by hiring an external qualified independent auditor approved by the CBUAE. Small RHP should be audited once every two or three years, while large RHP once every year. It is important to note that the audit must be independent; i.e. an RHP may not audit itself.
             
          • 3.2 Understanding Risks

            According to Article 16 of the AML-CFT Law and Article 4 of the AML-CFT Decision, RHP must identify, assess and understand the ML/TF risks to which they are exposed, and how they may be affected by those risks, in order to determine the nature and extent of AML/CFT resources necessary to mitigate and manage those risks. The sophistication of an RHP's risk assessment process depends on the RHP's size and operations. A large RHP is expected to produce an extensive risk assessment that complies fully with the standards outlined in the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof. This assessment may be done by an external consultant, but the RHP retains ultimate responsibility for its content and its compliance with the standard set in the Guidelines. The CBUAE recognizes, however, that a small RHP has limited services and resources. RHP of this type can follow the risk assessment process discussed below. All RHP must document their risk assessment, even if it is in the form of notes, to demonstrate that they have thoughtfully completed this process. They must be able to understand their findings and explain them to the CBUAE if called upon.

            The Compliance Officer should begin the risk assessment process by carefully reading and understanding Parts I and II of this Guidance, which contain essential information about the risks faced by an RHP. The Compliance Officer should then consider the RHP's risk in the following risk categories. The discussion below does not cover every factor that increases or decreases risk and RHP should consider any other factors based on their knowledge and experience.

             1. Customer Risk. This is the risk that your customers may be involved in ML/TF. By receiving money from a customer who is involved in illegal activities, the RHP itself can unwittingly become involved in those activities. Some examples of questions that RHP can use to assess customer risk include:

              a. Are my customers mostly individuals, or do I have many customers that are legal persons? When you provide services to a company, you don't always know who you're really dealing with. So having many legal person customers may increase your risk.

              b. Are my customers only sending remittances to family, or are they engaging in business? Business activities are generally considered to be higher risk for ML/TF because amounts are higher and it's harder for the RHP to understand the true purpose of the transaction.

             2. Geographic Risk. Some countries are high risk for illicit activity, whether because they have a high volume of crime and terrorism, or because their financial sector doesn't have controls to prevent the movement of illicit funds. If an RHP operates in those countries, either because it has agents there or because it frequently sends or receives money there, then it is exposed to that risk. Questions an RHP can ask to assess its geographic risk include:

              a. Do I regularly do business in or with countries that have an ongoing insurgency? Where terrorist attacks are frequent? These countries will be very high risk.

              b. Do I regularly do business in or with countries listed on the FATF list of monitored jurisdictions?10

             3. Products and Services Risk. RHP are permitted to offer only limited products and services (see Part I section 4.1 above). Within the group of permitted products, transfers connected to commercial activity are generally considered to be higher risk than those connected to personal remittances.

             4. Delivery Channel Risk. The way an RHP delivers its products and services will also impact its risk, because some delivery channels make it difficult to understand and observe the customer. For example, if an RHP accepts orders for remittances via text message or phone call, or allows customers to initiate a transaction by giving money to an associate, who then delivers it to the RHP, this will make their activities higher risk.
             

            Based on the considerations above, RHP should give themselves an overall score of Low, Medium, or High risk. RHP should complete the risk assessment process at least once a year. RHP should understand their risk assessment, its findings, and what it means for their business. They should consider their risk assessment when designing and implementing their AML/CFT program. Where they assess themselves as higher risk, they should take additional precautions.

             


            10 The FATF list can be found at https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/?hf=10&b=0&s=desc(fatf_releasedate).

          • 3.3 Customer Due Diligence

            Customer due diligence ("CDD") is the process by which an RHP identifies and understands its customer. CDD is required by Article 5 of the AML-CFT Decision and is essential to protecting the RHP from abuse, and to deterring and detecting ML/TF schemes. In specific cases outlined below, and whenever the RHP believes that higher risks are present, the RHP must perform Enhanced Due Diligence ("EDD"). EDD involves more intensive measures to discover information about the customer.

            The RHP must perform Customer Identification Diligence ("CID"), CDD or EDD prior to conducting each and every transaction, even if the customer is a repeat customer (see sections 3.3.1 to 3.3.4 below for their details). An RHP must not conduct a transaction if the appropriate diligence has not been performed or completed.

            When to Use CID, CDD and EDD

            | Transaction | What is Required |
            |---|---|
            | A natural person sends or receives a transfer between AED 1 and AED 3,499. | CID, unless higher risks are present, in which case CDD & EDD as well. |
            | A natural person sends or receives a transfer of between AED 3,500 and AED 54,999. | CDD, unless higher risks are present, in which case EDD as well. |
            | A natural person sends or receives a transfer of AED 55,000 or greater. | CDD and EDD |
            | A natural person from a high-risk jurisdiction sends or receives a transfer of any value. | CDD and EDD |
            | A natural person who is a politically exposed person sends or receives a transfer of any value. | CDD and EDD |
            | A legal person sends or receives a transfer of any value. | CDD and EDD |

             

            • 3.3.1 Customer Identification Diligence

              The CID process must be applied for a natural person who sends or receives a transfer between AED 1 and AED 3,499. The CID process is the verification of the original identification documents of the customer who is a natural person and the systematic recording of basic customer information in the point of sale system without the need to retain copies of the identification documents. The customer's full name, address, mobile number, nationality, date of birth, ID type (Emirates ID, or passport number when Emirates ID is not available) and ID number must be recorded in the point of sale system and printed on receipts.

            • 3.3.2 Customer Due Diligence for Natural Persons

              Article 4 of Circular No. 24/2019 requires RHP to identify and verify the identity of their customers, including remitters and beneficiaries, by using Emirates ID, or passport when Emirates ID is not available. RHP must collect at least the following information for each customer:

                Name,
                Emirates ID number or passport number when Emirates ID is not available;
                Date of birth and nationality;
                Address;
                Mobile number;
                Occupation; and
                The name of the person from whom the customer is receiving money, or the person to whom the customer is sending money and their country.
               

              This information must be printed on customer receipts. RHP must record this information and store it in their files for five years. RHP must also take a clear photo or photocopy of the customer's identification document and retain it for five years.

              The CDD process should also be applied when it appears that a natural person may be deliberately splitting up a larger transfer to evade the CDD requirement (for example, by repeatedly, such as once a week, transferring a value below AED 3,500 per transaction).

              Using this information, as discussed in Part II section 1 above on sanctions obligations, RHP should screen their customers, including the sender/beneficiary as appropriate, and the transaction against the UN Consolidated List and the Local UAE Terrorist List. Screening must be performed before carrying out any transaction for the customer. If there is a match, the RHP should carefully consider whether the other data collected (date of birth, country of birth) match the information available for the listed person in question. The RHP may continue with the transaction only if it is confident that its customer or the person on the other end of the transaction is not a listed person. In addition, if the RHP discovers that any party to the transaction is listed on the UN Consolidated List and the Local Terrorist List, it must not return the customer's funds or provide the customer with funds that have been sent to him, but must instead freeze the funds.

              Furthermore, RHP should obtain a clear understanding of the intended purpose and nature of the transaction and ensure that it does not breach the permitted services by RHP listed in Part I section 4 above. RHP should consider whether it is consistent with what they know about the customer. Some examples of transactions that may require further investigation include:

               A customer who says he works as a labourer wishes to transfer a sum that is greater than the average yearly income for someone in his position.
               
               A customer visits the RHP on a regular basis and makes small or moderate-sized transfers, but the sum of the amounts he transfers over the course of the year is greater than the yearly income for someone in his position.
               
               A customer says that he has no occupation, but continues to make transfers or transfers a large sum.
               
               A customer who is from country A states that he is sending funds to a family member, but the beneficiary is located in country B.
               
               A customer from country A makes regular transfers to people he says are family members in that country, but they appear to live in different regions of country A and their relationship to the customer is not clear.
               

              These transactions are not necessarily illicit, but they suggest that the RHP needs to collect additional information. For example, a customer may actually be acting on behalf of a business. In that case, the RHP's customer is actually the business, and it must perform CDD on the business as described in section 3.3.3 below. If the RHP has any additional concerns, it should follow the EDD procedures discussed in section 3.3.4 below.

              RHP must cease and reject any transaction if they cannot collect any of the information required above, or if they cannot comply with any of the above requirements.

            • 3.3.3 Customer Due Diligence for Legal Persons

              When a legal person like a company uses an RHP to conduct a transaction, the RHP's customer is the company itself, not the individual representing the company. A legal person conducts a transaction when the funds involved belong to the legal person, and when the transaction is made as part of carrying out the legal person's business. If the customer is a legal person, it must be registered and based in the UAE to carry out transactions through a RHP. Legal persons such as companies, bodies corporate, foundations, partnerships, or associations, along with similar entities do not have bio-data like individuals and can transact under their own names while being controlled by other individuals. This means that they require specific CDD procedures. As per Articles 8 and 9 of the AML-CFT Decision RHP must perform the following actions for a legal person customer:

               1.Collecting and recording the following information about the legal person customer:
                a.The legal person's name;
                b.The legal person's legal form (e.g., limited liability company);
                c.The address of the legal person's main office or headquarters;
                d.The legal person's trade license; and
                e.The name of the legal person's senior managing official.
               2.Conducting CDD as described in section 3.3.2 above on the individual representing the customer (the individual who is directly ordering the transaction).
               3.Determining that the representative is authorized to conduct the transaction via a valid authorization, such as the trade license and/or a letter from the legal person customer's management on its letterhead.
               4.Identifying and verifying the identity of the customer's beneficial owners.
                a.Beneficial owners are the individuals who own and control the legal person. In many cases, the managing director or other similar top official will also be the beneficial owner, but not always.
                b.RHP must identify every individual who owns 25% or more of the legal person customer. They must collect their names, and then perform CDD on them as required by section 3.3.2 above.
                c.RHP can collect the names of beneficial owners, and thus determine who to perform CDD on, by asking the customer's representative. If they are concerned about the information provided by the representative, they should ask for documentation to prove ownership.
                d.If no individual owns 25% of the legal person customer, RHP must identify, and conduct CDD on the individual who is the customer's senior managing official.
                e.Beneficial owners cannot be other legal persons. If a legal person customer is owned by other legal persons, the RHP must understand their ownership as well until it identifies all individuals owning at least 25% of its customer.
               5.Understanding the customer's ownership and control structure. The RHP must understand who owns the customer, who exercises control over it and how.
               6.Understanding the nature of the customer business. The RHP must understand what sort of business the customer engages in and how the customer makes its money. If the customer's business doesn't make sense, or if the customer has no apparent business activities, that calls into question whether the funds involved in the transaction actually came from legitimate business activities.
               7.Conducting sanctions screening on all related parties. The RHP must at least screen the following names against sanctions lists:
                a.The name of the legal person customer;
                b.The name of the customer's representative;
                c.The name of the beneficial owner(s);
                d.The name of the customer's senior managing official; and
                e.The customer's address.
               

              As with CDD for natural persons, RHP must take a clear, readable photo or photocopy of documents obtained from the customer during CDD, and must retain those documents for five years after the transaction.

            • 3.3.4 Enhanced Due Diligence

              Sometimes CDD alone as described above is not sufficient to fully understand a customer. In addition, for certain customers, an extra level of due diligence is required. The RHP must perform EDD in the following circumstances:

               1.The customer is a legal person. In these cases, the RHP must perform all the steps listed in section 3.3.3 above, plus additional due diligence as described here.
               
               2.The customer is a natural person carrying out a transfer worth AED 55,000 or above. In those cases, the RHP must perform all the steps listed in section 3.3.2 above, plus additional due diligence as described in this section below.
               
               3.The customer is a politically exposed person. During CDD, the RHP must collect information regarding the occupation of a natural person customer, and the beneficial owners of a legal person customer. If the customer, or the beneficial owners of a legal person customer, indicates that he or she is a government official with any government, the RHP must ask additional questions to understand that individual's rank and status. If the individual holds a high-ranking position in any government, then EDD is required for the customer. This is to make sure that the funds involved are not related to corruption or abuse of the customer's position.
               
               4.The customer is from, or is sending a remittance to, a high-risk jurisdiction. As discussed in section 3.2 above, high-risk jurisdictions are those with a higher risk of ML/TF.
               

              RHP should consider performing EDD when there are other high risks associated with the transaction, such as concerns about the customer's behaviour or about the source of the funds involved in the transaction.

              When performing EDD, RHP must follow the following mandatory steps:

                Seek approval from the manager of the RHP to carry out the transaction. If the RHP is owned and operated by a single person, this step is not necessary.
                Collect additional information to understand the source of funds involved in the transaction and the customer's overall source of funds (i.e. source of wealth). For instance, the RHP may ask for a pay slip to verify the customer's income.
                Collect additional information about the customer's business. For example, if a transaction is linked to the sale of goods, the RHP may request to see the invoice.
               
            • 3.3.5 Agent Due Diligence

              RHP may use agents in a foreign country to carry out activity on their behalf in that foreign country. This generally entails the corresponding agent in the foreign country executing payments on instructions from the RHP, or the agent sending instructions to the RHP to execute payments domestically. It should be noted that RHP are not permitted to use agents to carry out activity on their behalf in the UAE (as they are required by Circular No. 24/2019 to manage their business personally and never assign such task to another person, also known as "nesting").

              RHP are exposed to risks when their agents engage in transactions that create risks for ML or TF. RHP must identify and assess the ML/TF risks they may be exposed to from the use of agents to provide activity on their behalf in a foreign country. RHP should ensure that they understand who their agents are, and that they are not breaching any applicable AML/CFT laws and regulations. In order to reduce their exposure to ML/TF risks, RHP are required to perform appropriate due diligence on their agents, to ensure they thoroughly know their agents and monitor their transactions to ensure that they are legitimate. The required elements of due diligence on agents are as follows:

               When entering into a business relationship with an agent, as a first step, the RHP should identify and verify the identity of the agent, using reliable, independent source documents, data or information.
               RHP should also identify and take reasonable measures to verify the identity of the beneficial owner(s) and understand the ownership and control structure of the agent, such that the RHP is satisfied that it knows the beneficial owner(s) and that the agent is not a shell bank.
               RHP should gather sufficient information to understand the purpose and intended nature of the business relationship, which includes understanding what types of customers the agent intends to service through the business relationship, how it will offer services, the transaction volume and value, and the extent to which any of these are assessed as high risk.
               RHP should also gather sufficient information and determine from publicly available information the reputation of the agent, including whether it has been subject to a ML/TF investigation or regulatory action. In addition, RHP should ensure that the agent has proper AML/CFT controls.
               RHP should conduct ongoing due diligence of the business relationship, including periodical reviews of the CDD information on the agent, and ongoing monitoring to detect any changes in the agents' activity pattern that may indicate unusual activity.
               

              RHP should keep up-to-date agent lists and retain them for a period of five years. RHP must provide the CBUAE current lists of their agents and the countries in which they operate. In addition, RHP should make current lists of their agents available to the relevant authorities within the country in which they operate. RHP should ensure that their agents fully adhere to the procedures of record keeping as described in this Guidance and that they make those records available to the RHP immediately upon request.

          • 3.4 Record Keeping

            Under Article 16 of AML-CFT Law and Article 24 of the AML-CFT Decision, RHP, as remittance providers, have very important obligations relating to the records they maintain about the remittances they execute.

            • 3.4.1 Record Keeping Related to Remittances

               1.Sending a Remittance
               

              When the RHP's customer is the person originating a transaction, the RHP must collect the following information through the CID and CDD process:

                The sending customer's name;
                His or her Emirates ID, or passport number when Emirates ID is not available;
                His or her date and nationality;
                His or her address;
                Mobile number;
                Occupation; and
                The name of the beneficiary of the transaction and the country it is sent to.
               

              The RHP must assign the transaction a unique ID number that allows the RHP to quickly identify and track the transaction. The RHP must provide all of this information to the hawala provider at the other end of the transaction and keep the relevant record. The RHP must not carry out the transaction if it has not supplied this information.

               2.Receiving a Remittance
               

              When the RHP's customer is the person receiving the remittance, the RHP must conduct CDD on the beneficiary and make sure that its customer's information matches that of the beneficiary identified in the information provided by the Originating Hawala Provider and keep the relevant record. The information must include:

                The receiving customer's name;
                His or her Emirates ID, or passport number when Emirates ID is not available;
                His or her date and nationality;
                His or her address;
                Mobile number;
                Occupation; and
                The name of the sender of the transaction and the country it is sent from.
               

              The RHP's partners and agents outside the UAE should comply with the requirements under "Sending a Remittance" above even though they are not subject to UAE laws. If an RHP receives a transaction order from a hawala provider outside the UAE that does not contain the information required under "Sending a Remittance" above, it cannot perform required sanctions screening or identify whether the transaction is suspicious and needs to be reported to the FIU. Therefore, the RHP should require its agent or counterpart to provide the information listed before it releases the funds to the beneficiary.

            • 3.4.2 Other Types of Record Keeping

              According to the AML-CFT Law and the AML-CFT Decision, RHP must keep all records obtained through the CDD process; copies of personal identification documents provided during CDD; and copies of Suspicious Transaction Reports (STR) filed with the FIU. Under Article 4 of Circular No. 24/2019, RHP are required to have forms in which the customer fills in the necessary information to originate the transaction; RHP must retain these forms as well.

              RHP must also maintain records of transactions. These records must be sufficiently detailed to allow authorities to reconstruct and understand the transaction. They must at least include the names of the sender and beneficiary, the date of the transaction, and the amount of the transaction, and be organized in such a way so that the RHP and authorities can easily find the records they need for a specific transaction.

              RHP must make the records described here, or any other records, available to the competent authorities immediately upon request. All the records described in this section must be kept for at least five (5) years, from the date of completion of the transaction, or for longer if directed by the CBUAE or other authority.

        • 4 Reporting Obligations

          • 4.1 Daily Reporting

            Under Article 4 of Circular No. 24/2019, RHP are required on a daily basis to upload electronically to the CBUAE, via its Remittance Reporting System ("RRS") and/or other applicable system, the data and details of all transfers, remitters and beneficiaries as per the forms prepared by the CBUAE for this purpose.

          • 4.2 Quarterly Settlement Statements

            Under Article 4 of Circular No. 24/2019, RHP should submit to the CBUAE statements of their settlement accounts on a quarterly basis along with other required forms, as well as provide the CBUAE with any data, information, or statistics it may require at any time and for any specific period.

          • 4.3 Reporting Suspicious Transactions and Registration to GoAML

            RHP must monitor transactions that they carry out to identify those that may be suspicious and where a Suspicious Transaction Report ("STR"), suspicious activity report ("SAR") or other report types may need to be filed with the FIU. Monitoring begins at the CDD stage, but does not end there. RHP must keep records of customer activity so that they can examine it to identify patterns over time that may be cause for concern. RHP must take into account all information available, including regarding the originator and beneficiary(ies) of a transaction, in order to determine whether an STR is to be filed.

            Situations in which it may be necessary to file an STR/SAR include:

             A customer begins the CDD process, but cancels the transaction and leaves when he discovers the information that the RHP is required to collect.
             
             The RHP completes CDD on a customer, but still has doubts as to whether the transaction was legitimate or whether the customer's stated reason for the transaction was the true one.
             
             A customer carries out transactions larger than his stated income without providing a valid justification.
             
             A natural person customer regularly orders transactions just below the AED 55,000 threshold for when EDD is required (i.e. either tied to the threshold or if there are other risk factors that may trigger EDD).
             
             Multiple customers send money to, or receive money from, the same person, and there is no clear connection between the customers.
             
             The RHP suspects that a customer is carrying out transactions that are disallowed under Part I, section 4.1 of this guidance.
             

            Under Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, if the RHP suspects that a transaction, attempted transaction, activity, or funds (including agents' transactions), constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime, they must submit an STR, SAR or other report types to the FIU using the "goAML" portal. RHP must submit this report without delay, meaning as soon as reasonably possible after the transaction takes place or their suspicions develop. All RHP must register with the goAML portal so that they can easily file these reports.

            Reporting a suspicious transaction is not an admission of guilt or wrongdoing. STRs filed by RHP help law enforcement authorities identify and track potential criminal behaviour. As long as the RHP complies with the procedures in this guidance document, it will not generally be held responsible for a transaction that turns out to have been involved in a crime. But a failure to report a transaction that an RHP should know to be suspicious can result in penalties.

            For more detail and information, please refer to the "CBUAE Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting."

      • Part III: Guidance for LFIs

        • 1 Understanding Risks

          Please refer to Part I, Section 3 for a description of the risks of Hawala Activity.

          The Circular No. 24/2019 requires that RHP must maintain an account with a bank operating in the UAE to be used for settlement and provide the CBUAE with details of such account. The CBUAE expects LFIs to accept RHP customers, but LFIs must manage the risk that these transactions create through the use of appropriate controls (see Part III, section 2 below). LFIs must not accept as customers unregistered hawala providers based in the UAE, and must immediately report an STR to the FIU, inform CBUAE when they are detected, and closely monitor the relationship. Please see Part III, sections 2.2 and 2.3 below for guidance on detecting unregistered MVTS.

           

        • 2 Mitigating Risks

          The sections below elaborate on how LFIs can apply specific preventive measures to identify, manage, and mitigate the risks associated with hawala provider customers. These are not exhaustive and LFIs should consult the legal and regulatory framework in force in the UAE for the measures to be taken. The controls mentioned below should at a minimum be integrated into the LFI's larger AML/CFT compliance program, and supported with appropriate governance and training.

          • 2.1 Risk-Based Approach

            LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including hawala providers. The risk-based approach has three principal components:

            • 2.1.1 Conducting an Enterprise Risk Assessment

              As required by Article 4.1 of the AML-CFT Decision, the enterprise risk assessment should reflect the presence of higher-risk customers, including hawala providers, in an LFI's customer base. These assessments should in turn be reflected in the LFI's inherent risk rating. In addition, the LFI's controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its hawala provider customers, including the preventive measures discussed below.

            • 2.1.2 Identifying and Assessing the Risks Associated with Specific Customers

              The LFI should assess the risk of each customer to identify those that require EDD and to support its entity risk assessment. As discussed in Part I section 3 above, the regulatory environment and illicit finance risks in the jurisdictions in which it does business, the products and services it provides, and its customer base are critical determinants of a hawala provider's inherent risk. In assessing the risks of a hawala provider customer, LFIs should consider:

              i.Controls Risk: LFIs should seek to understand the regulatory requirements in place for the customer, as well as how well they are enforced. The regulatory requirements placed on hawala providers vary markedly across jurisdictions.
               
              ii.Geographic Risk: The risks associated with the jurisdictions in which the provider lives (for individuals) or is registered/established (for legal persons) and where it operates, including the jurisdictions where its main counterparties are based and where it has subsidiaries.
               
              iii.Product, Service, and Delivery Channel Risk: LFIs should assess risk in this category on two dimensions:
               
               a.The products and services that the hawala provider offers to its customers, and
               
               b.The delivery channels through which it offers these products and services.
               
               Products, services, and delivery channels that promote the rapid, anonymous transfer of high values are particularly attractive to illicit actors.
               
              iv.Customer Risks: For hawala provider customers, customer risk can be assessed as the proportion of higher-risk customer types (e.g. politically exposed persons, legal persons, and customers from high-risk jurisdictions) within the provider's customer base.
               

              Questions that an LFI may ask to determine the risk profile of a hawala provider customer include, but are not limited to:

                Where is the provider incorporated? Where does it operate? Are these high-risk jurisdictions?
                What products and services does the provider offer its customers?
                What volume of transactions does the provider carry out?
                What customer base does the provider serve?
                What is the regulatory environment in the jurisdiction(s) where the provider is incorporated/has operations?
                Is there an authority that actively enforces the requirements?
                Does the provider perform appropriate CDD, transaction monitoring, record keeping, and sanctions screening?
                Does the provider intend to use its account to execute transactions on behalf of its customers?
               

              In addition to risk rating hawala providers, LFIs should also consider the risks of specific transactions, especially high-value transactions, those involving high-risk jurisdictions, and those that represent departures from a customer's standard or expected behaviour.

            • 2.1.3 Applying EDD and Other Preventive Measures

              Where the LFI determines a customer to be higher-risk, Article 4.2(b) of the AML-CFT Decision requires that the LFI apply EDD. Specific EDD steps are also required for hawala provider customers that are politically exposed persons, or are owned or controlled by a politically exposed person, or are based in a higher-risk jurisdiction.

          • 2.2 Customer Due Diligence and Enhanced Due Diligence

            The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI's services. Where an LFI cannot satisfy itself that it understands a customer, then it must not accept the customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing an STR, SAR or other report types to the FIU as discussed in section 2.3.2 below. This guidance is not an exhaustive list of LFIs' CDD obligations and LFIs should consult the legal and regulatory framework in force in the UAE for the measures to be taken.

            • 2.2.1 Customer Identification and Verification

              Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers. Please see also the AML/CFT Guidelines for Financial Institutions for full information on customer identification. In particular, when verifying the Emirates ID card, LFIs must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the Emirates ID and its digital verification.

              Hawala providers based in the UAE are required to have an active registration certificate issued by the CBUAE and a commercial trade license that includes Hawala Activity. In particular, when opening any accounts for hawala providers, LFIs must physically check the original hawala provider registration certificate issued by the CBUAE and keep a copy thereof. LFIs should not form business relationships or conduct transactions with hawala providers without an active registration certificate issued by the CBUAE (unregistered hawala providers). In addition, if an LFI determines that a customer or prospective customer has materially misrepresented itself or its business, it must not accept the customer, must exit the relationship if one has been established, should add the customer, its beneficial owners, directors and managers to its internal watchlists, and should file an STR with the FIU.

            • 2.2.2 Beneficial Owner Identification

              Where the hawala provider customer is a legal person, please consult the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements for details on the identification of beneficial owners.11


              11 Available at https://www.centralbank.ae/en/cbuae-amlcft.

            • 2.2.3 Customer's Business and Business Relationship

              For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer's business. This element of CDD will have important implications for the customer risk rating. This is particularly true of the purpose of the account, which will likely be an essential determinant of risk for hawala provider customers. It is critical that LFIs have processes and controls in place to ensure that they are able to identify hawala customers. LFIs must ensure that they fully understand their customers' source of funds and the business in which they are engaged. In addition to interviewing the customer, requesting financial records, and reviewing invoices, LFIs should also search company databases and consider visiting the customer's business premises.

              Underground hawala providers often try to evade detection by creating new companies and/or frequently switching to new financial institutions. In addition, even those that operate legally may seek to misrepresent the purpose of the relationship in order to evade scrutiny and controls imposed by the LFI. It can be particularly difficult for an LFI to establish the bona fides and business activities of a newly established company, which is likely to not have any customers or inventory, especially when that company's line of business (e.g. import/export) is vague. LFIs should screen the names of new customers' beneficial owners, directors, and managers against their internal watchlists of customers previously exited by the LFI.

              When a customer provides information indicating it is a hawala provider, LFIs must collect sufficient information during the CDD process to understand the full scope of the customer's business, including not only its provision of hawala services but also any other business activities in which the customer engages. LFIs should pay particular attention to the jurisdictions with which their hawala provider customers does business, and must understand whether their customer offers financial services to other hawala providers (e.g. participates in clearing networks or makes transfers on behalf of the customers of another provider who lacks a network in certain jurisdictions). Furthermore, LFIs must fully understand the intended use of the account and the expected activity on the account, to the extent that it can generally predict activity on the account and identify activity that does not fit the profile. This may be many small cash deposits followed by large cross-border transfers or volume of activity that does not fit the customer's business. They must also understand whether the hawala provider may be using the LFI's accounts to conduct business and to move funds on behalf of customers while attempting to conceal this activity from the LFI. Section 2.3.1 contains red flags for concealed activity.

            • 2.2.4 Ongoing Monitoring

              All customers must be subject to ongoing monitoring throughout the business relationship to ensure that transactions are reasonable and legitimate. Ongoing monitoring is particularly important in the context of business relationships with hawala providers, where the risks these relationships create for the LFI can change significantly based on the hawala provider's business activities. LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

              In addition to a review of the customer's CDD file, the LFI should also review the customer's transactions to determine whether they continue to fit the customer's profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established. This type of transaction review is distinct from the ongoing transaction monitoring discussed in 2.3.1 below. The purpose of the review is to complement ongoing transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules. For example:

               Company M, a hawala provider, opens an account with Bank B, an LFI. At onboarding, Company M tells Bank B that it operates as a money transfer service to Country X. A year after the account is opened, Bank B conducts a scheduled CDD review and discovers that, six months after onboarding, Company M began to make and receive periodic transfers to and from Country Y. Bank B makes inquiries and discovers that Company M is now providing money transfer services to Country Y as well. Bank B decides to put a restriction on the account requiring prior authorization to make transfers beyond Country X and Country Y, requires Company M to sign a warrant that it will inform Bank B in advance of any future changes to its business model, and raises the customer risk-rating.
               

              When customers are higher risk, including hawala provider customers, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as twice a year. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied by the customer. For example, LFIs should consider:

               Reviewing all transactions on the account, rather than a sample of transactions;
               
               Conducting site visits at the customer's premises and requesting a meeting with the customer;
               
               Conducting searches of public databases, including news and government databases in order to independently identify material changes in a customer's ownership or business activities. Such searches should include adverse media searches of public records and databases, using relevant key words, including but not limited to, allegation, fraud, corruption, laundering.
               
          • 2.3 Transaction Monitoring and STR Reporting

            • 2.3.1 Transaction Monitoring

              Where possible, transaction monitoring systems used to monitor activity in the accounts of the RHP should also be equipped to identify breaches of the permitted services by RHP listed in Part I section 4.1. The transaction monitoring system used by LFIs should also be equipped to identify RHP that are using the LFI's accounts to conduct their business and to move funds on behalf of customers while attempting to conceal this activity from the LFI. Red flags for concealed activity appear below. If an LFI's automated transaction monitoring system is not capable of alerting on these red flags, LFIs should have in place manual monitoring, such as management information systems that are capable of doing so.

                Frequent deposits by multiple individuals into a single bank account, followed by international wire transfers and/or international withdrawals through ATMs.
                Money being transferred at regular intervals to international locations known to be clearing houses for remittances.
                An account being used as a temporary repository with the funds quickly transferred.
                Usage of third-party accounts to disguise and to avoid detection by authorities.
                Wire transfers frequently sent by traders to foreign countries that do not seem to have any business connection to the destination countries.
                Business accounts used to receive or disburse large sums of money but show virtually no reasonable business-related activities such as payment of payrolls, invoices etc.
                Frequent deposits of third-party checks and money orders into business or personal accounts.
                Frequent international wire transfers from bank accounts that appear inconsistent with stated business activities.
                Sudden change in pattern of financial transactions from low value international fund transfers to large value transfers.
               
            • 2.3.2 STR Reporting

              As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file an STR, SAR or other report types with the FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE's effort to combat financial crime and protect the integrity of its financial system. STR filings are essential to assist concerned UAE authorities, such as law enforcement, in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system.

              In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations:

                A potential customer decides against opening an account or purchasing other financial services after learning about the LFI's CDD requirements;
                A current customer cannot provide required information about its business or its beneficial owners;
                A customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty;
                The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the customer. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship; or
                If the LFI believes that a customer may be acting as an unregistered hawaladar.
               

              Please see also the CBUAE's Guidance for LFIs on Suspicious Transaction Reporting for further information.

          • 2.4 Governance and Training

            The specific preventive measures mentioned above must take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer who understands the LFI's risks and obligations and who has the resources and autonomy necessary to ensure that the LFI's program is effective. As with all risks to which the LFI is exposed, the AML/CFT training program must ensure that employees are aware of the risks of hawala provider customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI's risk and the nature of its operations. For example, an LFI that has a large number of hawala provider customers should offer training that includes an in-depth discussion of risk factors and red flags related to such customers.

      • Annex 1. Synopsis of the Guidance

        PART I: REGISTERED HAWALA PROVIDERS AND LICENSED FINANCIAL INSTITUTIONS
        Introduction
        Purpose: The purpose of this Guidance is to assist the understanding and effective performance by the Registered Hawala Providers and other Licensed Financial Institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE.
        Applicability: This Guidance applies to all natural and legal persons which are licensed and/or supervised by the CBUAE in the following categories: Registered Hawala Providers ("RHP"), National banks, branches of foreign banks, and Exchange houses.
        Legal Basis: This Guidance builds upon the provisions of UAE laws and regulations, including the AML-CFT Law, the AML-CFT Decision, the Cabinet Decision 74 of 2020 and the Registered Hawala Providers Regulation issued by the CBUAE ("Circular No. 24/2019").
        Overview of Hawala activity: Hawala is an activity based on trust. It was established because of high charges that some people cannot afford, the ability to reach beneficiaries quickly in remote places where banks do not operate, and the existence of strict currency controls in some countries. While hawala providers, also known as hawaladars, often use banking channels to settle between them, what makes them distinct from other money transmitters is their use of other settlement methods, including trade, cash, and long-term net settlement.
        Global risks of Hawala Activity: Hawaladars' business model is built around satisfying customers' needs to move money rapidly across borders, a service that may be misused by criminals just as it is used by individuals seeking to conduct legitimate personal remittances. The risk of a hawala provider is influenced by the regulatory environment and illicit finance risks in the jurisdictions in which they do business, the products and services they provide, and their customer base.
        Regulation in the UAE: The CBUAE permits legitimate Hawala Activity as an important element of its continuous efforts to support financial inclusion and bring the unbanked population into the regulated financial system. To this end, Hawala is regulated by the Registered Hawala Providers Regulation issued by the CBUAE. All providers carrying on Hawala Activity in the UAE must hold a Hawala Provider Certificate issued by the CBUAE; it is not permitted to carry on Hawala Activity without being registered with the CBUAE. Registered Hawala Providers (RHP) are only permitted to provide well-defined services that include non-commercial personal remittances and money transfer services to support commercial operations. RHP are not permitted to engage in any of the following transactions: Take deposits, exchange currencies or sell and purchase travellers' cheques; Provide any financial services other than money transfers (e.g. exchange of virtual assets/cryptocurrencies, loans, purchase of debts); or Execute transactions involving or on behalf of any other hawala provider in the UAE. This excludes the agents of the RHP in a foreign country.
        PART II: GUIDANCE FOR REGISTERED HAWALA PROVIDERS
        Sanctions Obligations: Targeted Financial Sanctions (TFS) are legal restrictions on financial activity imposed by the United Nations Security Council (UNSC) or the UAE. RHP are required to fully comply with the obligation to implement all necessary measures without delay as described in the Cabinet Decision 74 of 2020, the "Guidance on TFS for FIs and Designated Non-Financial Business and Professions (DNFBPs)" issued by the Executive Office of the Committee for Goods & Material Subject to Import and Export Control, the CBUAE's Guidance for LFIs on the implementation of TFS, the CBUAE Notice No. 3895/2021, and any of their amendments or updates thereof. RHP should be aware that it is a crime in the UAE to provide funds or financial services, including money transmissions services, to a person subject to TFS.

        Appropriate implementation of TFS has four key steps, which RHP must follow to ensure they are compliant:

        1. Maintain awareness of UNSC and UAE sanctions lists, and rapidly become informed of changes to these lists.
        2. Check the names of customers against the lists of sanctioned persons.
        3. Immediately freeze any funds in the possession or under the control of the RHP that may belong to a listed person, and cancel (where possible) any transactions involving a listed person.
        4. Report any listed persons and the actions the RHP has taken to the appropriate authorities (via the goAML Portal).
        Registration and other Requirements
        Registration: A resident natural person or legal person may not carry on Hawala Activity in the UAE unless the applicant holds a Hawala Provider Certificate issued by the CBUAE and is registered in the CBUAE Hawala Providers Register.
        CBUAE Notification of Approval/Rejection: The CBUAE may agree or decline an application for a Hawala Provider Certificate and will notify the applicant in writing of its decision.
        Re-Registration: RHP should submit to the CBUAE an application for renewal of the Hawala Provider Certificate within a period not less than two months from the date of expiry of the original certificate or any renewals thereof.
        Requirements for Trade License, Security and Reporting Systems: RHP are required to complete the following requirements within 90 days from the date mentioned in the final registration certificate as well as submit proof of completion to the Licensing Division of the CBUAE:
        • Add Hawala Activity to the commercial trade license.
        • Install security systems i.e. CCTV and police connections.
        • Register on the UAE Financial Intelligence Unit's (FIU) goAML portal.
        • Register to the CBUAE's Systems for the daily and quarterly reporting.
        • RHP should register for the FIU's Integrated Enquiries Management System.
        Requirement for a Bank Account: RHP must maintain an account with a bank operating in the UAE to be used for settlement and provide the CBUAE with its details. In addition, they should inform their account manager at the bank of their intention to use the account to carry out Hawala Activity.
        AML/CFT program
        AML/CFT Program and Compliance Officer: RHP are required to establish and maintain effective AML/CFT compliance programs designed to prevent them from being misused to facilitate money laundering or terrorist financing. The program must be risk-based and appropriate to the risk of the RHP, taking into consideration its size, volume of transactions, types of remittances offered (personal only or personal and commercial), complexity, the nature and volume of its Hawala Activity, the nature of its customer base and the geographic areas in which it operates. Each RHP must have a specific person, the Compliance Officer, who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT program. This person must be an employee, manager, or owner of the RHP depending on the size of the RHP. They should also provide education and training to appropriate personnel and conduct a periodic audit of the AML/CFT program.
        Understanding Risks: The Compliance Officer should begin the risk assessment process by carefully reading and understanding Parts I and II of this Guidance, which contain essential information about the risks faced by an RHP and consider the customer, geographic, products and services, and delivery channel risks. RHP should complete this risk assessment process at least once a year. Where they assess themselves as higher risk, they should take additional precautions.
        AML/CFT Program
        Customer and Agent Due Diligence: Customer due diligence ("CDD") is the process by which an RHP identifies and understands its customer; it is required by law. The RHP must perform Customer Identification Diligence ("CID"), CDD or Enhanced Due Diligence ("EDD") prior to conducting each and every transaction, even if the customer is a repeat customer. An RHP must not conduct a transaction if the appropriate diligence has not been performed or completed depending on their nature as follows:
        • CID: When a natural person sends or receives a transfer between AED 1-3,499 and no higher risks are present.
        • CDD: In all other cases between AED 3,500-54,999.
        • EDD: When the customer is a natural person carrying out a transfer above AED 55,000, or when the customer is from/sending a remittance to a high-risk jurisdiction, or when the customer is a politically exposed person or a legal person, or when other higher risks are present.

        RHP may use agents in a foreign country to carry out activity on their behalf in that foreign country. RHP are not permitted to use agents to carry out activity on their behalf in the UAE (also known as "nesting"). RHP are required to perform appropriate due diligence on their agents and monitor their transactions to ensure that they are legitimate, keep up-to-date agent lists for a period of five years and provide them upon request to the CBUAE and/or to relevant authorities within the country in which they operate.

        Transaction Monitoring and Record Keeping: When an RHP's customer is originating a transaction, the RHP must collect and keep certain information for every transaction. When RHP's customer is receiving the remittance, they must in addition conduct CDD on the beneficiary and make sure that its customer's information matches that of the beneficiary identified in the information provided by the originating hawala provider. RHP must keep all records obtained through the CDD process and maintain records of all transactions for at least five years from the date of completion of the transaction or longer if directed by the CBUAE or any other authority.
        Reporting Obligations
        Daily Reporting: RHP must upload electronically to the CBUAE's reporting systems on a daily basis the data and details of all transfers, remitters and beneficiaries as per the forms prepared by the CBUAE for this purpose.
        Quarterly Settlement Statements: RHP must further submit to the CBUAE statements of their settlement accounts on a quarterly basis along with other required forms, as well as provide the CBUAE with any data, information, or statistics it may require.
        Reporting Suspicious Transactions to the FIU: If the RHP suspects that a transaction, attempted transaction, activity, or funds (including agents' transactions), constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime, they must submit a Suspicious Transaction Report (STR), Suspicious Activity Report (SAR) or other report types to the FIU using the goAML portal. RHP must submit this report without delay, meaning as soon as reasonably possible after the transaction takes place or their suspicions develop. Please see also the CBUAE's Guidance for LFIs on Suspicious Transaction Reporting for further information.
        Penalties: Violation of any statutory obligations may be subject to supervisory action, administrative and financial sanctions and penalties as deemed appropriate by the CBUAE.
        PART III: GUIDANCE FOR LFIs
        Understanding Risks: Circular 24/2019 requires that RHP must maintain an account with a bank operating in the UAE to be used for settlement and provide the CBUAE with its details. The CBUAE expects LFIs to accept RHP customers, but LFIs must manage the risk that these transactions create through the use of appropriate controls. LFIs must not accept as customers unregistered hawala providers based in the UAE, and must immediately report an STR to the FIU, inform CBUAE when they are detected, and closely monitor the relationship.
        Mitigating Risks
        Risk-Based Approach: LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including hawala providers. The approach should include at the minimum the conduct of an enterprise risk assessment, identification and assessment of the risks associated with specific customers, and the application of EDD and other preventive measures.
        CDD and EDD
        Customer Identification and verification: LFIs are required to identify and verify the identity of all customers. Among other requirements, LFIs must physically check the original hawala provider registration certificate issued by the CBUAE and keep a copy thereof. LFIs should not form business relationships or conduct transactions with hawala providers without a valid registration certificate issued by the CBUAE (unregistered hawala providers).
        Beneficial Owner Identification: Where the hawala provider customer is a legal person, please consult the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements for details on the identification of beneficial owners.
        Customer's Business and Business Relationship: It is critical that LFIs have processes and controls in place to ensure that they are able to identify hawaladar customers. LFIs must ensure that they fully understand their customers' source of funds and the business in which they are engaged, the intended use and expected activity on the account, to the extent that they can generally predict and identify activity that does not fit the profile.
        Ongoing Monitoring: All customers must be subject to ongoing monitoring throughout the business relationship to ensure that transactions are reasonable and legitimate. LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. When customers are higher risk, including hawala provider customers, monitoring should be more frequent, intensive, and intrusive.
        Transaction Monitoring and Suspicious Transaction Reporting: Where possible, transaction monitoring systems used to monitor activity of the RHP should also be equipped to identify breaches of the permitted services by RHP. The transaction monitoring system used by LFIs should also be equipped to identify RHP that attempt to conceal activity from the LFI. LFIs must file a Suspicious Transaction Report, Suspicious Activity Report or other report types with the FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Please see also the CBUAE's Guidance for LFIs on Suspicious Transaction Reporting for further information.
        Governance and Training: The specific preventive measures mentioned in this Guidance must take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. As with all risks to which the LFI is exposed, a training program must ensure that employees are aware of the risks of hawala provider customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls.

         

    • Guidance for Licensed Financial Institutions on the Risks Relating to Payments

      Effective from 1/8/2022
      • 1. Introduction

        • 1.2. Applicability

          Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories:
           
           National banks, branches of foreign banks, exchange houses, finance companies; and
           Stored value facilities, retail payment service providers, and card schemes.
           
        • 1.4. Acronyms and Definitions

          Card Scheme: a single set of rules, practices and standards that enable a holder of a payment instrument to effect the execution of card-based payment transactions within the UAE which is separated from any infrastructure of payment system that supports its operation, and includes the card scheme governing body. For the avoidance of doubt, a card scheme may be operated by a private or public sector entity.

          Correspondent Banking Relationship: the relationship between a correspondent financial institution and a respondent one through a current account or any other type of account(s) or through a service related to such an account and includes a corresponding relationship established for the purpose of securities transactions or transfer of funds.

          Nesting: defined by the FATF as the use of a bank’s correspondent relationship by a number of respondent banks through their relationships with the bank’s direct respondent bank to conduct transactions and obtain access to other financial services.

          New Payment Products and Services (NPPS): defined by the FATF as new and innovative payment products and services that offer an alternative to traditional financial services.

          Payment Sector: refers to different forms of payment that are transmitted and exchanged across various delivery channels, frequently utilizing digital platforms, systems, services and products.

          PPS: Payment Products and Services.

          Retail Payment Services: any of the following services: payment account issuance; payment instrument issuance; merchant acquiring; payment aggregation; domestic fund transfer; cross-border fund transfer; payment token; payment initiation; and payment account information.

          Stored Value Facility (SVF): a facility (other than cash) for or in relation to which a customer, or another person on the customer’s behalf, pays a sum of money (including money’s worth such as values, reward points, crypto-assets or virtual assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including money’s worth such as values, reward points, crypto-assets or virtual assets) whether in whole or in part, on the facility; and (b) the relevant undertaking. SVF includes device based SVF and non-device based SVF.

      • 2. Understanding Risks

        There is no uniform global approach to regulation of the Payment Sector and participants may be classified as different types of entities in different regulatory regimes. Some types of participants may be regulated as financial institutions in some jurisdictions but not in others. Operating within a global financial center, LFIs in the UAE may be exposed not just to participants licensed by the CBUAE, but also to those operating globally. This exposure can be direct (i.e., providing financial services directly to a participant), or indirect (e.g., when a customer initiates a withdrawal from his checking account using a foreign smartphone-based app that he has linked to that account).

        The Payment Sector is becoming increasingly diverse, and payment processes more complex. The Payment Sector is no longer solely dominated by traditional financial institutions like banks and exchange houses, which also offer new and innovative methods using the internet or mobile phone technology. A variety of new types of Payment Sector participants, such as companies that offer internet-or smartphone-based payment applications and providers of prepaid cards and devices, are involved in a growing percentage of all payment transactions. These entities allow almost anyone to accept and originate payments using a wide variety of techniques and payment routes. Whenever a customer makes a purchase or pays a bill online, these new participants are likely to be involved. These entities may also be used outside commercial contexts, such as by crowdfunding platforms or charitable organizations.

        Furthermore, as innovative technologies emerge and commerce and economic activity increasingly grows online, merchants and consumers are relying on a diverse array of New Payment Products and Services (NPPS). The FATF defines NPPS as “new and innovative payment products and services that offer an alternative to traditional financial services.” Examples of NPPS include prepaid cards, mobile payments, and internet-based payment services; these are neither exhaustive, nor exclusive as a provider of mobile money, for instance, may utilize prepaid cards or provide internet-based payment services. In contrast, payment methods such as credit cards and cheques, and bulk funds transfer systems such as national payment systems, would generally not qualify as NPPS. Because NPPS are so diverse, they do not share a single risk profile and pose money laundering and financing of terrorism (ML/FT) risks for financial institutions when they do not understand the operation or the vulnerabilities in the NPPS operational models. The provision of these NPPS is frequently implemented or facilitated by a group or network of different companies, some of them invisible to the consumer or even all the participants in the network, given the presence of multiple participants in the chain with whom not all participants will have a contractual relationship.

        The vast majority of payment transactions carried out each year across the globe are legitimate. But the Payment Sector—and NPPS in particular—has characteristics that make it both attractive and vulnerable to illicit actors. As LFIs are increasingly exposed to new participants in this sector, they must remain alert to and understand the risks this exposure creates.

        Section 2.1 below discusses the ML/FT risks of the Payment Sector with a focus on risks related to NPPS. It applies to financial institutions that are directly involved in the provision of such products and services, which includes both traditional LFIs and those that are solely engaged in providing payments. Section 2.2 discusses risks specific to LFIs that provide services to other Payment Sector participants.

        • 2.1. ML/FT Risks of the Payment Sector

          • 2.1.1. Characteristics of the Movement of Funds

            PPS, and NPPS in particular, are extremely attractive to illicit actors because of the rapid movement of funds between Payment Sector participants and across borders. The risks of a specific payment network or application however can vary based on the features that make it more or less attractive to illicit actors, such as:
             
             Transaction speed. Are transactions instantaneous, or do they take hours or days? The quicker the transaction, the easier it is for illicit actors to conduct multiple transfers, further obscuring the origin of the funds, before coming to the attention of the authorities.
             
             Transaction limits. Does the PPS have transaction caps or limits? Smaller-value payments are not without risk, especially in the terrorist financing context, but they do make it more difficult to move illicit funds on a large scale.
             
              Closed vs open loop system. PPS, primarily SVF, can be “closed” or “open” loop. In a closed loop system, the payment method can only be used for payments to a specific payee. Examples include transit passes and store gift cards. In an open loop system, the payment method can be used to pay a wide variety of payees, and can be linked to other payment methods that further expand its reach. Although it is certainly possible to use closed loop systems for ML/FT (for instance, if a terrorist group collects store gift cards and uses them to purchase equipment), the restrictions on their use make them less attractive to illicit actors.
             
              Methods of funding and access to cash.3 The methods by which a PPS can be funded (such as by cash, through another payment service, a prepaid model, or by third-party funding from anonymous sources) may increase risk. The inputs and outputs of a given PPS are therefore an important consideration when assessing risk, including whether the funding source is located internationally, such as in a high-risk country. For example, illicit actors may seek to place cash in the financial system or to obscure transaction trails by converting funds in and out of cash. PPS that permit users to fund their accounts with cash, or that allow users to withdraw cash, may be higher risk. In addition, as discussed above in the context of open loop systems, the more open and porous the PPS, the higher the risk it may present. PPS that allow users to fund accounts from multiple sources, and to withdraw funds using multiple methods, are likely to be more attractive to illicit actors, and will be harder to effectively monitor.
             
             Payment transparency. NPPS often have aggregated payments and settlement accounts involving multiple parties and long payment chains thereby potentially causing LFIs to have reduced visibility into payment activity taking place through the PPS as well as obscuring an LFI’s ability to identify the ultimate payer and payee for all transactions.
             
             Ability for one person to create multiple accounts. Some PPS allow customers to create multiple accounts using the same ID. These may be individual accounts or created on behalf of minors or other family members. Illicit actors may seek to rapidly cycle funds through accounts (whether or not these take the form of virtual ‘wallets’ or other SVF) in order to obscure payment trails. They may also seek to open multiple accounts to facilitate fraud and other criminal activity. Restricting a customer to one account does not eliminate risk, since illicit actors often work in groups, but it makes it more difficult for a single person to launder funds by conducting a self-transfer.
             
             Non-face-to-face relationships. Does the payment method allow for a non-face-to-face business relationship? What are the payment method’s characteristics? Can the relationship be established through agents, online or through a mobile payment system? The absence of contact and/or anonymity may increase the risk of identity fraud or customers providing inaccurate information.
             
              Use of virtual assets.4 As interest in virtual assets grows, more and more payment methods and schemes are integrating with virtual assets. For example, a global payments firm allows users in some countries to purchase virtual assets using the funds in their account, although not to use them directly for payments. Payment methods and schemes that integrate virtual assets could expose financial institutions to the specific risks of this sector.
             

            3 For details on the vulnerabilities of cash and alternatives to cash, please consult the CBUAE’s Guidance for Licensed Financial Institutions providing services to Cash-Intensive Businesses

            4 Please note that the risks relating to Virtual Assets/Virtual Assets Service Providers are out of the scope of this guidance and addressed in a separate guidance to be issued by the CBUAE.

          • 2.1.2. Peer-to-Peer Payments

            NPPS have revolutionized the ability to make payments or transfer funds. Where cash transactions previously required face-to-face interaction and bank transfers involved transaction fees and an execution time, NPPS allow participants to send money that will be instantly available to the beneficiary, reducing the need for trust in the relationship. As a result, the availability of convenient, inexpensive PPS has led to a decreasing use of cash, particularly in highly developed countries. Bringing transactions into the formal financial system has many advantages from the perspective of combating illicit finance. These transactions can flow through third parties that are in many cases subject to AML/CFT requirements. In most cases, the payments that involve such third parties include information on the payer and the payee and are permanently recorded by a financial institution, making it easier for law enforcement to track transactions. But the use of PPS for peer-to-peer payments also creates risk for financial institutions because it means that many smaller illicit transactions that once took place in cash are now being conducted via PPS, particularly NPPS.

          • 2.1.3. Cross-Border Movement

            One of the principal features of many NPPS is that they can be used globally for making payments or transferring funds. While the usefulness of cash and cheques is limited outside the jurisdiction where they were issued, many PPS are internet-based services and specialize in conducting transfers between countries and currencies. For example, a UAE bank that offers checking accounts to UAE residents may have no ATMs or branches outside the UAE. But, if users link their accounts to global or regional payment apps, they can conduct transactions with persons all over the world and can use their smartphone as a payment instrument in countries where the bank has no presence, thus introducing new geographical exposure potentially to high-risk countries. And unlike cross-border wires, which carry full identifying information, the bank will frequently only see the customer’s transactions with the payment network itself, rather than their location or ultimate destination. Many illicit finance schemes involve the cross-border movement of funds. Criminals may seek to finance terrorism in other countries, move funds out of sanctioned jurisdictions, or evade the attention of law enforcement in the jurisdiction where a proceeds-generating offense was committed. PPS that allow or facilitate cross-border movement of funds may therefore be particularly attractive to illicit actors.

          • 2.1.4. Global Regulatory Gaps

            Countries take a variety of approaches to regulating the Payment Sector and there is no one widely accepted classification of participants. As a result, two regulators in two different jurisdictions may subject a single company to very different requirements based on each jurisdiction’s regulatory framework. The company may be regulated as a financial institution in one jurisdiction, and thus subject to AML/CFT requirements, but treated as a tech company in another with no requirement to apply preventive measures. Companies may provide services to customers in a given country without being regulated in that country at all. Even where Payment Sector participants are fully regulated and subject to stringent AML/CFT requirements, supervisors’ expectations for this sector may be lower than for traditional financial institutions such as banks. And participants, as relatively new market entrants, may lack the experience, expertise, or commitment to apply fully effective preventive measures. These entities may be less able to protect themselves and their partners, and thus vulnerable to abuse by illicit actors.

          • 2.1.5. Intermediation

            The Payment Sector may be complex with a number of participants potentially involved in a single transaction. As a result, many payment transactions will be highly intermediated, with multiple financial institutions involved in a funds transfer. Additional entities (some of which may not be financial institutions) can potentially facilitate the transaction through the exchange of information. Intermediated transactions create risk because no regulated entity participating in the transaction has the visibility necessary to fully understand the transaction and the participants. Illicit transactions may have red flags when viewed as a whole, but may appear legitimate when seen from the perspective of each of the financial institutions involved. This creates a vulnerability that illicit actors can exploit.
             
            For example, consider the hypothetical transaction below, a purchase on an online marketplace that allows individual sellers to sell items directly to customers:
             
            [Figure: hypothetical purchase on an online marketplace]

             

            In this transaction, the customer is using a credit card to purchase goods from the merchant, but the merchant is not a participant in the credit card scheme. A number of Payment Sector participants help to bridge this gap and facilitate the transaction:
             
             The marketplace uses a payment gateway that accepts the customer’s credit card credentials, encrypts them, and validates them against data held by the credit card scheme operator. The marketplace may also integrate with providers that provide ‘one-click’ payment information to the payment gateway without requiring the customer to enter his or her credit card details. In the UAE, these providers would be classified as conducting payment account information services, but in many other jurisdictions they are not regulated as financial institutions.
             
             The credit card scheme operator validates the customer information provided by the payment gateway, conducts initial fraud checks, and informs the payment gateway that the credit account is in good standing and the credit limit has not been exceeded.
             
             The payment gateway informs the marketplace’s payment processor that a transaction of an identified value can proceed using the customer’s credit card details.
             
             The marketplace payment processor informs the merchant that the transaction has been confirmed and instructs the credit card scheme operator to debit the customer’s account for the purchase price, in favor of the marketplace.
             
             The credit card scheme operator passes this payment instruction on to the bank that issued the customer’s credit card (the issuing bank). Meanwhile, the merchant ships the customer the merchandise purchased.
             
             The issuing bank transfers funds in the purchase value to the marketplace’s bank (this transfer may in fact go through the marketplace payment processor’s account at the same bank).
             
             The marketplace bank transfers the purchase funds to the merchant’s fintech (likely a provider of SVF), which in turn transfers the funds to the merchant’s account. The marketplace’s payment processor likely facilitates this transaction by instructing the bank where to send the funds.
             
            It is unlikely that any of the Payment Sector participants in this transaction have full visibility into the funds transfer chain. The banks are unlikely to have information on anyone other than their immediate customers or correspondents. The payment gateway likely does not identify the merchant. The fintech likely does not identify the customer. The marketplace payment processor is likely aware that the customer and merchant are engaging in a transaction, but may not know where the customer’s funds are coming from or where the merchant’s funds are going. And because the marketplace payment processor does not hold funds at any point in the transaction, it may not be regulated as a financial institution in all jurisdictions. In this instance, a marketplace payment processor may apply certain conditions on what types of customers and merchants it engages. For more information on how LFIs can mitigate and manage ML/FT risks related to this sector, including the risks arising from the use of NPPS, please see section 3 “Mitigating Risks.”
          • 2.1.6. Nesting

            Nesting is a form of intermediation that presents specific risks. In most Correspondent Banking Relationships that involve nesting, the respondent financial institution is not aware of individual transactions ordered by the ultimate customer; instead, the respondent sees bulk activity in the correspondent’s account that represents aggregate customer orders and perhaps also proprietary transactions by the correspondent. As a result, the transaction is intermediated because the respondent cannot see—nor assess the risk of—the original customer.

            [Figure: nesting in a Correspondent Banking Relationship]

            Although nesting can occur in the context of any financial service, some features of the Payment Sector— the long payment chains and the involvement of multiple parties—can increase the likelihood that nesting will take place. In particular, some Payment Sector participants specialize in providing financial services to dubious merchants or customers who would be rejected by larger financial institutions. A participant servicing these customers, frequently offering merchant acquiring or payment aggregation services, will establish a nested relationship with a third participant that in turn has a Correspondent Banking Relationship with a bank. Although all the parties involved must and may claim to perform appropriate merchant due diligence, in practice, the risk may be that the bank is relying on its correspondent, which is in turn relying on the nested financial institution, with the first two parties not having full visibility into the nested financial institution’s customer base or due diligence practices.

          • 2.1.7. Use of Agents and Affiliates

            Payment Sector participants often interact in a dense web of agency and affiliate relationships, with each participant playing a defined role. A large number of entities involved in the NPPS, in particular when involving several countries, may increase the ML/FT risk.
             
            For example, entities involved in the provision of SVF through a prepaid card scheme could include:5
             
             The issuer of the SVF, such as the issuer of prepaid cards, who is accountable to the customer for holding the funds they have loaded into the SVF (issuers are often banks that maintain program funds in a single program account);
              The merchant acquirer (or acquirers), who establishes a direct relationship with merchants, distributes and maintains the payment gateway, collects funds on their behalf, and distributes them to merchants;
              The program manager, who operates the network and provides services to the issuer (because all program funds are generally maintained in a single account, program managers often maintain the electronic records that track the “movement” of funds into and out of customers’ individual wallets);
             The retailer, who sells SVF devices like prepaid cards to customers;
             The network operator, who maintains the link between merchants’ point of sale devices, or other payment gateways, and the program manager; and
             Persons, who act as agents for the scheme, such as by accepting cash in exchange for topping up wallet balance.
             
            Another example includes the provision of mobile payment services. The roles of Payment Sector participants depend largely on the business model of the mobile payment service. Furthermore, various roles may be carried out by a single entity or through agents. Entities involved in the provision of mobile payments may include the following:
             
             The network operator, who provides the platform to allow access to the funds through a mobile phone.
             The distributor (including retailer), who sells or arranges for the issuance of funds on behalf of the issuer to customers.
             The issuer of the SVF, or the electronic money issuer, who issues electronic money, which is defined here as a record of funds or value available to a customer stored on a payment device, such as a prepaid card or mobile phone.
             
            This interplay between different entities can lead to risks resulting from intermediation as discussed above. But it can also give rise to risks when the participating entities have not assigned clear responsibility for compliance with AML/CFT requirements. The PPS’s risk exposure may then be dependent on multiple actors who may have a deficient understanding of AML/CFT obligations. For example, in the prepaid card scheme described above, agents could facilitate money laundering by accepting large volumes of cash and breaking the value of the deposit up across several wallets, thus avoiding scrutiny related to large cash deposits. The entities acting as merchant acquirers could be aware that the merchants are providing illegal goods or services or are fraudulent, but conceal this knowledge in order to continue to receive fees related to transactions involving the merchants in their network.
             
            The risks created by the use of agents and affiliates increase when agents and affiliates are responsible for sensitive steps in the system (customer or merchant onboarding, or cash acceptance) and when there are multiple agents or affiliates between the customer and the ultimate provider of payment services. For example in card schemes, merchant acquirers will frequently work with contractors who identify merchants and bring them to the acquirer in return for a fee. Depending on the relationships involved, the financial institution that maintains the merchant accounts may not have any actual direct contact with and have a limited visibility of the merchant, as the relationship is intermediated through the merchant acquirer and also the merchant acquirer’s contractor. Since contractors do not get paid unless the financial institution accepts the merchant as a customer, they may be incentivized to help the merchant conceal the true nature of its business.

            5 Please note that one entity can hold various roles related to the provision of SVF (e.g., an issuer of the SVF can also be a program manager). The risk is extended where different agents are involved in the provisioning of a prepaid card.

          • 2.1.8. Merchant Risks

            All merchants accept payments in one form or another, and most merchants today are at least considering integrating NPPS into their financial arrangements. On the other end of the spectrum, NPPS lower the barriers for merchants to access financial services, making it easier to start and operate a small business, particularly in the e-commerce sector. These lower barriers to entry however can also create risks when merchants are not properly vetted. Globally, Payment Sector participants including providers of NPPS have been abused by or directly complicit with merchants who offer fraudulent or illegal goods or services, or whose business models pose reputational risks to financial institutions. These can for example include traffickers in narcotics who disguise their transactions as financial activity related to a supposedly legitimate small business. They can also include businesses that are legal in some jurisdictions but not others (such as gambling websites) and seek to accept payments from customers resident in jurisdictions where the business is illegal. Finally, they may include sites that are legal in many jurisdictions but that pose reputational risk, and that are therefore outside a financial institution’s risk appetite, or online marketplaces that do not thoroughly police their merchants and thus could themselves be abused by illicit actors.

            Any factors—particularly intermediation, nesting, and the use of agents and affiliates—that prevent a financial institution from understanding exactly what merchants or what types of merchants it is serving when it provides a PPS, increase the risks. Risks may be higher in cross-border networks, as businesses may be legal in some jurisdictions and illegal in others, while customers can use the PPS to purchase services that would be illegal in their jurisdiction. Relying on third parties to conduct customer due diligence (CDD) on merchants can also increase risk if the relationship is not well-governed.

        • 2.2. ML/FT Risks for LFIs Providing Services to Payment Sector Participants

          Many traditional LFIs, including banks, are full participants in the Payment Sector. Banks serve for example as issuers and acquirers in credit, debit, and prepaid card schemes, and are actively involved in developing new payment methods to better serve their customers. When banks play such roles, they are directly exposed to the determinants of risk discussed in section 2.1 above, and should thus conduct appropriate CDD on all Payment Sector participants. Banks and any other LFIs that offer services to other Payment Sector participants, or have customers who use these services, are exposed to specific forms of risk that include:

          • 2.2.1. Correspondent and Correspondent-Type Risk

            Because large-scale national clearing and settlement systems are often opened only to banks and other depository institutions, the majority of retail payments will ultimately pass through a bank, generally as part of batch settlement. In order to facilitate this activity, non-bank financial institutions involved in payments, as well as unregulated Payment Sector participants, generally maintain deposit accounts with banks. These accounts can be used to safeguard customer funds (for example funds that have been deposited with a prepaid scheme) or to aggregate customer funds before disbursing them directly to the customer’s account (for example when a merchant acquirer aggregates multiple payments to a merchant partner before disbursing them in a single transfer). Correspondent Banking Relationships in which the correspondent’s customers’ funds flow through an account held at the respondent financial institution are particularly high risk, because they expose the respondent institution directly to any potentially illicit activity in which the correspondent’s customers are engaged. Because banks that offer services to correspondents have limited information on these transactions, they are reliant on the correspondent to implement an effective AML/CFT program. Please see section 3.4.2 for the respective preventive measures.

          • 2.2.2. Other Risks Related to Intermediation

            Even banks that view themselves as having limited to no exposure to NPPS may in fact have indirect exposure through customers who link their bank accounts to payment apps, or use their bank accounts to fund SVF accounts or wallets (or withdraw funds received in such wallets to their accounts), or withdraw funds as cash and use it to purchase other prepaid instruments. Account activity of this type poses unique challenges for account and customer surveillance, because frequently the bank will be aware only of the immediate source or destination for the transaction, rather than the entire transaction chain. This can allow customers to deliberately thwart transaction monitoring programs and prevent the bank from understanding and assessing the activity on the customer’s account to determine whether it is in fact in line with the customer profile. Examples of how intermediation can limit a bank’s ability to identify suspicious or unusual behavior include:
             
             Many banks have automated transaction rules designed to identify possible unlicensed money transfer activity by alerting on accounts that receive multiple small deposits from different sources, followed by a single large cross-border transaction. A customer could thwart this surveillance by having associates deposit the funds to be transferred in an SVF wallet, and then moving those funds to a linked bank account in order to execute the cross-border transfer. From the bank’s perspective, it would appear that the customer received only one deposit. Relatedly, the provider of SVF could not know that the funds were ultimately transferred across borders.
             Many banks use watchlists to identify transactions that may be illegal or in violation of bank policy, such as the use of gambling websites. A customer seeking to evade these restrictions could use a foreign payment app linked to their account to purchase the assets; this transfer would likely appear on the bank’s records as a debit in favor of the operator of the payment app. The operator, in turn, may not be responsible for enforcing the laws of the jurisdictions where its foreign customers are based. It is therefore important for banks to identify foreign payment apps in order to appropriately assess the risks of the transactional activity.
             A customer that generates a high quantity of illicit proceeds in cash can evade surveillance the bank applies to cash deposits by depositing the cash with a provider of NPPS (including both SVF and any other payment app that accepts cash inputs) and then withdrawing the funds from the payment service to his/her linked bank account.
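
The first example above, expressed as monitoring logic over constructed transactions. This is an added illustration, not CBUAE or any vendor's rule set: the thresholds, the `counterparty_type` labels, the alert codes, and the second rule (which routes intermediary-funded cross-border transfers to review) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the guidance).
SMALL_DEPOSIT_MAX = 5_000        # deposits at or below this count as "small"
MIN_DISTINCT_SOURCES = 3         # distinct depositors needed for the fan-in rule
LARGE_TRANSFER_MIN = 10_000      # outbound cross-border amount of interest
WINDOW = timedelta(days=7)       # look-back period before the outbound transfer
INTERMEDIARY_TYPES = {"svf_provider", "payment_app"}
COVERAGE = 0.8                   # share of the transfer funded via intermediaries


@dataclass(frozen=True)
class Txn:
    ts: datetime
    account: str
    direction: str               # "in" or "out"
    amount: float
    counterparty: str
    counterparty_type: str       # hypothetical labels from the bank's own CDD data
    cross_border: bool = False


def evaluate(txns):
    """Return {account: set of alert codes} for a list of Txn records."""
    by_account = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_account.setdefault(t.account, []).append(t)

    alerts = {}
    for account, history in by_account.items():
        for i, out in enumerate(history):
            if not (out.direction == "out" and out.cross_border
                    and out.amount >= LARGE_TRANSFER_MIN):
                continue
            prior = [t for t in history[:i]
                     if t.direction == "in" and out.ts - t.ts <= WINDOW]

            # Rule 1: the classic pattern, many small deposits from different
            # sources followed by one large cross-border transfer.
            sources = {t.counterparty for t in prior
                       if t.amount <= SMALL_DEPOSIT_MAX}
            if len(sources) >= MIN_DISTINCT_SOURCES:
                alerts.setdefault(account, set()).add("FAN_IN_THEN_CROSS_BORDER")

            # Rule 2 (assumed compensating check): the transfer is mostly funded
            # by an SVF wallet or payment app, so the bank cannot see who paid
            # in upstream and should look through to the original funding.
            via_intermediary = sum(t.amount for t in prior
                                   if t.counterparty_type in INTERMEDIARY_TYPES)
            if via_intermediary >= COVERAGE * out.amount:
                alerts.setdefault(account, set()).add("INTERMEDIATED_FUNDING_REVIEW")
    return alerts


def sample_transactions():
    """Constructed sample data; no real accounts or counterparties."""
    d = lambda day, hour=9: datetime(2024, 1, day, hour)
    return [
        # ACC-1: four small deposits from different people, then a wire abroad.
        Txn(d(2), "ACC-1", "in", 2_500, "P1", "individual"),
        Txn(d(3), "ACC-1", "in", 3_000, "P2", "individual"),
        Txn(d(3, 15), "ACC-1", "in", 2_800, "P3", "individual"),
        Txn(d(4), "ACC-1", "in", 2_700, "P4", "individual"),
        Txn(d(5), "ACC-1", "out", 11_000, "BENEF-X", "bank", cross_border=True),
        # ACC-2: same value arrives as one credit from a linked SVF wallet.
        Txn(d(4), "ACC-2", "in", 11_000, "WALLET-CO", "svf_provider"),
        Txn(d(5), "ACC-2", "out", 11_000, "BENEF-Y", "bank", cross_border=True),
        # ACC-3: salary in, domestic payment out.
        Txn(d(1), "ACC-3", "in", 12_000, "EMPLOYER", "business"),
        Txn(d(6), "ACC-3", "out", 10_500, "LANDLORD", "individual"),
    ]


if __name__ == "__main__":
    for account, codes in sorted(evaluate(sample_transactions()).items()):
        print(account, sorted(codes))
```

ACC-2 never trips the fan-in rule because the bank sees a single deposit, which is the visibility gap the text describes; the second rule only works if the bank has already classified the counterparty as a payment intermediary.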
             
          • 2.2.3. Risks Related to Outsourcing

            Banks often serve as the backbones of PPS such as credit, debit, and prepaid schemes without serving as the administrator or governing body of the scheme. In these situations, banks provide their reputation, stability, ability to hold deposits, and access to national payment systems while program administrators actually manage the movement of funds throughout the scheme. Because program operators have more direct contact with customers and more insights into the movement of funds, banks involved in these schemes often outsource CDD and other elements of the AML/CFT program to the program operators. But as banks continue to be exposed to funds involved in the program, they remain responsible for implementing an effective and compliant AML/CFT program, even if transactions flow through third parties that may or may not be subject to AML/CFT requirements. LFIs should therefore adopt policies to mitigate risks arising from reliance on outside service providers, including ones that operate in high-risk countries. Where roles and responsibilities are not clearly assigned, or where the program administrator does not implement an effective program, illicit actors can exploit the cracks in the program, and the bank and the program operator together will likely be less effective than if either party were operating alone. In such cases, LFIs should maintain a contingency arrangement as necessary.

      • 3. Mitigating Risks

        LFIs, whether they are primarily Payment Sector participants or have more limited exposure, are expected to take a risk-based approach to mitigating and managing ML/FT risks related to this sector, including the risks arising from the use of NPPS. A risk-based approach means that risk mitigation should begin with, and be based on, an appropriate assessment of the LFI’s payments-related risks. This assessment should in turn be reflected in the design and operation of the LFI’s AML/CFT program, including but not limited to the particular program elements discussed below, so that the LFI devotes greater resources and attention where risks are higher.

        The sections below discuss how LFIs can apply specific preventive measures to mitigate and manage their payments-related risk. Sections 3.1-2 and 3.5-7 apply to all LFIs. Section 3.3 describes preventive measures recommended for LFIs that provide PPS directly to customers (including both consumers and merchants, or payers and payees), and section 3.4 for LFIs that provide services to other Payment Sector participants. The controls discussed should be integrated into the LFI’s larger AML/CFT compliance program and supported with appropriate governance and training. It is not an exhaustive discussion of all AML/CFT requirements and LFIs should continuously consult the UAE legal and regulatory framework currently in force.

        • 3.1. AML/CFT Obligations under CBUAE Regulations

          The CBUAE regulatory framework clearly states expectations for compliance with AML/CFT obligations. In addition to this guidance, LFIs including non-bank payment service providers should carefully review all the relevant regulations issued by the CBUAE, which provide a comprehensive coverage of all payment products, services, and systems that are issued, provided and/or operated in the UAE, to ensure they fully understand and comply with their obligations.

          • 3.1.1. Providers of Stored Value Facilities

            In November 2020 the CBUAE issued the Stored Value Facilities (SVF) Regulation (Circular No. 6/2020 issued by Notice 4834/2020). Under its Article 14, all licensees must comply with the existing legal obligations and regulatory requirements for AML/CFT of the CBUAE and address ML/FT risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, detect ML/FT activities, and report any suspicious transactions to the UAE Financial Intelligence Unit (UAE FIU). Among their detailed regulatory obligations, the licensees must assess the risk level of business relationships and undertake periodic risk profiling and assessment of products based on the AML/CFT requirements.

          • 3.1.2. Retail Payment Services and Card Schemes Regulation

            In July 2021 the CBUAE issued the Retail Payment Services and Card Schemes Regulation (Circular No. 15/2021 issued by Notice 3603/2021). Under its Article 12, payment service providers must comply with the relevant UAE AML/CFT laws and regulations and address ML/FT risks through appropriate preventive measures to deter abuse of the sector as a conduit for illicit funds, detect ML/FT activities, and report any suspicious transactions to the UAE FIU. Among their detailed regulatory obligations, the licensees must conduct business relationship-specific risk assessments and undertake periodic risk profiling and assessment of retail payment service users based on AML/CFT requirements. In addition, under Article 18.14, card schemes must report transactions to the UAE FIU when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing or benefitting from a crime.

          • 3.1.3. Large Value and Retail Payment Systems Regulations

            In March 2021 the CBUAE issued the Large Value Payment Systems Regulation (Circular No. 9/2020 issued by Notice 1410/2021) which covers clearing and settlement systems designated primarily to process large-value and/or wholesale payments typically among financial market participants or involving money market, foreign exchange or many commercial transactions. In tandem, the CBUAE issued the Retail Payment Systems Regulation (Circular No. 10/2020 issued by Notice 1408/2021) which covers fund transfer systems and related instruments, mechanisms, and arrangements that typically handle a large volume of relatively low-value payments in such forms as cheques, credit transfers, direct debit, card payment transactions or a regulated medium of exchange. Among their detailed regulatory obligations, all licensees are required to comply with any instructions issued by the CBUAE and any relevant international standards.

        • 3.2. Risk Assessment

          Under Article 4 of the AML-CFT Decision, LFIs are required to identify, assess, and understand the ML/FT risks to which they are exposed and how they may be affected by those risks, in order to determine the nature and extent of AML/CFT resources necessary to mitigate and manage those risks. In addition, under Article 23 of the Decision, LFIs are required to identify and assess the ML/FT risks that may arise when developing new products and new professional practices, including means of providing new services and using new or under-development techniques for both new and existing products. An appropriate risk assessment should consider all the PPS that an LFI provides, and the LFI’s direct relationships to Payment Sector participants, both domestic and foreign.
           
          When assessing its direct exposure to the Payment Sector, whether in the form of PPS it offers, or relationships it maintains with other participants, the LFI should consider the risk factors discussed in section 2 above. The risk assessment should take into consideration:
           
           Movement of Funds. What are the financial flows through the PPS and through the LFI’s accounts? What is the speed of transactions? Is there a cap on transaction value? Is there a daily, weekly, or monthly cap on the volume of transactions? Is the payment service in question closed loop or open loop? Can single users open multiple accounts?
           
           Mode of Funding: How do users fund their accounts and make withdrawals, and is funding permitted prior to customer verification?
           
           Peer-to-Peer Payments. Does the PPS allow users to conduct peer-to-peer transfers, or can they only send transfers to merchants/from customers? How is this restriction implemented and enforced?
           
           Cross-Border Movement. Does the PPS permit funds to move across borders and to high-risk countries through relationships with foreign financial institutions? Can users access the PPS when they are outside the UAE? Does the service support multiple currencies?
           
           Regulatory Status. Is the PPS that the LFI provides a regulated activity in the UAE and in all jurisdictions where it is provided?
           
           Use of Agents and Affiliates. How many entities are involved in delivering the PPS? How open is the network supporting the PPS? Does it include entities that are not regulated as LFIs—for example convenience stores that accept cash in return for topping up account balance? What is the role of each player in the system, and are responsibilities clearly defined in governance documents?
           
           Intermediation. How much visibility does the LFI have into payment activity taking place through the PPS? Can the LFI identify the ultimate payer and payee for all transactions? How many entities are in the payment chain?
           
           Controls. Does the PPS integrate appropriate features that contribute to managing the risk created by the factors listed above, such as by performing a robust customer verification process? These can include both the AML/CFT-specific features discussed in section 3.3 below and measures related to cybersecurity and counter-fraud.
           
          Where LFIs, particularly banks, provide services such as deposit accounts to Payment Sector participants, they should also consider the following in assessing the risk of the relationship:
           
           Nature of the Relationship: What products or services does the LFI provide to the participant? Does the relationship involve direct exposure to the funds of the participant’s customers? Is the sector participant using the relationship to facilitate activity by other Payment Sector participants?
           
           Regulatory Status: Is the participant required to be licensed in the UAE, its home jurisdiction, and all jurisdictions where it operates? Is it subject to AML/CFT requirements in all jurisdictions that are at least as stringent as those imposed in the UAE?
           
           Relationship Governance: Are AML/CFT responsibilities within the relationship clearly defined? Does the LFI outsource some aspects of AML/CFT program implementation to the Payment Sector participant?
           
          The risk assessment should also consider the LFI’s indirect exposure to the Payment Sector through its customers, who may connect their account with an LFI to a variety of PPS, or may fund their account by using such PPS. Because many payment service providers use existing domestic or international payment systems to execute transfers on behalf of their customers, an LFI may not be aware that its customers are using such services nor able to prohibit their use or detect payments activity in customers’ accounts. LFIs should therefore consider a variety of tools to assess their indirect exposure to this sector. These may include:
           
           applying an appropriate level of due diligence and asking questions during the CDD process to obtain all relevant information;
           
           administering customer surveys to better understand customers’ interest in and use of payment services; and
           
           utilizing watchlist-based screening over a sample period.
           
          When LFIs have a sense of the most common PPS their customers use, they should assess the risk these services and products pose, considering the factors discussed above, including the involvement of high-risk countries and the extent of exposure. These assessments should in turn be reflected in the LFI’s inherent risk rating. In addition, the LFI’s controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed.
        • 3.3. Preventive Measures for LFIs Providing Products and Services Directly to Customers

          Under Article 4(2) of the AML-CFT Decision, all LFIs must implement an AML/CFT program designed to manage the risks identified in their risk assessment that should include:

          • 3.3.1. Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring

            Under Article 5 of the AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. Payment Sector participants, including providers of SVF, retail payment services, and card schemes, generally establish relationships with their customers rather than treat all customers as occasional or walk-in customers. In these scenarios, LFIs must perform, no matter the customer type, all the elements of CDD required under sections 2 and 3 of the AML-CFT Decision, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer’s business and purpose of the business relationship, and ongoing monitoring. CDD, and where necessary enhanced due diligence (EDD), are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers.
             
            In addition to these mandatory elements, LFIs should consider the following additional elements of CDD that are particularly important in the context of NPPS:
             
             User identification and verification. Many, if not most, NPPS involve the use of digital as opposed to face-to-face methods of onboarding and identifying customers (a.k.a. “electronic Know Your Customer,” or “e-KYC”). Digital delivery of services is increasingly common, but can present higher risks when LFIs do not take appropriate steps to ensure that they fully understand the customer and that the person using the services is in fact the identified customer. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions) LFIs must use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original passport which must be certified (i.e. certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.
             
             Use of IP addresses and geographical (spatial and temporal) locators. As discussed above, payment services that are internet-based or accessible through smartphones can allow customers to access financial services no matter where they are in the world. LFIs are of course free to allow their customers to access their services while outside the UAE, but should take advantage of geographical location tools at both the onboarding and the ongoing monitoring stages to ensure that they understand the geographic risk they might be exposed to by their customers. This can include:
             
            o Requiring additional authentication or verification when a customer accesses the service from an IP address or device different from the one used at onboarding, or from a different country and/or time zone than the customer’s stated country of residence.
             
            o Reviewing the customer’s log-in locations during CDD refresh to identify any suspicious log-in or movement patterns (for example, high numbers of transactions taking place when the customer is near a border with a high-risk country where the PPS is blocked).
             
             SVF due diligence: As per Article 14.4 of the SVF Regulation, risk mitigating measures should include: (a) the application of limits on the maximum storage values, cumulative turnover or transaction amounts; (b) disallowing higher risk funding sources; (c) restricting the SVF product being used for higher risk activities; (d) restricting higher risk functions such as cash access; and (e) implementing measures to detect multiple SVF accounts/cards held by the same Customer or group of Customers.
             
             Merchant due diligence. Payment Sector participants that deal directly with merchants (whether as providers of SVF or card schemes, or conducting merchant acquisition or payment aggregation) may have two main classes of customers: consumers and merchants. It is important to remember that merchants who use the service are customers of the LFI and that merchants that may engage in deceptive or fraudulent business practices or use their legitimate business as a cover for criminal activities, can expose the LFI to extremely high ML/FT risk. Merchants should therefore be subject to CDD designed to understand the nature of their business and the expected transaction volumes. LFIs should understand the merchant’s current financial and payments operations and in particular ascertain why the merchant is seeking a new provider of financial services, as fraudulent merchants may move from LFI to LFI seeking to conceal their activities. Merchants operating in higher-risk sectors, and those that are cash-intensive businesses, are likely to require EDD that could involve performing a periodic site visit of the merchant’s place of business. For more information, please consult the CBUAE’s Guidance for LFIs providing services to the Real Estate and Precious Metals and Stones sectors, and Guidance for LFIs providing services to Cash-Intensive Businesses.
             
            As per Article 7 of the AML-CFT Decision, all customers must be subject to ongoing monitoring to make sure that CDD information on file is accurate, complete and up-to-date and to ensure that transactions conducted are consistent with the expected customer profile. To support this process, LFIs should apply solutions that ensure the accuracy and completeness of their data. It also may be appropriate to include non-standard elements of monitoring to reflect the risks of payments customers, such as geographic and IP-address monitoring discussed above, and the monitoring of the balance between peer-to-peer and merchant payments in a customer’s account. For merchant relationships, ongoing monitoring should include an examination of the number of ‘chargebacks’ or refunds the LFI has had to award to customers of the merchant, as well as any customer complaints the LFI has received. Where a merchant generates a large number of customer complaints or refund requests, or none at all, it may be a sign that it is operating a fraudulent business.
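The IP-address and location checks described in this section (additional authentication when a log-in differs from onboarding or from the stated residence, and the review of log-in locations at CDD refresh) can be sketched as follows. This is an added example, not part of the CBUAE guidance; the field names, the 50% review threshold, the `XX` country code, the `in_watch_zone` geofence flag and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class OnboardingProfile:
    customer_id: str
    residence_country: str        # stated at CDD (ISO 3166-1 alpha-2)
    residence_utc_offset: float   # hours east of UTC for that residence
    onboarding_ip: str
    onboarding_device: str


@dataclass(frozen=True)
class LoginEvent:
    ip: str
    device: str
    ip_country: str       # assumed to be resolved upstream by a GeoIP lookup
    utc_offset: float     # time zone reported by the client device
    in_watch_zone: bool   # assumed geofence result, e.g. near a flagged border
    tx_count: int         # transactions made during this session


def step_up_reasons(profile, event):
    """Return the reasons this log-in needs additional authentication."""
    reasons = []
    if event.ip != profile.onboarding_ip:
        reasons.append("ip_differs_from_onboarding")
    if event.device != profile.onboarding_device:
        reasons.append("device_differs_from_onboarding")
    if event.ip_country != profile.residence_country:
        reasons.append("country_differs_from_residence")
    # A time zone mismatch while the IP country still matches the residence
    # means the device and the network disagree, which is worth a second look.
    if event.utc_offset != profile.residence_utc_offset:
        reasons.append("timezone_differs_from_residence")
    return reasons


def review_login_locations(profile, events, watch_zone_share=0.5):
    """Summarise log-in locations for a CDD refresh and list findings."""
    tx_by_country = Counter()
    watch_tx = 0
    total_tx = 0
    for event in events:
        tx_by_country[event.ip_country] += event.tx_count
        total_tx += event.tx_count
        if event.in_watch_zone:
            watch_tx += event.tx_count
    share = watch_tx / total_tx if total_tx else 0.0
    abroad = sorted(c for c in tx_by_country if c != profile.residence_country)

    findings = []
    if share >= watch_zone_share:
        findings.append("high_transaction_share_in_watch_zone")
    if abroad:
        findings.append("logins_outside_residence_country")
    return {
        "tx_by_country": dict(tx_by_country),
        "watch_zone_share": round(share, 2),
        "countries_outside_residence": abroad,
        "findings": findings,
    }


# Constructed sample data (documentation IP ranges, placeholder country "XX").
PROFILE = OnboardingProfile("C-1001", "AE", 4.0, "192.0.2.10", "dev-a1")
EVENTS = [
    LoginEvent("192.0.2.10", "dev-a1", "AE", 4.0, False, 5),
    LoginEvent("198.51.100.7", "dev-a1", "AE", 4.0, True, 10),
    LoginEvent("203.0.113.5", "dev-b2", "XX", 3.0, True, 5),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.ip, step_up_reasons(PROFILE, ev))
    print(review_login_locations(PROFILE, EVENTS))
```
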
          • 3.3.2. Controls

            In line with their risk appetite and AML/CFT program, LFIs should develop controls that are commensurate with the nature and size of their business to enable them to manage the risks identified. Effective controls are those designed to minimize or eliminate those aspects of the PPS and NPPS that make them most attractive to illicit actors as discussed in section 2 above. LFIs should in particular consider:
             
             Geographical limits. LFIs should strongly consider using IP addresses and smartphone geolocation capabilities to prevent customers accessing PPS from high-risk countries. There are a number of sources that LFIs can use to develop a list of high-risk countries, jurisdictions, or regions. LFIs should consult any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC)6, the UAE Financial Intelligence Unit (UAE FIU), and the FATF. LFIs may also use public free databases such as, for example, the Basel AML Index7 or the Transparency International Corruption Perceptions Index.8 LFIs should not solely rely on public lists, however, and should consider their own experiences and the nature of their exposure to each jurisdiction when assessing the risk of that jurisdiction. LFIs should be aware, however, that given the widespread availability of Virtual Private Network (VPN) services, simply using IP address-based screening is not likely to be effective in preventing access to their service from specified areas. LFIs that use this control should make sure their systems are designed to detect VPN usage.
             
             Transaction limits. Smaller transactions are not without illicit finance risk, but from the perspective of materiality, transaction and volume limits (daily, weekly, monthly, etc.) can decrease an LFI’s exposure to illicit payments and also make the PPS overall less attractive to illicit actors.
             
             Funding constraints. Requiring customers to fund their accounts and to withdraw funds using only transfers from regulated domestic financial institutions can help protect PPS from the risks related to cash and ensure that the customer will be subject to CDD and monitoring.
             
             Multi-factor authentication. Requiring customers to provide a One-Time Password (OTP), or answer a phone call, or prompt on their smartphone when logging into an internet-based PPS can help prevent the misappropriation of customer funds by hackers. With regard to the OTP, all banks are required to include specific information in the messages that contain an OTP (full transaction amount, detailed beneficiary merchant name and website and a dedicated telephone number for customers to report suspected fraudulent activity). Banks are also required to ensure that card acquirers and issuers assist them to provide the additional OTP information as needed.9
             

            6 Available at: https://www.namlcftc.gov.ae/en/more/jurisdictions/
            7 Available at: https://baselgovernance.org/basel-aml-index
            8 Available at: https://www.transparency.org/en/cpi/2020/index/nzl
            9 Notice 4892/2021 issued by the CBUAE to all Banks in October 2021 regarding “One-Time Password (OTP) for card transactions”.

          • 3.3.3. Wire Transfers Requirements

            Articles 27-29 of the AML-CFT Decision contain specific requirements with regard to information that LFIs must collect, and transmit with the wire transfer, when conducting international wire transfers as well as specific obligations related to domestic wire transfers. In addition, Guidance on CDD measures concerning wire transfers is laid down in section 6.3.2 of the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions. It is important to note that since many Payment Sector participants qualify as financial institutions, the applicability of these requirements is wide-ranging.

        • 3.4. Preventive Measures for LFIs Providing Services to other Payment Sector Participants

          • 3.4.1. Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring

            As mentioned above, LFIs must conduct appropriate CDD on all customers, regardless of their type or sector. The majority, if not all, of Payment Sector participant customers will be legal persons for which LFIs should conduct CDD as required by Articles 8 and 9 of the AML-CFT Decision. In particular, under Article 9 of the AML-CFT Decision, LFIs are required to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more, and where no such individual meets this description, the LFI must identify and verify the identity of the relevant individual(s) holding the senior management position in the entity. For more information, please consult the CBUAE’s Guidance for Licensed Financial Institutions providing services to Legal Persons and Arrangements. LFIs should ensure that their contractual agreements with Payment Sector participant customers ensure that the LFI can access necessary information in a timely fashion. If LFIs cannot access this information in accordance with timelines laid out in its policies, they should consider restricting and ultimately terminating the relationship.
             
            Furthermore, as per Articles 8.3 and 4 of the AML-CFT Decision, for all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s products and services. In the context of payments, the LFI must understand whether and how its services are being used by its Payment Sector participant customer to facilitate provision of the PPS to its customer (Payment Sector participant customers may also be transacting on a proprietary basis). This should include a determination of whether nesting will take place. If the LFI prohibits nesting, it should make that prohibition clear to the customer.
             
            In addition to the standard required CDD elements of Sections 2 and 3 of the AML-CFT Decision, LFIs should collect all the information necessary to risk-rate the Payment Sector participant customer considering the risk factors described in section 3.2 above and whether aspects of the customer profile require EDD. LFIs should also consider the following steps to gain a more detailed understanding of the customer’s business in order to be sure that they fully understand it:
             
             Review the customer’s promotional materials, including its website, to understand its target customers and the services it purports to offer.
             
             Understand how the customer provides payment services, the other participants it works with to do so, and whether it uses agents or affiliates.
             
             Require the customer to identify its major merchant customers by providing information such as the merchant’s name, principal business activity, geographic location, and transaction volume, and use public records searches or information provided by the customer to determine whether these merchants are operating a legitimate business.
             
             Visit the customer’s headquarters and business operations center and evaluate the customer’s AML/CFT controls.
             
             Review public databases to ensure that the customer, its beneficial owners, and its senior management have not been subject to law enforcement actions.
             
            Under Article 7 of the AML-CFT Decision, all customers must also be subject to ongoing monitoring throughout the business relationship. Changes in the design or structure of a PPS, as well as changes in a Payment Sector participant’s customer base (including both the consumer and merchant customer base), can have a major impact on the overall risk associated with the Payment Sector participant. Ongoing monitoring of the customer relationship should be sufficiently rigorous to identify when such changes have taken place, as well as any other changes that impact the customer’s risk rating, and should be conducted at a frequency appropriate to the customer’s risk and the materiality of its transactions. Ongoing monitoring should also include a review of the customer’s transactional activity to determine whether it is in line with expectations established at onboarding and with activity during the previous review period. Sharp or substantial changes in activity may have a fully legitimate cause, such as growth in the customer’s user base, but LFIs should still ensure they understand the reasons for these changes.
          • 3.4.2. Correspondent Due Diligence

            Article 25 of the AML-CFT Decision sets out specific mandatory requirements for LFIs entering into a Correspondent Banking Relationship or any similar relationship, no matter the nature of their customer, which include the following:
             
             Refrain from entering into or maintaining a Correspondent Banking Relationship with shell banks or an institution that allows their accounts to be used by shell banks;
             
             Collect sufficient information about any receiving correspondent banking institution for the purpose of identifying and achieving a full understanding of the nature of its business and to make available, through publicly available information, its reputation and level of control, including whether it has been investigated;
             
             Evaluate the AML/CFT controls applied by the receiving institution;
             
             Obtain approval from senior management before establishing a new Correspondent Banking Relationship; and
             
             Understand each institution’s AML/CFT responsibilities.
             
            In the context of Correspondent Banking Relationships with Payment Sector participants, LFIs should conduct correspondent due diligence that reflects the unique risks and features of those relationships. As discussed above, in the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. Thus, LFIs should be aware of intermediated risk posed by Payment Sector participants—including providers of SVF, retail payment services, and card schemes—that access banking services through their accounts with an LFI. As a result, LFIs should in particular consider:
             
             Regulatory status. As discussed above in section 2.1.4, jurisdictions take different approaches to regulating the Payment Sector, and not all Payment Sector participants that would qualify as financial institutions under the UAE’s legal and regulatory framework are required to be licensed and regulated in their home jurisdiction. When offering services to a foreign entity, LFIs should consider not just its licensing status under its home jurisdiction’s laws, but its licensing status should it carry out those same activities in the UAE. Where a foreign entity would require a license in the UAE, LFIs should treat it as a financial institution and subject it to correspondent due diligence. In these cases, LFIs should be particularly cautious to ensure that their correspondent implements an AML/CFT program that at least meets the requirements of the AML-CFT Law and Decision, and be aware that the correspondent is likely not supervised to ensure effective implementation of this program, increasing its risk.
             
             Merchant Due Diligence. LFIs should ensure that their Payment Sector participant customers conduct appropriate due diligence not just on customers but on merchants as well. LFIs should request and review the correspondent’s due diligence policies, procedures, and processes to determine the adequacy of its due diligence standards for merchant and consumer customers.
             
             Controls related to nesting. When an LFI offers services to a correspondent without knowing that nesting is taking place, it is unable to take appropriate measures to manage the risk of the nested relationship and, thus, likely to be exposed to higher risks. LFIs should therefore always understand all purposes for which the correspondent account will be used and ensure that the CDD and monitoring applied to the relationship will assess whether nesting is taking place.
             
             Testing and auditing. On a risk-basis, LFIs should consider taking active measures to test the correspondent’s AML/CFT program. This can include, at a minimum, reviewing the correspondent’s internal audit reports and can extend to requiring the correspondent to hire an external auditor, conducting on-site reviews and discussions at the correspondent’s premises.
             
        • 3.5. Targeted Financial Sanctions

          Article 16.1 of the AML-CFT Law and Article 60 of the AML-CFT Decision require LFIs to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council under Chapter VII of the Charter of the United Nations. In furtherance of this requirement, the Cabinet Decision 74 of 2020 sets out the legal and regulatory framework in the UAE regarding Targeted Financial Sanctions (“TFS”), including the Local Terrorist List and the UN Consolidated List. For more information, please consult the Executive Office of the Committee for Goods and Material Subjected to Import and Export Control’s Guidance on TFS for Financial Institutions and Designated Non-financial Business and Professions and Virtual Assets Service Providers10, the CBUAE’s Guidance for LFIs on the Implementation of TFS, and Guidance for LFIs on Transaction monitoring and Sanctions screening11.

          LFIs should take appropriate steps to develop, implement and regularly update an appropriate Sanctions Compliance Program in order to fulfil their obligation to comply with the related requirements that includes screening of customers and transactions. LFIs should be aware that, for all PPS they offer, they should have in place operational systems that ensure they can appropriately screen transactions related to those products or services. If they cannot conduct appropriate screening, they should not offer that product or service. LFIs should also ensure that the required information fields are created and duly transmitted throughout the payment cycle across the different PPS. LFIs should screen all information they have about a transaction, including any messages between users engaging in a peer-to-peer transfer that may have a non-uniform number of characters, use special characters, or present other challenges to screening systems.
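Screening free-text fields such as peer-to-peer messages, which vary in length and may carry special characters, depends on normalising the text before matching. The sketch below is an added example, not part of the CBUAE guidance or of any screening product; the watchlist entries, field names and sample transactions are constructed, and exact matching after normalisation stands in for whatever matching logic an LFI's screening system actually applies.

```python
import unicodedata

# Constructed entries; a real program loads the lists it is required to apply.
WATCHLIST = ["Ivan Exampleov", "Acme Shell Trading LLC"]

# Hypothetical field names for a payment record.
REQUIRED_FIELDS = ("payer_name", "payee_name")
OPTIONAL_FIELDS = ("message",)


def normalise(text):
    """Fold a string to comparable tokens.

    NFKD maps full-width and other compatibility forms to their base letters,
    combining marks (accents) are dropped, case is folded, and every
    character that is not a letter or digit becomes a separator.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = no_marks.casefold()
    return "".join(ch if ch.isalnum() else " " for ch in folded).split()


def find_hits(text, watchlist=WATCHLIST):
    """Return (entry, match_kind) pairs for watchlist names found in text.

    "token"    : the name appears as consecutive whole words.
    "squashed" : the name appears only once separators are removed, which
                 catches spaced-out or punctuated spellings; it can also
                 collide across word boundaries, so it is meant for review.
    """
    tokens = normalise(text)
    squashed = "".join(tokens)
    hits = []
    for entry in watchlist:
        name = normalise(entry)
        if not name:
            continue
        n = len(name)
        if any(tokens[i:i + n] == name for i in range(len(tokens) - n + 1)):
            hits.append((entry, "token"))
        elif "".join(name) in squashed:
            hits.append((entry, "squashed"))
    return hits


def screen_transaction(tx, watchlist=WATCHLIST):
    """Screen every text field of a payment and report absent required fields."""
    result = {"hits": [], "missing_fields": []}
    for field in REQUIRED_FIELDS + OPTIONAL_FIELDS:
        value = tx.get(field) or ""
        if not value.strip():
            if field in REQUIRED_FIELDS:
                result["missing_fields"].append(field)
            continue
        for entry, kind in find_hits(value, watchlist):
            result["hits"].append((field, entry, kind))
    return result


# Constructed sample messages and payment record.
SAMPLE_MESSAGES = [
    "Rent for May, thanks",
    "pay ÍVAN   exampleov!!",
    "for I.v.a.n_E-x-a-m-p-l-e-o-v \U0001F642",
    "invoice ＡＣＭＥ Shell Trading LLC",
]
SAMPLE_TX = {
    "payer_name": "Sample Payer",
    "payee_name": "",
    "message": "gift from ivan exampleov",
}

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), find_hits(msg))
    print(screen_transaction(SAMPLE_TX))
```
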

          An LFI that does not wish to have any exposure to high-risk countries will need to take additional measures to control where its customers use its products or services. Furthermore, sanctions risk assessments can change from time to time depending on where a customer is currently located. In intermediated correspondent relationships, LFIs should ensure that they fully understand their correspondents’ sanctions screening approaches, and should not process any payments for a correspondent unless they are entirely confident that the correspondent conducts appropriate screening. LFIs cannot rely on another LFI to fulfill screening obligations related to transactions on their own accounts or systems.

          Furthermore, LFIs must sign up for the Integrated Enquiries Management System (“IEMS”) introduced by the UAE FIU to automate and facilitate the execution process of requests for information, implementing decisions of public prosecutions and any other type of ML/FT requests. Via this system, the FIU can make requests to all LFIs simultaneously with the goal of processing requests and providing results to law enforcement authorities more efficiently. For more information, please consult the IEMS User Guide published by the UAE FIU.12


          10 Available at https://www.uaeiec.gov.ae/en-us/un-page#
          11 Available at https://www.centralbank.ae/en/cbuae-amlcft
          12 Available at https://www.uaefiu.gov.ae/media/jtdnttby/integrated-enquiry-management-system.pdf

        • 3.6. Transaction Monitoring and Suspicious Transaction Reporting

          Under Article 16 of the AML-CFT Decision, LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (STR), a Suspicious Activity Report (SAR) or other report types. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD. In all cases, the appropriate type and degree of monitoring should appropriately match the ML/FT risks of the institution’s customers, products and services, delivery channels, and geographic exposure. For more information, please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening.

          As required by Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, LFIs must file an STR, a SAR or other report types with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, is related to a crime, or is intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs alert law enforcement authorities about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.

          As discussed above, in the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. Although LFIs cannot outsource their responsibility to report suspicious activity, they can outsource certain aspects of transaction monitoring. In the prepaid card scheme described in section 2.1.7, for example, the bank that offers the prepaid cards may outsource automated transaction monitoring to the program manager, which has more direct insight into individual transactions. The bank in this situation, and any LFI that outsources any elements of transaction monitoring, nevertheless retains ultimate responsibility for identifying and reporting suspicious transactions.

        • 3.7. Governance and Training

          The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. Therefore, in addition to the mandatory governance and training requirements set forth in the AML-CFT Law and Decision, Payment Sector participants and LFIs providing them services should endeavor to incorporate the following considerations into the design of their governance frameworks and their training programs.
           
           • Clear allocation of AML/CFT responsibilities among LFIs. When a network of Payment Sector participants combine to deliver a payment service and execute transactions, risks arise when they do not have a clear understanding of each participant’s AML/CFT responsibilities. Allocating responsibilities is particularly important when some LFIs involved in a payment will not form a relationship with the ultimate customer or beneficiary. Card schemes should have a governing body, but this may not be a requirement for other Payment Sector participants depending on their role in processing payments. LFIs should understand the parties and their roles and responsibilities in the scheme and manage risks accordingly. Any LFI that provides payment services as part of a network should assume full responsibility for CDD. Furthermore, LFIs cannot rely on any other entities to implement elements of the AML/CFT program, such as the appointment of a compliance officer and the reporting of suspicious transactions. Similarly, when a LFI provides services to a Payment Sector participant as part of a Correspondent Banking Relationship, they should also understand each party’s AML/CFT responsibilities and document them in the contract or other program documents. Understanding the parties’ respective AML/CFT responsibilities is a mandatory element of correspondent CDD under Article 25 of the AML-CFT Decision.

           • Agent Governance and Training. Where a payment service or product relies on the use of agents for delivery, it is critical that they are appropriately trained to recognize red flags for illicit activity, and to carry out the elements of the AML/CFT program for which they are responsible. LFIs that use agents should have appropriate programs in place to manage them through effective governance arrangements that, among other measures, set clear requirements for terminating relationships if agents do not comply with the LFI’s policy. LFIs should provide training directly to agents and test their compliance on a regular basis. Where agents participate in sensitive activities, such as cash acceptance or onboarding, they should receive increased training and be subject to additional controls and testing.

           • Employee Training. As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of PPS, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI’s risk and the nature of its operations. For Payment Sector participants that offer PPS as their primary business, employee training should be focused on payments-related risks. For LFIs that offer services to Payment Sector participants, employee training should cover payment risks as appropriate to the employee’s role and responsibilities as well as the LFI’s overall exposure to the sector.
           
      • Annex 1. Synopsis of the Guidance

        Purpose of this Guidance

        Purpose: The purpose of this Guidance is to assist the understanding and effective performance by Licensed Financial Institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE.
        Applicability: This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, stored value facilities, retail payment service providers, and card schemes.

        Understanding Risks

        ML/FT Risks of the Payment Sector

        Characteristics of the Movement of Funds: Payment Products and Services (PPS) and New Payment Products and Services (NPPS) in particular are extremely attractive to illicit actors because of the rapid movement of funds between Payment Sector participants and across borders. The risks vary based on transaction speed, transaction limits, closed vs. open loop system, methods of funding and access to cash, payment transparency, ability for one person to create multiple accounts, non-face-to-face relationships, and use of virtual assets (the latter is addressed in a separate guidance to be issued by CBUAE).
        Peer-to-Peer Payments: NPPS allow participants to send money that will be instantly available to the beneficiary, reducing the need for trust in the relationship. The use of PPS for peer-to-peer payments creates risk for financial institutions because transactions can flow through third parties that may not be subject to AML/CFT requirements.
        Cross-Border Movement: Many NPPS can be used globally for making payments or transferring funds, thus introducing banks to new geographical exposure. Unlike cross-border wires, which carry full identifying information, banks will frequently only see the customer's transactions with the payment network itself, rather than their location or ultimate destination.
        Global Regulatory Gaps: Countries take a variety of approaches to regulating the Payment Sector and there is no one widely accepted classification of participants. And participants, as relatively new market entrants, may lack the experience, expertise, or commitment to apply fully effective preventive measures.
        Intermediation: A number of participants are potentially involved in a single transaction. Intermediated transactions create risk because no regulated entity participating in the transaction has the visibility necessary to fully understand the transaction and the participants.
        Nesting: Nesting is a form of intermediation that presents specific risks. In most Correspondent Banking Relationships that involve nesting, the respondent financial institution is not aware of individual transactions ordered by the ultimate customer.
        Use of Agents and Affiliates: Payment Sector participants often interact in a dense web of agency and affiliate relationships. A large number of entities involved in the NPPS, in particular when involving several countries, may increase the ML/FT risk. The interplay between different entities can lead to risks from intermediation and also when the participating entities have not assigned clear responsibility for compliance with AML/CFT requirements.
        Merchant Risks: Globally, Payment Sector participants including providers of NPPS have been abused by or directly complicit with merchants who offer fraudulent or illegal goods or services, or whose business models pose reputational risks to financial institutions. Relying on third parties to conduct customer due diligence (CDD) on merchants can also increase risk if the relationship is not well-governed.

        ML/FT Risks for LFIs Providing Services to Payment Sector Participants

        Correspondent and Correspondent-Type Risk: Correspondent Banking Relationships in which the correspondent's customers' funds flow through an account held at the respondent financial institution are particularly high risk, because they expose the respondent institution directly to any potentially illicit activity in which the correspondent's customers are engaged. Because banks that offer services to correspondents have limited information on these transactions, they are reliant on the correspondent to implement an effective AML/CFT program.
        Other Risks Related to Intermediation: Even banks that view themselves as having limited to no exposure to NPPS may have indirect exposure through customers who link their bank accounts to payment apps, or use their bank accounts to fund stored value facilities (SVF) accounts or wallets, or withdraw funds as cash and use it to purchase other prepaid instruments.
        Risks Related to Outsourcing: Banks often serve as the backbones of PPS such as credit, debit, and prepaid schemes without serving as the administrator or governing body of the scheme. Banks involved in these schemes often outsource CDD and other elements of the AML/CFT program to the program operators who have more direct contact with customers and insight to movement of funds. But banks remain responsible for implementing an effective and compliant AML/CFT program.

        Mitigating Risks

        AML/CFT obligations under CBUAE Regulations: In addition to this guidance, LFIs including non-bank payment service providers should carefully review all the relevant regulations issued by the CBUAE, which provide a comprehensive coverage of all payment products, services, and systems that are issued, provided and/or operated in the UAE, to ensure they fully understand and comply with their AML/CFT obligations. In 2020-2021 the CBUAE issued the SVF Regulation, the Retail Payment Services and Card Schemes Regulation, the Large Value Payment Systems Regulation, and the Retail Payment Systems Regulation.
        Risk Assessment: An appropriate risk assessment should consider all the PPS that an LFI provides, and the LFI's direct relationships to Payment Sector participants, both domestic and foreign. When assessing an LFI's direct exposure to the Payment Sector, the LFI should consider the risk factors discussed in section 2 of the Guidance, such as the movement of funds, mode of funding, and peer-to-peer payments among others. Where LFIs provide services to Payment Sector participants, they should also assess the risk of the relationship as well as their indirect exposure to the Payment Sector through their customers.

        Preventive Measures for LFIs Providing Products and Services directly to Customers

        Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring: LFIs must perform all the elements of CDD, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer's business and purpose of the relationship, and ongoing monitoring. In addition to these mandatory elements, LFIs should consider the following elements that are particularly important in the context of NPPS: user identification and verification, use of IP addresses and geographical (spatial and temporal) locators, and SVF and merchant due diligence.
        Controls: LFIs should develop controls that are commensurate with the nature and size of their business to manage the risks identified. LFIs should in particular consider geographical limits, transaction limits, funding constraints, and multi-factor authentication to minimize or eliminate those aspects of the PPS and NPPS that make them most attractive to illicit actors.
        Wire Transfers Requirements: The AML-CFT Decision contains specific requirements with regard to information that LFIs must collect, and transmit with the wire transfer, when conducting an international wire transfer as well as specific obligations related to domestic wire transfers (the Guidelines further contain CDD measures). Since many Payment Sector participants qualify as financial institutions, the applicability of these requirements is wide-ranging.

        Preventive Measures for LFIs Providing Services to other Payment Sector Participants

        Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring: LFIs must conduct appropriate CDD on all customers, regardless of their type or sector (the majority, if not all, of Payment Sector participant customers will be legal persons). In this context, the LFIs should also consider a determination of whether nesting will take place. In addition to the standard required CDD elements, LFIs should collect all the information necessary to risk-rate the Payment Sector participant customer and evaluate whether aspects of the customer profile require EDD. All customers must also be subject to ongoing monitoring throughout the business relationship.
        Correspondent Due Diligence: In the context of Correspondent Banking Relationships with Payment Sector participants, LFIs should conduct correspondent due diligence that reflects the unique risks and features of those relationships. In the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. LFIs should in particular consider regulatory status, merchant due diligence, controls relating to nesting, and testing and auditing of the correspondent's AML/CFT program.

        Targeted Financial Sanctions: LFIs are required to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council under Chapter VII of the Charter of the United Nations and the requirements set by Cabinet Decision 74 of 2020 regarding Targeted Financial Sanctions. LFIs should be aware that, for all PPS they offer, they should have in place operational systems that ensure they can appropriately screen transactions related to those products or services. In intermediated correspondent relationships, LFIs should ensure that they fully understand their correspondents' sanctions screening approaches, and should not process any payments for a correspondent unless they are entirely confident that the correspondent conducts appropriate screening.
        Transaction Monitoring and Suspicious Transaction Reporting: LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (STR), a Suspicious Activity report (SAR), or other report types. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD. As discussed above, in the case of extended, intermediated transaction chains such as those frequently seen in the Payment Sector, each LFI involved is ultimately responsible for monitoring all transactions processed or conducted through the LFI, using the information available to it. Any LFI that outsources any elements of transaction monitoring retains ultimate responsibility for identifying and reporting suspicious transactions.
        Governance and Training: Payment Sector participants and LFIs providing them services should endeavor to incorporate the following considerations into the design of their governance frameworks and their training programs: clear allocation of AML/CFT responsibilities among LFIs, agent governance and training, and employee training. When a network of Payment Sector participants combine to deliver a payment service and execute transactions, risks arise when they do not have a clear understanding of each participant's AML/CFT responsibilities. Any LFI that provides payment services as part of a network should assume full responsibility for CDD. When a LFI provides services to a Payment Sector participant as part of a Correspondent Banking Relationship, they should also understand each party's AML/CFT responsibilities and document them in the contract or other program documents.
    • Guidance for Licensed Financial Institutions on the Risks Relating to Politically Exposed Persons

      Effective from 1/8/2022
      • 1. Introduction

        • 1.1. Purpose of the Guidance

          Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

          The purpose of this Guidance is to assist the understanding and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed financial institutions (“LFIs”) of their statutory obligations under the legal and regulatory framework in force in the UAE. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.1 As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for LFIs to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the CBUAE.

          Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), industry best practices and red flag indicators identified by the FATF. These are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs should perform their own assessments of the manner in which they should meet their statutory obligations.

          This Guidance comes into effect immediately upon its issuance by the CBUAE with LFIs expected to demonstrate compliance with its requirements within one month from its coming into effect.


          1 Available at https://www.centralbank.ae/en/cbuae-amlcft.

        • 1.2. Applicability

          Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

           • National banks, branches of foreign banks, exchange houses, finance companies, stored value facilities, retail payment service providers, card schemes, registered hawala providers and other LFIs; and
           • Insurance and re-insurance companies, agencies, and brokers.
        • 1.4. Acronyms and Definitions

          Heads of International Organizations (HIO): Natural persons who are or have been entrusted with the management or any prominent function within an international organization.

          International Organizations: Entities established by formal political agreements between their Member States that have the status of international treaties; their existence is recognised by law in their member countries; and they are not treated as resident institutional units of the countries in which they are located. Examples of international organisations include the United Nations and affiliated international organisations; regional international organisations; military international organisations, and economic organisations.

          Politically Exposed Persons (PEP): Natural persons who are or have been entrusted with a prominent public function in the UAE or any other foreign country such as heads of states or governments, senior politicians, senior government officials, judicial or military officials, senior executive managers of state owned corporations, and senior officials of political parties, and persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation; and the definition also includes the following:

           • Direct family members (of the PEP who are spouses, children, spouses of children, parents)
           • Associates known to be close to the PEP, which include:
            ◦ Individuals having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP;
            ◦ Individuals having individual ownership rights in a legal person or arrangement established in favor of the PEP.

          Related Customers: Customers that are the direct family members of a PEP or the associates known to be close to a PEP.

      • 2. Understanding Risks

        Article 15 of the AML-CFT Decision and the FATF standards impose specific Customer Due Diligence (CDD) obligations on LFIs with respect to Customers that are Politically Exposed Persons (PEPs) which include the Direct Family Members or Associates Known to be Close to the PEPs. The AML-CFT Law and Decision give special attention to these customers because they are likely to expose LFIs to a heightened risk of money laundering, terrorism financing, and other illicit finance. The special requirements related to PEPs are not an indication that LFIs should avoid dealing with such customers. Instead, these requirements are meant to ensure that LFIs have done the due diligence necessary to fully identify and understand their customers and have made fully-informed decisions regarding whether or not to accept the customer or to continue the relationship. There are three sub-groups of PEPs:

         • PEPs who are or have been entrusted with their prominent public position in the UAE are known as “domestic PEPs”;
         • PEPs who are or have been entrusted with their prominent public position in any other foreign country are known as “foreign PEPs”; and
         • PEPs who are or have been entrusted with the management or any prominent function within an international organization are known as “Heads of International Organizations (HIOs)”.

        Customers that are PEPs, and transactions involving PEPs, receive special attention under the UAE legal and regulatory framework and the FATF standards because they bear a higher risk of involvement in certain proceeds-generating offenses: corruption, misuse or theft of public funds, and bribery. It is important to note that the majority of PEPs are law-abiding public servants and that no more than a small percentage of PEPs are involved in these offenses. Nevertheless, the risk is still higher than in the general population.

        PEPs are at higher risk of involvement in these crimes because of the powers that come with their position or status. Most importantly, a PEP has power or influence over how government funds are spent, or over state action. PEPs may use their power or influence to directly enrich themselves, their family members, and their associates, by stealing or misdirecting government funds. Or they may sell their power or influence to illicit actors who are seeking to obtain a specific outcome, whether it is a lucrative contract, the passage of a regulation, or the transfer of government secrets.

        The AML-CFT Decision also requires LFIs to perform the same specific due diligence on the direct family members and known close associates of a PEP. These individuals may not themselves have any direct power or influence over government actions, but they nevertheless present higher risks to LFIs as a result of their relationship with a PEP.

         • PEPs, knowing that their financial transactions will be subject to scrutiny, may use family members or associates to carry out illicit transactions or collect illicit funds, in an attempt to hide their involvement in a transaction and their illicit gains. In many countries where corruption is an issue, PEPs themselves may nominally possess few assets, while their family members and associates openly display their wealth.
         • Illicit actors seeking to persuade a PEP to take certain actions may seek to achieve this goal by paying off the people close to the PEP, the PEP’s family members and close associates. For instance, a person seeking a government contract may pay a PEP’s spouse to “put in a good word for him or her” with the PEP, or to gain access to the PEP by inviting the contractor to the PEP’s home. These payments may be made with or without the knowledge or consent of the PEP.

        Article 15 of the AML-CFT Decision also requires LFIs to identify those legal person and legal arrangement customers that have at least one beneficial owner who is a PEP (see sections 3.2.1 and 3.2.2 below). In this Guidance, customers that are the direct family members of a PEP, the known close associates of a PEP, or that are legal persons or legal arrangements with at least one beneficial owner who is a PEP will be referred to as “Related Customers.”

        Although LFIs are required to apply special procedures for all PEPs and Related Customers, not all PEPs and Related Customers are equally high-risk. The sources of risk for a PEP are closely related to the risk that a PEP could have abused his or her position for financial gain. Some factors that can influence the risks of a particular PEP are:

         • The PEP’s ability to control highly consequential outcomes. Certain roles are more likely to attract large-scale corruption. For example, a judge in a traffic court may be offered bribes, but these are likely to be lower in value than the bribes potentially offered to a judge who presides over the trials of organized criminal groups.
         • The authority and independence inherent in the PEP’s role or function. Where a PEP has greater authority or independent decision-making authority, he or she is more likely to be able to achieve outcomes that are beneficial to him/herself or his/her family or associates.
         • The access to funds inherent in the PEP’s role. A PEP that can control the disbursement of funds is likely to have more opportunities for engaging in embezzlement and self-dealing.
         • The nature of governance in the state or organization that has entrusted the PEP with a prominent function. Poor governance undermines transparency and accountability. Strong governance can help ensure that public officials are unable to use their office for gain, or are quickly caught if they do so. Governance is a broad category that includes the strength of anti-corruption laws, the vigor with which corruption is investigated and prosecuted, and the authority of independent public auditors.
         • The overall level of corruption in the state or organization that has entrusted the PEP with a prominent function. Where corruption is rife, public officials are unlikely to be entirely immune.

        The sources of risk for a Related Customer can be divided into two broad categories:

         • The risk of the PEP to which the Related Customer is connected (i.e. understanding the risk of the PEP and its characteristics).
         • The relationship between the Related Customer and the PEP (i.e. the type and strength of the relationship (e.g. the closer the relationship, the more likely the Related Customer is to share the PEP’s risk)).
      • 3. Mitigating Risks

        The AML-CFT Decision contains specific, mandatory requirements for managing risks related to PEPs. It is important for LFIs to be aware that the Decision imposes baseline requirements that are higher than for other types of customers. LFIs cannot choose to omit these requirements even when they consider that risks associated with a specific customer or transaction are low. This does not mean, however, that LFIs are not expected to take a risk-based approach to these customers. LFIs should implement the baseline controls described below as well as consider whether additional controls are necessary when even higher risks are present.

        Furthermore, the sections below discuss how LFIs can apply the required specific preventive measures to identify, manage, and mitigate the risks associated with PEPs. It is not a comprehensive discussion of all AML/CFT requirements imposed on LFIs. LFIs should consult the legal and regulatory framework currently in force, the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations for Financial Institutions, and the CBUAE issued Guidances for further information2. The controls discussed below should at the minimum be integrated into the LFI’s larger AML/CFT compliance program and supported with appropriate governance and training.


        2 Available at https://www.centralbank.ae/en/cbuae-amlcft

        • 3.1. Legal Requirements

          Article 15 of the AML-CFT Decision requires LFIs to carry out specific mandatory due diligence measures on PEPs and Related Customers, in addition to the standard CDD required for all customers under its Section 3 (described in Articles 5-14). In line with FATF standards (Recommendation 12), Article 15 imposes on LFIs different requirements for foreign PEPs as opposed to domestic PEPs and HIOs. For foreign PEPs and Related Customers, LFIs must:

           (a) Put in place suitable risk management systems to determine whether a Customer or the Beneficial Owner is considered a PEP (i.e. a foreign PEP, or the direct family member or known close associate of a PEP).
           (b) Obtain senior management approval before establishing a business relationship, or continuing an existing one, with a PEP (i.e. foreign PEP and Related Customers).
           (c) Take reasonable measures to establish the source of funds and wealth of Customers and Beneficial Owners identified as PEPs (i.e. foreign PEPs and Related Customers).
           (d) Conduct enhanced ongoing monitoring over such relationship (i.e. the relationship with a foreign PEP or Related Customers).

          For domestic PEPs and HIOs and their Related Customers, LFIs must:

           (a) Take sufficient measures to identify whether the Customer or the Beneficial Owner is considered one of those persons (see section 3.2.4).
           (b) Take the measures identified in (b), (c), and (d) when there is a high-risk business relationship accompanying such persons.

          Like the FATF standards, Article 15.2 of the AML-CFT Decision imposes special PEP-related requirements for certain insurance policies, although its requirements apply to a slightly broader range of policies. LFIs must take reasonable measures to determine whether the beneficiary, or the beneficial owner of a beneficiary, of a life insurance policy or of family takaful insurance is a PEP or a Related Customer. If identified as a PEP or Related Customer, LFIs must inform senior management before pay-out of those policies, or prior to the exercise of any rights related to them. LFIs must also thoroughly examine the overall business relationship, and consider filing a suspicious transaction report (STR), a suspicious activity report (SAR) or any other report types with the FIU where applicable (please see section 3.3.2 below).

        • 3.2. Applying Legal Requirements

          • 3.2.1. Classifying Customers as PEPs

            The definition of PEP in the AML-CFT Decision specifically lists the following roles as persons who always qualify as PEPs:

             • Heads of States or Governments;
             • Senior politicians;
             • Senior government officials;
             • Judicial officials;
             • Military officials;
             • Senior executive managers of state-owned corporations;
             • Senior officials of political parties; and
             • Persons who are, or have previously been, entrusted with the management of an international organisation or any prominent function within such an organisation.

            However, as there is no exhaustive list of the positions that qualify an individual as a PEP globally, the above list is not exhaustive and LFIs should use their discretion in identifying PEPs, and develop risk-based policies and procedures to ensure they appropriately identify customers who are PEPs, or the family members or close associates of PEPs.

            For example, LFIs should use discretion in determining whether a customer who is a government official or manager of a state-owned corporation is sufficiently “senior” to qualify as a PEP under the definition of the AML-CFT Decision. Not all public sector employees are PEPs. For example, a civil servant who sorts mail at the post office is unlikely to be a PEP, and although any public employee can carry some level of corruption risk, in such cases the risk is not sufficiently high to warrant special procedures. This distinction is captured in the AML-CFT Decision’s definition of a PEP as a natural person who has been awarded a “prominent public function.” At the same time, the decision whether or not to treat a customer as a PEP cannot be based solely on the customer’s title, rank, civil service grade, or other similar factors. It is also important to be aware that “prominent” is not simply equivalent to ‘famous’ or ‘well-known,’ and that individuals may be “entrusted” with a public function in a wide variety of ways, including by appointment, election, and promotion through the civil service.

            Furthermore, LFIs should also be aware that high risks of corruption can exist even when a customer does not immediately qualify as a PEP by definition. For example, the heads of large trade unions and professional associations are likely to wield political power without having been appointed to those roles by a government or international organization. LFIs may decide, in terms of their own risk appetite, to treat such individuals as PEPs.

            The determination of whether a customer is a PEP should therefore consider a number of factors, including, most importantly, whether the natural person currently holds, or has recently held, a role that gives him or her power or influence over decisions, policy or the disbursal of funds belonging to a government or an international organization. Factors to consider when making this determination include the nature of the political and governance system in the country or international organization where the customer holds his or her position; roles and responsibilities within that system; authority over government decisions and activities, and access to government funds and assets (whether directly or indirectly such as through the awarding of government contracts).

            PEPs are always natural persons. However, LFIs should perform a PEP analysis on customers who are the beneficial owners of legal persons or legal arrangements. Depending on the customer’s ownership and control structure, it may also be appropriate to perform a PEP analysis on the customer’s senior managing officer or senior management. Where risks are higher, for example, in the case of companies with complex structure and complex trust arrangements, LFIs should consider identifying beneficial owners below the 25% threshold mandated by the AML-CFT Decision. For example, a PEP and his spouse and three children may each own 15% of a company. No single family member would have to be identified as a beneficial owner under UAE law, but when their ownership shares are added together the family clearly exercises control over the company. Such a company would likely need to be subjected to the EDD requirements discussed in section 3.2.6.

          • 3.2.2. Classifying Customers as Related Customers

            The AML-CFT Decision requires LFIs to treat the direct family members and close associates of PEPs as if they were PEPs themselves.

             Article 1 of the AML-CFT Decision defines direct family members of a PEP as the PEP’s spouses, children, spouses of children, and parents.
             Article 1 of the AML-CFT Decision defines close associates of a PEP as:
             
              o Natural persons having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP; and
              o Natural persons having individual ownership rights in a legal person or arrangement established in favour of the PEP.
             

            The above-mentioned relationships should be viewed as a mandatory minimum, not as an exhaustive list of all relationships that may justify treating a customer as a PEP. The link between the family member or the close associate and the PEP determines the level of risk. LFIs should take a risk-based approach and consider whether a relationship exists between their customer and the PEP that could be exploited or abused to obscure the PEP’s connection to illicit funds.

            For example, an LFI may choose to also define as direct family members any person in a relationship with a PEP, and, as close associates, partners, prominent members of the same political party or civil organization as the PEP; close friends or advisors; business partners or associates, especially those that share (beneficial) ownership of legal entities with the PEP, or who are otherwise connected (e.g. through joint membership of a company board) in accordance with FATF Guidance and the above-mentioned definition.

            Once an LFI has established that a qualifying relationship exists between a customer (or the beneficial owner of a customer) and a PEP, the LFI must treat the customer as a PEP (or as owned by a PEP). There is one important distinction, however, between a PEP and the direct family member or close associate of a PEP: the latter cannot transfer their status to their own family members and close associates. For example:

             General A is the head of the Air Force of a country. Mr. B, her son, is married to Mrs. B, a private citizen who owns a grocery store. General A is a PEP, and Mr. B and Mrs. B must be treated as PEPs because they are direct family members of General A.
             
             Mrs. B is the daughter-in-law of General A. Her brother, Mr. C, a lawyer in private practice, is not required to be treated as a PEP. Mr. C’s connection to the true PEP (General A) is too distant. Even though Mrs. B is treated as a PEP, Mr. C does not need to also be treated as a PEP merely because he is a sibling of Mrs. B.
             
              LFIs should, however, apply EDD requirements and/or enhanced monitoring of the relationship if they have identified any high risks, such as concerns that the more distant family members or business associates of a PEP may be involved in corruption or any other sort of illicit activity, whether or not it involves the PEP.
             

            Similarly:

             Mr. X is a prominent politician in a country who recently left office, but who may run for office in the future. Following his departure from office, Mr. X and Mrs. Y became cofounders of a real estate development company, with each owning 50% of the company. Due to Mr. X’s prominent function, the partnership has been extensively covered in the media. Mr. X is a PEP because of his recent past position. Mrs. Y must be treated as a PEP because she is a known close associate of Mr. X.
             
             Mrs. Y is also a 50% owner of an entirely separate business that manufactures cell phones. Mrs. Y’s co-owner of that business, Mr. Z, does not need to be treated as a PEP. As the business partner of a business partner of a PEP, his connection to Mr. X is too distant. LFIs should, however, apply EDD requirements and/or enhanced monitoring of the relationship if they have any concerns that the more distant family members or business associates of a PEP are involved in corruption or any other sort of illicit activity, whether or not it involves the PEP.
          • 3.2.3. Time Limits of PEP Status

            The definition of PEP in the AML-CFT Decision makes clear that a PEP does not cease to qualify as a PEP simply because they no longer hold a prominent public function (i.e. “Natural persons who are or have been entrusted with prominent public functions”). Nor does a Related Customer cease to require PEP treatment simply because the PEP to whom they are related no longer holds that position. A PEP’s risk (and, indirectly, the risk of a Related Customer) derives from the PEP’s power or influence over decisions, funds, or policy. Therefore, it may not be appropriate to continue to treat a customer as a PEP long after they have lost such power or influence. On the other hand, if a PEP has amassed funds through corruption during his or her period in office, the PEP is likely to wait until being out of office to access or enjoy those funds. This means that the corruption risk remains even if a PEP has been out of office for a certain time.

            Because each case is different it would not be appropriate for LFIs to apply a universal rule for determining whether a customer is no longer a PEP (e.g. one year after relinquishing the public position). Therefore, while LFIs may set a schedule to review PEP status, they should make a risk-based decision as to when sufficient time has passed for a customer to no longer be classified as a PEP. Factors to consider when making such a determination include:

             The seniority, prominence, and power inherent in the customer’s (or the customer’s beneficial owner’s) previous role.
             
             The corruption potential of the customer’s previous role. Where there was greater opportunity for illicit gain, it is more likely that the customer’s source of funds will continue to be corrupt proceeds for some time after the customer leaves office.
             
             Whether the customer still exercises informal influence over government decision-making through his or her current formal role (e.g. head of a prominent lobbying organization) or through informal relationships (e.g. the customer is an informal but widely accepted leader of a political party but has no official title).
             
             Whether the previous and current role of the customer are linked in any way.
             
             The customer’s relationships to other PEPs (e.g., if the customer is a retired politician whose children are involved in politics. In such cases the customer would also likely qualify as the family member of a PEP).
             
             The nature and purpose of the business relationship, and the overall risks of the products and services the customer avails or intends to avail.
             
             The customer’s relationship to the PEP. Family relationships tend to endure through time, but business relationships do not always persist. A customer who was formerly the close associate of a PEP, but who severed the business relationship some time ago, may present reduced corruption risk.
          • 3.2.4. PEP Screening

            Classification of a customer as a PEP or a Related Customer should take place during the CDD stage, prior to the commencement of the business relationship. Under Article 15 of the AML-CFT Decision, LFIs are required to have suitable risk management systems in place to determine whether a customer, or the beneficial owner of a customer, is a foreign PEP, or Related Customer and are required to take sufficient measures to identify whether a customer, or the beneficial owner of a customer, is a domestic PEP or an HIO, or Related Customer. In practice, however, it will generally be appropriate to conduct onboarding screening and ongoing screening on all customers. Even citizens of the UAE may qualify as foreign PEPs if they have been entrusted with prominent functions by foreign governments, for example, if they are dual citizens, or held office in a country that does not restrict prominent functions to citizens.

            Screening may begin by including a question in onboarding forms or interviews that inquires whether the customer or any beneficial owner is a PEP or Related Customer. LFIs should not however rely solely on a customer’s assertion, but supplement this basic screening question with additional due diligence such as additional questions regarding the customer’s employment and job title, questions regarding the customer’s sources of funds and wealth, and conducting searches of public records (e.g. internet searches or searches of UAE databases) or proprietary databases. Should searches of public records or proprietary databases reveal adverse media on the potential PEP customer, the LFI should review the adverse media and determine whether it is within the LFI's risk appetite to onboard the potential PEP customer and/or subject the PEP to enhanced monitoring.

            Where customers are public servants, LFIs should be sure to conduct these searches using not only the customer’s name but also the customer’s title, as some useful information (such as lists of high-level government positions) may be available by title only.

            Some PEPs and Related Customers may be determined to conceal their status from financial institutions and the public at large in order to avoid enhanced scrutiny. In these cases, searches of public records or private databases may not reveal their status or the connection between the customer and a PEP. As always, LFIs should be alert to any aspects of a customer profile that are inconsistent or do not have a clear explanation. These ‘red flags’ may be connected to a variety of illicit or questionable activity, including concealed PEP status. Some potential indicators include:

             The customer purports to own and operate a business (particularly a business that relies on political connections) without having the experience or expertise that would likely be considered necessary to successfully operate such a business (e.g., a young person, or a person with no work history, owns a company in an industry that is closely connected to the public sector; or a small firm receives a large government contract that appears far beyond its work experience and capabilities);
             
             The customer engages in financial transactions that are inconsistent with his or her declared income;
             
             A minor, or a person with few assets, owns a shell company;
             
             The customer is a legal arrangement (particularly a complex legal arrangement) where the ultimate settlor and the ultimate beneficiary is the same person;
             
             The customer wishes to engage in complex transactions, or uses complex corporate structures, with no clear economic purpose.
             

            Because a customer transforms from a non-PEP to a PEP immediately on being entrusted with a prominent public function, LFIs should use the ongoing monitoring process to determine whether a customer’s status has changed. Where a PEP customer, or a PEP who is connected to a Related Customer, has lost the prominent public function that qualified him or her for PEP status, ongoing monitoring can also determine whether it is appropriate to no longer classify the customer as a PEP or as a Related Customer, and to cease enhanced measures.

          • 3.2.5. PEP Risk Rating

            Under article 15.1.First.d) of the AML-CFT Decision, LFIs must conduct enhanced ongoing monitoring over relationships with foreign PEPs and Related Customers. This does not mean, however, that such customers should all be automatically assigned the same risk rating. In addition, as per article 15.1.Second.b), for domestic PEPs and HIOs, and their Related Customers, the EDD requirements in section 3.2.6 below are mandatory when there is a high-risk business relationship accompanying such persons. Therefore, it is important to appropriately risk-rate all PEP customers, customers whose beneficial owners are PEPs, and customers that are direct family members and close associates of a PEP. PEP-specific factors to consider in risk rating include:

             The nature of the PEP’s position. As discussed in section 2 above, where a PEP has greater ability to control or influence consequential government decisions, the corruption risk is greater. LFIs should consider, among other factors:
             
              o The nature of the issues or decisions over which the PEP has or had control;
              o The extent to which the PEP had control over the disbursement of funds;
              o The degree of autonomy or independence the PEP has or had in decision-making;
              o The PEP’s rank or status within the government or international organization.
             
             The controls in place in the PEP’s own country or jurisdiction to prevent corruption, including:
             
              o The country’s position on widely adopted global corruption or transparency ratings;
              o The extent to which the country investigates and prosecutes high-level corruption;
              o Whether the country has a free and empowered political opposition and a free press;
              o Whether the agency, body, or organization in which the PEP holds his or her function has an internal audit/inspector/comptroller function;
              o Whether asset disclosure requirements or similar requirements apply to PEPs in that country or jurisdiction.
             

            For Related Customers, LFIs should consider the risk of the PEP to which the customer is connected, and also the nature and extent of the connection, in determining the risk rating.

            The risk-rating process should also take into consideration not just features specific to PEPs but also all the standard elements of customer risk rating, such as the nature of the customer’s business and the products and services the customer intends to use. For example, a PEP who owns a cash-intensive business and seeks to make bulk cash deposits would likely be considered higher risk than a PEP whose only income is his salary, even if the two customers hold similar positions within a similarly high-risk jurisdiction.

            In those cases where a natural person customer has PEP status from two sources, or where more than one PEP is involved in a legal person customer, LFIs should always use the higher risk rating. For example, if a single natural person customer has been appointed to prominent public functions by both the government of the UAE and a foreign government, that customer should be treated as a foreign PEP. Similarly, if a legal person customer has two domestic PEP owners, one high risk and the other medium risk, the legal person customer should be subject to EDD requirements.

          • 3.2.6. Enhanced Due Diligence Requirements

            Under Article 15 of the AML-CFT Decision, when a customer (or the beneficial owner of a customer) is determined to be a foreign PEP or Related Customer, or where a customer (or the beneficial owner of a customer) is determined to be a domestic PEP or HIO or Related Customer, and when there is a high-risk business relationship accompanying such persons, LFIs must take the following mandatory steps:

             Obtain senior management approval before establishing a business relationship, or continuing an existing one, with a PEP or Related Customer. The specific senior management member within the LFI who is responsible for approving these relationships will vary based on the LFI’s own unique governance arrangements. The CBUAE expects that, if the approving member represents the business (e.g. the Chief Executive Officer or Chief Operating Officer) as opposed to the compliance function (e.g. the Compliance Officer), the LFI’s policies and procedures will clearly require that the head of the LFI’s compliance function give an opinion as to whether the risk associated with the customer is acceptable. When approving an existing relationship with a PEP or Related Customer, senior management should be notified and their approval obtained for the continuance of the relationship.
             Take reasonable measures to establish the source of funds, including the source of wealth, of PEPs and Related Customers. This requirement encompasses two distinct concepts:
             
              o Source of funds: The direct source of the funds that are used to initially fund the account, and of any funds that are transacted through the account during the course of the business relationship.
              o Source of wealth: The source of the customer’s overall wealth, whether or not the LFI is exposed to it.
             
              In the case of foreign PEPs, higher risk domestic PEPs or HIOs, and Related Customers, LFIs should understand, at least at a high level, how the customer acquired his or her wealth. The goal of the process is to provide the LFI with a reasonable degree of confidence that the customer has not generated his or her wealth through illicit activities. Determining source of wealth does not require that the LFI identify and account for every one of the customer’s assets. But the LFI should require the customer to provide information on the customer’s total net worth, and the customer’s principal sources of income (e.g., salary, inheritance, business income, spousal support, etc.). The LFI should supplement information provided by the customer with publicly or privately available information, including, for example media reports, public employee asset declarations (where required by the PEP’s national laws), or published salaries for civil service positions.
             
              The LFI should then make two determinations:
             
              o Whether the customer’s stated net worth is consistent with his or her declared sources of income. For example, if a customer who has spent his career in public service claims not to have inherited any funds yet has a net worth of several million of a currency, this would require further investigation. Alternatively, if a customer was a successful business person for most of his career and only recently entered public service, a high net worth may not be a “red flag”.
              o Whether the customer’s stated net worth is consistent with the customer’s financial behavior. PEPs who have engaged in illicit activities may lie about their net worth to hide discrepancies with their disclosed sources of income. This is likely to be exposed, however, when the PEP attempts to engage in financial behavior inconsistent with his or her declared income or net worth. For example, if a PEP declares a total net worth of one million of a currency, this may be consistent with his or her declared licit income; but if he or she chooses to invest a sum equivalent to the entire declared net worth in a speculative investment, this is a sign that his or her wealth requires further investigation.
             
              Where risks are higher, LFIs should perform more intense due diligence on the customer’s source of wealth. For example, if a PEP declares that a substantial portion of his net worth is derived from ownership of a business, the LFI should collect information to satisfy itself that the business exists, is operational, and can reasonably be expected to generate such funds for the PEP.
             
             Conduct enhanced ongoing monitoring of the relationship. LFIs must perform risk-based ongoing monitoring of the business relationship for all customers. In the above-mentioned cases, the required enhanced ongoing monitoring could include a number of actions designed to manage the enhanced risk of these customers:
             
              o Subjecting the customer file to more frequent review and updating, including a manual review of transactions. All customer files should be reviewed on a risk-based schedule. For the highest-risk PEPs and Related Customers, reviewing the file as frequently as every six or nine months may be appropriate. This review should also include a review of substantial transactions on the account to ensure that they are consistent with information provided by the customer regarding source of funds and source of wealth.
              o Applying specific risk-based transaction monitoring rules. Where automated transaction monitoring systems allow it, LFIs should apply specific monitoring rules to all PEPs and Related Customers. These rules should have more sensitive thresholds for alerts, and should also be able to flag transactions between PEPs and Related Customers where both customers maintain accounts with the LFI.
              o Requiring pre-approval for large transactions. It may be appropriate for LFIs to require pre-approval from the compliance function for any transactions representing a substantial portion of the PEP’s declared net worth, taking into consideration the size of the LFI and defined risk appetite.
        • 3.3. Transaction Monitoring and Suspicious Transaction Reporting

          • 3.3.1. Transaction Monitoring

            As required by Article 7 of the AML-CFT Decision, LFIs must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD.

            Monitoring systems can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. In all cases, the type and degree of monitoring should appropriately match the money laundering and financing of terrorism (ML/FT) risks of the institution’s customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an LFI’s business lines or units, where applicable. TM programs should also be calibrated to the size, nature, and complexity of each institution. The transaction monitoring system used by LFIs should be equipped to identify patterns of activity that appear unusual and potentially suspicious for PEP customers as well as unusual behaviour that may indicate that a customer’s business has changed in such a way as to require a high risk rating. Please consult also the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening3 for further information.


            3 Available at: https://www.centralbank.ae/en/cbuae-amlcft

          • 3.3.2. Suspicious Transaction Reporting

            As required by Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, LFIs must file an STR, SAR or other report types with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. As per Article 18 of the AML-CFT Decision, in reporting their suspicions, employees must maintain confidentiality with regard to both the information being reported and the act of reporting itself, and make reasonable efforts to ensure the information and data reported are protected from access by any unauthorised person (please consult also section 7.8 of the CBUAE’s Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations for Financial Institutions). STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. STR filings assist law enforcement in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system. Please consult also the CBUAE’s Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting4 for further information.


            4 Available at: https://www.centralbank.ae/en/cbuae-amlcft

        • 3.4. Governance and Training

          The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. The core of an effective risk-based program is an appropriately experienced AML/CFT Compliance Officer who understands the LFI’s risks and obligations and who has the resources and autonomy necessary to ensure that the LFI’s program is effective. Additionally, the LFI’s senior management must clearly endorse and support the AML/CFT program. As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of PEP customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI’s risk and the nature of its operations. As such, an LFI that has a significant number of PEP customers should offer training that includes an in-depth discussion of risk factors and “red flags” related to such customers (see Annex 1 below).

      • Annex 1. Red flags

        The following is a list of red flags and indicators for suspicion associated with PEPs.5

        PEPS ATTEMPTING TO SHIELD THEIR IDENTITY:

         Use of corporate vehicles (legal entities and legal arrangements) to obscure the beneficial owner.
         Use of corporate vehicles without valid business reason.
         Use of intermediaries when this does not match with normal business practices or when this seems to be used to shield the identity of the PEP.
         Use of family members or close associates as legal owner.
         

        RED FLAGS AND INDICATORS RELATING TO THE PEP AND HIS BEHAVIOUR:

         Use of corporate vehicles (legal entities and legal arrangements) to obscure i) ownership, ii) involved industries or iii) countries.
         The PEP makes inquiries about the institution’s AML policy or PEP policy.
         The PEP seems generally uncomfortable providing information about source of wealth or source of funds.
         The information that is provided by the PEP is inconsistent with other (publicly available) information, such as asset declarations and published official salaries.
         The PEP is unable or reluctant to explain the reason for doing business in the country of the financial institution or Designated Nonfinancial Business and Profession (DNFBP).
         The PEP provides inaccurate or incomplete information.
         The PEP seeks to make use of the services of a financial institution or DNFBP that would normally not cater to foreign or high value clients.
         Funds are repeatedly moved to and from countries to which the PEP does not seem to have ties.
         The PEP is or has been denied entry to the country (visa denial).
         The PEP is from a country that prohibits or restricts its/certain citizens from holding accounts or owning certain property in a foreign country.
         

        THE PEP’S POSITION OR INVOLVEMENT IN BUSINESSES:

         The PEP has a substantial authority over or access to state assets and funds, policies and operations.
         The PEP has control over regulatory approvals, including awarding licences and concessions.
         The PEP has the formal or informal ability to control mechanisms established to prevent and detect ML/FT.
         The PEP (actively) downplays the importance of his/her public function, or the public function s/he is related to or associated with.
         The PEP does not reveal all positions (including those that are ex officio).
         The PEP has access to, control or influence over, government or corporate accounts.
         The PEP (partially) owns or controls financial institutions or DNFBPs, either privately, or ex officio.
         The PEP (partially) owns or controls the financial institution or DNFBP (either privately or ex officio) that is a counterpart or a correspondent in a transaction.
         The PEP is a director or beneficial owner of a legal entity that is a client of a financial institution or a DNFBP.
         

        RED FLAGS AND INDICATORS RELATING TO THE INDUSTRY/SECTOR WITH WHICH THE PEP IS INVOLVED:

         Arms trade and defence industry.
         Banking and finance.
         Businesses active in government procurement, i.e., those whose business is selling to government or state agencies.
         Construction and (large) infrastructure.
         Development and other types of assistance.
         Human health activities.
         Mining and extraction.
         Privatisation.
         Provision of public goods, utilities.
         

        BUSINESS RELATIONSHIP / TRANSACTION, PURPOSE OF BUSINESS RELATIONSHIP:

         Multiple STRs or other reports have been submitted on a PEP.
         (Consistent) use of rounded amounts, where this cannot be explained by the expected business.
         Deposit or withdrawal of large amounts of cash from an account, use of bank cheques or other bearer instruments to make large payments. Use of large amounts of cash in the business relationship.
         Other financial institutions and DNFBPs have terminated the business relationship with the PEP.
         Other financial institutions and DNFBPs have been subject to regulatory actions over doing business with the PEP.
         Personal and business related money flows are difficult to distinguish from each other.
         Financial activity is inconsistent with legitimate or expected activity, funds are moved to or from an account or between financial institutions without a business rationale.
         The account shows substantial activity after a dormant period; or over a relatively short time; or shortly after commencing the business relationship.
         The account shows substantial flow of cash or wire transfers into or out of the account.
         Transactions between non-client corporate vehicles and the PEP’s accounts.
         A PEP is unable or reluctant to provide details or credible explanations for establishing a business relationship, opening an account or conducting transactions.
         A PEP receives large international funds transfers to a gaming account. The PEP withdraws a small amount for gaming purposes and withdraws the balance by way of cheque.
         A PEP uses third parties to exchange gaming chips for cash and vice versa with little or minimal gaming activity.
         A PEP uses multiple bank accounts for no apparent commercial or other reason.
         

        PRODUCTS, SERVICE, TRANSACTION OR DELIVERY CHANNELS:

         Businesses that cater mainly to (high value) foreign clients.
         Trust and company service providers.
         Wire transfers, to and from a PEP account that cannot be economically explained, or that lack relevant originator or beneficiary information.
         Correspondent and concentration accounts.
         Dealers in precious metals and precious stones, or other luxurious goods.
         Dealers in luxurious transport vehicles (such as cars, sports cars, ships, helicopters and planes).
         High-end real estate dealers.
         

        COUNTRY SPECIFIC RED FLAGS AND INDICATORS

         The foreign or domestic PEP is from a higher risk country.
         Additional risks occur if a foreign or domestic PEP from a higher risk country would in his/her position have control or influence over decisions that would effectively address identified shortcomings in the AML/CFT system.
         Foreign or domestic PEPs from countries identified by credible sources as having a high risk of corruption.
         Foreign or domestic PEPs from countries that have not signed or ratified or have not or insufficiently implemented relevant anti-corruption conventions, such as the UNCAC, and the OECD Anti-Bribery Convention.
         Foreign or domestic PEPs from countries with mono economies (economic dependency on one or a few export products), especially if export control or licensing measures have been put in place.
         Foreign or domestic PEPs from countries that are dependent on the export of illicit goods, such as drugs.
         Foreign or domestic PEPs from countries (including political subdivisions) with political systems that are based on personal rule, autocratic regimes, or countries where a major objective is to enrich those in power, and countries with high level of patronage appointments.
         Foreign or domestic PEPs from countries with poor and/or opaque governance and accountability.
         Foreign or domestic PEPs from countries identified by credible sources as having high levels of (organised) crime.

        5 FATF: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-PEP-Rec12-22.pdf

      • Annex 2. Synopsis

        Purpose of this Guidance

        Purpose: The purpose of this Guidance is to assist the understanding and effective performance by licensed financial institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE relating to PEPs.
        Applicability: This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, stored value facilities, retail payment service providers, card schemes, registered Hawala providers, and other LFIs; and insurance and re-insurance companies, agencies, and brokers.

        Understanding Risks

        Article 15 of the AML-CFT Decision and the FATF standards impose specific Customer Due Diligence (CDD) obligations on LFIs with respect to Customers that are Politically Exposed Persons (PEPs) which include the Direct Family Members or Associates Known to be Close to the PEPs. The special requirements related to PEPs are not an indication that LFIs should avoid dealing with such customers. Instead, these requirements are meant to ensure that LFIs have done the due diligence necessary to fully identify, understand their customers and have made fully-informed decisions regarding whether or not to accept the customer or to continue the relationship.

        There are three sub-groups of PEPs: (1) Domestic PEPs; (2) Foreign PEPs; and (3) Heads of International Organizations (HIOs). PEPs are at higher risk of involvement in crimes because of the powers that come with their position or status. PEPs may use their power or influence to directly enrich themselves, their family members, and their associates, by stealing or misdirecting government funds. Customers that are the direct family members of a PEP, the known close associates of a PEP, or that are legal persons or legal arrangements with at least one beneficial owner who is a PEP are referred to as "Related Customers."

        Although LFIs are required to apply special procedures for all PEPs and Related Customers, not all PEPs and Related Customers are equally high-risk. Some factors that can influence the risks of a particular PEP are:

        The PEP's ability to control highly consequential outcomes.
        The authority and independence inherent in the PEP's role or function.
        The access to funds inherent in the PEP's role.
        The nature of governance in the state or organization that has entrusted the PEP with a prominent function.
        The overall level of corruption in the state or organization that has entrusted the PEP with a prominent function.

        The sources of risk for a Related Customer can be divided into two broad categories:

        The risk of the PEP to which the Related Customer is connected
        The relationship between the Related Customer and the PEP.

        Mitigating Risks

        Legal requirements

        The AML-CFT Decision requires LFIs to carry out specific mandatory due diligence measures on PEPs and Related Customers, in addition to the standard CDD required for all customers. In line with FATF standards, the AML-CFT Decision imposes different requirements on LFIs for foreign PEPs as opposed to domestic PEPs and HIOs.

        For foreign PEPs and Related Customers, LFIs must: (1) put in place suitable risk management systems to determine whether a Customer or the Beneficial Owner is considered a PEP; (2) obtain senior management approval before establishing a business relationship, or continuing an existing one, with a PEP; (3) take reasonable measures to establish the source of funds and the sources of wealth of Customers and Beneficial Owners identified as PEPs; and (4) conduct enhanced ongoing monitoring over such relationship.
        For domestic PEPs and HIOs and Related Customers, LFIs must: (1) take sufficient measures to identify if their customer or the Beneficial Owner is considered one of those persons; and (2) take the measures identified in (b), (c), and (d) when there is a high-risk business relationship accompanying such persons.

        LFIs must take reasonable measures to determine whether the beneficiary, or the beneficial owner of a beneficiary, of a life insurance policy or of family takaful insurance is a PEP or a Related Customer. LFIs must inform senior management before pay-out of those policies, or prior to the exercise of any rights related to them. LFIs must also thoroughly examine the overall business relationship.

        Applying Legal Requirements

        Classifying Customers as PEPs:
        The legal definition of PEP specifically lists the roles of persons who always qualify as PEPs, such as Heads of States or Governments, senior politicians, senior government officials, and judicial officials, among others.
        However, as there is no exhaustive list of the positions that qualify an individual as a PEP globally, LFIs should use their discretion in identifying PEPs and develop risk-based policies and procedures to ensure they appropriately identify customers who are PEPs, or the family members or close associates of PEPs.
        The determination of whether a customer is a PEP should therefore consider a number of factors, including, most importantly, whether the natural person currently holds, or has recently held, a role that gives him or her power or influence over decisions, policy or the disbursal of funds belonging to a government or an international organization.
        PEPs are always natural persons, and LFIs should perform a PEP analysis on customers who are the beneficial owners of legal persons or legal arrangements.
        Classifying Customers as Related Customers:
        LFIs are required to treat the direct family members (spouses, children, spouses of children, and parents) and close associates of PEPs (Natural persons having joint ownership rights in a legal person or arrangement or any other close business relationship with the PEP or having individual ownership rights in a legal person or arrangement established in favour of the PEP) as if they were PEPs themselves.
        The above-mentioned relationships should be viewed as a mandatory minimum, not as an exhaustive list of all relationships that may justify treating a customer as a PEP. LFIs should take a risk-based approach and consider whether a relationship exists between their customer and the PEP that could be exploited or abused to obscure the PEP's connection to illicit funds.
        Once an LFI has established that a qualifying relationship exists between a customer (or the beneficial owner of a customer) and a PEP, the LFI must treat the customer as a PEP (or as owned by a PEP). However, there is a distinction between a PEP and the direct family member or close associate of a PEP: the latter cannot transfer their status to their own family members and close associates.
        Time Limits of PEP Status:
        A PEP's risk derives from the PEP's power or influence over decisions, funds, or policy. Therefore, it may not be appropriate to continue to treat a customer as a PEP long after they have lost such power or influence. While LFIs may set a schedule to review PEP status, they should make a risk-based decision as to when sufficient time has passed for a customer to no longer be classified as a PEP.
        Factors to consider when making such a determination include: the seniority and power inherent in the customer's previous role; the corruption potential of the customer's previous role; whether the customer still exercises informal influence over government decision-making through his or her current formal role; whether the previous and current role of the customer are linked in any way; the customer's relationships to other PEPs and the nature and purpose of the business relationship; and the overall risks of the products and services the customer avails or intends to avail.
        PEP Screening:
        Classification of a customer as a PEP or a Related Customer should take place during the CDD stage, prior to the commencement of the business relationship. LFIs are required to have suitable risk management systems in place to determine whether a customer, or the beneficial owner of a customer, is a foreign PEP, or Related Customer and are required to take sufficient measures to identify whether a customer, or the beneficial owner of a customer, is a domestic PEP or an HIO, or Related Customer. In practice, however, it will generally be appropriate to conduct onboarding screening and ongoing screening on all customers.
        Preliminary screening may begin by including a question in onboarding forms or interviews that inquires whether the customer or any beneficial owner is a PEP or Related Customer. LFIs should not, however, rely solely on a customer's assertion, but should supplement this basic screening question with additional due diligence.
        LFIs should be alert to any aspects of a customer profile that are inconsistent or do not have a clear explanation. LFIs should use the ongoing monitoring process to determine whether a customer's status has changed.
        PEP Risk Rating: Under the AML-CFT Decision, LFIs must conduct enhanced ongoing monitoring over relationships with foreign PEPs and Related Customers. Therefore, it is important to appropriately risk-rate all PEP customers, customers whose beneficial owners are PEPs, and customers that are direct family members and close associates of a PEP. PEP-specific factors to consider in risk rating include: the nature of the PEP's position, and the controls in place in the PEP's own country jurisdiction to prevent corruption. For Related Customers, LFIs should consider the risk of the PEP to which the customer is connected, and also the nature and extent of the connection, in determining the risk rating. In cases where a natural person customer has PEP status from two sources, or where more than one PEP is involved in a legal person customer, LFIs should always use the higher risk rating.
        Enhanced Due Diligence Requirements: Under the AML-CFT Decision, when a customer (or the beneficial owner of a customer) is determined to be a foreign PEP or Related Customer, or where a customer is determined to be a domestic PEP or HIO or Related Customer, and when there is a high-risk business relationship accompanying such persons, LFIs must take the following mandatory steps: (1) Obtain senior management approval before establishing a business relationship, or continuing an existing one, with a PEP or Related Customer; (2) take reasonable measures to establish the source of funds, including the source of wealth, of PEPs and Related Customers; and (3) conduct enhanced ongoing monitoring of the relationship.

        Transaction Monitoring and Suspicious Transaction Reporting

        Transaction Monitoring: As required by the AML-CFT Decision, LFIs must continuously monitor all their transactions to ensure that transactions are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. Monitoring systems can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. The transaction monitoring system used by LFIs should be equipped to identify patterns of activity that appear unusual and potentially suspicious for PEP customers as well as unusual behaviour that may indicate that a customer's business has changed in such a way as to require a high-risk rating.
        Suspicious Transaction Reporting: As required by the AML-CFT Law and the AML-CFT Decision, LFIs must file a suspicious transaction report (STR) or suspicious activity report (SAR) or other report types with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime.

        Governance and Training

        The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces. As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks of PEP customers, familiar with the obligations of the LFI, and equipped to apply appropriate risk-based controls.
    • Guidance for the Insurance Sector

      Effective from 31/10/2022
      • 1. Introduction

        • 1.1. Purpose

          Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as amended, charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

          The purpose of this Guidance is to assist the understanding, and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed insurers, agents, and brokers of their statutory obligations under the legal and regulatory framework in force in the UAE. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.1 As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for licensed insurers, agents, and brokers to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the Central Bank.

          Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), industry best practices, and red flag indicators identified by the FATF and leading jurisdictional authorities. These are not exhaustive and do not set limitations on the measures to be taken by licensed insurers, agents, and brokers in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, licensed insurers, agents, and brokers should perform their own assessments of the manner in which they should meet their statutory obligations.

          This Guidance comes into effect immediately upon its issuance by the CBUAE with licensed insurers, agents, and brokers expected to demonstrate compliance with its requirements within one month from its coming into effect.


          1 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

        • 1.2. Applicability

          Unless otherwise noted, this Guidance applies to all insurance and re-insurance companies, agents, and brokers that are licensed and supervised by the CBUAE.

        • 1.4. Acronyms

          Terms    Description
          AML      Anti-money laundering
          CBUAE    Central Bank of the United Arab Emirates
          CDD      Customer due diligence
          CFT      Combating the financing of terrorism
          DNFBP    Designated non-financial business or profession
          EDD      Enhanced due diligence
          FATF     Financial Action Task Force
          FFR      Fund Freeze Report
          FIU      Financial intelligence unit
          LFI      Licensed financial institution
          ML       Money laundering
          PEP      Politically exposed person
          PNMR     Partial Name Match Report
          SAR      Suspicious activity report
          SDD      Simplified due diligence
          STR      Suspicious transaction report
          TF       Terrorist financing
          UN       United Nations
          UNSC     United Nations Security Council
          UNSCR    UN Security Council Resolution

           

      • 2. Understanding and Assessing the ML/FT Risks

        • 2.1. Overview of Insurance Sector Activities and Participants

          The insurance sector offers a range of products and services to individuals and companies designed to provide a guarantee of compensation for specified loss, damage, illness, or death and facilitate financial planning and risk management in the face of uncertain future events. At the most general level, insurance products can be divided into two categories:

           Insurance of persons and funds accumulation (hereafter referred to as “life and other investment-related insurance”), which provides long-term coverage against the risk of a future loss, such as death, and may serve as an alternative long-term savings or investment vehicle (e.g., to be paid out upon retirement); and
           
           Property and liability insurance (hereafter referred to as “general insurance”), which provides shorter-term coverage against the risk of specific losses, such as damage to property, illness and associated medical expenses, or personal or corporate liability.
           

          Both types of insurance may be offered in the UAE by conventional and Takaful insurance companies. The classes and types of the above-mentioned insurance categories are defined by Articles 3 and 4 of the Executive Regulation2 of the Federal Law No. (6) of 2007 on the Establishment of the Insurance Authority & Organization of Its Operations as amended by Federal Law No. 3 of 2018 (“Insurance Law”).

          Under Article 2.16 of the AML-CFT Decision as amended, only life insurance and other investment-related insurance products are subject to the UAE’s AML/CFT legal and regulatory framework. It is therefore critical that each licensed insurer, re-insurer, agent, and broker undertakes a comprehensive assessment of its ML/FT risks, including especially the risks associated with its life insurance and other investment-related insurance product offerings, and that it designs and implements an AML/CFT compliance program that is commensurate with those risks.

          Insurance sector participants include operators in the insurance sector, which sell or facilitate the sale of insurance products and must be licensed by the CBUAE, and customers who own, pay for, and/or are covered by or the beneficiaries of insurance products.

          Principal insurance sector operators, as defined by the Insurance Law, include:

           Insurers, defined as any insurance company incorporated in the UAE or foreign company licensed to carry out insurance operations in the UAE according to the provisions of the Insurance Law, including Takaful insurance companies.
           
             Note: An insurer can issue insurance policies to consumers, or to other insurers or re-insurers, in exchange for payment of a premium.
           
           Re-insurers, defined as any re-insurance company incorporated in the UAE or foreign re-insurance company licensed to carry out insurance operations inside the UAE or a foreign re-insurance company outside the UAE.
           
             Note: Reinsurers are insurers that issue insurance policies to customers that are themselves insurers or reinsurers. Reinsurance includes both “treaty” agreements, which cover broad groups of policies issued by the primary insurer, as well as “facultative” agreements, which cover specific policies or risks, negotiated on an ad hoc basis.
           
           Insurance agents, defined as any natural or legal person approved and authorized by the insurance company to carry out insurance operations on its behalf or on behalf of any branch thereof.
           
             Note: All insurance agents are “tied” agents, meaning they have a contractual agreement to underwrite and sell insurance products exclusively on behalf of a single insurer. Persons who are contractually free to sell insurance on behalf of multiple insurers or as a freestanding intermediary between insurers and consumers are referred to as insurance brokers, as defined below.
           
           Insurance brokers, defined as any legal person who independently intermediates in insurance and re-insurance operations between the insurance or re-insurance seeker on one side and any insurance or re-insurance company on the other side and receives for his efforts commission from the insurance company or the re-insurance company with which the insurance or re-insurance has been accomplished.
           
             Note: Insurance brokers can be authorized by multiple insurers to sell insurance products to consumers (or other insurers or reinsurers) on their behalf or to execute insurance sales as freestanding intermediaries between insurers and consumers, in either case in exchange for payment of a commission from the insurer.
           

          Under the Insurance Law and supporting Insurance Authority Board Resolutions3, insurance operators also include:

           Health insurance third-party administrators, defined as legal persons licensed by the CBUAE to perform health insurance third party administration in accordance with the provisions of the related instructions (e.g. manage health insurance programs and pay health insurance claims on behalf of an insurer);
           Insurance producers, defined as natural or legal persons licensed by the CBUAE to practice the profession of marketing insurance policies through ordinary means or electronic means;
           Price comparison websites (also referred to as “insurance aggregators”), defined as legal persons registered by the CBUAE to provide insurance premium price comparison services using the Internet;
           Consultants, defined as natural or legal persons who study the insurance requirements for their customers, give advice in respect of the suitable insurance coverage, assist in preparing the insurance claims along with conducting the other duties specified in the regulation and receive their fees from their customers;4
           Actuaries, defined as persons who estimate values of the insurance contracts, documents and the related accounts; and
           Loss and damage adjusters, defined as persons who examine the damages occurred to the subject matter of the insurance, and assess them.
           

          However, as these participants are not involved or play a very limited role in selling or facilitating the sale of insurance products, and as per Article 2 of the AML-CFT Decision, they are not included under Section 1.2. Applicability of this Guidance.

          Principal insurance sector customers include:

           Policyholders or policy owners, defined as natural persons, legal persons, or legal arrangements who own and maintain the contractual rights of an insurance policy, including powers to inject funds, establish the beneficiary, and exercise early surrender rights. In the case of a group policy, the policyholder is the owner of the master policy.
           
           Policy payers, defined as natural persons, legal persons, or legal arrangements who pay the necessary premium to keep the policy in force.
           
           Insured, defined by the Insurance Law as natural persons, legal persons, or legal arrangements who concluded an insurance contract with the Insurer.
           
             Note: In many cases, the policyholder, policy payer, and insured will be the same person. The insured will also be the person covered by the insurance policy.
           
           Beneficiaries, defined by the Insurance Law as natural persons, legal persons, or legal arrangements who acquired the rights of the insurance contract at the start or to whom these rights have been legally transferred.
           
             Note: Beneficiaries and other payees are entitled to receive claim payments, distributions, or other payouts under an insurance policy. The payee of a general insurance policy is typically the insured, although certain property insurance policies may specify a third party, such as a lender or lessor with an interest in the covered property, as entitled to all or part of the claim payments on the policy.5

          2 Insurance Authority – The Board of Directors’ Resolution No. 2 of 2009 on Issuance of the Executive Regulation of the Federal Law No. 6 of 2007 on Establishment of the Insurance Authority and Organization of the Insurance Operations (Published in the Official Gazette No. 504 on 31/01/2010).
          3 Including Insurance Authority Board Resolution No. 9 of 2011 Concerning the Instructions for Licensing Health Insurance Third Party Administrators and Regulation and Control of their Business, Insurance Authority Board of Directors’ Decision No. 12 of 2018 Concerning the Regulation on Licensing and Registration of Insurance Consultants and Organization of their Operations, Insurance Authority Board of Directors’ Resolution No. 27 of 2020 Concerning the Instructions for Licensing Insurance Producers, and Insurance Authority Board of Directors’ Resolution No. 18 of 2020 Concerning the Electronic Insurance Regulations.
          4 Unlike agents and brokers, consultants are not authorized to complete insurance sales (or to “bind coverage”) on behalf of an insurer.
          5 A policyholder’s insurable interest is an interest in the value of the subject of insurance, including any item, event, action, or legal or financial relationship whose loss would cause a financial or other hardship. An insurable interest may result from property rights, contractual rights, or potential legal liability.

        • 2.2. ML/FT Risks Relevant to Life Insurance and other Investment-Related Insurance Products

          Criminal actors may use life insurance and other investment-related insurance products to place illicit proceeds into the financial system, especially (though not exclusively) where the insurer or intermediary accepts premium payments in cash. Such products may be purchased with the intention of either holding the insurance policy over its standard duration or canceling coverage before maturity and, where permitted, withdrawing premiums paid less a penalty (a practice known as “early surrender”) so as to free up funds for alternative uses. Illicit actors may also deliberately overpay premiums and request a refund for the amount overpaid to the insurance carrier in order to trigger payout under a policy. Reimbursed premiums, withdrawn contributions, and payout proceeds (whether legitimate or fraudulent) can then be deposited into a bank account or used to purchase other financial instruments without necessarily revealing the ultimate origin of the funds.

          As noted above, life and other investment-related products are generally considered to present higher ML/FT risk, particularly where they have high cash values upon surrender. The following methods may be employed to launder funds through life insurance and other investment-related insurance products or relationships:

           • Assigning policies and payments to third parties, especially through policies (such as secondhand endowment and bearer insurance policies) that allow the policyholder to change the beneficiary before maturity or surrender without the knowledge or consent of the insurer;
           • Borrowing against the cash surrender value of permanent life insurance policies or using a policy as collateral to purchase other financial instruments;
           • Selling units in investment-linked products, such as annuities;
           • Buying products with insurance termination features without concern for the product’s investment performance; and
           • Establishing fictitious insurance or reinsurance companies or intermediaries in order to place or move illicit proceeds without revealing the true source of funds.
           

          In addition to these vulnerabilities, the insurance sector is also vulnerable to abuse from other types of economic crime, particularly orchestrated fraud. Moreover, even where insurance products or relationships are not directly abused to launder money or perform other illicit transactions, insurance may be purchased by illicit actors to provide an appearance of legitimacy to the underlying, insured activities. As per Article 11.2 of the AML-CFT Decision, LFIs must consider the customer and the beneficiary of life insurance and family Takaful policies as risk factors when determining the applicability of enhanced due diligence procedures (EDD).

          The remainder of this section presents additional examples of key ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products, organized by risks related to insurance products, services and transactions, distribution channels and intermediaries, customers, and geographies. These should be considered by insurance sector operators when performing their financial crimes risk assessments (see section 3.1) and determining the risks presented by specific customers or business activities. Individual risks may be heightened in view of the UAE’s national and regional circumstances and the composition of the local insurance sector. Where a risk factor is coupled with one or more of the red flag indicators provided in Annex 1 of this Guidance, insurance sector operators should consider assigning additional resources or controls to the area of heightened risk, such as by applying enhanced due diligence (“EDD”) or heightened ongoing monitoring.

          Insurance operators are expected to perform and document an enterprise ML/FT risk assessment and keep the risk assessment up to date given material changes to their risk profile or legal, regulatory, or supervisory environment. Additional details on the enterprise risk assessment process and the use of risk assessment findings to support a risk-based approach are provided in section 3.1.

          • 2.2.1. Product Risk Factors

            Product risk is assessed by identifying how vulnerable a product is to money laundering and terrorist financing based on the product’s design. Product risk should be assessed periodically and when significant changes are made to product offerings, including the development of new products, services, or technologies. Product risk is a significant factor in identifying unusual activity.

            The following table describes attributes used to assess the vulnerability of product offerings and provides lower- and higher-risk examples of each.

            Attribute | Lower-risk example | Higher-risk example
            Ability to hold funds or transact large sums | Product design that does not hold a balance or cannot be withdrawn against, such as group benefits | Product design that allows funds to be held on behalf of the customer; high-value or unlimited-value premium payments, overpayments, or large volumes of lower-value payments
            Customer anonymity or third-party transactions | Product design that only allows transactions from customers with identification, or where all funds flow back to the customer | Product design that allows deposits and payments by third parties or that provides for non-face-to-face transactions (e.g., mobile apps where payment source is unknown)
            Liquidity | Product design that does not permit withdrawals or includes significant fees or other penalties for early withdrawals | Product design that has no (or no significant) fees or other penalties for early withdrawal
            Time horizon | Products that are typically held for a long period of time, such as years, until retirement or death | Products that are typically held for a shorter time period
            Purpose or intended use of the product | Product design makes it easy to identify if products are not being used as intended | Product design makes it difficult to identify if products are not being used as intended

             

          • 2.2.2. Service and Transaction Risk Factors

            Service and transaction risk can be assessed by identifying how vulnerable a product is to use by a third party or unintended use based on the methods of transaction available. Service and transaction risk is influenced by product design. Understanding potential service and transaction risks in the business is a significant factor in recognizing unusual activity at a customer level.

            The following table describes attributes used to assess service and transaction risk and provides lower- and higher-risk examples of each.

            Attribute | Lower-risk example | Higher-risk example
            Difficulty in tracing ownership of funds | Preprinted checks, bill payments, and electronic funds transfer (EFT) payments with verified banking records | Cash, bank drafts in bearer form, travelers checks, counter checks (where ownership information is handwritten or typed in a different font than the rest of the check), and potentially some digital currencies
            The customer is not the payer or recipient of the funds | The funds are moved from or to another financial institution | The third-party paying or receiving funds has not previously been disclosed
            Payment source or recipient is based outside of the country | The recipient or payer is the policyholder and is in a low-risk country | The recipient or payer is the policyholder and is in a higher-risk country or is a third party outside the country (making it more difficult to trace or confirm the source of funds)
            Number of transactions | The low number of transactions or transaction frequency that is typical for the product | A large number of transactions back and forth with the customer or third parties, especially where it exceeds typical usage for the product
            Transactional patterns | Regular and expected customer account activity | Significant, unexpected, and unexplained change in the customer’s typical activity, such as early surrenders or withdrawals where such service is offered

             

          • 2.2.3. Distribution Channel and Intermediary Risk Factors

            The distribution channel is the method a customer uses to open a new policy or account. The distribution channel risk is identified by assessing how vulnerable the channel is to money laundering or terrorist financing activities based on attributes that may make it easier to obscure customer identity.

            The risk of failing to identify a customer correctly may be higher for distribution channels that use an intermediary or do not require face-to-face contact. Depending on the product, distribution channel risk may be mitigated by using distributors who are also subject to AML/CFT obligations or a pension scheme subscribed through the customer’s employer.

            The following table describes attributes used to assess the vulnerability of distribution channels and provides lower- and higher-risk examples of each.

            Attribute | Lower-risk example | Higher-risk example
            The distributor has AML/CFT obligations | The distributor is overseen by a regulatory authority and subject to AML/CFT laws equivalent to or stronger than the insurer | Distributor is not subject to AML/CFT requirements
            Payment to an insurer | Customer pays the insurer directly from their account at a bank or securities dealer | The customer pays the distributor, who then pays the insurer
            The direct relationship of customer to insurer | Tied agents, brokers, and banking consultants; products distributed directly by insurers | Non-face-to-face relationships⁶ with insurers or agents (e.g., trusts or insurance sold by telephone or online without adequate safeguards for confirmation of identity)

             


            6 As discussed in section 3.3.1.5 below, relationships in which personal contact between an insurer or agent and the customer is achieved via video teleconference are not considered to be non-face-to-face relationships.

          • 2.2.4. Customer Risk Factors

            Customer-based risk factors are assessed to evaluate the level of vulnerability to ML/FT threats posed by customers based on their characteristics. Understanding the inherent risks enables an insurer, agent, or broker to identify appropriate mitigating controls and manage residual risks. Customer risk factors combined with business risk factors can be used as criteria for risk scoring to identify high-risk customers. Such risk factors include:

             • Customer identity;
             • Third-party involvement;
             • Customer’s source of wealth or funds;
             • Customers who are politically exposed persons (“PEPs”), including the direct family members and close known associates of a PEP, and legal entities where at least one beneficial owner is a PEP; and
             • Known criminals, terrorists, or persons on sanctions lists.⁷

            The following table describes attributes used to assess customer risks and provides lower- and higher-risk examples of each.

            Attribute | Lower-risk example | Higher-risk example
            Identification | Customer provides identification or can be identified using third-party sources. | Customer has difficulty producing identification, or the authenticity of the identification provided is questionable
            Third-party relationships | No third-party involvement | Customer is controlled by a third party, or there are multiple indicators of third-party deposits or payments; customer is controlled by a gatekeeper (such as an accountant, lawyer, or other professional holding accounts or contracts at the insurer) without any interaction with the beneficial owner
            Customer’s legal form | Customer is a living person or is a large, publicly-traded legal entity with clear ownership and control | Customer is a legal entity with a complex structure where it is difficult to ascertain those who own or control the entity; policyholder and/or beneficiary are companies with nominee shareholders and/or shares in bearer form
            Occupation, business type, or another source of wealth or funds | Customer’s business type or occupation is in a lower-risk industry | Customer’s business or occupation is in a higher-risk industry (such as a cash-intensive business or an industry that has extensive international exposure or is associated with crime typologies) or is associated with a lower income for a high-value deposit without a confirmed source of funds or wealth (such as inheritance or real estate)
            Depth and duration of relationship with customer | Customer has a long history with the insurer or its agents and additional information is on file (such as credit underwriting, insurance underwriting, customer due diligence, etc.) | Customer is new to the insurer or insurer has little or no experience with the customer
            Customer only holds accounts with lower risk products and services | Customer holds policies or accounts that are registered with the government, such as a registered retirement savings plan | Customer only holds non-registered policies or accounts (e.g., investment or bank accounts with an affiliate)
            Political exposure | Customer does not have any ties to politically exposed persons | Customer is considered a politically exposed person, particularly from a foreign jurisdiction
            Other screening results | Customer does not have negative news media or media confirms what is known about the customer (such as career confirmation or community engagement) | Customer has ties to or is on a designated sanctions list; has a history of predicate offenses; or is associated with negative news

             


            7 Please see section 3.5 below and also refer to the Executive Office’s “Typologies on the circumvention of Targeted Sanctions against Terrorism and the Proliferation of Weapons of Mass Destruction”: available at https://www.uaeiec.gov.ae/en-us/un-page?p=2#

          • 2.2.5. Geographic Risk Factors

            A customer’s geographic location or connections may indicate a higher risk for ML/FT activities. To mitigate risk, controls are recommended based on domestic and international geographic risk factors. Where available, data from internal insurer historical case experiences or government data based on crimes applicable to ML or predicate offenses can be used to inform the assessment of domestic geographical risk. Customer risk is higher among customers with connections outside the country, especially connections to higher-risk countries. According to the National Assessment of Inherent Money Laundering and Terrorist Financing Risks in the United Arab Emirates, the regions and jurisdictions most often involved in criminal activity in relation to the UAE were Pakistan, India, Iran, Bangladesh, China, Russia, South Africa, Nigeria, Somalia, Lebanon, Yemen, Syria, Iraq, Afghanistan, and North Africa.

            The following table describes attributes used to assess geographic risks and provides lower- and higher-risk examples of each.

            Attribute | Lower-risk example | Higher-risk example
            Higher-crime regions | Customer does not reside in a region with higher frequency and severity of crimes with ML risk, based on the insurer’s own risk assessment (utilizing historical case experiences or government data where appropriate) | Customer resides in a region with high frequency and severity of crimes with ML risk, based on the insurer’s own risk assessment (utilizing historical case experiences or government data where appropriate)
            History of high-risk activity or fraud | Customer does not reside in a region that experiences a higher incidence of high-risk activity or fraud | Customer resides in a region that experiences a higher incidence of high-risk activity or fraud
            Foreign tax or physical residency of customer | Countries risk rated as low by the insurer | Countries risk rated as high by the insurer
            Foreign ties or transactions | Customer does not have any indicators of foreign residency or transactions outside of country | Customer has requested or performed transactions with ties to high-risk countries, including especially those on the NAMLCFTC’s and FATF’s lists of high-risk jurisdictions subject to a call for action and jurisdictions under increased monitoring.

             

      • 3. Mitigating Risks

        The sections below discuss how insurance operators can apply preventive measures to identify, assess, manage, and mitigate the risks associated with the insurance sector for life insurance and other investment-related insurance products. This is not a comprehensive discussion of all AML/CFT requirements imposed on insurance sector participants; insurers, agents, and brokers should therefore consult the UAE legal and regulatory framework currently in force.

        The controls discussed below should be integrated into each institution’s larger AML/CFT compliance program and supported by appropriate governance, training, and independent audit. As discussed in section 3.6 below, insurers are permitted to delegate the performance of specified controls to insurance agents, brokers, banks, or other intermediaries, using either a third-party reliance or an outsourcing model.

         • Under a third-party reliance model, insurers may rely on any third-party LFI, such as a bank, insurance agent, or insurance broker, to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, following the third party’s AML/CFT policies and procedures. In such circumstances, the third party will usually have an existing business relationship with the customer, which is independent of the relationship to be formed by the customer with the relying institution. The third-party reliance model is most commonly employed in the case of insurance brokers, who sell insurance products to consumers on behalf of multiple insurers and therefore typically maintain and apply their own AML/CFT policies and procedures.
         • Under an outsourcing model, by contrast, insurers may engage a third-party service provider, such as an insurance agent, broker, or other intermediary, to apply some or all of the AML/CFT preventive measures described in this section on behalf of the delegating institution, following the insurer’s AML/CFT policies and procedures. In an outsourcing scenario, the third party is subject to the delegating insurer’s control regarding the effective implementation of those policies and procedures by the outsourcing entity. The outsourcing model is most commonly employed in the case of tied agents, who sell insurance products to consumers exclusively on behalf of a single insurer and therefore typically follow the insurer’s AML/CFT policies and procedures.

        Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures (including maintaining the availability of all relevant data and records), and the arrangement must satisfy the conditions set forth in section 3.6 below.

        • 3.1. Risk-Based Approach and Enterprise Risk Assessment

          Under article 4 of the AML-CFT Decision, the insurance operator is required to perform, document, and keep up to date an enterprise risk assessment for the purposes of identifying, assessing, and understanding its ML/FT risks for life insurance and other investment-related insurance products, including those arising in relation to its:

           • Products;
           • Services and transactions;
           • Distribution channels and intermediaries;
           • Customers; and
           • Geographies, in terms of both the jurisdictions or regions in which it has operations and the jurisdictions or regions in which its customers are located or do business.

          The insurance operator is expected to document the methodology and findings of the risk assessment, considering all relevant risk factors before determining the level of overall risk and the appropriate type and extent of mitigation to be applied. Insurance operators must keep their risk assessments up to date and ensure that identified risks are within the institution’s risk appetite and that identified deficiencies are appropriately tracked and remediated. Risk assessments should provide a consolidated assessment of the insurance operator’s ML/FT risks across all business units, product lines, and delivery channels, including those of branches, subsidiaries, parent entities, or other affiliates located outside the UAE.

          ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products can be found in section 2.2 above, and red flag indicators for the UAE insurance sector are provided in Annex 1. Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 4,⁸ for further information.


          8 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

        • 3.2. New Products, Practices, and Technologies

          Under Article 23 of the AML-CFT Decision, an insurance operator is required to identify and assess the ML/FT risks for life insurance and other investment-related insurance products that may arise in relation to:

           • The development of new products and new business practices, including new delivery mechanisms (such as mobile insurance applications, insurance portals, transaction terminals, and insurance booths); and
           • The use of new or developing technologies for both new and preexisting products.

          An operator must undertake such risk assessments prior to the launch or use of new products, practices, and technologies and must take appropriate measures to manage and mitigate the identified risks. Operators should pay special attention to new products, practices, or technologies that favor anonymity.

        • 3.3. Customer Due Diligence

          • 3.3.1. General CDD Measures

            For life insurance and other investment-related insurance products, insurance operators must perform customer due diligence (“CDD”) on their customers, defined as natural persons, legal persons, or legal arrangements with whom an insurer, agent, or broker establishes or intends to establish a business relationship to carry out insurance operations, as defined in Articles 4 and 5 of the Insurance Law.

            Unless otherwise specified below, the customer of an insurance operator is the existing or prospective policyholder, defined as the natural person, legal person, or legal arrangement who owns and maintains the contractual rights of the insurance policy. Where the insurer is acting as a reinsurer, the customer will be the insurer (or reinsurer) in whose name the reinsurance policy is issued. Additionally, in the case of group life insurance or other policies, when the insured persons have active powers on the contract (e.g., to inject sums into the contract, establish the beneficiary, or exercise early surrender of the amounts), those persons should be considered equal to customers, and life insurers and relevant intermediaries should therefore conduct CDD on these persons, as well as on their related third parties. In cases where the insured persons have no active powers, their names should be screened against sanctions lists, but they are not considered customers for AML/CFT purposes, and insurers and intermediaries are not required to conduct full CDD checks on them.

            Finally, although in most cases the policyholder will also be the party who pays the necessary premium to keep the policy in force, there may be exceptional cases in which the policy payer is an unrelated third party (referred to as a third-party payer). In such cases, the insurer—or its agent, under a third-party reliance or outsourcing arrangement, if applicable—should perform the following general CDD measures on both the policyholder and the third-party payer.

            • 3.3.1.1. Customer Identification and Verification

              Under Article 8 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all customers. Customers should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, as per Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete the verification of the customer’s identity after establishing a business relationship, as set forth in section 3.3.3 below.

              When verifying the Emirates ID card, either physically or by way of digital or electronic Know Your Customer (e-KYC) solutions, the insurance operator must use the online validation gateway of the Federal Authority for Identity & Citizenship, Customs & Port Security, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID, are used in the KYC process, a copy must be physically obtained from the original passport, certified (i.e., a certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process, and retained.

              Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 6.3.1, for further information.

            • 3.3.1.2. Beneficial Owner Identification and Verification

              Under Article 9.1 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all beneficial owners of any legal person customer, defined as all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25 percent or more. Where no individual meets this description, the operator is required to identify and verify the identity of the individual(s) holding the senior management position in the entity. This option should be used only as a last resort, however, and when the operator is confident that no one individual, or small group of individuals, exercises control over the customer.

              Under Article 9.2 of the AML-CFT Decision, for legal arrangements, insurance operators must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, and the identity of any other natural person exercising ultimate effective control over the legal arrangement, and obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.

              The beneficial owner of a legal person or arrangement must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. Insurance operators should continue tracing ownership all the way up the ownership chain until they identify all individuals who own or control at least 25 percent of the operator’s customer. If the insurance operator has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so for legal persons is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.

              Beneficial owners should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, pursuant to Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete verification after establishing a business relationship, as set forth in section 3.3.3 below.

              Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, sections 6.3.1 and 6.3.3, respectively, as well as the CBUAE’s Guidance for LFIs providing services to Legal Persons and Arrangements⁹ for further information.


              9 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

            • 3.3.1.3. Understanding the Nature of the Customer’s Business and the Nature and Purpose of the Business Relationship

              Under Article 8 of the AML-CFT Decision, insurance operators are required to understand the nature of the customer’s business and the nature and purpose of the operator’s relationship with the customer, including the expected uses to which the customer will put the operator’s products or services. This step requires the operator to collect information that allows it to create a profile of the customer, including the types and volumes of transactions the customer is expected to engage in, and to assess the risks associated with the relationship. In certain instances, the expected type and volume of transactions are implicit in the specific insurance product being provided, in which case this aspect of the customer’s profile can be derived directly from the product choice.

              Obtaining a sufficient understanding of its customers and the nature and purpose of the customer relationship—together with the ongoing analysis of actual customer behavior and the behavior of relevant peer groups—allows the insurance operator to develop a baseline of normal or expected activity for the customer, against which unusual or potentially suspicious transactions can be identified. This element of CDD can also serve to inform the operator’s risk rating or other risk assessment of the customer for the purposes of performing risk-based ongoing monitoring (see section 3.3.1.4) and determining whether simplified or enhanced due diligence measures may be warranted (see sections 3.3.3 and 3.3.4, respectively).

            • 3.3.1.4. Ongoing Monitoring

              Under Article 12 of the AML-CFT Decision, insurance operators are required to subject all customers to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the operator’s products and services are being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

              Insurance operators are required to ensure that the CDD information they hold on all customers is accurate, complete, and up to date. This is particularly crucial in the context of customers that are companies or that engage in business. Operators should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

              CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:

               • The customer’s beneficial owners remain the same;
               • The customer continues to have active status with a company registrar;
               • The customer has the same legal form and is domiciled in the same jurisdiction; and
               • The customer is engaged in the same type of business and in the same geographies.

              In addition to a review of the customer’s CDD file, under Article 7 of the AML-CFT Decision, the operator must also review the customer’s transactions to ensure that the transactions conducted are consistent with the information it has about the customer, the customer’s type of activity, and the risks the customer poses, including, when necessary, the source of funds. It must determine whether the transactions continue to fit the customer’s profile and business and are consistent with the business the customer was expected to engage in when the business relationship was established. This type of transaction review is distinct from the transaction monitoring discussed in section 3.4 below, and its purpose is to complement it by identifying behaviors, trends, or patterns that are not necessarily subject to transaction monitoring rules. The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher-risk customers, a more intensive review may be necessary. For customers with a large volume of transactions, operators may use data analysis techniques.

              If the review finds that the customer’s behavior or information has materially changed, the operator should risk-rate the customer again. New information gained during this process may cause the operator to determine that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs, or owned or controlled by PEPs, the direct family members or associates known to be close to the PEPs; customers that are based in high-risk jurisdictions; etc.).

              Operators may consider requiring that the customer update them on any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, operators should not rely on the customer to notify them of a change but should still update CDD on a schedule appropriate to the customer’s risk rating.

            • 3.3.1.5. Non-Face-to-Face Relationships

              Insurance operators should develop policies and procedures to address any specific risks associated with non-face-to-face customer relationships and transactions undertaken in the course of such relationships. Such policies and procedures should be applied when establishing a new customer relationship and when conducting ongoing monitoring, and should be at least as stringent as those that would be required to be performed if there was face-to-face contact.

                 Note: Relationships in which personal contact between an insurer or agent and the customer is achieved via video teleconference are not considered to be non-face-to-face relationships for the purpose of this Guidance.
               

              Heightened ML/FT risks may arise from establishing business relationships or undertaking transactions according to instructions conveyed by customers over the internet (absent personal contact via video teleconference), post, fax, or telephone. An operator should note that online applications and transactions may pose greater risks than other non-face-to-face business due to the following factors, which taken together may compound the associated ML/FT risks:

               The ease of unauthorized access to the facility, across time zones and locations;
               
               The ease of making multiple fictitious applications without incurring additional cost or the risk of detection;
               
               The absence of physical documents; and
               
               The speed of electronic transactions.
               

              The measures taken by an insurance operator for verifying the identity of customers and beneficial owners in the context of non-face-to-face relationships will depend on the nature and characteristics of the product or service provided and the customer’s risk profile. Where verification of identity is performed without face-to-face contact (e.g., electronically), an operator should apply additional checks to manage the risk of impersonation. The additional checks may consist of robust anti-fraud checks that the operator routinely undertakes as part of its existing procedures, which may include as appropriate and feasible:

               Telephone contact with the customer at a residential or business number that can be verified independently;
               
               Confirmation of the customer’s address through an exchange of correspondence or other appropriate method;
               
               Subject to the customer’s consent, telephone confirmation of the customer’s employment status with his or her employer’s human resource department at a listed business number of the employer;
               
               Confirmation of the customer’s salary details by requiring the presentation of recent bank statements where applicable;
               
               Provision of certified identification documents by lawyers or notaries public;
               
               Requiring the customer to make an initial premium payment using a check drawn on the customer’s personal account with a bank in the UAE; and
               
               Video call with the customer.
            • 3.3.1.6. Name Screening

              An insurance operator should screen the following parties against relevant ML/FT information sources (such as negative media databases) and internal watchlists (such as lists of customers previously exited for financial crime reasons) prior to a customer's onboarding:

               All customers, regardless of risk rating or risk profile;
               
               Beneficial owners of legal entity customers;
               
               Natural persons appointed to act on behalf of the customer (see section 3.3.2.1);
               
               Directors, partners, and managers of customers that are legal persons;
               
               Natural persons having executive authority over customers that are legal arrangements; and
               
               Insured with no active powers on the contract (if any).
               

              With respect to sanctions lists, the parties listed above must be screened prior to a customer's onboarding and on an ongoing basis thereafter (please see section 3.5 below). In addition, at the time of payout, an insurer must screen against sanctions lists and should screen against the same other lists and information sources all beneficiaries or other payees and their beneficial owners (where applicable).

              The results of screening and assessment by the insurance operator should be documented. Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening [10] for further information.


              10 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

            • 3.3.1.7. Customer Rejection and Exit

              Insurance operators should not deal with any person on an anonymous basis or any person using a fictitious name. Prior to establishing an insurance relationship, if an insurance operator has any reasonable grounds to suspect that the assets or funds of a customer are the proceeds of crime or related to the financing of terrorism, the operator should reject the business relationship and, per Article 17 of the AML-CFT Decision, file a suspicious transaction report (“STR”) with the UAE Financial Intelligence Unit (“FIU”).

              As per Article 13 of the AML-CFT Decision, where an insurance operator is unable to undertake the CDD measures described above, or where the customer is a confirmed match to a party included on applicable sanctions lists, the insurance operator must:

               Not onboard the customer;
               
               Exit the relationship if one has been established;
               
               Not make any payment to a payee or beneficiary under the customer’s policy or other insurance relationship; and
               Maintain the related records (please see section 3.10 below).
               

              In addition, it should add the customer, its beneficial owners, directors, and managers to internal watchlists. The operator should also determine whether the circumstances warrant the filing of a suspicious transaction report (“STR”) or SAR.

          • 3.3.2. Specific CDD Measures for Insurers

            In addition to performing general CDD on their customers, insurers are also expected to collect and verify the identities of any natural persons appointed to act on the customer’s behalf and are required, under Article 11 of the AML-CFT Decision, to collect and verify the identities of the beneficiaries or other payees of an insurance policy and their beneficial owners (where applicable), as set forth below.

            • 3.3.2.1. Identification and Verification of Natural Persons Appointed to Act on a Customer’s Behalf

              As per Article 8.2 of the AML-CFT Decision, where a customer appoints one or more natural or legal persons (such as an insurance broker) to act on his, her, or its behalf in establishing a business relationship with an insurer, the insurer must identify and verify the identity of each such natural person in accordance with the same procedures used to identify and verify the identity of a natural person customer. The insurer should also verify the due authority of each natural person appointed to act on behalf of the customer by obtaining, at a minimum:

               The appropriate documentary evidence authorizing the appointment of such natural or legal person by the customer to act on his, her, or its behalf; and
               
               The signature of such a natural or legal person appointed.
               

              As with customers, natural persons appointed to act on a customer’s behalf should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, where there is no ML/FT suspicion, and ML/FT risks are assessed to be low, and where the deferral of verification is essential in order not to interrupt the normal course of business operations, an operator may complete the verification of the appointed person’s identity after establishing a business relationship, as set forth in section 3.3.3 below.

            • 3.3.2.2. Identification and Verification of Beneficiaries or Other Payees and Their Beneficial Owners

              Under Article 11.1 of the AML-CFT Decision, insurers are required to conduct CDD measures, including ongoing monitoring, with respect to any beneficiary of life insurance and other investment insurance products, including life insurance products relating to investments and family Takaful insurance, as soon as the beneficiary is identified or designated. In addition, as soon as a beneficiary or other payee is designated, an insurer must perform the following:

               For a beneficiary or payee who is identified as a specifically named natural person, legal person, or legal arrangement, obtain the full name, including any aliases, of such beneficiary or payee; or
               For a beneficiary or payee who is designated by characteristics, class, or other means, obtain sufficient information concerning the beneficiary or payee to satisfy itself that it will be able to establish the identity of such beneficiary or payee at the time of payout.

              At the time of payout, insurers must also verify the identities of all beneficiaries or payees and their beneficial owners in accordance with the same procedures used to identify and verify the identity of a natural person customer.
          • 3.3.3. Simplified Due Diligence for Lower-Risk Scenarios

            As per Article 4.3 of the AML-CFT Decision, an insurance operator may perform simplified due diligence (“SDD”) measures in relation to a customer, a beneficial owner of a customer, a natural person appointed to act on behalf of a customer, or a beneficiary or other payee if it is satisfied that the risks of ML/FT are low. The assessment of low risks should be supported by an adequate analysis of risks by the insurance operator, and the selection of simplified measures should be commensurate with the type and level of risk identified through such risk analysis. In all cases, the operator should document the details of its risk analysis and the nature of the SDD measures employed.

            Examples of potentially lower-risk scenarios include, but are not limited to, those in which:

             The customer is a UAE government entity, including UAE state-owned enterprises;
             The customer is an entity listed on a stock exchange and subject to regulatory disclosure requirements relating to adequate transparency with respect to beneficial owners;
             The insurance product does not offer cash payouts except upon the occurrence of specified trigger events;
             The insurance product does not have an early surrender option and cannot be used as collateral; or
             The insurance product is a pension or other scheme where contributions are made via deduction from wages and the scheme rules do not permit the assignment of a member’s interest under the scheme.
             

            Additional examples of lower-risk attributes for the insurance sector are provided in section 2.2 above.

            Where an insurance operator is satisfied that the ML/FT risks are low, the operator may perform one or more of the following SDD measures, as warranted by the risk analysis:

             Verifying the identity of the customer and any beneficial owner(s) after establishing the business relationship, provided verification is nonetheless completed in a timely fashion (to be documented in the operator’s internal procedures) and appropriate controls are in place to manage the ML/FT risks associated with the customer and the relationship prior to verification [11];
             Reducing the frequency of updates to CDD information;
             Reducing the degree of ongoing monitoring and scrutiny of transactions, based on a reasonable monetary threshold; or
             Developing an understanding of the intended nature and purpose of the customer relationship on the basis of the relationship type and the customer’s historical transaction activity, rather than by collecting information regarding the intended nature and purpose of the relationship during onboarding or CDD updating.
             

            An insurance operator should not perform SDD measures where:

             A customer or any beneficial owner of the customer is from or in a country or jurisdiction against which the FATF has called for countermeasures;
             A customer or any beneficial owner of the customer is from or in a country or jurisdiction known to have inadequate AML/CFT measures, as determined by the operator for itself or notified to operators generally by local regulatory or supervisory authorities; or
             The operator suspects that ML or FT is involved.

            11 Such measures may include holding funds in suspense or escrow until verification of identity has been completed or making completion of identity verification a precondition of closing any transaction with or on behalf of the customer.

          • 3.3.4. Enhanced Due Diligence for Higher-Risk Scenarios

            The AML-CFT Law and the AML-CFT Decision impose specific and enhanced due diligence obligations on insurance operators with respect to two classes of customers or transactions:

             Customers that are politically exposed persons (“PEPs”), which include the direct family members or associates known to be close to the PEPs; and
             
             Business relationships and transactions with natural persons, legal persons, or legal arrangements from high-risk countries.
             

            The AML-CFT Law and Decision give special attention to customers in these groups because they are likely to expose operators to a heightened risk of money laundering, terrorism financing, and other illicit finance.

            In addition to these classes of customers and transactions, for which EDD is mandatory, operators are expected to implement appropriate policies and procedures to determine whether relationships with or transactions undertaken for or on behalf of a customer present a higher risk for ML or FT. Examples of potentially higher-risk scenarios include, but are not limited to, those in which:

             The customer belongs to a higher-risk industry or sector identified in topical risk assessments, or to an industry or sector identified by the operator as higher-risk for ML or FT;
             
             The ownership structure of a legal entity customer appears unusual or excessively complex given the nature of the legal entity’s business;
             
             The legal entity customer is a personal asset-holding vehicle;
             
             The business relationship is conducted under unusual circumstances, such as significant unexplained geographic distance between the operator and the customer;
             
             The legal entity customer has nominee shareholders or shares in bearer form;
             
             The customer is a cash-intensive business;
             
             The customer operates in or does business with a jurisdiction that has relatively higher levels of corruption or organized crime, or inadequate AML/CFT measures, as identified by the FATF;
             
             The customer operates in or does business with a jurisdiction identified by credible bodies (e.g., reputable international bodies such as Transparency International) as having significant levels of corruption, terrorism financing, or other criminal activity;
             
             The relationship involves or could involve cash or anonymous transactions;
             
             The relationship involves or could involve frequent payments received from unknown or unassociated third parties.
             

            Additional examples of higher-risk attributes and red flag indicators for the insurance sector are provided in section 2.2 and Annex 1 of this Guidance respectively.

            As per Article 4.2(b) of the AML-CFT Decision, where the operator identifies a customer or relationship as presenting higher ML/FT risks, it must apply EDD measures commensurate with those risks. Examples of EDD measures include but are not limited to:

             Obtaining approval from the operator’s senior management to establish or continue a business relationship with the customer, including making any payment to a beneficiary or payee;
             
             Establishing the source of wealth and source of funds of the customer and any beneficial owner of the customer;
             
             Conducting enhanced monitoring during the course of the business relationship with the customer, including by increasing the degree and nature of transaction monitoring and CDD updating;
             
             Requiring the first payment to be carried out through an account in the customer’s name with a bank subject to similar or equivalent CDD standards;
             
             Using public sources of information (e.g., websites) to gain a better understanding of the reputation of the customer or any beneficial owner of the customer;
             
             Commissioning external intelligence reports where it is not possible for the operator to easily obtain information through public sources or where there are doubts about the reliability of public information; and
             
             For high-net-worth individuals, particularly those utilizing higher-risk products or services or characterized by other markers of heightened ML/FT risk:
             
               Independently corroborating information obtained on the source of wealth of customers and beneficial owners against documentary evidence or public information sources;
             
               Screening operating companies and individual benefactors contributing to the customer’s and beneficial owner’s wealth or funds; and
             
               Scrutinizing transactions relating to customers that have multiple policies with the operator or to customers having a common beneficial owner.
             

            In addition, as noted in section 3.3.1.2 above, if the insurance operator has followed its standard beneficial ownership identification and verification procedures and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.

            Additional examples of EDD measures are provided in the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 6.4.

        • 3.4. Transaction Monitoring and Suspicious Transaction Reporting

          • 3.4.1. Transaction Monitoring

            Under Article 16 of the AML-CFT Decision, insurance operators must monitor activity by all customers to identify behavior that is potentially suspicious and that may need to be the subject of an STR or SAR when conducting operations related to life insurance and other investment-related insurance products. Transactions may be suspicious simply by virtue of their individual characteristics (such as their value, source, destination, or use of intermediaries) or because, together with other transactions, they form a pattern that diverges from expected or historical transactional activity or may otherwise be indicative of illicit activity, including the evasion of reporting or recordkeeping requirements. When monitoring and evaluating transactions, the operator should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. In addition, higher-risk customers should be subject to more stringent transaction monitoring, with lower thresholds for alerts and more intensive investigation.

            Transaction monitoring can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. In all cases, the type and degree of monitoring should match the ML/FT risks of the operator’s customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an operator’s business lines or units, where applicable.

            Transaction monitoring programs should also be calibrated to the size, nature, and complexity of each institution. Operators with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. Operators utilizing automated systems should perform a typology assessment to design appropriate rule- or scenario-based automated monitoring capabilities and processes. While smaller operators may rely on transaction monitoring systems that are less automated, they should still ensure that these are appropriately executed to address the risks from their day-to-day transactional activity.

            Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening for further information.

          • 3.4.2. STR Reporting

            As required by Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, insurance operators must file without any delay an STR or SAR with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR/SAR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. STR/SAR filings are essential to assisting law enforcement authorities in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system.

            In addition to the requirement to file an STR when an operator suspects that a transaction or funds are linked to a crime, operators should consider filing an STR or SAR in the following situations involving higher-risk customers:

             A potential customer decides against purchasing financial services after learning about the operator’s CDD requirements;
             A current customer cannot provide required information (including documentation) about its business or its beneficial owners;
             A customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty;
             The operator is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the customer. In such cases, the operator should not establish the business relationship, or continue an existing business relationship; or
             Other situations that are suspicious or involve activity with no legitimate business or other lawful purpose.
             

            Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting [12] for further information.


            12 Available at: https://www.uaeiec.gov.ae/en-us/un-page.

        • 3.5. Sanctions Obligations and Freezing Without Delay

          The AML-CFT Law and AML-CFT Decision require insurance operators to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council (“UNSC”) under Chapter VII of the Charter of the United Nations (“UN”). In furtherance of this requirement, the Cabinet Decision No. (74) of 2020 sets out the legislative and regulatory framework regarding the Targeted Financial Sanctions (“TFS”), including the Local Terrorist List and the UN Consolidated List. As per Cabinet Decision 74, and in particular its Article 15, all insurance operators, without any exception, are obliged to apply policies, procedures and controls to implement TFS to those sanctioned and designated in the Local Terrorist List and the UN Consolidated List.

          For more information and details on their sanctions obligations, insurance operators should consult the “Guidance on Targeted Financial Sanctions for Financial Institutions and designated non-financial business and professions” [13] of the Executive Office for Control and Non-Proliferation (formerly the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control, referred to as the Executive Office); the CBUAE’s Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions; and the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening, together with any amendments or updates thereto. Insurance operators should also consult the CBUAE’s and the Executive Office’s websites as updated from time to time, and refer to the Executive Office’s list of Frequently Asked Questions (FAQ) for the insurance sector.


          13 Available at: https://www.uaeiec.gov.ae/en-us/un-page.

        • 3.6. Third-Party Reliance and Outsourcing

          As noted above, insurers are permitted to delegate the performance of specified controls to insurance agents or other intermediaries, using either a third-party reliance or an outsourcing model.

           Under a third-party reliance model, insurers may rely on any third-party LFI, such as a bank or insurance agent or broker, to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, following the third party’s AML/CFT policies and procedures. In such circumstances, the third party will usually have an existing business relationship with the customer, which is independent of the relationship to be formed by the customer with the relying institution. The third-party reliance model is most commonly employed in the case of insurance brokers, who sell insurance products to consumers on behalf of multiple insurers and therefore typically maintain and apply their own AML/CFT policies and procedures.
           Under an outsourcing model, by contrast, insurers may engage a third-party service provider, such as an insurance agent or other intermediary, to apply some or all of the AML/CFT preventive measures described in this section on behalf of the delegating institution, following the insurer’s AML/CFT policies and procedures. In an outsourcing scenario, the third party is subject to the delegating insurer’s control regarding the effective implementation of those policies and procedures by the outsourcing entity. The outsourcing model is most commonly employed in the case of tied agents, who sell insurance products to consumers exclusively on behalf of a single insurer and therefore typically follow the insurer’s AML/CFT policies and procedures.
           

          Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures.

          • 3.6.1. Third-Party Reliance

            Insurers are permitted to rely on third-party LFIs to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, provided the insurer relying on a third party:

             Immediately obtains the necessary CDD information concerning the elements described in sections 3.3.1.1 through 3.3.1.3;
             Takes adequate steps to satisfy itself that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay;
             Satisfies itself that the third party is regulated, supervised, or monitored for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF standards and local law and regulation; and
             Takes appropriate steps to identify, assess, and understand the ML/FT risks specific to the countries or jurisdictions in which the third party operates.
             

            With respect to the second of these conditions, a best practice is for insurers to obtain a copy of the relevant CDD records or have direct access to the database where such information is held, in order to facilitate ongoing monitoring of the business relationship and, if applicable, the filing of STRs and for a complete assessment record in case of a change of intermediary servicing the policy.

            Insurers are not permitted to rely on third parties to conduct ongoing monitoring of business relationships (described in section 3.3.1.4), although they may outsource such functions following the guidelines described immediately below.

          • 3.6.2. Outsourcing

            In an outsourcing or agency scenario, the outsourced entity applies CDD or other AML/CFT measures on behalf of the delegating insurer, in accordance with the insurer’s internal policies and procedures, and is subject to the insurer’s control of the effective implementation of those policies and procedures by the outsourced entity. When outsourcing a part of their AML/CFT function, including the distribution of products, an insurer should therefore include any outsourced entity in its own AML/CFT program and internal control processes, and should monitor such an entity for compliance with its internal AML/CFT policies and procedures. Outsourced entities should also be subject to the employee and agent screening and monitoring checks described immediately below.

        • 3.7. Employee, Officer, Agent, and Broker Risk Management

          Insurance operators should have in place screening procedures to ensure high standards when hiring employees, appointing officers, or engaging agents or brokers (including but not limited to outsourced entities, as described in section 3.6.2 above). Employee, officer, and agent or broker screening procedures should include:

           Background checks of employment history; and
           Screening against sanctions lists, ML/FT information sources, and internal watchlists.
           

          In addition, insurance operators should conduct credit history checks on a risk basis. The operator should be aware of potential conflicts of interest for staff with AML/CFT responsibilities and should act to reduce or manage such conflicts of interest, for example by reallocating responsibilities or by instituting quality controls and “four-eye” reviews of the conflicted employee’s work.

          Operators should also monitor on an ongoing basis for possible indicators of suspicious or illicit behavior by employees, such as:

           An employee whose lifestyle cannot be supported by his/her salary, which may indicate receipt of tips or bribes.
           An employee who is reluctant to take a vacation, which may indicate they have agreed or are being forced to provide services to customers in violation of the law or company policy.
           An employee who is associated with an unusually large number of transactions or a transaction in an unusually large amount, which may indicate they have agreed or are being forced to provide services to customers in violation of the law or company policy.
        • 3.8. Training

          As with all risks to which the operator is exposed, the AML/CFT training program should ensure that employees are aware of the risks facing the insurance sector for life insurance and other investment-related insurance products, familiar with the obligations of the operator, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the operator’s risk and the nature of its operations, and should be clearly documented in the operator’s AML/CFT compliance program and associated training policies, procedures, plans, materials, and attendance records.

        • 3.9. Governance and Independent Audit

          The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the operator faces and organized in accordance with the “three lines of defense” model. All three lines of defense must report up to and have the active support and oversight of the operator’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors.

          Under the model, an operator’s business units, sales or relationship managers, and other frontline personnel represent the units or functions that create risk and should therefore serve as the first line of defense against ML/TF and other forms of illicit activity. They should scrutinize customers and their related parties at onboarding and perform periodic and risk-based reviews to update customer information and the operator’s understanding of the customer’s risks.

          The operator’s AML/CFT compliance function, in turn, constitutes the second line of defense, supporting the frontline units’ risk management activities through its system of internal controls and related monitoring, reporting, and risk assessment responsibilities. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer, located within the second line of defense, who understands the operator’s risks and obligations and who has the resources and autonomy necessary to ensure that the operator’s program is effective.

          Finally, under article 20.6 of the AML-CFT decision, operators must be subject to independent testing by internal or external auditors, who represent the third line of defense by providing independent assurance to the Board and executive management on the effectiveness and adequacy of the operator’s governance, risk management, and internal controls. Auditors should have sufficient expertise and understanding of ML/FT risks and requirements and should be fully independent of the activities and reporting structure of the functions subject to independent testing.

          Additionally, as per article 32 of the AML-CFT decision, operators with overseas branches, subsidiaries, or other affiliates or legal entities must ensure that all entities within the affiliate network are subject to the AML/CFT policies, procedures, and controls that are at least as stringent as those in place at the entity located in the UAE. Likewise, all entities within the affiliate network should be included in the operator’s enterprise risk assessment and subject to AML/CFT independent testing and consolidated governance and oversight.

        • 3.10. Record Keeping

          According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, insurance operators must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, copies of personal identification documents, including STRs/SARs and results of any analysis performed. Operators should maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. Operators must make the records available to the competent authorities immediately upon request.

          The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.

      • Annex 1. Red Flag Indicators for the UAE Life Insurance Sector

        The UAE Insurance Authority (now merged with the CBUAE) has issued the following list of red flag indicators when handling life insurance and other investment-related insurance products.14 These indicators should be incorporated into an insurance operator’s AML/CFT policies, procedures, detection scenarios, and other processes for identifying potentially suspicious activity related to life and general insurance products.

         1. The purchase of an insurance product does not reflect a customer’s known needs (e.g., purpose of the account).
         2. The early surrender of an insurance product is taken at a cost to the customer.
         3. The surrender of an insurance product is initiated with the refund directed to a third party.
         4. The customer exhibits no concern for the investment performance of a purchased insurance product and instead exhibits significant concern for its early surrender terms.
         5. The customer purchases insurance products using unusual payment methods, such as cash or cash equivalents, or with monetary instruments in structured amounts.
         6. The customer demonstrates reluctance to provide identifying information when purchasing an insurance product.
         7. The customer borrows the maximum amount available from their insurance product shortly after purchase.
         8. The customer used to purchase low-premium insurance and pay premiums by making regular payments but suddenly purchases insurance that requires a large lump-sum premium payment, for which no reasonable explanations are provided.
         9. The customer purchases an insurance product without concern for the coverage or benefits, or the customer only cares about the procedures for the policy loan, cancellation of insurance policy, or changing beneficiary when purchasing an insurance policy that has a high cash value or requires a high lump-sum premium payment.
         10. The customer usually pays a premium by making regular payments but suddenly requests to purchase a large-sum policy by paying off premium all at once.
         11. The customer purchases insurance products with high cash value successively over a short period of time, and the insurance products purchased do not appear to be commensurate with the customer’s status and income or are unrelated to the nature of the customer’s business.
         12. The customer pays premiums in cash and in several payments marginally below the threshold for declaration but cannot reasonably explain the source of funds. In addition, the transactions do not appear to be commensurate with the customer’s status and income or are unrelated to the nature of the customer’s business.
         13. The customer, after making a large premium payment for a policy purchased, applies for a large policy loan or cancels the policy in a short period of time, for which no reasonable explanations are provided.

        14 Sources: FATF, Life Insurance Sector: Guidance for a Risk-Based Approach (October 2018), available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/RBA-Life-Insurance.pdf; and U.S. Federal Financial Institutions Examination Council, Bank Secrecy Act/Anti-Money Laundering Examination Manual, “Insurance,” available at: https://bsaaml.ffiec.gov/manual/RisksAssociatedWithMoneyLaunderingAndTerroristFinancing/16.

      • Annex 2. Synopsis

        Purpose of this Guidance

        Purpose
        The purpose of this Guidance is to assist the understanding of risks and effective performance by CBUAE licensed insurers, agents, and brokers of their AML/CFT obligations.

        Applicability
        This Guidance applies to all insurance and re-insurance companies, agents, and brokers that are licensed and supervised by the CBUAE.

        Understanding and Assessing ML/FT Risks

        Overview of Insurance Sector Activities and Participants
        Under Article 2.16 of the AML-CFT Decision, as amended, only direct insurance and re-insurance operations with respect to insurance of persons and funds accumulation (referred to as 'life insurance and other investment-related insurance products' hereafter) are subject to the UAE's AML/CFT legal and regulatory framework, with the exception of the targeted financial sanctions requirements applicable for all insurance operators. Insurance sector participants include operators in the insurance sector, which sell or facilitate the sale of insurance products and must be licensed by the CBUAE, and customers, who own, pay for, and/or are covered by or the beneficiaries of insurance products.
        Operators principally include insurers, re-insurers, insurance agents, and insurance brokers. Operators also include consultants, actuaries, loss and damage adjusters, third-party administrators, insurance producers, and price comparison websites (or "insurance aggregators"), although due to their reduced risk exposure these operators are not subject to the Guidance with the exception of the requirements relating to targeted financial sanctions.
        Customers principally include policy holders (or "policy owners"), policy payers, insureds, and beneficiaries.

        ML/FT Risks relevant to life insurance and other investment-related insurance products
        Criminal actors may use life insurance and other investment-related insurance products to place illicit proceeds into the financial system, especially (though not exclusively) where the insurer or intermediary accepts premium payments in cash.
        Reimbursed premiums, withdrawn contributions, and payout proceeds (whether legitimate or fraudulent) can be deposited into a bank account or used to purchase other financial instruments without necessarily revealing the ultimate origin of the funds.
        Life and other investment-related products are generally considered to present higher ML/FT risk, particularly where they have high cash values upon surrender (e.g. assigning policies and payments to third parties, borrowing against the cash surrender value of permanent life insurance policies, selling units in investment-linked products or buying products with insurance termination features without concern for the product's investment performance).

        Product Risk Factors
        Higher-risk products can include those: whose design allows the insurance operator to hold funds or transact large sums on behalf of the customer; provides for customer anonymity or third-party transactions; has no (or very small) fees or penalties for early withdrawal; allows the product to be held for a shorter period of time; and makes it difficult to identify if products are not being used as intended.

        Service and Transaction Risk Factors
        Higher-risk services and transactions can include those: for which it is difficult to trace the ownership of funds; where the customer is not the payer or recipient of the funds; where the payment source or recipient is based outside the country; or involving a large number of transactions back and forth or significant, unexpected, and unexplained changes in the customer's typical activity.

        Distribution Channel and Intermediary Risk Factors
        Higher-risk distribution channels can include those: involving a distributor or other intermediary that is not subject to AML/CFT requirements; where the customer pays a distributor, who then pays the insurer; or where the customer has a purely non-face-to-face relationship with insurers or agents (e.g., insurance sold online without adequate safeguards to confirm identity).

        Customer Risk Factors
        Higher-risk customers can include those: with incomplete or questionable identification; who are controlled by third parties; that are legal entities with a complex structure; in high-risk industries; making high-value transactions without a confirmed source of funds or wealth; who are new to the insurer; who only hold non-registered policies or accounts; who are politically exposed persons; or who are sanctioned, have ties to sanctioned persons, or are associated with negative news.

        Geographic Risk Factors
        Higher-risk geographies can include: regions with high frequency and severity of crimes with ML risk; regions that experience a higher incidence of high-risk activity or fraud; countries risk-rated as high by the insurer; or countries on the NAMLCFTC's or FATF's lists of high-risk jurisdictions or FATF's list of jurisdictions under increased monitoring.

        Mitigating Risks

        Risk-Based Approach and Enterprise Risk Assessment
        Any insurance operator is required to perform, document, and keep up to date an enterprise risk assessment for the purposes of identifying, assessing, and understanding its ML/TF risks for life insurance and other investment-related insurance products and to ensure that identified risks are within the institution's risk appetite and that identified deficiencies are appropriately tracked and remediated.

        New Products, Practices, and Technologies
        An insurance operator is required to identify, assess, and take steps to mitigate the ML/TF risks for life insurance and other investment-related insurance products that may arise in relation to: (i) the development of new products and new business practices, including new delivery mechanisms; and (ii) the use of new or developing technologies for both new and preexisting products. The operator must undertake such risk assessments prior to the launch or use of the new products, practices, and technologies and must take appropriate measures to manage and mitigate the identified risks.

        Customer Due Diligence ("CDD")
        For life insurance and other investment-related insurance products, all insurance operators must perform general CDD on their customers, including customer identification and verification, beneficial ownership identification and verification, understanding the nature of the customer's business and the nature and purpose of the relationship, ongoing monitoring, and name screening.
        Additionally, insurance operators are expected to collect and verify the identities of: (i) any natural persons appointed to act on the customer's behalf and (ii) the beneficiaries or other payees of an insurance policy and their beneficial owners.
        In low-risk scenarios, insurance operators may perform certain simplified due diligence ("SDD") measures, such as verifying the customer's or beneficial owner's identity after establishing the business relationship, unless there is a suspicion of ML/TF.
        In higher-risk scenarios, insurance operators must perform enhanced due diligence ("EDD") measures, such as establishing the source of wealth or funds or conducting enhanced monitoring during the course of the business relationship.

        Transaction Monitoring and STR Reporting
        When conducting operations related to life insurance and other investment-related insurance products, insurance operators must monitor activity by all customers to identify behavior that is potentially suspicious. Insurance operators must file without any delay an STR or SAR with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Please consult CBUAE's Guidance for Licensed Financial Institutions (LFI) on Transaction Monitoring and Sanctions Screening as well as CBUAE's Guidance for LFIs on Suspicious Transaction Reporting.

        Sanctions Obligations and Freezing without delay
        All insurance operators, without any exception, are obliged to apply policies, procedures and controls to implement TFS to those sanctioned and designated in the Local Terrorist List and the UN Consolidated List. Please consult the Executive Office for Control and Non-Proliferation (previously known as the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control's - referred to as the Executive Office) "Guidance on TFS for Financial Institutions and designated non-financial business and professions"; the CBUAE's Guidance for LFIs on the Implementation of Targeted Financial Sanctions as well as the CBUAE's Guidance for LFIs on Transaction Monitoring Screening and Sanctions screening. Insurance operators should also consult the CBUAE's and the Executive Office's websites as updated from time to time (in particular the Executive Office's list of FAQ for the insurance sector).

        Third-Party Reliance and Outsourcing
        Insurers are permitted to delegate the performance of specified controls to insurance agents or other intermediaries, using either a third-party reliance model (whereby a third-party licensed financial institution carries out CDD measures following its own AML/CFT policies and procedures) or an outsourcing model (whereby insurers engage a third-party service provider to apply all or some of the insurer's own AML/CFT policies and procedures). Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures.

        Employee, Officer, Agent, and Broker Risk Management
        Insurance operators should have in place screening procedures to ensure high standards when hiring employees, appointing officers, or engaging agents or brokers. Operators should also monitor on an ongoing basis for possible indicators of suspicious or illicit behavior.

        Training
        An operator's AML/CFT training program should ensure that employees are aware of the risks facing the insurance sector for life insurance and other investment-related insurance products, are familiar with the obligations of the operator, and are equipped to apply appropriate risk-based controls.

        Governance and Independent Audit
        The preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the operator faces and organized in accordance with the "three lines of defense" model, comprising business units, a compliance function, and an independent audit function.

         

    • Guidance for Licensed Financial Institutions on Digital Identification for Customer Due Diligence

      Effective from 31/10/2022
      • 2. Overview of Digital ID Systems and Participants

        • 2.1. Terminology and Definitions

          For the purposes of this Guidance, in relation to identifying and verifying the identity of a customer as part of the customer due diligence (“CDD”) process, identity (“ID”) refers to the specification of a unique natural person that is:

           Based on characteristics (attributes or identifiers) of the person that establish a person’s uniqueness in the population or particular context(s); and
           Recognized by the state for regulatory and other official purposes.
           

          Proof of identity generally depends on some form of government-provided or issued registration, documentation, or certification (such as a birth certificate, identity card, or digital ID credential) that constitutes evidence of core attributes (such as name and date and place of birth) for establishing and verifying identity. Proof of identity may be provided through general-purpose ID systems (such as national ID and civil registration systems) or various limited-purpose ID systems (such as taxpayer identification numbers, driver’s licenses, passports, voter registration cards, social security numbers, and refugee identity documents).

          Digital ID systems use electronic means to assert and prove a person’s identity online and/or in in-person environments, including through the use of:

           Electronic databases, including distributed databases and/or ledgers, to obtain, confirm, store, and/or manage identity evidence;
           Digital credentials to authenticate identity for accessing mobile, online, and offline applications;
           Biometrics to help identify and/or authenticate individuals; and
           Digital application program interfaces (“APIs”), platforms, and protocols that facilitate online identification and the verification and authentication of identity.
           
          Identification Systems in the UAE
           
          LFIs should understand and utilize national-level identification systems and processes currently in place or under development in the UAE, including but not limited to:
           
           UAE Pass, the UAE’s first national digital identity and signature solution that enables users to identify themselves to government service providers in all emirates through a smartphone-based authentication protocol and to sign documents digitally with a high level of security. The UAE Pass app uses biometric facial recognition software to verify and register users without requiring an in-person visit to a government services center. The UAE Pass also includes a “digital vault” for storing users’ digital documents and sharing them with government departments, as well as a “digital signature” function to complete official transactions without the need for paper documents or physical signatures.
           
           Emirates ID, the mandatory, government-issued identity card for all UAE citizens and residents. While issued as a physical card, the Emirates ID card uses public key infrastructure to attach individual identities to digital certificates that can be used to sign and encrypt data, as well as fingerprint biometrics. When verifying an Emirates ID card, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship and should keep a copy of the Emirates ID and its digital verification in their records.
           
           Emirates Facial Recognition, an initiative launched by the UAE Ministry of Interior and Federal Authority for Identity, Citizenship, Customs & Port Security, together with private sector partners. The facial recognition initiative includes a “face fingerprint” system for digital verification of digital transactions and remote identities.
           

           

          Digital ID systems involve two basic components and an optional third component:

           Identity proofing and enrollment answers the question: Who are you? It involves collecting, validating, and verifying identity evidence and information about a person, establishing an identity account, and binding the individual’s unique identity to authenticators possessed and controlled by this person.
           
           Authentication and identity lifecycle management answers the question: Are you the person who has been identified and verified? It establishes, based on possession and control of authenticators, that the person asserting the identity is the same person who was identity proofed and enrolled, and ensures that adequate controls are in place to manage events that can occur over the identity lifecycle that affect the use, security, and trustworthiness of authenticators.
           
           Portability and interoperability mechanisms, where used, enable proof of identity to be portable, so that an individual’s digital ID credentials can be used to prove identity for new customer relationships at unrelated private-sector or governmental entities, without their having to obtain and verify personal data and conduct customer identification and verification each time. Portability and interoperability are optional components of any digital ID system.
           

          Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrollment can be either digital or physical, or a combination; however, binding, credentialing, authentication, and portability/federation (where applicable) are always and necessarily digital. These concepts are explained further in the following sections.

          Digital ID systems can enable remote customer identification and verification, support remote financial transactions, and otherwise facilitate non-face-to-face business relationships and transactions, defined as interactions in which the parties are not in the same physical location and conduct activities by digital or other non-physically present means, such as mail or telephone. Under international standards, non-face-to-face business relationships and transactions are included as an example of a potentially higher-risk situation in undertaking CDD.3 However, given the evolution of digital ID technology, architecture, and processes, and the emergence of consensus-based open-source digital ID technical standards, non-face-to-face interactions that rely on reliable, independent digital ID systems with appropriate risk mitigation measures in place may present a standard level of risk, and may even present a lower level of risk where higher assurance levels are implemented and/or appropriate control measures are present.4 See section 4 below for specific risk mitigation measures and strategies that can help ensure that a digital ID system is suitably “reliable” and “independent” in this sense.


          3 See The FATF Recommendations, Interpretive Note to Recommendation 10, at 68, available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf.
          4 FATF, Guidance on Digital Identity, at 30, available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.

        • 2.2. Identity Proofing and Enrollment

          Identity proofing and enrollment (with initial binding/credentialing) constitute the first stage of a digital ID system. This component is directly and most immediately relevant to LFIs’ customer identification and verification obligations under Article 8 of the AML-CFT Decision. For illustrative purposes only, Figure 1 below presents a sample process flow for identity proofing and enrollment; the discussion that follows explains each step in greater detail.

          Figure 1. Identity Proofing and Enrollment

          Source: The Financial Action Task Force5
           

          Identity proofing comprises three actions: (1) collection and resolution, (2) validation, and (3) verification. Examples of each of these actions are included in the discussion below for illustrative purposes only; there is no expectation that LFIs employing a digital ID system for CDD use any particular method of identity proofing unless otherwise required.

           1. Collection and resolution involves obtaining attributes, collecting attribute evidence, and resolving identity evidence and attributes to a single unique identity within a given population or context (a process known as “de-duplication”).6
           
             Attribute evidence may be either physical (documentary) or purely digital, or a digital representation of physical attribute evidence (such as a digital representation of a paper or plastic driver’s license). Identity evidence has traditionally taken a physical form and been physically presented by the person seeking to prove his or her identity (known as a “claimant”) to an identity service provider (“IDSP”). However, with the development of digital technology, identity evidence may now be generated digitally (or converted from physical to digital form) and stored in electronic databases, allowing the identity evidence to be obtained remotely and/or identity evidence to be remotely verified and validated against a digital database.
             Attributes may also be inherent, that is, based on an individual’s personal biometric characteristics, including:
           
               Biophysical biometrics, such as fingerprints, iris patterns, voiceprints, and facial recognition—all of which are static;
           
               Biomechanical biometrics, such as keystroke mechanics, which are the product of unique interactions of an individual’s muscles, skeletal system, and nervous system—all of which are dynamic; and
           
               Behavioral biometrics, such as email or text message patterns, mobile phone usage, geolocation patterns, and file access logs, which are based on an individual’s patterns of movement and usage in what are known as “geospatial temporal data streams.”
           
             Under Article 8.1 of the AML-CFT Decision and section 6.3.1 of the AML/CFT Guidelines for Financial Institutions, required identity attributes for CDD under UAE regulations and guidance include, for a natural person, the name (as in the passport or identity card, number, country of issuance, date of issuance and expiration date of the identity card or passport), the nationality, the address (i.e., the permanent residential address), the date and place of birth, and the name and address of employer (if applicable).
           
              When verifying the Emirates ID card, either physically or by way of digital or electronic Know Your Customer (“e-KYC”) solutions, LFIs should use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE Pass Application, or other UAE Government-supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than Emirates IDs, are used in the KYC process, a copy should be physically obtained from the original passport, which should be certified as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.
           
           2. Validation involves determining that the evidence is genuine (i.e., not counterfeit, forged, or misappropriated) and that the information the evidence contains is accurate. Validation is performed by checking the identity information and evidence against an authoritative and reliable source to establish that the information matches reliable, independent source data or records.
           
             For instance, in order to assess whether an individual’s physical identity evidence (such as a driver’s license or passport), or the digital images thereof, is genuine, an IDSP may review the evidence to determine that there have been no alterations, that the identification numbers follow standard formats, and that the physical and digital security features are valid and intact.
           
               When utilizing a physical or digital copy of identity evidence such as an Emirates ID card for purposes of validation, LFIs are expected to review the evidence for physical or digital abnormalities or possible alterations and to make a determination as to whether the evidence has been altered or forged.
           
             In order to assess whether such evidence is accurate, the IDSP may query the government issuing sources for the license or passport and confirm that the information matches.
           
               As noted above, LFIs should use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE Pass Application, or other UAE Government-supported solutions, to ensure that the information presented for validation purposes matches the information included in reliable databases or other sources.
           
           3. Verification involves confirming that the validated identity relates to the specific individual being identity-proofed, including (but not limited to) through the use of biometric solutions like facial recognition or liveness detection.
           
             For example, if performing verification remotely, an LFI or other IDSP could ask the applicant to take and send a mobile phone video or photo with other liveness checks, compare the submitted photos to the photos on the applicant’s Emirates ID, passport, or other valid documents, and determine that they match to a given level of certainty.
           
             To tie this identity evidence to the actual (real-person) applicant, the IDSP could then send an enrollment code to the applicant’s validated phone number, email address, or another address that is tied to the identity, require the applicant to provide the enrollment code to the IDSP, and confirm that the submitted code matches the code sent. Such measures would verify that the applicant is a real person, in possession and control of the validated phone number. At this point, the applicant will have been identity proofed.
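The enrollment-code step described above can be sketched as follows. This is an added example, not part of the Guidance or of any IDSP's code; the code length, validity window, attempt limit, and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8          # assumption: the Guidance does not fix a code length
CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 3         # assumption: wrong guesses allowed before the code is voided


class EnrollmentCodeIssuer:
    """Issues one-time enrollment codes and checks the code the applicant submits."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key      # secret held only by the IDSP
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # applicant_id -> pending code record

    def _tag(self, applicant_id, address, code):
        # The stored value is an HMAC over applicant, validated address and code,
        # so a code cannot be replayed for another applicant or another address.
        message = "\x1f".join((applicant_id, address, code)).encode("utf-8")
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def issue(self, applicant_id, validated_address):
        """Create a code for delivery to the validated phone number or email address."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[applicant_id] = {
            "address": validated_address,
            "tag": self._tag(applicant_id, validated_address, code),
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # passed to the delivery channel; the clear code is not stored

    def confirm(self, applicant_id, submitted_code):
        """Return 'verified', 'mismatch', 'locked', 'expired' or 'no_pending_code'."""
        record = self._pending.get(applicant_id)
        if record is None:
            return "no_pending_code"
        if self._clock() > record["expires_at"]:
            del self._pending[applicant_id]
            return "expired"
        record["attempts"] += 1
        candidate = self._tag(applicant_id, record["address"], submitted_code)
        if hmac.compare_digest(candidate, record["tag"]):  # constant-time comparison
            del self._pending[applicant_id]                # a code is single use
            return "verified"
        if record["attempts"] >= MAX_ATTEMPTS:
            del self._pending[applicant_id]                # a new code must be issued
            return "locked"
        return "mismatch"
```

A "verified" result is the point at which the applicant has shown possession and control of the validated address; every other result leaves the applicant unproofed.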
           

          The fourth and final action in the first stage of a digital ID system is enrollment and binding.

           4. Enrollment is the process by which an IDSP registers (or “enrolls”) an identity-proofed applicant as a “subscriber” and establishes their identity account. This process authoritatively binds the subscriber’s unique verified identity (i.e., the subscriber’s attributes/identifiers) to one or more authenticators possessed and controlled by the subscriber, using an appropriate binding protocol. The process of binding the subscriber’s identity to authenticator(s) is also referred to as “credentialing.”
           
             An authenticator is something the claimant possesses and controls—typically, a cryptographic module, one-time code generator, or password—that is used to confirm or “authenticate” that the claimant is the individual to whom a credential was issued and therefore is (to a given degree of likelihood) the actual subscriber and accountholder. The likelihood that the claimant to whom a credential was issued is in fact the actual subscriber is a function, in part, of the strength of the authentication component; stronger authenticators, such as longer and more complex passwords, can increase an IDSP’s confidence that the claimant is in fact the actual subscriber.
           
             A credential is a physical object or digital structure, such as a physical or electronic ID card, that authoritatively binds a subscriber’s proofed identity (via one or more identifiers) to at least one authenticator possessed and controlled by the subscriber. When a digital IDSP issues an authenticator (such as a password or PIN) and authoritatively binds the authenticator to the subscriber’s identity, the physical object or digital structure that results (such as an ID card) is a credential.
           
             Typically, an IDSP issues one or more authenticators (such as a password or auto-generated code) to the subscriber and registers the authenticators in a way that ties them to the subscriber’s proofed identity at enrollment. However, the IDSP can also bind the subscriber’s account to authenticators provided by the subscriber that are acceptable to the IDSP. For example, users of the UAE Pass app are prompted to create a signing password while completing the verification step at a UAE Pass kiosk or through the mobile app. The IDSP can also bind a subscriber’s credentials to additional or alternative authenticators at a later point in time, as part of identity lifecycle management (discussed immediately below).

          5 Available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.
          6 Some government-provided ID solutions include a de-duplication process as part of identity proofing, which may involve checking the applicant’s specific biographical attributes (such as name, age, or gender), biometrics (such as fingerprints, iris scans, or facial recognition images), and/or government-assigned attributes (such as driver’s license, passport, or taxpayer identification numbers) against the identity system’s database of enrolled individuals and their associated attributes and identity evidence to prevent duplicate enrollment.

        • 2.3. Authentication and Identity Lifecycle Management

          Authentication and identity lifecycle management constitute the second stage of a digital ID system. Authentication answers the question: Are you the person who has been identified and verified? It establishes that the individual seeking to access an account (or other services or resources) is the same person who has been identity proofed, enrolled, and credentialed and has possession and control of the binding credentials and other authenticators, if applicable. In other words, it establishes that the claimant is the onboarded customer. Authentication can rely on various types of authentication factors and processes, with the trustworthiness of the authentication depending on the type of authentication factors used and the security of the authentication processes:

           Authentication factors fall into three basic categories:
           
             Knowledge factors, that is, something you know, such as a shared secret (e.g., username, password, or passphrase), a personal identification number (“PIN”), or a response to a pre-selected security question;
           
             Ownership factors, that is, something you have, such as a cryptographic key stored in hardware (e.g., in a mobile phone, tablet, computer, or USB-dongle) or software that the subscriber controls; a one-time password (“OTP”) generated by a hardware device; or a software OTP generator installed on a digital device, such as a mobile phone; and
           
             Inherence factors, i.e., something you are, including biophysical biometrics, biomechanical biometrics, and behavioral biometrics (as discussed in section 2.2 above).
           
           Authentication processes have historically been assessed by the number and type of authentication factors the process requires, on the assumption that the more factors an authentication process employs, the more robust and trustworthy the authentication system is likely to be. As authentication technology and processes have evolved, however, this assumption has been revised, and the strength of the authentication component is no longer assumed to depend on how many factors (or types of factors) it uses but rather on whether its authentication processes are secure: that is, resistant to compromise by commonly executed and evolving attacks, such as phishing and man-in-the-middle attack vectors. In this revised paradigm, multifactor authentication (“MFA”)—where an IDSP uses two or more independent authenticators from at least two different authentication factor categories (knowledge/possession/inherence) to authenticate the claimant’s identity—is typically assumed.
           
             As detailed in the Guidance for Financial Institutions adopting Enabling Technologies, LFIs should implement MFA using a biometric factor where possible to authorize high-risk activities and protect the integrity of customer account data and transaction details. High-risk activities include changes to personal data (e.g., customer office or home address, email address, or telephone contact details), registration of third-party payee details, high-value funds transfers, and revisions to funds transfer limits.
           
               LFIs deploying MFA at login that includes a biometric factor should consider employing phishing-resistant authenticators where at least one factor relies on public key encryption to secure the customer authentication process.
           
             Digital ID authentication has traditionally been conducted at a particular point in time: namely, when the claimant asserts the customer’s/subscriber’s identity and seeks authorization to begin a digital or in-person interaction to access his or her account or other financial services or resources. Today, however, many regulated entities augment traditional authentication at the beginning of an online interaction with continuous authentication solutions that leverage biomechanical biometrics, behavioral biometrics, and/or dynamic transaction risk analysis.
           
               Instead of relying on something the claimant has/knows/is to establish at the beginning of the interaction that the claimant is the onboarded customer and is in control of the authenticators issued to that customer, continuous authentication focuses on ensuring that certain data points collected throughout the course of an online interaction—such as geolocation, Media Access Control (“MAC”) and Internet Protocol (“IP”) addresses, typing cadence, and mobile device angle—match what should be expected during the entire session.
           
               However, ways of measuring the effectiveness of continuous authentication technology in mitigating authentication risks have not reached maturity, and the digital ID technical standards, such as the U.S. National Institute of Standards and Technology (“NIST”) Digital Identity Guidelines, do not currently address them.
           
           Finally, identity lifecycle management refers to the actions IDSPs should take in response to events that can occur over the lifecycle of a subscriber’s authenticator that affect the use, security, and trustworthiness of the authenticator. The attributes associated with an identity may change from year to year, and analytics systems may uncover risk signals suggesting an identity is being used in a manner consistent with fraud or account compromise. Key identity lifecycle events may include:
           
             Issuing and recording credentials: At customer onboarding, the IDSP issues the credential and records and maintains the credential and associated enrollment data in the subscriber’s identity account throughout the credential’s lifecycle.
           
             Binding: Throughout the digital ID lifecycle, the IDSP should also maintain a record of all authenticators that are, or have been, associated with the identity account of each of its subscribers, as well as the information required to control authentication attempts. When an IDSP binds a new authenticator to the subscriber’s account post-enrollment, it should require the subscriber to first authenticate at the assurance level (or higher) at which the new authenticator will be used.
           
             Compromised authenticators: If a subscriber loses or otherwise experiences compromise of all authenticators of a factor required for MFA, the subscriber should repeat the identity proofing process, confirming the binding of the authentication claimant to previously proofed evidence, before the IDSP binds a replacement for the lost authenticator to the subscriber’s identity account. If the subscriber has MFA and loses one authenticator, the IDSP should require the claimant to authenticate, using the remaining authentication factors.
           
             Expiration and renewal: Where an IDSP has issued an authenticator that expires, the IDSP should bind an updated authenticator prior to expiration, using a process that conforms to the initial authenticator binding process and protocol, and then revoke the expiring authenticator.
           
             Revocation or termination: IDSPs should promptly revoke the binding of authenticators when an identity ceases to exist (e.g., because the subscriber has died or is discovered to be fraudulent); when requested by the subscriber; or when the IDSP determines that the subscriber no longer meets its eligibility requirements.
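The lifecycle events listed above can be read as rules enforced on a subscriber's identity account. The following sketch is an added example, not part of the Guidance or of any IDSP's implementation; the class names, the integer assurance levels, and the rule that repeated identity proofing stands in for the session-level check are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "knowledge"
    OWNERSHIP = "ownership"
    INHERENCE = "inherence"


class Status(Enum):
    ACTIVE = "active"
    COMPROMISED = "compromised"
    REVOKED = "revoked"


class LifecycleError(Exception):
    """Raised when a lifecycle action would break one of the rules above."""


@dataclass
class Authenticator:
    auth_id: str
    factor: Factor
    level: int                          # assurance level at which it will be used
    expires_at: Optional[float] = None  # epoch seconds; None means no expiry
    status: Status = Status.ACTIVE


@dataclass
class IdentityAccount:
    subscriber_id: str
    mfa_factors: frozenset                              # factors the MFA policy requires
    authenticators: dict = field(default_factory=dict)  # every authenticator ever bound
    audit: list = field(default_factory=list)           # (event, auth_id) records

    def active(self, factor=None):
        return [a for a in self.authenticators.values()
                if a.status is Status.ACTIVE and factor in (None, a.factor)]

    def _record(self, auth, event):
        self.authenticators[auth.auth_id] = auth
        self.audit.append((event, auth.auth_id))

    def enroll(self, auth):
        """Issuing and recording: initial binding right after identity proofing."""
        self._record(auth, "bound_at_enrollment")

    def recovery_path(self, factor):
        """Compromised authenticators: what must happen before a replacement is bound."""
        if factor in self.mfa_factors and not self.active(factor):
            return "repeat_identity_proofing"
        return "authenticate_with_remaining_factors"

    def bind(self, auth, session_level, reproofed=False):
        """Binding: add a new or replacement authenticator after enrollment."""
        if self.recovery_path(auth.factor) == "repeat_identity_proofing":
            if not reproofed:  # assumption: re-proofing replaces the session check
                raise LifecycleError("identity proofing must be repeated first")
        elif session_level < auth.level:
            raise LifecycleError("session authenticated below the new authenticator's level")
        self._record(auth, "bound_post_enrollment")

    def report_compromised(self, auth_id):
        auth = self.authenticators[auth_id]
        auth.status = Status.COMPROMISED
        self.audit.append(("compromised", auth_id))
        return self.recovery_path(auth.factor)

    def renew(self, old_id, new_auth, now, session_level):
        """Expiration and renewal: bind the updated authenticator, then revoke the old."""
        old = self.authenticators[old_id]
        expired = old.expires_at is not None and now >= old.expires_at
        if old.status is not Status.ACTIVE or expired:
            raise LifecycleError("authenticator is no longer valid; renewal window missed")
        self.bind(new_auth, session_level)
        old.status = Status.REVOKED
        self.audit.append(("revoked_after_renewal", old_id))

    def terminate(self, reason):
        """Revocation or termination: revoke every active binding."""
        for auth in self.active():
            auth.status = Status.REVOKED
            self.audit.append((f"revoked:{reason}", auth.auth_id))
        return not self.active()
```

Authenticators are never deleted from the account, only given a new status, which keeps the record of all authenticators that are or have been associated with the subscriber.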
        • 2.4. Portability and Interoperability Mechanisms

          Digital ID systems can—but need not—include a component that allows proof of identity to be portable. An individual’s identity is portable when his or her digital ID credentials can be used to prove identity for new customer relationships at unrelated private sector or government entities, without their having to obtain and verify personally identifiable information (“PII”) and conduct customer identification and verification each time. Portability requires developing interoperable digital identification products, systems, and processes, including through the use of federated digital architecture and assertion protocols to convey identity and authentication information across a set of networked systems or through APIs that do not use federated architecture and protocols.

          Portability and interoperability can potentially save relying parties (e.g., financial institutions and government entities) time and resources in identifying, verifying, and managing customer identities, including for account opening and authorizing customer account access, and may reduce the risk of identity theft stemming from the repeated exposure of PII. However, as discussed below, portability and interoperability are optional components of a digital ID system and will not be a focus of this Guidance.

        • 2.5. Focus of this Guidance

          This Guidance focuses on the use of digital ID systems for CDD, specifically for customer identification and verification at onboarding or account opening and for ongoing CDD monitoring, thus enabling LFIs to fulfill their obligations under Articles 8 and 7, respectively, of the AML-CFT Decision. The Guidance emphasizes, however, that customer identification and verification and ongoing monitoring of the business relationship are only two components of LFIs’ wider CDD obligations, which include identifying and verifying the identities of a legal entity customer’s beneficial owners and understanding the nature of the customer’s business and the nature and purpose of the customer’s business relationship with the LFI. LFIs are also separately required under Article 24 of the AML-CFT Decision to maintain all records and documents obtained through CDD measures for a period of no less than five years from the date of termination of the business relationship with the customer; under FATF standards and UAE regulation, such recordkeeping requirements are technology neutral, meaning they apply equally to records kept in digital and physical (documentary) form.

          The Guidance focuses primarily on identity proofing and enrollment and secondarily on authentication; it does not address portability and interoperability, as these components are regarded as optional under international AML/CFT standards and are less directly relevant to the application of CDD measures by LFIs. Particular emphasis will be placed on the use of third-party sources or providers to verify and authenticate customer identity through digital means.

          Finally, the Guidance focuses on the use of digital ID systems to identify and verify the identity of customers that are individuals (natural persons). It does not examine the use of digital ID systems to help identify and verify the identity of a legal person’s representative(s) or beneficial owner(s) or to understand and obtain information on the nature and intended purpose of the business relationship—although reliable, independent digital ID systems are important for all of these CDD functions.

      • 3. Use of Digital ID Systems for CDD

        • 3.1. Customer Identification and Verification

          Under Article 8 of the AML-CFT Decision, LFIs are required to identify each customer and verify the customer’s identity using documents, data, or any other identification information from a reliable and independent source. This requirement is technology neutral and expressly permits LFIs to use documentary as well as non-documentary sources (i.e., information or data) when performing identification and verification; it does not impose any restrictions on the form—physical or digital—that identity evidence must take, nor does it impose limitations as to the use of digital ID systems for the purpose of linking a customer’s verified identity to a unique, real-life individual, provided this is done using a “reliable” and “independent” source. As such, LFIs are permitted to utilize digital ID systems as well as physical forms to perform customer identification and verification, consistent with the expectations set forth in this Guidance.

          In the digital ID context, the requirement that digital source documents, data, or information must be “reliable” and “independent” means that the digital ID system used to conduct CDD relies upon technology, adequate governance, processes, and procedures that provide an appropriate level of confidence that the system produces accurate results. Reliability and independence in this sense depend specifically on the effective application of mitigation measures to prevent and manage risks related to identity proofing and enrollment, such as the risks of an applicant using falsified identity evidence or another individual’s identity, as well as risks related to authentication and identity lifecycle management, including various risks that bad actors will illicitly obtain an individual’s legitimate identity credentials and assert them to open an account or obtain unauthorized access to products, services, and data. These risks and the corresponding mitigating measures that LFIs should consider implementing are discussed in greater detail in section 4 below.

        • 3.2. Ongoing Due Diligence on the Business Relationship

          Under Article 7 of the AML-CFT Decision, all customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

          As discussed in section 2 above, authentication using a digital ID system establishes confidence that the person asserting identity today is the same person who previously opened the account or other financial service and is in fact the same individual who underwent reliable, independent identification and verification at onboarding. In other words, ongoing digital authentication of the customer’s identity links that individual with their financial activity. LFIs that use digital ID systems to authenticate the identity of their existing customers as part of account authorization should leverage the data generated by authentication and related information (such as geolocation or IP addresses) to support ongoing due diligence and transaction monitoring, such as to assess whether a customer’s actual activity conforms to the LFI’s expectations of normal or typical activity and to identify cases in which a customer may be transacting from a sanctioned, otherwise prohibited, or high-risk jurisdiction.

        • 3.3. Third-Party Reliance and Provision of Digital ID Services

          Per Article 19 of the AML-CFT Decision, LFIs are permitted to rely on customer identification and verification undertaken by a third party at onboarding, provided the relying LFI:

           1. Immediately obtains the necessary information concerning customer identification and verification from the third party, including the assurance levels, where applicable;
           
             For example, the digital ID system could enable the prospective customer to assert identity to the relying LFI and the third party to authenticate the person’s identity and provide additional needed information, such as the person’s name, date of birth, government-provided unique identity number, or other attributes required to prove official identity.
           
           2. Takes adequate steps to satisfy itself that the third party will make available copies of or other appropriate forms of access to identification data and other relevant CDD information and documentation without delay;
           
             For example, the relying LFI could take appropriate steps to satisfy itself: (a) that, as part of identity proofing and enrollment, the third party established a digital ID account for the identified person that contains adequate attribute evidence and other identity data and information; and (b) that the third party’s authentication processes enable it to provide that information to the relying party upon request without delay.
           
           3. Satisfies itself that the third party adheres to the CDD and recordkeeping requirements set forth in the AML-CFT Decision and is regulated and supervised for compliance with these requirements. In practice, this means that the third party should either be another LFI, a designated non-financial business and profession (“DNFBP”), or another regulated entity, as defined in UAE regulation and guidance; and
           
           4. Considers country risk information when determining in which countries a third party meeting the above conditions can be based.
           

          Unlike outsourcing relationships, in which an LFI engages a third-party provider to perform certain control functions on the LFI’s behalf and in conformity with the LFI’s AML/CFT policies and procedures,7 third-party reliance relationships typically involve an LFI relying on the customer identification and verification measures already undertaken by another regulated entity on an existing customer of that entity in accordance with the entity’s own AML/CFT policies and procedures. In reliance relationships, that is, the third party will usually already have a business relationship with the customer that is independent of the relationship to be formed by the customer with the relying institution. The third party will therefore have onboarded the customer in accordance with its own AML/CFT policies and procedures. In a typical reliance scenario, a prospective customer will assert identity to the relying LFI using a digital ID system, at which point the third party will be prompted by the system to authenticate the person’s identity and (per condition 1 above) immediately provide relevant identification and verification information to the relying LFI. In all reliance relationships, the ultimate responsibility for CDD measures remains with the LFI that relies on the third party.


          7 See also Guidance for Financial Institutions adopting Enabling Technologies, section 3.90 for additional detail related specifically to the outsourcing of biometric activities.

      • 4. Risks and Challenges Presented by Digital ID Systems

        Like any ID system, the reliability of digital ID systems depends on the strength of the documents, processes, technologies, and security measures used for identity proofing, credentialing, and authentication, as well as ongoing identity management. In both documentary and digital ID systems, reliability can be undermined by identity theft and source documents that can be easily forged or tampered with. Some types of fraud, such as “massive attack” frauds, may be less likely to occur in-person or in processes requiring human intervention. While digital ID systems provide security features that mitigate some issues with paper-based systems, they also increase some risks, such as data loss, data corruption, or misuse of data due to unauthorized access.

        Digital ID systems also present a variety of technical challenges and risks due to their reliance on open communications networks (i.e., the Internet) for identity proofing and authentication, and the involvement of multiple parties (such as the IDSP, the customer, and the relying LFI), which together can present multiple opportunities for cyberattacks. Without careful consideration of relevant risk factors and the implementation of appropriate, technology-based safeguards and effective governance and accountability measures to address these risks, criminals, money launderers, terrorists, and other illicit actors may be able to abuse digital ID systems to create false identities or exploit (e.g., hack or spoof) authenticators linked to a legitimate identity.

        The discussion below covers both identity proofing and enrollment risks and authentication risks. Risks at the identity proofing stage include the risk that proofing and enrollment processes result in digital IDs that are fake—that is, obtained under false pretenses through an intentionally malicious act—and can be used to facilitate illicit activities. These risks are mitigated by having an appropriate identity assurance level. Risks at the authentication stage include the risk that a legitimately issued digital ID has been compromised and that its credentials or authenticators are under the control of an unauthorized person. These risks are mitigated by having an appropriate authentication assurance level. This section concludes with a discussion of broader connectivity, cybersecurity, and privacy challenges in the digital space that may impact the integrity or availability of digital ID systems to conduct CDD.

        • 4.1. Identity Proofing and Enrollment Risks

          This section focuses on threats to the identity proofing and enrollment process presented by cyberattacks, security breaches, and the production and presentation of false identity evidence, either by stealing a real person’s identity or by combining real and fake information to create a new identity. The enrollment process may also be threatened through the compromise of, or misconduct by, an IDSP or through the compromise of the broader digital ID infrastructure. The latter type of threat is outside the scope of this Guidance and should be directly addressed by traditional computer security controls (such as intrusion protection, recordkeeping, and independent audits) and by broader governance and organizational requirements and digital ID assurance frameworks and standards.

          In certain respects, the risks arising from the presentation of stolen or counterfeit identity evidence can be even greater in digital ID systems, as online counterfeiters and cybercriminals may be able to obtain or produce false identity evidence at far greater scale than illicit actors trading solely in physical documents. Impersonation involves a person pretending to have the identity of another genuine person, including by using a stolen document of someone with a similar appearance or by combining stolen identity evidence with counterfeit or forged evidence (as when an imposter places his or her photo onto a stolen passport or ID card). By contrast, a synthetic ID is created by criminals by combining real (usually stolen) and fake information to create a new, synthetic identity, which can be used to open fraudulent accounts and make fraudulent purchases. Unlike impersonation, the criminal using a synthetic ID is pretending to be someone who does not exist in the real world, rather than impersonating an existing identity.

          For example, criminal groups have been known to produce synthetic digital IDs at large scale by stealing real individuals’ identity attributes and other data from online transactions or by hacking Internet databases, and combining these attributes with entirely fake information. The resulting synthetic IDs have been used to obtain credit cards or online loans and to withdraw funds, with the account abandoned shortly thereafter.

          The table below sets out these risks and presents some strategies for mitigating threats to the identity proofing and enrollment process, based on the U.S. National Institute of Standards and Technology (“NIST”) Digital Identity Guidelines (also incorporated into the FATF’s Guidance on Digital Identity). FATF further advises regulated entities to utilize safeguards built into digital ID systems to prevent fraud, such as monitoring authentication events to detect systemic misuse of digital IDs to access accounts, including through lost, compromised, stolen, or sold digital ID credentials/authenticators, to feed into suspicious activity monitoring and reporting systems.

          | Type of Risk | Description | Potential Risk Mitigation Strategy |
          |---|---|---|
          | Falsified identity proofing evidence | An applicant claims an incorrect identity by using a forged driver’s license | IDSP validates physical security features of presented evidence; IDSP validates personal details in the evidence with the issuer or other authoritative source |
          | Fraudulent use of another’s identity | An applicant uses a passport associated with a different individual | IDSP verifies identity evidence and biometric of applicant against information obtained from issuer or other authoritative source |

           

        • 4.2. Authentication and Identity Lifecycle Management Risks

          Risks at the authentication stage involve the possibility of bad actors asserting an individual’s legitimate identity to a relying party to open an account or obtain unauthorized access to products, services, and data. Key authentication vulnerabilities include:

           Credential stuffing (also referred to as breach replay or list cleaning): a type of cyberattack where stolen account credentials, often from a data breach, are tested for matches on other systems. This type of attack can be successful if the victim has used the same password that was stolen in the data breach for another account.
           
           Phishing: a fraudulent attempt to gather credentials from unknowing victims using social engineering attacks such as deceptive emails, phone calls, text messages, or websites. For example, a criminal may attempt to trick his or her victim into supplying names, passwords, government ID numbers, or credentials to a seemingly trustworthy source that is in fact controlled by the criminal.
           
           Man-in-the-middle (also known as credential interception): an attack that attempts to achieve the same goal as phishing and can be a tool to commit phishing, but does so by intercepting communications between the victim and the service provider.
           
           PIN code capture and replay: an attack in which a criminal uses a key logger to capture a PIN code entered on a computer keyboard or other device and, without the user noticing, uses the captured PIN to access services (e.g., when a smartcard is present in the reader).
           

          Most authentication vulnerabilities are exploited without the identity owner’s knowledge, but abuse can also involve the witting participation of subscribers or IDSPs. For example, shared-secret authenticators, such as passwords, may be stolen and exploited by bad actors, but they can also be deliberately shared by the owner of the identity credentials for illicit purposes, as in the case study below.

           

          Misuse of Digital ID by Straw Men
           

          Criminal organizations can purchase digital ID credentials from individuals that enable them to access the individuals’ accounts at LFIs or other regulated entities, in effect turning them into digital mules for the organization. The individuals may either already have an account or agree to open one in connection with selling the identity credentials.

          In one case highlighted by the FATF, criminal groups opened bank accounts using straw men, who established the account, obtained a digital ID and a security code, and provided their credentials to the criminal group, in exchange for money. In many cases, multiple digital IDs were used on a single mobile phone or tablet. Access to these accounts afforded the criminal groups access to real-time transactions, making it possible for them to quickly transfer money between various accounts. As the FATF notes, the overwhelming majority of digital IDs that are misused by criminal groups are issued on the basis of legitimate identity evidence.

           

          Some of the primary known risks at the authentication stage are associated with specific types of authenticators or authentication processes, including:

           Multifactor authentication vulnerabilities: Passwords or passcodes, which are supposed to be shared-secret knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak, or default passwords are believed to be behind the vast majority of data breaches. MFA solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords and passcodes, but they can also be vulnerable to phishing, subscriber identity module (“SIM”) card swapping, mobile device compromise, and other attacks.
           
             Phishing-resistant authenticators, where at least one factor relies on public key encryption, can help combat these vulnerabilities. In public-key encryption, a pair of keys are generated for an entity (person, system, or device), and that entity holds the private key securely, while freely distributing the public key to other entities. Anyone with the public key can then use it to encrypt a message to send to the private-key holder, knowing that only they will be able to open it. Examples of phishing-resistant authenticators include authenticators built off public key infrastructure (“PKI”) certificates or the Fast Identity Online (“FIDO”) Alliance standards.
           
             Per the Guidance for Financial Institutions adopting Enabling Technologies, LFIs should implement MFA using a biometric factor (discussed immediately below) where possible to authorize high-risk activities (including changes to personal, registration of third-party payee details, high-value funds transfers, and revisions to funds transfer limits) and to protect the integrity of customer account data and transaction details. Moreover, LFIs deploying MFA at login that includes a biometric factor should consider employing phishing-resistant authenticators where at least one factor relies on public key encryption to secure the customer authentication process.
           
           Biometric authenticators: Biophysical authenticators, such as fingerprints and iris scans, are more difficult to defeat than traditional authenticators and are increasingly ubiquitous. Most smart phones have built-in fingerprint scanners, some have built-in iris scanners, and facial recognition capabilities are built into many personal computer systems and advanced smart phones. Biometric characteristics can be stolen in bulk from central databases, obtained by taking high-resolution photos, lifted from objects the individual touches, or captured with high-resolution images and then spoofed. Currently, however, these types of attacks are difficult and/or highly resource intensive and therefore not scalable. For example, biometric authenticators that require on-device matching cannot be fraudulently used at scale because they require physical access to the device of the customer.
           
             Biometrics have a variety of other weaknesses that give rise to reliability concerns when used for authentication purposes and have led some technical standards to restrict their use for authentication (although not for identity proofing). Fingerprints may not be read or may be read incorrectly; and facial recognition factors can be rendered unreliable by changes in facial expressions, facial hair, makeup, or lighting conditions. Due to incomplete data sets, facial recognition has been less reliable for persons with darker skin pigmentation and certain ethnic features, although this is improving. In contrast to knowledge- or possession-based authenticators, stolen biometric authenticators are difficult to revoke or replace.
           
           Identity life cycle risks: Poor identity life cycle and access management can, wittingly or unwittingly, compromise the integrity of authenticators and enable unauthorized persons to access and misuse customer accounts, undermining the purpose of customer identification and verification, ongoing due diligence, and transaction monitoring requirements in protecting the financial system from abuse.
           
           Compromised MFA workflow bypass: Attackers have also been known to identify loopholes in MFA protocols, for example by initiating a denial-of-service attack that causes the MFA workflow to break or its security to degrade.
           
           Unknown risks: Digital ID systems develop and evolve. In many cases, technical design changes introduce operational improvements but bring with them vulnerabilities that are not apparent until they are exploited by bad actors in ways that disclose how the digital ID system has been compromised.
        • 4.3. Broader Issues Presented by Digital ID Systems

          Beyond specific risks associated with identity proofing/enrollment and authentication, there are a number of broader issues in the digital space that may impact the integrity or availability of digital ID systems to conduct CDD. These include but are not limited to:

           Connectivity issues: The lack of a reliable network infrastructure can undermine digital ID systems at particular customer touchpoints or across larger geographic areas for meaningful periods of time. However, digital ID systems can be designed to support both offline and online transactions, allowing them to function with or without access to the Internet or a mobile network. LFIs should consider the resilience of available networks and systems, including the geographic locations from which customers may be utilizing a digital ID system for authentication, when deciding whether to use a digital ID system for CDD.
           
           UAE frameworks for official identity: The reliability and independence of purely documentary approaches can be undermined by identity theft and the widespread counterfeiting of official identity documents, including where official identity documents either lack advanced security features to prevent tampering or counterfeiting or are issued without adequate identity proofing. Such weaknesses in the reliability of documentary identity evidence can have a cascading effect on the risks posed by digital ID systems, and identity theft from online databases can generate similar risks for both digital ID systems and documentary approaches.
           
             The Emirates ID utilizes ultraviolet ink, public key infrastructure, and fingerprint biometrics to prevent tampering or counterfeiting of the card.
           
             To further mitigate the risks associated with tampering or counterfeiting of official identity documents, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship when verifying the Emirates ID card, and should keep a copy of the Emirates ID and its digital verification in their records.8
           
           Data protection and privacy challenges: Digital ID involves the collection and processing of PII, potentially including biometrics. As such, digital ID systems are subject to local data protection and privacy (“DPP”) requirements, including Federal Decree-Law No. 34 of 2021 Concerning the Fight Against Rumors and Cybercrime; Federal Decree-Law No. 46 of 2021 On Electronic Transactions and Trust Services; the Internet Access Management (IAM) policy; relevant Emirate-level requirements such as the Dubai Data Law; and Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, where relevant.
           
             Under the UAE’s DPP framework, LFIs and DISPs are not permitted to transfer or store personal data, including digital or physical copies of Emirates IDs, outside of the UAE, except as permitted by Articles 22 and 23 of the Federal Decree-Law No. 45 of 2021.
           
             LFIs should also consult the Principles on Identification for Sustainable Development, including Principle 8 regarding the protection of personal data and the maintenance of cyber security,9 as well as guidance from global standard-setting bodies in their respective sub-sectors.
           
           Financial exclusion considerations: Where digital ID systems do not cover all, or most, persons within a jurisdiction, or where they exclude certain populations, they may drive (or at least fail to mitigate) financial exclusion. The mandatory use of a specific digital ID that is not universally available for CDD presents challenges similar to the prescriptive use of a documentary ID that is not accessible to the entire population.
           
             Lack of access to digital technology or low levels of technological literacy may compound exclusion risks. For example, lack of access to mobile phones, smartphones, or other digital access devices, or lack of coverage and/or unreliable connectivity, may exclude poor and rural populations or women as well as those living in fragile and conflict-affected areas, such as refugees and displaced people.
           
             Digital ID systems may also contribute to financial exclusion if they use biometric authentication without providing alternative mechanisms for authentication, as certain biometric modalities have greater failure rates for some vulnerable groups. For example, manual laborers may have worn fingerprints, which cannot be read by biometric readers; the elderly may experience frequent match failure, due to altered facial characteristics, hair loss, or other signs of aging, illness, or other factors; and certain ethnic groups and individuals with certain physical characteristics related to darker pigmentation, eye shape, or facial hair experience disproportionate facial recognition failures.
           
             Special considerations for LFIs related to financial inclusion are discussed in section 5.2 below.

          8 See https://ica.gov.ae/en/ica-validation-gateway/.
          9 See https://id4d.worldbank.org/principles. Although developed to support the creation of “good” government-recognized ID systems, FATF’s Guidance on Digital ID notes that they apply more broadly and can be adopted by both public- and privately-provided and used identity systems and services.

      • 5. Assessing the Reliability and Independence of Digital ID Systems for CDD

        Unless otherwise specified,10 the UAE permits LFIs to adopt digital ID systems of their choosing, provided that they “rely upon technology, adequate governance, processes, and procedures that provide appropriate levels of confidence that the system produces accurate results.”11 This means that there is an appropriate level of confidence (or “assurance,” in the FATF’s terminology) that the digital ID system works as it is supposed to and produces accurate results. The digital ID system should also be adequately protected against internal or external manipulation or falsification designed to fabricate and credential false identities or authenticate unauthorized users, including by cyberattack or insider malfeasance.

        To this end, LFIs should conduct:

         An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
         
         An appropriateness assessment, through which the LFI can make a risk-based determination—given the digital ID system’s assurance levels—of whether the digital ID system is appropriately reliable and independent for CDD in light of potential ML, TF, fraud, and other illicit financing risks.
         

        As explained in greater detail below, these assessments should be performed sequentially. If an LFI cannot assess a digital ID system’s assurance level or determines that it is not sufficiently reliable and independent for its purposes, it should not proceed with using the system for CDD unless it can be adequately strengthened or supplemented; in such a case, it is therefore not necessary to perform an appropriateness assessment until assurance concerns have been resolved.

        Both an LFI’s assurance assessment of a digital ID system and its determination of the system’s appropriateness for CDD given its business and risk profile should be documented—whether as part of the institution’s enterprise risk assessment or through a separate process—and updated on a periodic and event-driven basis. LFIs may determine which functional unit or team within the institution is best suited to carry out the assurance and appropriateness assessments; there is no requirement that these assessments be performed by a specific unit, such as an internal audit department.


        10 For example, as noted above, when verifying the Emirates ID card, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship and keep a copy of the Emirates ID and its digital verification in their records; see https://ica.gov.ae/en/ica-validation-gateway/.
        11 Available at https://www.centralbank.ae/en/cbuae-amlcft; see p. 49.

        • 5.1. Understanding the System’s Assurance Levels

          Where UAE law, regulation, or supervisory guidance has not mandated or prohibited the use of a specific digital ID system for CDD, LFIs should first determine, for any digital ID system they are considering adopting, the system’s assurance levels.12 In determining the reliability and independence of a given system, LFIs may either:

           Perform the assurance assessment themselves; or
           Obtain audit or certification information on assurance levels from an expert body.
           

          Where an LFI performs the assurance assessment itself, it should conduct appropriate due diligence on the digital ID system provider, including the governance systems in place, and exercise additional caution. An LFI should only use information from an expert body, including another member of the same financial group or an independent third party, if it has a reasonable basis for concluding that the entity accurately applies appropriate, publicly disclosed assurance frameworks and standards.

          Digital ID assurance frameworks and technical standards are a set of open source, consensus-driven assurance guidelines and best practices for digital ID systems that have been developed in several jurisdictions and by international organizations and industry bodies, and provide a useful tool for informing an LFI’s or expert body’s assurance assessment.13 LFIs are encouraged to consider the reliability of each of the system’s main digital ID components separately, as the same degree of reliability may not be required for each component of the digital ID system (identity proofing/enrollment, authentication, or, if applicable, federation), depending on the relevant risk factors and mitigating measures in place.

          Digital ID technology and architecture, and digital ID assurance frameworks and standards, are dynamic and evolving. The standards themselves are flexible and outcome-based in order to facilitate innovation. They permit different technologies and architectures to satisfy the requirements for different assurance levels and are framed in ways intended to help make them as future-proof as possible (e.g., by providing a floor, rather than a ceiling, for reliability).

          Digital ID assurance frameworks and standards usually set out various, progressively more reliable assurance levels, with increasingly rigorous technical requirements, for each of the three main steps in a digital ID system. The technical standards provide ID reliability factors, in the form of assurance levels for the basic constituent processes of a digital ID system. Each assurance level reflects a specified level of certitude or confidence in the process at issue; a process with a higher assurance level is more reliable, while a process with a lower assurance level presents a greater risk of failure and is less reliable. This Guidance does not require or recommend any particular assurance level; rather, LFIs are expected to perform an assurance assessment and to determine what assurance levels for which processes are appropriate, given their ML, TF, fraud, and other illicit financing risks.

          For illustrative purposes only, the following table summarizes and adapts some of the technical requirements from the NIST Digital ID Guidelines14 for the identity proofing and enrollment stage of a digital ID system, which LFIs might leverage in assessing the degree to which a digital ID system is reliable and independent.

          | Reliability Factor | No Assurance | High Assurance | Very High Assurance |
          | --- | --- | --- | --- |
          | Presence | No requirements | In-person or remote proofing is permitted | Either in-person or supervised15 remote proofing is required |
          | Resolution | No requirements | Collection of as many identity attributes as necessary to achieve resolution into a single unique identity (i.e., to achieve de-duplication) is required; knowledge-based verification may be used for added confidence | Same as “High” |
          | Evidence | No identity evidence is collected | Evidence of identity attributes is collected based on the quality of the evidence (classified as weak, fair, strong, or superior) and the number of documents or quantity of digital information relied upon | Same as “High,” albeit with higher thresholds for evidence quality and quantity; use of biometrics is mandatory (noted below) |
          | Validation | No validation | Each piece of evidence is validated as genuine and accurate against independent and reliable sources | Same as “High” |
          | Verification | No verification | The identity evidence is verified, confirming that the validated identity relates to the individual applicant16 | Identity evidence is verified by an authorized and trained credential service provider (“CSP”) representative |
          | Address Confirmation | No requirements for address confirmation | Required | Required |
          | Biometric Collection | None | Optional | Mandatory |
          | Security Controls | Not applicable | Moderate Baseline (per NIST Digital ID Guidelines)17 or equivalent jurisdictional or industry standard | High Baseline (per NIST Digital ID Guidelines)18 or equivalent jurisdictional or industry standard |

           

          Likewise, the NIST Digital ID Guidelines set forth technical requirements for authentication protocols and processes (including credential and authenticator issuance and binding) and authenticator lifecycle management (including revocation in the event of loss or theft, and expiration/re-proofing and re-binding). For illustrative purposes only, the following table describes at a high level of generality some of the NIST requirements for authentication at various authentication assurance levels.19

          | Assurance Level | General Requirements |
          | --- | --- |
          | Some Assurance | This assurance level can be achieved through a wide range of authentication technologies and authenticator types, and information security controls at a low baseline |
          | | Biometrics alone may be used as a single-factor authenticator at this level |
          | High Assurance | MFA is required (i.e., either a multi-factor authenticator or two single-factor authenticators), using secure authentication protocols that incorporate specified approved cryptographic techniques, and information security controls at a moderate baseline |
          | | More stringent requirements are imposed on authenticator types at this level20 |
          | | Biometrics may be used as one authentication factor (something you are), with the device authenticated as a second factor (something you have), but cannot serve as the only authenticator type |
          | Very High Assurance | Requires MFA that uses both a hardware-based authenticator and an authenticator that provides verifier impersonation resistance, based on proof of possession of a key through an approved cryptographic protocol21 |
          | | Claimants prove possession and control of two distinct authentication factors through secure authentication protocols, using approved cryptographic techniques |
          | | The authenticators are verifier impersonation resistant, replay resistant, and resist relevant side-channel attacks |
          | | When a biometric factor is used, the identity service provider (verifier) makes its own determination that the biometric sensor and subsequent processing meet specified performance requirements |
          | | The CSP employs appropriately tailored security controls at a high baseline |

           


          12 Where the government of the UAE has mandated a specific digital ID system for CDD, as in the case of verifying the Emirates ID card via the online validation gateway of the Federal Authority for Identity and Citizenship, LFIs may rely on the government’s assessment of such system’s assurance levels.
          13 See, for example, FATF, Guidance on Digital Identity, Appendix D (Digital ID Assurance Framework and Technical Standard-Setting Bodies) and Appendix E (Overview of U.S. and EU Digital Assurance Frameworks and Technical Standards), available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.
          14 The NIST 800-63 Digital Identity Guidelines consists of a suite of documents: NIST SP 800-63-3 Digital Identity Guidelines (Overview); NIST SP 800-63A: Digital Identity Guidelines: Enrollment and Identity Proofing; NIST SP 800-63B Digital Identity Guidelines: Authentication and Life Cycle Management; and NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions. For additional context, see Appendix E of the FATF Guidance on Digital Identity.
          15 Supervised remote proofing involves a remote interaction with the applicant that is supervised by an operator in accordance with specified requirements so as to achieve comparable levels of confidence and security to in-person identity proofing. NIST comparability requirements are provided in Box 19 of Appendix E of the FATF Guidance on Digital Identity, at 96.
          16 As noted above, an LFI need not verify the accuracy of every element of identifying information obtained at the collection and resolution stage but should do so for enough information to form a reasonable belief it knows the true identity of the customer.
          17 See FATF, Guidance on Digital Identity, pp. 97-98.
          18 See FATF, Guidance on Digital Identity, pp. 97-98.
          19 Appendix E of the FATF Guidance on Digital Identity also presents a summary of authentication assurance levels under EU Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market.
          20 Under NIST standards, a “High” assurance level permits the use of any of the following multi-factor authenticators: multi-factor OTP device; multi-factor cryptographic software; or multi-factor cryptographic device. When a combination of two single-factor authenticators is used, one authenticator must be a memorized secret authenticator and the other must be possession-based (i.e., “something you have”) and use any of the following: look-up secret; out-of-band device; single-factor OTP device; single-factor cryptographic software; or single-factor cryptographic device.
          21 The claimant uses a private key stored on the authenticator to prove possession and control of the authenticator. An IDSP (verifier), knowing the claimant’s public key through some credential (typically, a public key certificate) uses an approved cryptographic authentication protocol to verify that the claimant has possession and control of the associated private key authenticator, and asserts the person’s verified identity to the RP.
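
The proof-of-possession exchange that footnote 21 and the discussion of phishing-resistant authenticators in section 4.2 describe, shown as an added example that is not part of the Guidance. It assumes Ed25519 signatures from the Go standard library as the cryptographic technique (the Guidance names none), and the origins, type names and function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the subscriber's device; the private key never leaves it.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Verifier models the IDSP: it stores only the public key registered at
// enrollment, its own origin, and the challenges it has issued but not yet seen.
type Verifier struct {
	origin      string
	pub         ed25519.PublicKey
	outstanding map[string]bool
}

// boundMessage ties a challenge to one origin, so a signature produced for one
// site is meaningless at another.
func boundMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator; an origin string never contains a NUL byte
	h.Write(challenge)
	return h.Sum(nil)
}

// Enroll generates the key pair and registers the public half with the verifier.
func Enroll(origin string) (*Authenticator, *Verifier) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: nothing safe to fall back to
	}
	return &Authenticator{priv: priv},
		&Verifier{origin: origin, pub: pub, outstanding: map[string]bool{}}
}

// NewChallenge issues a fresh random value that may be answered exactly once.
func (v *Verifier) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	v.outstanding[string(c)] = true
	return c
}

// Assert signs the challenge together with the origin the client platform
// reports it is connected to, not whatever the page claims to be.
func (a *Authenticator) Assert(seenOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, boundMessage(seenOrigin, challenge))
}

// Verify accepts only an unused challenge signed for the verifier's own origin.
func (v *Verifier) Verify(challenge, sig []byte) bool {
	if !v.outstanding[string(challenge)] {
		return false // never issued, or already consumed: replay resistance
	}
	delete(v.outstanding, string(challenge))
	return ed25519.Verify(v.pub, boundMessage(v.origin, challenge), sig)
}

// Outcome records whether the verifier accepted each constructed scenario.
type Outcome struct {
	Genuine, Relayed, Replayed bool
}

// RunScenarios exercises one enrollment against three login attempts.
func RunScenarios() Outcome {
	const realOrigin = "https://bank.example"      // constructed
	const lookalike = "https://bank-login.example" // constructed
	auth, ver := Enroll(realOrigin)
	var out Outcome

	c1 := ver.NewChallenge()
	sig1 := auth.Assert(realOrigin, c1)
	out.Genuine = ver.Verify(c1, sig1)

	// A look-alike site forwards a real challenge; the device signs for the
	// origin it actually sees, so the relayed signature does not verify.
	c2 := ver.NewChallenge()
	out.Relayed = ver.Verify(c2, auth.Assert(lookalike, c2))

	// A captured assertion is presented a second time.
	out.Replayed = ver.Verify(c1, sig1)
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Only the genuine login is accepted; a shared-secret factor such as an SMS one-time code carries no origin binding, which is why the Guidance treats it as still exposed to phishing.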

        • 5.2. Determining Appropriate Usage in Context of Risk

          Once the LFI is satisfied that it knows the assurance levels of the digital ID system, it should analyze whether the digital ID system is adequate for the purposes of performing CDD in the context of the relevant illicit financing risks associated with the LFI’s customers, products and services, geographic areas of operations, and other relevant factors. Depending on the availability of digital ID systems, LFIs may have the option to select from multiple digital ID systems that have different assurance levels for identity proofing and authentication. In such circumstances, LFIs should match the robustness of the system’s identity proofing and/or authentication processes to the type of potential illicit activities and level of ML/TF risks.

          In choosing among digital ID systems providing the same assurance level, or selecting among varying levels of identity proofing and/or particular credentials and authenticators offered by a single system, LFIs should consider their specific ML/TF risks as they relate to identity proofing and authentication in selecting an option. LFIs may also have the option to choose appropriate digital ID systems for lower-risk scenarios.

    • Cabinet Decision 58 of 2020: Beneficial Owner Procedures

      Cab Dec 58/2020 Effective from 25/8/2020

      Cabinet Decision No. (58) of 2020 Regulating the Beneficial Owner Procedures

      The Cabinet:

      Pursuant to the perusal of the Constitution,

      - Federal Law No. (1) of 1972 Concerning the Competencies of the Ministries and Powers of the Ministers and its amendments;

      - Federal Law No. (5) of 1975 on the Commercial Register;

      - Federal Law No. (2) of 2015 on Commercial Companies and its amendments;

      - Federal Law No. (14) of 2016 concerning the Violations and Administrative Sanctions in the Federal Government;

      - Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations;

      - Cabinet Decision No. (10) of 2019 on the Executive Regulations of Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations;

      - Cabinet Decision No. (34) of 2020 concerning Regulating the Beneficial Owner Procedures; and

      - Upon the proposal of the Minister of Economy and the approval therefore of the Cabinet,

      Has resolved:

      • Article (1)

        • Definitions

          In application of the provisions of this Decision, the following terms and expressions shall have the meanings assigned against each, unless the context otherwise requires:

          State: The United Arab Emirates.
          Minister: The Minister of Economy.
          Ministry: The Ministry of Economy.
          Decree-Law: The Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
          Executive Regulations: The Cabinet Decision No. (10) of 2019 concerning the Executive Regulations of the Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
          Licensing Authority: The Authority in charge of licensing or registration of the Legal Persons in the State.
          Registrar: The entity in charge of supervision of the commercial names register for different types of corporate entities registered in the State, which includes the Licensing Authority.
          Relevant Entities: The Governmental Entities in charge of implementation of any provisions of the Federal Decree-Law and the Executive Regulations.
          Beneficial Owner: The natural person who ultimately owns or controls the Legal Person, whether directly or through a chain of ownership or control or any other indirect means, and also the natural person on whose behalf the transactions are being conducted or who exercises ultimate control over a legal person, as defined in Article (5) hereof.
          Nominee Board Member: Any natural person who acts in accordance with the directives, instructions or wills of another person.
          Higher Management: The decision-making authority in the Legal Person.
          Register of Beneficial Owner: A Specific Register of the Beneficial Owners in the Legal Person, which includes all of their data.
          Register of Partners or Shareholders: A Specific Register of the Partners or Shareholders in the Legal Person, which includes all of their data.
          Trustor: A natural or legal person who transfers the management of his funds to a trustee by virtue of a deed.
          Trustee: A natural or legal person who enjoys the rights and authorities granted by the Trustor or the Trust Fund, to manage, use and dispense of the Trustor's funds in accordance with the conditions imposed on him by either of them.
          Trust Fund: A legal relationship in which the Trustor places the funds under control of the Trustee for the interest of a beneficiary or for a specific purpose, which funds shall be independent of the Trustor's properties, and the right in the Trustor's funds shall remain under the name of the Trustor or under the name of another person on behalf of the Trustor.
      • Article (2)

        • Objectives of the Decision

          The objectives of this Decision are to:

          1. Contribute to the development of business environment, capacities of the State and its economic position in accordance with the international requirements, by regulating the minimum obligations of the Registrar and Legal Persons in the State, including the licensing or registration procedures, regulating the Register of Beneficial Owner and the Register of Partners or Shareholders.
             
          2. Develop effective and sustainable executive and regulatory mechanisms and procedures for the beneficial owner data.
             
      • Article (3)

        • Scope of Application

          1. The provisions of this Decision shall apply to the Registrar and the licensed or registered Legal Persons in the State, including the Commercial Free Zones.
             
          2. The provisions of this Decision shall not apply to the companies which are wholly owned by the Local or Federal Government, or any other companies wholly-owned by such companies, and the Financial Free Zones.
             
      • Article (4)

        • Licensing or Registration of Legal Persons

          1. The Legal Person shall be licensed or registered in the State and shall, while submitting its licensing or registration application, provide the Registrar with the following basic data:
            1. Name, legal form and memorandum of association.
            2. Head office address or the principal address of business and, in case of a foreign Legal Person, the name and address of its legal representative in the State, with a proof thereof.
            3. Articles of Association or any other similar documents approved by the Relevant Entity in the State.
            4. Names of the relevant persons who are holding higher management positions in the Legal Person, providing their data from their passports or identity cards, including such documents' numbers, issuance and expiry dates and issuing entity.
               
          2. The Legal Person may not be licensed or registered under a trade name that is previously registered in the State or in similar name to the extent that it may lead to confusion.
             
          3. The Legal Person shall not use a name other than its registered name, and such name must be followed by the legal form of the Legal Person. The Legal Person may submit an application to the Registrar to change its trade name and in case of the approval, the legal person shall not use the cancelled name. All correspondence and documents of the Legal Person shall clearly state its trade name and address in the State.
             
          4. The Legal Person shall have a clear, detailed and registered address in the State and shall notify the Registrar thereof. Such address shall be used in all correspondence and notices to be served on the Legal Person.
             
      • Article (5)

        • Identification of the Beneficial Owner

          1. For the purposes of implementing the provisions of this Decision, the Beneficial Owner of the Legal Person shall be whoever ultimately owns or controls, whether directly through a chain of ownership or control or by other means of control such as the right to appoint or dismiss the majority of its Directors, 25% or more of the shares or 25% or more of the voting rights in the Legal Person.
             
          2. The Beneficial Owner may be traced through any number of Legal Persons or arrangements of whatsoever kind.
             
          3. If two or more natural persons jointly own or control a ratio of capital in the Legal Person, all of them shall be deemed joint owners or controllers of such ratio.
             
          4. If, after all reasonable means have been taken, no natural person is identified as an ultimate Beneficial Owner in accordance with Clause (1) of this Article, or there is reasonable doubt that any natural person identified as an ultimate Beneficial Owner is the true Beneficial Owner in the Legal Person; then the natural person who controls the Legal Person by other means of control shall be deemed as the Beneficial Owner.
             
          5. Where no natural person is identified in accordance with Clause (4) of this Article; then the natural person who holds the position of a higher management official shall be deemed as the Beneficial Owner.
      • Article (6)

        • Transparency and Beneficial Owner

          1. The Legal Person shall take reasonable procedures to obtain and maintain adequate, accurate and up-to-date data in respect of the Beneficial Owner.
             
          2. The provisions of Clause (1) of this Article shall not apply to the licensed or registered Legal Persons in the State that are owned by a company listed on a recognized stock exchange subject to disclosure requirements which ensure sufficient transparency on its beneficial owners or a company wholly-owned by such listed company.
             
      • Article (7)

        • Notices of Beneficial Owner

          1. If the Legal Person believes that a person could be a Beneficial Owner whose ultimate beneficial ownership data are not correctly recorded in the Register of Beneficial Owner, the Legal Person shall inquire as to the person's status as a Beneficial Owner. If (15) fifteen days have lapsed without any response to such inquiry being received, the Legal Person shall give such person a notice thereof.
             
          2. The notice referred to in Clause (1) of this Article shall:
            1. State that it is given by virtue of this Decision.
            2. Set out the Beneficial Owner's relevant data that the Legal Person reasonably knows or believes to be correct, with a request to provide the data that are missing and required to complete data of the Beneficial Owner's Register.
            3. Request the addressee to do the following:
              1. State whether or not he is the Beneficial Owner of the Legal Person;
              2. Confirm or correct any data set out in the notice;
              3. Supply any data that are missing.

             
          3. If the addressee fails to comply with the notice within (15) fifteen days of dispatching the notice, the Legal Person shall enter the notified data in the Register of Beneficial Owner.
             
          4. For the purpose of identifying the Beneficial Owner, the Legal Person may rely on the written response of the person to whom a notice was given, unless the Legal Person has reasonable reasons to suspect that the response is misleading or false, where he shall register the beneficial ownership data of such person as a Beneficial Owner and notify him of the same.
             
      • Article (8)

        • Register of Beneficial Owner

          1. The Legal Person shall keep and maintain the data of each Beneficial Owner in a Register of Beneficial Owner to be established within (60) sixty days from the date of promulgation of this Decision or the date on which the Legal Person comes into existence. The Legal Person shall update and record any changes to the data contained in the Register of Beneficial Owner within (15) fifteen days of becoming aware of such change.
             
          2. The Register of Beneficial Owner shall include the following data in respect of each Beneficial Owner:
            1. Full name, nationality, date and place of birth.
            2. Residential address or the address to which notices shall be sent by virtue of this Decision.
            3. Number of passport or identity card, the country of issuance, date of issuance and expiry.
            4. Basis and date on which the person became a Beneficial Owner of the Legal Person.
            5. Date on which the person ceased to be a Beneficial Owner of the Legal Person.
               
          3. If the Legal Person enters the name of a natural person as a Beneficial Owner in its Register of Beneficial Owner, and the information and data were not provided by such natural person or with his knowledge, the Legal Person shall, within (15) fifteen days of making such entry, notify the natural person of such inclusion.
             
          4. Any concerned or interested person may make an application to the competent court to rectify the Register of Beneficial Owner, in the following cases:
            1. Name of any person is, without sufficient cause, entered into or omitted from the Register of Beneficial Owner.
            2. A person's name is not entered into the Register of Beneficial Owner.
            3. An undue delay takes place in entrance of the name of any person into the Register of Beneficial Owner, or omitting the name of any person who has ceased to be a beneficial owner from the Register of Beneficial Owner.
               
          5. The Legal Person may not register or give effect to any document relating to a change in its ownership, unless a statement is provided by or on behalf of the transferee, which states whether the transfer will result in a change in the Beneficial Owner for the Legal Person, and the nature of such change or not. The said statement shall include the data of the new Beneficial Owner and to be entered into the Register.
             
      • Article (9)

        • Nominee Board Members

          1. A manager or board member who acts as a Nominee Board Member shall inform the Legal Person that he is a nominee board member and provide all the data referred to in Article (10) hereof within (15) fifteen days of becoming a nominee board member. A nominee board member who acquired such capacity prior to the promulgation of this Decision shall inform the Legal Person of this fact within (30) thirty days of the promulgation date of this Decision.
             
          2. A Nominee Board Member shall inform the Legal Person of any change to the data referred to in Article (10) hereof within (15) fifteen days of making such change.
             
          3. A Nominee Board Member shall inform the Legal Person that he ceased to be a nominee Board Member within (15) fifteen days of such cessation.
             
      • Article (10)

        • Register of Partners or Shareholders

          1. The Legal Person shall keep and maintain a Register of Partners or Shareholders, in which it includes the data in respect of each of its partners or shareholders. The Legal Person must update and record any change to the Register within (15) fifteen days of becoming aware of such change. The Register of Partners and Shareholders shall include:
            1. Number of shares held by each of them along with their categories and associated voting rights.
            2. Date on which such partner or shareholder acquired that capacity in the Legal Person.
            3. In case of natural partners or shareholders: the full name as it appears on the identity card or the passport, nationality, address, place of birth, name and address of employer and a true copy of the valid passport or ID.
            4. In case of corporate partners or shareholders: the data stated in Clause (1) of Article (4) hereof.
               
          2. The Legal Person shall enter into the Register of Partners or Shareholders the data of any partner(s) or shareholder(s) acting as Trustor or Nominee Board Member.
             
          3. The Register of Partners or Shareholders shall include the data of persons represented by any Trustee or Nominee Board Member, as specified in Clause (2) of Article (8) hereof.
             
      • Article (11)

        • Provision of Information to the Registrar

          1. The Legal Person shall, within (60) sixty days of the promulgation date of this Decision or date of licensing or registration of the Legal Person, furnish the Registrar with the data contained in the Register of Beneficial Owner and Register of Partners or Shareholders and shall carry out the reasonable procedures to protect its registers from loss, damage or destruction.
             
          2. The Legal Person shall provide any additional information as may be required by the Registrar within the specified duration.
             
          3. Subject to the legislation in force, the Legal Person shall furnish the Registrar with all data referred to in Clause (1) of Article (4) hereof, upon submitting the application of incorporation, licensing, registration, renewal, amendment or any other procedures as the Registrar may deem proper to this effect.
             
          4. The Legal Person shall provide the Registrar with the name of a natural person residing in the State and authorized to disclose to the Registrar all data and information required by the mentioned Federal Decree-Law or the Executive Regulations or this Decision, along with his address, contact numbers and a copy of his valid passport or ID.
             
          5. The licensed or registered Legal Person in the State may not issue bearer share warrants.
             
          6. The Legal Person shall, on the issuance of shares in the name of persons or board members, disclose to the Registrar the data in respect of such shares and the identity of such persons or board members within (15) fifteen days of such issuance.
             
          7. If the Legal Person is in the process of dissolution or liquidation, the liquidator shall hand over to the Registrar a copy of the Beneficial Owner Register and Register of Partners or Shareholders, if any, or a true copy thereof within (30) thirty days of his appointment.
             
          8. The Legal Person, its managerial body, the liquidator or other person responsible for the dissolution affairs of the Legal Person shall keep and maintain the records and all data referred to herein for at least (5) five years after the date of dissolution, liquidation or de-registration.
             
      • Article (12)

        • Notices issued by the Registrar

          1. For the Registrar to be able to carry out his tasks, the Legal Person, or any other person who has data or documents related to the Beneficial Owners or the Nominee Board Members, shall abide - without prejudice to any privilege he might have - by the Registrar's request to provide such data or documents, or disclose the same to his personnel or authorized agents. This is done by virtue of a written notice sent to either of them in the time and place specified in the notice.
          2. The granted powers to the Registrar by virtue of Clause (1) of this Article shall include:
            1. Take copies of the provided documents, according to circumstances as the Registrar deems fit.
            2. Where the data or documents are not provided, to require the person who was required to provide them to state where they are, attend at such time and place as may be required by the Registrar and answer any questions relating to any matters that require providing data.
          3. Lawyers and other independent legal professionals and chartered auditors shall be exempted from providing such information required in the notice where such provision relates to their assessment of the legal status of the Legal Person or its defense or representation in legal action, arbitration, mediation or conciliation or the provision of any legal opinion in a matter related to judicial proceedings, including an advice on initiating or avoiding such proceedings, whether such data have been obtained prior to, during or after the taking of judicial proceedings or in other circumstances under which they are subject to professional confidentiality.
             
      • Article (13)

        • Obligations of the Registrar

          The Registrar shall abide by the following:

          1. Prepare and issue the templates, notices and manuals related to the licensing or registration procedures, in such manner as may be required to achieve efficiency.
             
          2. Provide adequate human resources that enable him to perform his functions in an effective manner.
             
          3. Automate the information obtained by him, and classify the same in a manner that facilitates the reference thereto and exchange thereof with the Relevant Entities, upon request.
             
          4. Furnish the required data concerning the National Economic Register within (6) six months of the date of promulgation of this Decision and any other information as may be required by the Ministry.
             
          5. Furnish information on the Legal Persons in the State and make them available to public as follows:
            1. Description of their types, forms and main characteristics.
            2. Their licensing or registration procedures.
            3. The procedures for obtaining the basic information stated in Clause (1) of Article (4) hereof.
            4. The procedures for obtaining the Beneficial Owner data.
               
          6. Keep and maintain the basic information stated in Clause (1) of Article (4) hereof, and ensure that they are accurate, up-to-date and available to public.
             
          7. Obtain the Beneficial Owner data upon licensing or registering the Legal Person or the update thereof, and verify their accuracy.
             
          8. Maintain all registers delivered to him under Clause (7) of Article (11) hereof for a period of (5) five years after the date of dissolution, liquidation or de-registration of the Legal Person.
             
          9. Update the basic information stated in Clause (1) of Article (4) of this Decision and the data contained in the Register of Beneficial Owner and Register of Partners or Shareholders on constant basis, based on information provided by the Legal Person, and furnish or disclose the same to the Ministry upon Relevant Entity's request.
             
      • Article (14)

        • Change of Data

          1. The Legal Person shall keep and maintain all basic information required by virtue of Article (8) of this Decision, and the data contained in the Register of Partners or Shareholders and the Register of Beneficial Owner, and any other data or information that may be required to be kept by virtue of the legislation in force, to be accurate and updated.
             
          2. The Legal Person who makes an amendment or change in data or information required hereunder shall within (15) fifteen days of the date of making the amendment or change, notify the Registrar thereof.
             
      • Article (15)

        • Data Confidentiality

          1. The Ministry and Registrar shall not disclose to any person the data contained in the Register of Beneficial Owner or the Register of Partners or Shareholders, without a written consent of the Beneficial Owner or the Nominee Board Member.
             
          2. The provisions of Clause (1) above shall not apply to:
            1. Disclosure obligations set forth herein.
            2. Anything provided for by the international laws and conventions in force in the State, particularly the provisions of Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations.
      • Article (16)

        • Domestic and international cooperation

          1. The Ministry shall, upon a request from the Relevant Entities, provide to the Relevant Entities the basic information required under Clause (1) of Article (4) hereof and the data contained in the Register of Beneficial Owner and Register of Partners or Shareholders.
             
          2. The Ministry shall provide international cooperation in respect of the basic information on the Legal Person and the data contained in the Register of Beneficial Owner and Register of Partners or Shareholders. Such cooperation shall include:
            1. Facilitate the access of foreign authorities to the basic information contained in the registers of the Legal Person.
            2. Exchange data and information of the partners or shareholders of the Legal Person.
            3. Exercise its powers to obtain all the beneficial owner data on behalf of its counterpart foreign entities.
               
          3. The Ministry shall supervise the quality of implementation of international cooperation operations received by the other states in relation to the requests for basic information on the Legal Persons and the data in respect of the Beneficial Owner of the Legal Persons, and international cooperation requests on the whereabouts of the Beneficial Owner abroad.
             
      • Article (17)

        • Administrative Sanctions

          The Minister or any Licensing Authority delegated by him may, in case of contravention of the provisions hereof, impose one or more of the sanctions specified in the List of Administrative Sanctions issued by Cabinet Decision upon proposal of the Minister of Finance and after coordination with the Minister.

      • Article (18)

        • Grievance

          Sanctions imposed under the provisions of Article (17) hereof may be appealed within (30) thirty days from the notification date, before a committee formed to this effect by decision of the Minister or the Head of the delegated Licensing Authority. The Committee shall decide on the appeal within (30) thirty days from its submission date.

      • Article (19)

        • Repeals

          The Cabinet Decision No. (34) of 2020 concerning the Regulation of Beneficial Owner Procedures shall be repealed, and any provision that contradicts or is in conflict with this Decision shall be annulled.

      • Article (20)

        • Decision Promulgation and Entry into Force

          This Decision shall be promulgated in the Official Gazette and shall come into force on the day following its Promulgation.

    • Cabinet Decision 74 of 2020: Terrorism Lists Regulation and Implementation of UN Security Council Resolutions

      CABINET DECISION NO 74

      Issued on 27/10/2020.

      Corresponding to 10 Rabi’ Al Awwal 1442 AH

      Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolutions

      Abrogating:

      Cabinet Decision No. 20 dated 25/02/2019

      The Cabinet:

      - Having perused the Constitution,

      - Federal Law No (1) of 1972 on the Mandates of Ministries and Powers of Ministers, and amendments thereto;

      - Federal Law No. (17) of 2006 on the Establishment of the Supreme Council for National Security;

      - Federal Law No. (13) of 2007 on Goods Subjected to Import and Export Control, and amendments thereto;

      - Federal Law No. (7) of 2014 on Combating Terrorism Offences;

      - Federal Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations;

      - Cabinet Decision No. (20) of 2019 on Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing and Proliferation of Weapons of Mass Destruction, and Relevant Resolutions, and

      - Based on the proposal of the Minister of Foreign Affairs and International Cooperation and the Cabinet’s approval;

      Resolved as follows:

      • Article 1 - Definitions

        In the implementation of the provisions of this Decision, and unless the context otherwise requires, the following terms and expressions shall have the meanings cited against each:

        The State: The United Arab Emirates;

        The Council: The Supreme Council for National Security;

        The Ministry: The Ministry of Foreign Affairs & International Cooperation;

        The Competent Court: The Court that has jurisdiction over State Security Offences;

        The Office: The Executive Office of the Committee for Goods Subjected to Import and Export Control;

        Supervisory Authorities: Federal and Local authorities entrusted as per Legislations, with the supervision of Financial Institutions and Designated Non-Financial Businesses and Professions.

        Law Enforcement Authorities: Federal and Local authorities entrusted, as per Legislations with the tasks of combating crime, search, investigation, and collection of evidence in offences, including money laundering, financing of terrorism and the financing of illegal organizations.

        Sanctions Committee: Any of the UN Security Council Committees established as per its resolutions, including UNSCRs 1267 (1999) and 1989 (2011) relating to ISIL and Al-Qaida, 1988 (2011) relating to the Security and Stability of Afghanistan, and 1718 (2006) relating to the suppression and combating of proliferation of weapons of mass destruction for the DPRK.

        Listed Person: A person or organization listed by the UN Security Council on the Sanctions List, or listed by the Cabinet on Local Lists, as the case may be.

        Person: A natural or legal person.

        Ombudsperson: The person appointed by the UN Secretary General to assist the Sanctions Committee when examining requests submitted by individuals, groups, undertakings and entities for delisting from the ISIL and Al Qaeda Sanctions List.

        Focal Point: The focal point established within the Secretariat pursuant to UNSCR 1730 (2006) to receive petitions from persons or entities in the State or holding the State’s nationality, listed on the relevant list, requesting to be de-listed or seeking exemptions for humanitarian reasons, from a travel ban, or from freezing measures or persons claiming to have been wrongfully sanctioned.

        Relevant UNSCRs: All current and future UN Security Council resolutions relating to the suppression and combating of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, including but not limited to Resolutions 1267 (1999), 1988 (2011), 1989 (2011), 1718 (2006), 2231 (2015) and any successor resolutions.

        Listing: Identifying the individual or organization subject to sanctions imposed pursuant to relevant UNSCRs, decisions of the Sanctions Committee, or relevant decisions of the Cabinet, as the case may be, and implementing relevant sanctions against such individual or organization, with a statement of the reasons for listing.

        Local Lists: Terrorism lists issued by the Cabinet pursuant to the provisions of Article (63) paragraph (1) of Federal Law No (7) of 2014.

        Sanctions List: A list containing the names of individuals and organizations linked to terrorism, financing of terrorism or proliferation of weapons of mass destruction and its financing, and that are subject to sanctions imposed as per UNSCRs and decisions of the Sanctions Committee, along with information related to such persons and reasons for their listing.

        Narrative Summary: The declared part of the reasons for Listing an individual or organization on the Sanctions List annexed to the Listing decision by the Sanctions Committee.

        Funds: Assets of all types, in whatever form and however acquired, whether corporeal or incorporeal, tangible or intangible, movable or immovable, electronic, digital or encrypted, including national currency, foreign currencies, documents and legal instruments establishing ownership of such assets or any associated rights, in whatever form, including electronic or digital forms, as well as economic resources considered as assets of any kind, including oil and natural resources, and bank credits, checks, money orders, shares, securities, bonds, drafts, and letters of credit and any interest, dividends, or other income accruing from or generated by such assets, and that may be used to obtain any other funds, goods or services including internet posting services or related services.

        Other Measures: Sanction measures other than freezing that must be enforced, and which may be included in relevant UNSCRs or Cabinet decisions regarding the issuance of local lists, such as prohibitions relating to travel, weapons, imports, or provision of fuel supplies and other.

        Without Delay: Within 24 hours of the Listing decision being issued by the UN Security Council, the Sanctions Committee or the Cabinet, as the case may be.

      • Article 2 - Mandate of the Council

        1. For the purposes of implementing the provisions of this decision, the Council shall have the following mandate:
           
          1. Establish one Local List or more, where it proposes the listing, de-listing or re-listing of terrorist persons and organizations and the updating of such list, whether spontaneously or upon the request of another country, or in case the State has an international obligation to list such persons or organizations.
             
          2. Coordinate with other countries to list a terrorist person or organization in their local terrorist lists.
             
          3. Propose the listing of terrorist persons or organizations on the Local List to the Sanctions Committee.
             
          4. Submit requests for de-listing terrorist persons or organizations from the Sanctions List, when it believes that such terrorist persons or organizations do not or no longer meet the designation criteria, while taking into account procedures and criteria set out in relevant UNSCRs.
             
          5. Conduct a regular review of Local Lists in coordination with the Ministry of Justice. The Council is entitled to request any clarifications or document it deems suitable from Law Enforcement Authorities and concerned entities in the State to review such, provided that the period for review does not exceed one year.
             
        2. The Council shall exercise its powers set forth in sub-paragraphs a, b and c of paragraph 1 of this Article in accordance with the rules and procedures set forth in Relevant UNSCRs, whenever there are reasonable grounds for such, irrespective of the existence of criminal proceedings.
           
      • Article 3 - Proposing Listing and Re-listing on Local Lists and Updating Such

        Subject to the provisions of Article (2) Paragraph (2) of the present Decision, the Council shall coordinate with any entity it deems suitable in the State and abroad to obtain information regarding the designation of terrorist persons and organizations that meet the designation criteria for the purpose of preparing a proposal for listing on Local Lists according to the following procedures:

        1. The Council shall, unilaterally and without prior notice to the Listed Person, establish one Local List or more where it proposes the Listing of terrorist persons and organizations, or propose Listing upon the request of another country, whenever the Council is satisfied with the presence of reasonable grounds or sound basis for suspicion or when it believes that such person or organization meets the designation criteria for Listing, or if the State is internationally committed to list such persons and organizations. The Council shall take such decision as swiftly as possible.
           
        2. In the Listing process, the Council shall take into account the designation criteria contained in UNSCR 1373 (2001), which include the following:
           
          1. Any person or organization that commits, attempts to commit, participates in or facilitates the commission of terrorist acts.
             
          2. Any organization directly or indirectly owned or controlled by a person or organization as set out in sub-paragraph (a) of paragraph (2) of the present Article.
             
          3. Any person or organization acting on behalf of or at the direction of any person or organization as set out in sub-paragraph (a) of paragraph (2) of the present Article.
             
        3. The Council shall coordinate with the Ministry of Justice with regard to proposed Listing on Local Lists, if the Council determines that a person or an organization meets the designation criteria referred to in paragraph (2) of the present Article. The Council then forwards the proposal to the Ministry of Presidential Affairs for consideration and issuing by the Cabinet.
           
        4. In case Local Lists were issued by the Cabinet, the Office shall be notified for publication, Without Delay, as per its established procedures.
           
        5. The procedures set forth in the present Article shall be implemented when Local Lists are updated, and when re-listing any previously de-listed person, in case there are reasons requiring their Listing in such lists, in accordance with the provisions of paragraph (2) of the present Article.
           
      • Article 4 - De-listing From Local Lists

        The Council may de-list a Listed Person from Local Lists according to the following procedures:

        1. The Council shall notify the Ministry of Presidential Affairs of reasons to de-list, if it considers that the information or evidence regarding a Listed Person on the Local List no longer require their listing, and once it has verified that the reasons for the Listing no longer exist.
           
        2. The Ministry of Presidential Affairs shall be in charge of submitting the proposal to de-list the Listed Person from the Local Lists to the Cabinet, in order for the Cabinet to decide whether to approve or reject the request.
           
        3. The Office shall be notified of the de-listing decision referred to under paragraph (2) of the present Article, immediately upon issuance thereof, to circulate the decision, lift freezing and any other measures taken, as per its established procedures.
           
      • Article 5 - Enforcement and Publication of Local Lists

        1. Decisions to list, de-list and re-list on Local Lists, and to update such lists shall be effective from the date of their issuance, or from the date determined by the Cabinet, and shall be published in the Official Gazette.
           
        2. Decisions to list, de-list and re-list on Local Lists, and to update such lists shall be published in the media, in both Arabic and English, as per the regulations established by the Council.
           
      • Article 6 - Grievances Against Decisions to List on Local Lists

        Anyone whose name is listed on Local Lists may file a grievance against such decision according to the following procedure:

        1. The Listed Person may submit, in person or through a legal representative, a written grievance application to the Office, in accordance with the latter’s established mechanism, attaching thereto all documents supporting the grievance.
           
        2. The Office shall refer the grievance to the Council for review and examination. Both the Office and the Council shall have the right to request any clarifications or further documentation from the applicant, or from Law Enforcement Authorities or other relevant entities in the State, for the purposes of deciding on the application.
           
        3. The Council shall receive the grievance application, verify whether it is new or recurring, and may reject it, if it was recurring and did not include additional information other than the information contained in the previous grievance, or for any other reasons.
           
        4. If the Council, during its review of the grievance application, determines that the information or evidence regarding the Listed Person on Local List no longer require their listing, and once it has confirmed that the reasons that called for the Listing no longer exist, the Council shall notify the Ministry of Presidential Affairs.
           
        5. The Minister of Presidential Affairs shall be in charge of submitting the grievance application, along with the Council’s opinion to the Cabinet, as per its established submittal mechanisms, in order for the Cabinet to make a decision to either approve or reject the grievance.
           
        6. In case of approval of the grievance by the Cabinet, the name of the Listed Person shall be removed from Local Lists and freezing and other measures taken in accordance with the Listing decision shall be lifted. The Office shall be notified immediately upon issuance thereof to notify the applicant and publish the decision as per the Office’s established procedures.
           
        7. In case the grievance is rejected or if no response is received regarding the application within sixty days from the date of its submission, the applicant may appeal the Cabinet’s Listing decision before the Competent Court within sixty days from the date he/she was notified of the rejection, or from the expiry of the response period.
           
        8. The court’s decision regarding the grievance shall not be subject to appeal. If a grievance is rejected, a new grievance may only be submitted after six months from the date of rejection of the previous grievance, unless a serious reason that is accepted by the president of the court arises before the expiry of such period.
           
        9. An appeal against a Listing or re-Listing decision shall not be accepted before a grievance against it is filed and rejected, or before the period given to respond expires, as set out in the present Article.
           
      • Article 7 - Lifting Freezing and Other Measures in the Case of False Positives on Local Lists

        Any person or organization inadvertently affected by freezing or other measures due to a similarity between their name and the name of a Listed Person on Local Lists, and any person or organization that has been affected by such measures may cancel such procedures as follows:

        1. Submitting a written request to the Office, in person or through a legal representative, to lift freezing or any other measures taken against them, along with all supporting documents.
           
        2. The Office shall refer the request to the Council for examination. Both the Office and the Council may ask for any clarifications or additional documents from the applicant, Law Enforcement Authorities or relevant entities in the State, for the purpose of deciding on the request.
           
        3. After examining that the applicant or his/her funds are not related to the Listing, the Council shall issue its decision to accept or reject the request, and shall send such decision, within thirty days from date of receipt of the request to the Office, which would in turn notify the applicant of the outcome in writing.
           
        4. In case the request is accepted by the Council, the Office shall address the entity where the funds are frozen, Law Enforcement Authorities and the entities concerned with Other Measures, to lift the actions taken against the applicant. The addressed entity should immediately execute the decision.
           
        5. In case the request is rejected by the Council, or if no response to the request is received within thirty days from date of its submission, the applicant may file a grievance before the Competent Court within sixty days from the date of notification of the rejection, or from the expiry of the response period.
           
        6. The court’s decision on the grievance shall not be subject to appeal, and if the court ruled to reject the grievance, a new grievance may only be filed after six months from the date of rejection of the grievance, unless a serious reason that is accepted by the president of the court arises before the expiry of such period.
           
        7. An appeal against a decision to apply freezing and Other Measures shall not be accepted before a grievance against such is filed and rejected, or before the period given to respond expires, as set out in the present Article.
           
      • Article 8 - Permission to Use Funds Frozen pursuant to Listing on Local Lists

        1. Any Listed Person on Local Lists, or their legal representative, and any interested party may submit to the Office a written request to use the Listed Person’s frozen Funds. The Office shall refer the request to the Ministry of Justice, provided such request includes all supporting documents.
           
        2. The Ministry of Justice shall examine the request, its reasons and the amounts to which access is requested and may reduce such amounts or reject the request based on justified reasons.
           
        3. Following coordination with the Council, the Ministry of Justice may approve the request to use the frozen funds of a Listed Person on Local Lists, for any of the following purposes:
           
          1. To cover necessary or basic expenses, such as the amounts payable for foodstuff, rent, mortgage, medicine, medical treatment, taxes, insurance premium, educational or judicial fees, or public utility fees.
             
          2. To pay professional fees or costs relating to legal services rendered or other extraordinary expenses within reasonable limits; or fees for services relating to safekeeping or management of frozen Funds.
             
        4. The Ministry of Justice shall notify the Office of the approval or rejection of the request, and the Office shall in turn notify the applicant of the decision in writing.
           
        5. In case the request is rejected, or if no response to the request is received within thirty days from date of its submission, the applicant may file a grievance before the Competent Court within thirty days from the date when he/she was notified of the rejection, or from the expiry of the response period.
           
        6. An appeal against the rejection of the request shall not be accepted before a grievance against it is filed and rejected, or before the period given to respond expires, as set out in the present Article.
           
        7. In all cases, the procedures set forth in UNSCR 1452 (2002) and any successor resolutions shall be taken into account.
           
      • Article 9 - Request to Listing on Another Country's List

        Subject to paragraph (2) of Article (2) of the present Decision, the Council may, unilaterally, request a foreign country to list a person or organization that meets the designation criteria under UNSCR 1373 (2001) on the local list of such country, through the following procedures:

        1. Communicate through diplomatic or established security channels with the country of nationality or previous or current residence of the person or organization, to obtain, as much as possible, information supporting the Listing request.
           
        2. The Listing request should include as many details as possible on the grounds and justifications of such request and may include the following:
           
          1. Specific information supporting links to terrorist organizations, individuals or activities or otherwise establishing that the person or organization meets the designation criteria.
             
          2. Evidence or documents supporting the Listing request such as reports from Law Enforcement Authorities, security services, the Judiciary, the media and others.
             
        3. The Council shall attach to the Listing request all personal information to enable accurate and positive identification of the person requested for listing, along with all data and information supporting that the person requested for listing meets the designation criteria set forth in UNSCR 1373 (2001).
           
        4. The Council shall send the Listing request to the Ministry, which would in turn address the concerned country and notify the Council upon receipt of the response.
           
      • Article 10 - Proposal for Listing to the Sanctions Committee

        Subject to paragraph (2) of Article (2) of the present Decision, and if the Council is satisfied that there are reasonable grounds or a sound basis to suspect or believe that a person or organization meets the designation criteria for Listing on the Sanctions List, the Council may, unilaterally and without prior notice, propose Listing on the relevant Sanctions List of any person or organization, by submitting such proposal to the Security Council or the concerned Sanctions Committee such as those established pursuant to UNSCRs 1988 (2011), 1267 (1999), 1989 (2011), 2253 (2015), 1718 (2006) and 2231 (2015) for designation and successor resolutions, while taking into account the relevant designation criteria and using the standard forms approved by the relevant committee for Listing in accordance with the following procedures:

        1. The Council shall seek to collect information about the person or organization proposed for Listing using the assistance of Law Enforcement Authorities and relevant entities in the State, for the purposes of preparing the proposal for Listing on the Sanctions List.
           
        2. The Council shall communicate, through diplomatic or established security channels with the country of nationality or current or past residence of the proposed person in order to obtain information, if possible.
           
        3. The Listing proposal must include a detailed statement of the case to support the proposed Listing, and the specific criteria on the basis of which the name of the person or organization was proposed for Listing, including:
           
          1. Specific results and reasons showing fulfillment of the Listing criteria as set out in relevant UNSCRs or by the relevant Sanctions Committee.
             
          2. Evidence or documents supporting the Listing proposal such as reports of Law Enforcement Authorities, security services, the Judiciary, the media and others.
             
          3. Details on any relationship with a person currently listed on the Sanctions List.
             
        4. The Council shall work on providing a statement of information to the extent possible as per the Consolidated Form for the purposes of Listing on the relevant Sanctions List.
           
        5. The Listing proposal must include a statement by the State as to whether the Sanctions Committee can disclose that the State is the entity requesting the listing or not.
           
        6. The Council shall send the Listing proposal to the relevant Sanctions Committee through the Office.
           
      • Article 11 - Mandate of the Office

        For the purposes of implementing the provisions of the present Decision, the Office - as a National Coordination Body - shall have the following mandate:

        1. Take necessary measures to implement UN Security Council resolutions, Without Delay and without prior notice to the Listed Person, in accordance with the requirements thereof, particularly resolutions related to Terrorism, Terrorist Financing and the Prevention, Suppression and Disruption of Proliferation of Weapons of Mass Destruction and its Financing.
           
        2. Publish the Sanctions List and the updated Local Lists on the Office’s website, Without Delay.
           
        3. Notify a Listed Person residing in the State of their Listing, after the completion of the Funds freezing procedures, and provide such Listed Person with the Narrative Summary directly, or with the necessary information on the reasons for their listing, and explain the implications of their Listing on the Sanctions List, the procedures that the Sanctions Committee follows in considering requests for de-listing from the Sanctions List, including the possibility of submitting such requests to the Ombudsperson or Focal Point, as the case may be, in addition to the possibility of using part of the Funds frozen in accordance with the provisions of the present Decision, by making this information available on the Office’s website.
           
        4. Receive and process notifications relating to measures taken in implementation of the relevant UNSCR or Local Lists.
           
        5. Receive grievances against Listing on Local Lists, requests for lifting freezing or Other Measures taken against persons with names similar to the names of Listed Persons, in addition to requests for using frozen Funds.
           
        6. Internal coordination and exchange of information between concerned entities regarding the implementation of the provisions of the present Decision, including coordination to develop typology reports on the evasion of freezing and Other Measures, and cooperation with the Financial Intelligence Unit (FIU) in developing red flags at financial institutions and DNFBPs related to evading freezing and Other Measures.
           
        7. Collect the results of supervision and enforcement measures from Supervisory Authorities related to implementing the provisions of the present Decision and coordinate efforts in this regard.
           
        8. Communicate and engage with FIs, DNFBPs and the public with regards to the implementation of the provisions of the present Decision, including by providing training, outreach and awareness raising in coordination with Supervisory Authorities, in order to enhance effectiveness at the level of receiving notifications from the Office related to the Sanctions List and Local Lists, Without Delay; and issue the necessary instructions on compliance and collect statistics related to the implementation of the present Decision.
           
      • Article 12 - Publication of the Sanctions List, Local Lists, and Implementation of Related Decisions

        1. The Office shall publish the Sanctions List and Local Lists by sending them using the means it deems appropriate to Supervisory Authorities, financial institutions and DNFBPs for the implementation of the freezing decision, and to Law Enforcement Authorities for the implementation of Other Measures, Without Delay and without prior notice to the Listed Person.
           
        2. Law Enforcement Authorities and Supervisory Authorities shall provide the Office with any information, if applicable, regarding the outcome of the implementation of the freezing or Other Measures, as the case may be, within five business days from the date of implementation.
           
        3. The Office shall send the data and information received from Supervisory Authorities and Law Enforcement Authorities to the UN Security Council and the Sanctions Committee, as the case may be, through the Ministry.
           
        4. The Office shall send information and data received from Supervisory Authorities and Law Enforcement Authorities regarding measures taken in relation to Local Lists, to the Council.
           
      • Article 13 - Declared Procedures Relating to Sanctions List

        The Office shall state, on its official website, procedures for submitting requests for de-listing from the Sanctions List, including the following procedures:

        1. Guiding Listed Person as per relevant UNSCRs to submit a de-listing request to the Ombudsperson or Focal Point directly, as the case may be, showing the applicable steps to submit a request as indicated below:
           
          1. Submit a request to the Focal Point or the Ombudsperson, as the case may be, to verify such, coordinate with the concerned states and present the request to the relevant Sanctions Committee.
             
          2. The Office shall receive, from the Ombudsperson or the Focal Point, the additional information request related to the Listed Person’s request for de-listing.
             
          3. The Office shall coordinate with the concerned authorities it deems appropriate to examine the request for additional information during the period specified by the Ombudsperson or Focal Point, and provide them with its observations and to what extent the Listed Person or organization is entitled to be de-listed. The Office may ask any questions or ask for more clarifications from the Listed Person submitting the request and shall respond to any other queries raised by the Ombudsperson or Focal Point.
             
        2. Procedures to lift freezing measures imposed due to a false positive.
           
        3. Cases where access to frozen Funds is permitted and cases of exemption from Other Measures.
           
        4. Mechanisms for notifying Supervisory Authorities, Law Enforcement Authorities, Financial Institutions and DNFBPs of cases of de-listing or lifting of freezing measures.
           
      • Article 14

        1. The Office shall submit a request for de-listing a deceased person or a defunct organization from the Sanctions List and Local Lists, to the Ombudsperson or Focal Point, as the case may be, along with a death certificate for natural persons and any information proving that the organization no longer exists or is no longer active.
           
        2. The Office shall take necessary actions to ensure, in coordination with concerned entities, that the funds that were in the possession of the Listed Person are not transferred or at any time distributed to other persons listed on the Sanctions List or Local Lists, including ensuring that none of the legal heirs or beneficiaries of the Funds is listed on the Sanctions List or Local Lists, and the Office should notify the Ombudsperson or Focal Point, as the case may be, to such effect.
           
        3. The Office shall take necessary actions to lift the freezing of Funds of Listed Person referred to in the present Article, after receiving the response of the Ombudsperson or Focal Point, as the case may be. If the State was the party that proposed the Listing on the Sanctions List, and a de-listing request was submitted to the Ombudsman or Focal Point, the Office shall examine the request in coordination with the Council and shall proceed with the actions mentioned in the present Article.
           
      • Article 15 - Freezing Funds As per the Sanctions List & Local Lists

        1. Any person shall, Without Delay and without prior notice, freeze Funds as per the Sanctions List and Local Lists without limiting such measure to funds that may only be used to perpetrate a certain act, conspiracy, threat or agreement related to terrorism and its financing or WMD proliferation and its financing. The freezing measure shall include the following:
           
          1. Funds owned or controlled, wholly or jointly, directly or indirectly, by the Listed Person or funds owned or controlled, wholly or jointly, directly or indirectly, by a person or organization acting on behalf or at the direction of the Listed Person;
             
          2. Funds derived or generated from funds under sub-paragraph (a) of the present Article.
             
        2. Any person must notify the Office of any freezing measures taken pursuant to Paragraph (1), within five business days of the date of the freezing.
           
        3. No person shall make funds available or provide financial or other related services, whether in whole or in part, directly or indirectly, to any of the persons or entities mentioned in paragraph (1) of the present Article, except upon authorization from the Office in line with the provisions of the present Decision, and after coordination with the Council or the UN Security Council or the relevant Sanctions Committee, and in line with Cabinet decisions regarding the issuance of Local Lists, or relevant UNSCRs, as the case may be.
           
        4. In all cases, the rights of bona fide third parties shall be taken into account when implementing any freezing measure.
           
      • Article 16

        1. The implementation of freezing measures pursuant to UNSCRs 1718 (2006) and 2231 (2015) shall not prevent adding to the frozen account any interest, profits or other payments due under contracts, agreements or obligations that arose prior to the date on which the account was subject to provisions of the said resolutions, provided such additions are immediately frozen and reported to the Office.
           
        2. In all cases, procedures set forth in UNSCRs 1452 (2002), 2231 (2015), 1718 (2006) and 2270 (2016) and any successor resolutions must be observed.
           
      • Article 17

        The implementation of a freezing order pursuant to UNSCR 1737 (2006), continued pursuant to UNSCR 2231 (2015) or taken pursuant to UNSCR 2231 (2015), shall not prevent a Listed Person or organization from making a payment due under a contract that was concluded prior to their listing, subject to the following conditions:

        1. The Office has determined that the contract is not related to any prohibited items, materials, equipment, goods, technologies, assistance, training, financial assistance, investments, brokerage or services referred to in UNSCR 2231 (2015) or any future successor resolution.
           
        2. The Office has determined that the payment is not received, directly or indirectly, by any person or organization listed pursuant to Paragraph (6) of Appendix B of UNSCR 2231 (2015).
           
        3. The Office has submitted a prior notification to the UN Security Council, including its request to make or receive such payments or to authorize, where appropriate, the unfreezing of funds for this purpose, within ten business days before the issuance of such authorization.
           
      • Article 18 - Lifting the Freezing of Funds & Other Measures Taken in Cases of False Positives on the Sanctions List

        The mechanism for lifting freezing and any other measures taken against a person or organization bearing a name similar to that of a listed person, shall be as follows:

        1. The affected person shall submit a written request to the Office in person or through a legal representative, to lift freezing or any other measures taken against him, along with all documents supporting a false positive.
           
        2. The Office shall examine the request, and for the purposes of deciding on the request, may ask for any clarifications or additional documents it deems suitable from the applicant, the UN Security Council, the relevant Sanctions Committee or any other party.
           
        3. The Office shall issue its decision to reject or approve the request to lift the freezing measures within thirty days from date of receipt of the request and shall notify the applicant accordingly.
           
        4. The Office shall communicate the decision to approve the request, to the entity where the funds are frozen, Law Enforcement Authorities and concerned agencies. The addressed organization shall immediately execute the decision to lift freezing and other measures taken against the applicant due to a false positive.
           
        5. In case the request to lift freezing and Other Measures is rejected, or remains without a response for thirty days from date of its submission, the applicant may file a grievance before the Competent Court within sixty days from the date on which he/she was notified of the rejection of the request, or from the expiry of the response period.
           
        6. The court’s decision regarding the grievance shall not be subject to appeal. If a grievance is rejected, a new grievance may only be submitted after six months from the date of rejection of the previous grievance, unless a serious reason that is accepted by the president of the Court arises before the expiry of such period.
           
        7. An appeal against a decision regarding freezing or Other Measures shall not be accepted before a grievance against such is filed and rejected, or the period for responding to such grievance has elapsed, as set out in the present Article.
           
      • Article 19 - Permission to Use Funds Frozen as Per the Sanctions List

        1. The Office may approve a person’s request to access funds frozen as per the Sanctions List, in the following cases:
           
          1. To cover necessary or basic expenses, such as the amounts payable for foodstuff, rent, mortgage, medicine, medical treatment, taxes, insurance premiums, educational or judicial fees, or public utility fees.
             
          2. To pay professional fees and costs relating to rendered legal services within reasonable limits; or services relating to the safekeeping or management of frozen Funds.
             
          3. To cover extraordinary expenses other than those mentioned in sub-paragraphs (a and b) of this paragraph.
             
          4. In the case of sanctions imposed pursuant to UNSCRs 1718 (2006) and 1737 (2006), and continued as per UNSCR 2231 (2015), and in addition to the measures mentioned above, if access was requested to use frozen funds which are subject to mortgage, or a judicial, administrative or arbitral lien or ruling, and if the funds will be used, exclusively, to satisfy the expenses of that lien or judgment, and provided that the mortgage or the ruling entered into effect at a time prior to the date of the listing in accordance with the referenced resolutions, and that the funds are not used for the benefit of any Listed Person, and after the Office notifies the UN Security Council or the relevant Sanctions Committee, as the case may be.
             
        2. Requests for the purpose of deciding on any of the items under paragraph (1) of this article, shall be submitted directly to the Office, by the Listed Person or their legal representative, along with all supporting documents.
           
        3. The Office shall examine the requests referred to in paragraph (2) of this article, their reasons, and the requested amounts, and may reduce or reject such amounts, based on justifiable grounds.
           
        4. In the event that the submitted request is related to the expenses mentioned in sub-paragraphs (a, b, and d) of paragraph (1) of the present Article, the Office must notify the UN Security Council or the Sanctions Committee of its intention to approve the submitted request following consideration thereof in accordance with the provisions of paragraph (3) of this article, and in case the sanctions committee does not object, or issue a decision of rejection within five business days from the date of its notification, the funds that the Office agreed to unfreeze shall be unfrozen and the entity holding the frozen funds shall be immediately notified in writing to such effect and asked to implement the decision immediately. Such entity shall notify the Office of the actions taken in this regard.
           
        5. In case the submitted request relates to the expenses mentioned in sub-paragraph (c) of Paragraph (1) of the present Article, the Office shall notify the Sanctions Committee of its intention to approve the submitted request following consideration thereof in accordance with the provisions of Paragraph (3) of this article, and obtain the Sanctions Committee’s written approval.
           
        6. For the purposes of paragraphs (4) and (5) of this article, the Office must notify the person requesting the use of funds frozen as per the Sanctions List, or their legal representative, in writing, of its approval of the request or its justified rejection of such, as soon as possible.
           
        7. The Office may revoke its decision to approve the request to use funds frozen under the Sanctions List, any time there are reasonable grounds for suspicion that the funds are used for financing terrorism or financing WMD proliferation.
           
        8. In case the request to use funds frozen under the Sanctions List is rejected, or remains without response for thirty days from date of its submission, the applicant may file a grievance before the Competent Court within sixty days from the date on which he/she was notified of the rejection of the request, or from the expiry of the response period.
           
        9. The Court’s decision on the grievance may not be appealed, and if the court ruled to reject the grievance, a new grievance may only be filed after six months from the date of rejection of the grievance, unless a serious reason that is accepted by the president of the Court arises before the expiry of such period.
           
        10. An appeal against a decision to refuse the use of frozen funds shall not be accepted before a grievance against such is filed and rejected, or the period for responding to such grievance has elapsed.
           
        11. In all cases, the procedures set forth in UNSCRs 1452 (2002), 1718 (2006) and 2231 (2015) and any successor resolutions, shall be observed.
           
      • Article 20

        The Office may set any controls it deems appropriate for the exemptions and payments stipulated in this Decision, to prevent the use of the funds for financing terrorism or WMD proliferation.

      • Article 21 - Obligations of Financial Institutions and DNFBPs

        For the purposes of implementing the present Decision, financial institutions and DNFBPs shall abide by the following:

        1. Register on the Office’s website in order to receive notifications related to new listing, re-listing, updating, or de-listing decisions issued by the UN Security Council, the Sanctions Committee or the Cabinet.
           
        2. Regularly screen their databases and transactions against names on lists issued by the UN Security Council, the Sanctions Committee or the Local Lists, and also immediately when notified of any changes to any of such lists, provided that such screening includes the following:
           
          1. Searching their customer databases.
             
          2. Search for the names of parties to any transactions.
             
          3. Search for the names of potential customers.
             
          4. Search for the names of beneficial owners.
             
          5. Search for names of persons and organizations with which they have a direct or indirect relationship.
             
          6. Continuously search their customer database before conducting any transaction, or entering into a serious business relationship with any person, to ensure that their name is not listed on the Sanctions List or Local Lists.
             
        3. Implement freezing measures, without delay, and without prior notice to the Listed Person, immediately when a match is found through the screening process referred to in paragraph (2) of this article.
           
        4. Implement decisions to lift freezing measures without delay, pursuant to Relevant UNSCRs or decisions of the Cabinet regarding the issuance of Local Lists.
           
        5. Immediately notify the Supervisory Authority in the following cases:
           
          1. Identification of funds and actions that have been taken as per requirements of Relevant UNSCRs or decisions of the Cabinet regarding the issuance of Local Lists, including attempted transactions.
             
          2. Detection of any match with listed persons or entities, details of the match data and actions that have been taken as per the requirements of Relevant UNSCRs and Local Lists, including attempted transactions.
             
          3. If it was found that one of its previous customers or any occasional customer it dealt with, is listed on the Sanctions List or Local Lists.
             
          4. If it suspects that one of its current or former customers, or a person it has a business relationship with is listed or has a direct or indirect relationship with the Listed Person.
             
          5. No action has been taken due to a false positive, and the inability to dismiss such false positive through available or accessible information.
             
          6. Information relating to funds that have been unfrozen, including their status, nature, value and measures that were taken in respect thereof, and any other information relevant to such decisions.
             
        6. Establish and effectively implement internal controls and procedures to ensure compliance with the obligations arising from this Decision.
           
        7. Establish and implement policies and procedures that prohibit staff from, directly or indirectly, informing the customer or any third party that freezing or any Other Measures shall be implemented in accordance with the provisions of this Decision.
           
        8. Cooperate with the Office and the Supervisory Authority in verifying the accuracy of submitted information.
           
      • Article 22 - Obligations of Supervisory Authorities

        Supervisory Authorities shall abide by the following:

        1. Receive all information from FIs and DNFBPs regarding frozen funds, or any measures taken in compliance with prohibition requirements pursuant to the present Decision, including attempted transactions and send such information to the Office within five working days from the date of its receipt.
           
        2. Supervise, monitor and follow-up to ensure compliance with the provisions of this Decision, through onsite and offsite inspection, and imposing appropriate administrative sanctions in case of violation or failure to implement such provisions.
           
        3. Establish a list of cases detected, as per the provisions of this Decision, by FIs and DNFBPs, where the customer or beneficial owner was a Listed Person or organization.
           
        4. Identify any funds related to a Listed Person that have been detected and frozen by FIs and DNFBPs, and whether or not relevant reports were submitted to the Office in line with the provisions of the present Decision.
           
        5. Submit reports to the Office at least semiannually on results of supervision, monitoring and follow-up on the implementation of FIs and DNFBPs of their obligations under the present Decision.
           
      • Article 23 - General Provisions

        1. Any person who, due to the nature of their work, has access to, or becomes aware of, any information provided or exchanged pursuant to the provisions of the present Decision, whether directly or indirectly, shall not disclose this information in any form, unless for the purposes of implementing the present Decision.
           
        2. A person who, in good faith, freezes Funds, denies disposal thereof, refuses to provide financial services relating thereto, or declines to perform any other obligation in compliance with the provisions of the present Decision, shall be exempt from any damages or claims resulting from such actions.
           
        3. Violating the provisions of the present Decision shall result in the implementation of penal and administrative sanctions stipulated in Federal Decree Law No. (20) of 2018.
           
      • Article 24 - Administrative Measures

        1. Both the Council and the Office may, within the limits of their respective mandates, issue procedures and instructions concerning the implementation of the present Decision.
           
        2. Procedures, criteria and templates adopted by the UN Security Council and its Committees are considered the main reference for implementing the provisions of the present Decision and any other related procedures.
           
        3. Subject to relevant UNSCRs, the Council or the Office, as the case may be, may ask the Ministry of Justice to appoint whoever it deems appropriate to manage frozen Funds, if necessary.
           
      • Article 25 - Repeal of Conflicting Provisions

        Cabinet Decision No. (20) of 2019 referred to above is hereby repealed, as are any provisions conflicting with the provisions of the present Decision.

      • Article 26 - Publication and Entering into Effect

        The present Decision shall be published in the Official Gazette, and shall come into effect on the day following the date of its publication.

    • Registered Hawala Providers Regulation

      The Chairman of the Board of Directors of the Central Bank,

      Having perused the provisions of Federal Law No. (7) of 2014 regarding Combating Terrorism Crimes;

      Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities;

      Decretal Federal Law No. (20) of 2018 on Anti-Money Laundering and Countering the Financing of Terrorism and Illegal Organizations and its Executive Regulations;

      The Central Bank Board of Directors’ Resolution No 20/2/2019 regarding approving the Registered Hawala Providers Regulation; and

      National Anti-Money Laundering Committee’s decision in its meeting of 14 June 2012.

      Has decided the following:

      • Objective:

        The objective of this Regulation is to provide a regulatory framework for Hawala Providers in the UAE in order to operate within the UAE financial sector in a robust and prudent manner. As such, the framework set out in this Regulation is aimed at protecting the customers of Registered Hawala Providers and the reputation of the financial system of the UAE.

        This Regulation is issued by the Central Bank pursuant to the powers vested in the Central Bank Law.

        Where this Regulation includes a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements, which are additional to the list provided in the relevant article.

      • Application:

        This Regulation applies to any person carrying out Hawala activity in the UAE.

      • Article 1: Definitions

        The following terms and phrases shall have the definitions assigned to them for the purpose of this Regulation:

        Central Bank: The Central Bank of the United Arab Emirates;

        Central Bank Law: Decretal Federal Law No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities;

        Hawala Activity: The arrangements for transfer and receipt of funds or equivalent value and settlement through trade and cash;

        Hawala Provider Certificate: The certificate issued by the Central Bank for carrying on Hawala activity in the U.A.E;

        Juridical Person: A juridical person in accordance with Article 92 of Federal Law No. 5 of 1985 Concerning the Issuance of the Civil Transactions Law as amended. For the purpose of this Regulation, this definition only refers to Juridical Persons in the UAE;

        Registered Hawala Provider: Any natural person holding a valid residency visa or Juridical Person, who is registered in the Central Bank’s Hawala Providers Register in accordance with the provisions of this Regulation, including its agents or a network of agents;

        Registered Hawala Provider’s Agent: Any natural or Juridical Person carrying out activity on behalf of a Registered Hawala Provider, whether by contract with or under the direction of the Registered Hawala Provider; and

        Regulations: Any resolution, regulation, circular, rule, instruction, Standard or notice issued by the Central Bank.

        The terms mentioned in the Central Bank Law shall bear the same meanings ascribed thereto in the said Law when used in this Regulation, unless a definition otherwise is stated herein.

      • Article 2: Registration and Certificate Requirements

        2-1 A resident natural person or a juridical person may not carry on Hawala activity in the UAE unless he holds a Hawala Provider Certificate issued by the Central Bank in accordance with the provisions of this Regulation.

        2-2 Any natural person or juridical person may apply for registration and obtain a Hawala Provider Certificate. The said application shall be made on the Central Bank’s prescribed form for this purpose and be accompanied by the following documents:

        1. A statement showing the nature and scope of the Hawala activity carried out by the applicant, in addition to any plans he may have for future business expansion, and details of the applicant’s arrangements for management of his business;
           
        2. The applicant’s name, address, age and occupation, along with a true copy of his UAE ID card and/or passport, for natural persons, and a true copy of the commercial license for juridical persons;
           
        3. An undertaking by the applicant:
           
          1. to guarantee all transfers for its customers;
             
          2. that the Central Bank bears no responsibility whatsoever towards customer funds regardless of their value;
             
          3. to maintain an account with a bank operating in the UAE to be used for settlement and provide the Central Bank with details of such account;
             
          4. to abide, alike with its agents, by all UAE established laws, including civil laws, commercial companies’ law, federal laws on AML/CFT, and Central Bank Regulations;
             
          5. to notify the competent authorities of the violation of said laws and Regulation;
             
          6. to make his records and documents available for examination by the Central Bank's staff or any third party authorized to act on its behalf;
             
          7. to provide any information or documents the Central Bank may require for the purposes of deciding on the application for registration;
             
          8. to amend the license provided by the relevant economic department to reflect Hawala activity; and
             
          9. to install all security systems (alarm system/CCTV), in accordance with the relevant authority requirements and use authorized cash transit service providers for bulk currency transfers.

        3-2 A Hawala Provider Certificate shall only be granted if the following conditions are met:

        1. The applicant undertakes to provide the Central Bank, electronically via the Central Bank’s Remittance Reporting System and/or other applicable Central Bank system, with the data and information on remitters and beneficiaries required as per the forms prepared by the Central Bank for this purpose;
           
        2. The applicant is not of UAE nationality and is legally competent and officially residing in the UAE;
           
        3. The applicant is of good conduct and behavior and has not been convicted of any crime of honor or honesty and has not failed to honor his liabilities towards financial institutions or any other creditors. Furthermore, the applicant should not have been declared bankrupt nor reached a settlement agreement with his creditors or have his property confiscated or put under court receivership;
           
        4. The applicant has a reasonable level of education, administrative, and professional experience.
           
      • Article 3: Notification of Approval/Rejection and Certificate Conditions

        3-1 The Central Bank may agree or decline to issue a Hawala Provider Certificate.

        3-2 In case of approval or rejection of the application for a Hawala Provider Certificate, the Central Bank shall notify the applicant in writing indicating reasons in case of rejection.

        3-3 The Central Bank shall issue a Hawala Provider Certificate valid for one year, renewable for similar periods. The Central Bank may include in the Hawala Provider Certificate whatever terms and conditions it deems appropriate.

      • Article 4: On-Going Obligations of Registered Hawala Providers

        4-1 A Registered Hawala Provider should strictly abide by the following:

        1. Its commercial name should not include any financial activity term, such as bank, exchange house or any other licensed activity by the Central Bank (for juridical persons);
           
        2. Manage his business personally and never assign such task to another person;
           
        3. Not to change his address, place of residence/business, sponsor or commercial activity without obtaining the Central Bank’s approval;
           
        4. Carry out his activity in suitable premises that enables the Central Bank's staff to visit and examine his records;
           
        5. Upload electronically to the Central Bank the details of all transfers, remitters and beneficiaries in the Central Bank's prescribed systems on a daily basis;
           
        6. Receive all applications for money value transfers as per official vouchers for each transaction. Such vouchers should be appropriately stored;
           
        7. Verify identities of remitters and beneficiaries using Emirates ID or passports;
           
        8. Deposit funds received from its customers in the account designated for settlement;
           
        9. Submit to the Central Bank statements of his settlement account on a quarterly basis along with other required forms;
           
        10. Provide the Central Bank with any data, information or statistics it may require at any time and for any specific period. Such data and information shall be regarded as confidential and shall be treated accordingly. A Registered Hawala Provider may not disclose such information except in accordance with the law;
           
        11. A Registered Hawala Provider must exercise due diligence when approving an agent and provide the Central Bank a current list of its agents and the countries in which they operate;
           
        12. Submit to the Central Bank an application for renewal of the Hawala Provider Certificate within a period not less than two months from the date of expiry of the original certificate or any renewals thereof; and
           
        13. Abide, alike with its customers and agents, by all UAE laws, including civil laws, Commercial Companies’ Law, federal laws on AML/CFT, and Central Bank Regulations particularly with regard to notifying the competent authorities of any violation thereof.
           
      • Article 5: Specific Obligations with Regard to ML/FT Risks

        5-1 In addition, a Hawala Provider registered in the Central Bank's Hawala Providers Register must strictly comply with Decretal Federal Law No. (20) of 2018 on Anti-money Laundering and Countering the Financing of Terrorism and Illegal Organizations and its executive regulations, and any Regulations and directions issued by the Central Bank in this regard.

        5-2 Hawala Providers may be guided by the Financial Action Task Force (FATF) Standards on anti-money laundering and countering the financing of terrorism and proliferation and to abide by guidance issued by the Central Bank in this regard.

      • Article 6: Supervision and Examination

        6-1 The Central Bank shall have the right to examine the business of the Hawala Providers and their agents and customers whenever it deems appropriate to ensure proper implementation of the provisions of this Regulation.

      • Article 7: Enforcement and Sanctions

        7-1 Violation of any provision of this Regulation may be subject to supervisory action as deemed appropriate by the Central Bank. In addition, without prejudice to other sanctions stated in any other laws in the UAE, the Central Bank may impose administrative and financial sanctions and penalties in accordance with the Central Bank Law and the Regulations issued in implementation thereof.

      • Article 8: Interpretation of the Provisions of the Regulation

        8-1 The Regulatory Development Division of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.

      • Article 9: Cancellation of Previous Resolutions

        9-1 The Central Bank Board of Directors’ Resolution No 109/5/2002 regarding the preparation of a simple regulation for licensing and monitoring of Hawala intermediaries is cancelled.

        9-2 This Regulation replaces “Hawala Intermediaries Regulation” issued on 2 July 2012.

      • Article 10: Publication and Application

        10-1 This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect one month from the date of publication.