3.3. Preventive Measures for LFIs Providing Products and Services Directly to Customers
Under Article 4(2) of the AML-CFT Decision, all LFIs must implement an AML/CFT program designed to manage the risks identified in their risk assessment that should include:
3.3.1. Customer Due Diligence, Enhanced Due Diligence and Ongoing Monitoring
Under Article 5 of the AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. Payment Sector participants, including providers of SVF, retail payment services, and card schemes, generally establish relationships with their customers rather than treat all customers as occasional or walk-in customers. In these scenarios, LFIs must perform, no matter the customer type, all the elements of CDD required under sections 2 and 3 of the AML-CFT Decision, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer’s business and purpose of the business relationship, and ongoing monitoring. CDD, and where necessary enhanced due diligence (EDD), are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers.In addition to these mandatory elements, LFIs should consider the following additional elements of CDD that are particularly important in the context of NPPS:• User identification and verification. Many, if not most, NPPS involve the use of digital as opposed to face-to-face methods of onboarding and identifying customers (a.k.a. “electronic Know Your Customer,” or “e-KYC”). Digital delivery of services is increasingly common, but can present higher risks when LFIs do not take appropriate steps to ensure that they fully understand the customer and that the person using the services is in fact the identified customer. In particular, when verifying the Emirates ID card (either physically or by way of digital or e-KYC solutions) LFIs must use the online validation gateway of the Federal Authority for Identity, Citizenship, Customs & Port Security, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original passport which must be certified (i.e. certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.
• Use of IP addresses and geographical (spatial and temporal) locators. As discussed above, payment services that are internet-based or accessible through smartphones can allow customers to access financial services no matter where they are in the world. LFIs are of course free to allow their customers to access their services while outside the UAE, but should take advantage of geographical location tools at both the onboarding and the ongoing monitoring stages to ensure that they understand the geographic risk they might be exposed to by their customers. This can include: o Requiring additional authentication or verification when a customer accesses the service from an IP address or device different from the one used at onboarding, or from a different country and/or time zone than the customer’s stated country of residence.
o Reviewing the customer’s log-in locations during CDD refresh to identify any suspicious log-in or movement patterns (for example, high numbers of transactions taking place when the customer is near a border with a high-risk country where the PPS is blocked).
• SVF due diligence: Risk mitigating measures should include as per Article 14.4 of the SVF Regulation: (a) the application of limits on the maximum storage values, cumulative turnover or transaction amounts; (b) disallowing higher risk funding sources; (c) restricting the SVF product being used for higher risk activities; (d) restricting higher risk functions such as cash access; and (e) implementing measures to detect multiple SVF accounts/cards held by the same Customer or group of Customers.
• Merchant due diligence. Payment Sector participants that deal directly with merchants (whether as providers of SVF or card schemes, or conducting merchant acquisition or payment aggregation) may have two main classes of customers: consumers and merchants. It is important to remember that merchants who use the service are customers of the LFI and that merchants that may engage in deceptive or fraudulent business practices or use their legitimate business as a cover for criminal activities, can expose the LFI to extremely high ML/FT risk. Merchants should therefore be subject to CDD designed to understand the nature of their business and the expected transaction volumes. LFIs should understand the merchant’s current financial and payments operations and in particular ascertain why the merchant is seeking a new provider of financial services, as fraudulent merchants may move from LFI to LFI seeking to conceal their activities. Merchants operating in higher-risk sectors, and those that are cash-intensive businesses, are likely to require EDD that could involve performing a periodic site visit of the merchant’s place of business. For more information, please consult the CBUAE’s Guidance for LFIs providing services to the Real Estate and Precious Metals and Stones sectors, and Guidance for LFIs providing services to Cash-Intensive Businesses.
As per Article 7 of the AML-CFT Decision, all customers must be subject to ongoing monitoring to make sure that CDD information on file is accurate, complete and up-to-date and to ensure that transactions conducted are consistent with the expected customer profile. To support this process, LFIs should apply solutions that ensure the accuracy and completeness of their data. It also may be appropriate to include non-standard elements of monitoring to reflect the risks of payments customers, such as geographic and IP-address monitoring discussed above, and the monitoring of the balance between peer-to-peer and merchant payments in a customer’s account. For merchant relationships, ongoing monitoring should include an examination of the number of ‘chargebacks’ or refunds the LFI has had to award to customers of the merchant, as well as any customer complaints the LFI has received. Where a merchant generates a large number of customer complaints or refund requests, or none at all, it may be a sign that it is operating a fraudulent business.3.3.2. Controls
In line with their risk appetite and AML/CFT program, LFIs should develop controls that are commensurate with the nature and size of their business to enable them to manage the risks identified. Effective controls are those designed to minimize or eliminate those aspects of the PPS and NPPS that make them most attractive to illicit actors as discussed in section 2 above. LFIs should in particular consider:• Geographical limits. LFIs should strongly consider using IP addresses and smartphone geolocation capabilities to prevent customers accessing PPS from high-risk countries. There are a number of sources that LFIs can use to develop a list of high-risk countries, jurisdictions, or regions. LFIs should consult any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC)6, the UAE Financial Intelligence Unit (UAE FIU), and the FATF. LFIs may also use public free databases such as, for example, the Basel AML Index7 or the Transparency International Corruption Perceptions Index.8 LFIs should not solely rely on public lists, however, and should consider their own experiences and the nature of their exposure to each jurisdiction when assessing the risk of that jurisdiction. LFIs should be aware, however, that given the widespread availability of Virtual Private Network (VPN) services, simply using IP address-based screening is not likely to be effective in preventing access to their service from specified areas. LFIs that use this control should make sure their systems are designed to detect VPN usage.
• Transaction limits. Smaller transactions are not without illicit finance risk, but from the perspective of materiality, transaction and volume limits (daily, weekly, monthly, etc.) can decrease an LFI’s exposure to illicit payments and also make the PPS overall less attractive to illicit actors.
• Funding constraints. Requiring customers to fund their accounts and to withdraw funds using only transfers from regulated domestic financial institutions can help protect PPS from the risks related to cash and ensure that the customer will be subject to CDD and monitoring.
• Multi-factor authentication. Requiring customers to provide a One-Time Password (OTP), or answer a phone call, or prompt on their smartphone when logging into an internet-based PPS can help prevent the misappropriation of customer funds by hackers. With regard to the OTP, all banks are required to include specific information in the messages that contain an OTP (full transaction amount, detailed beneficiary merchant name and website and a dedicated telephone number for customers to report suspected fraudulent activity). Banks are also required to ensure that card acquirers and issuers assist them to provide the additional OTP information as needed.9
6 Available at: https://www.namlcftc.gov.ae/en/more/jurisdictions/
7 Available at: https://baselgovernance.org/basel-aml-index
8 Available at: https://www.transparency.org/en/cpi/2020/index/nzl
9 Notice 4892/2021 issued by the CBUAE to all Banks in October 2021 regarding “One-Time Password (OTP) for card transactions”.3.3.3. Wire Transfers Requirements
Articles 27-29 of the AML-CFT Decision contain specific requirements with regard to information that LFIs must collect, and transmit with the wire transfer, when conducting an international wire transfers as well as specific obligations related to domestic wire transfers. In addition, Guidance on CDD measures concerning wire transfers is laid down in section 6.3.2 of the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions. It is important to note that since many Payment Sector participants qualify as financial institutions, the applicability of these requirements is wide-ranging.