3.3.1. General CDD Measures
For life insurance and other investment-related insurance products, insurance operators must perform customer due diligence (“CDD”) on their customers, defined as natural persons, legal persons, or legal arrangements with whom an insurer, agent, or broker establishes or intends to establish a business relationship to carry out insurance operations, as defined in Articles 4 and 5 of the Insurance Law.
Unless otherwise specified below, the customer of an insurance operator is the existing or prospective policyholder, defined as the natural person, legal person, or legal arrangement who owns and maintains the contractual rights of the insurance policy. Where the insurer is acting as a reinsurer, the customer will be the insurer (or reinsurer) in whose name the reinsurance policy is issued. Additionally, in the case of group life insurance or other policies, when the insured persons have active powers on the contract (e.g., to inject sums into the contract, establish the beneficiary, or exercise early surrender of the amounts), those persons should be considered equal to customers, and life insurers and relevant intermediaries should therefore conduct CDD on these persons, as well as on their related third parties. In cases where the insured persons have no active powers, their names should be screened against sanctions lists, but they are not considered customers for AML/CFT purposes, and insurers and intermediaries are not required to conduct full CDD checks on them.
Finally, although in most cases the policyholder will also be the party who pays the necessary premium to keep the policy in force, there may be exceptional cases in which the policy payer is an unrelated third party (referred to as a third-party payer). In such cases, the insurer—or its agent, under a third-party reliance or outsourcing arrangement, if applicable—should perform the following general CDD measures on both the policyholder and the third-party payer.
3.3.1.1. Customer Identification and Verification
Under Article 8 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all customers. Customers should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, as per Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete the verification of the customer’s identity after establishing a business relationship, as set forth in section 3.3.3 below.
When verifying the Emirates ID card, either physically or by way of digital or electronic Know Your Customer (e-KYC) solutions, the insurance operator must use the online validation gateway of the Federal Authority for Identity & Citizenship, Customs & Port Security, the UAE-Pass Application, or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID, are used in the KYC process, a copy must be physically obtained from the original passport, certified (i.e., a certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process, and retained.
Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 6.3.1, for further information.
3.3.1.2. Beneficial Owner Identification and Verification
Under Article 9.1 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all beneficial owners of any legal person customer, defined as all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25 percent or more. Where no individual meets this description, the operator is required to identify and verify the identity of the individual(s) holding the senior management position in the entity. This option should be used only as a last resort, however, and when the operator is confident that no one individual, or small group of individuals, exercises control over the customer.
Under Article 9.2 of the AML-CFT Decision, for legal arrangements, insurance operators must verify the identity of the settlor, the trustee(s), or anyone holding a similar position; the identity of the beneficiaries or class of beneficiaries; and the identity of any other natural person exercising ultimate effective control over the legal arrangement, and must obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.
The beneficial owner of a legal person or arrangement must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. Insurance operators should continue tracing ownership all the way up the ownership chain until they identify all individuals who own or control at least 25 percent of the operator’s customer.
If the insurance operator has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so for legal persons is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.
Beneficial owners should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, pursuant to Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete verification after establishing a business relationship, as set forth in section 3.3.3 below.
Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, sections 6.3.1 and 6.3.3, respectively, as well as the CBUAE’s Guidance for LFIs providing services to Legal Persons and Arrangements [9] for further information.
[9] Available at: https://www.centralbank.ae/en/cbuae-amlcft.
3.3.1.3. Understanding the Nature of the Customer’s Business and the Nature and Purpose of the Business Relationship
Under Article 8 of the AML-CFT Decision, insurance operators are required to understand the nature of the customer’s business and the nature and purpose of the operator’s relationship with the customer, including the expected uses to which the customer will put the operator’s products or services. This step requires the operator to collect information that allows it to create a profile of the customer, including the types and volumes of transactions the customer is expected to engage in, and to assess the risks associated with the relationship. In certain instances, the expected type and volume of transactions are implicit in the specific insurance product being provided, in which case this aspect of the customer’s profile can be derived directly from the product choice.
Obtaining a sufficient understanding of its customers and the nature and purpose of the customer relationship—together with the ongoing analysis of actual customer behavior and the behavior of relevant peer groups—allows the insurance operator to develop a baseline of normal or expected activity for the customer, against which unusual or potentially suspicious transactions can be identified. This element of CDD can also serve to inform the operator’s risk rating or other risk assessment of the customer for the purposes of performing risk-based ongoing monitoring (see section 3.3.1.4) and determining whether simplified or enhanced due diligence measures may be warranted (see sections 3.3.3 and 3.3.4, respectively).
3.3.1.4. Ongoing Monitoring
Under Article 12 of the AML-CFT Decision, insurance operators are required to subject all customers to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the operator’s products and services are being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
Insurance operators are required to ensure that the CDD information they hold on all customers is accurate, complete, and up to date. This is particularly crucial in the context of customers that are companies or that engage in business. Operators should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:
• The customer’s beneficial owners remain the same;
• The customer continues to have active status with a company registrar;
• The customer has the same legal form and is domiciled in the same jurisdiction; and
• The customer is engaged in the same type of business and in the same geographies.
In addition to a review of the customer’s CDD file, under Article 7 of the AML-CFT Decision, the operator must also review the customer’s transactions to ensure that the transactions conducted are consistent with the information it has about the customer, the customer’s type of activity, and the risks the customer poses, including, when necessary, the source of funds. The operator must determine whether the transactions continue to fit the customer’s profile and business and are consistent with the business the customer was expected to engage in when the business relationship was established. This type of transaction review is distinct from the transaction monitoring discussed in section 3.4 below, and its purpose is to complement it by identifying behaviors, trends, or patterns that are not necessarily subject to transaction monitoring rules. The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher-risk customers, a more intensive review may be necessary. For customers with a large volume of transactions, operators may use data analysis techniques.
If the review finds that the customer’s behavior or information has materially changed, the operator should risk-rate the customer again. New information gained during this process may cause the operator to determine that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs, or owned or controlled by PEPs, the direct family members or associates known to be close to the PEPs; customers that are based in high-risk jurisdictions; etc.).
Operators may consider requiring that the customer update them on any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, operators should not rely on the customer to notify them of a change but should still update CDD on a schedule appropriate to the customer’s risk rating.
3.3.1.5. Non-Face-to-Face Relationships
Insurance operators should develop policies and procedures to address any specific risks associated with non-face-to-face customer relationships and transactions undertaken in the course of such relationships. Such policies and procedures should be applied when establishing a new customer relationship and when conducting ongoing monitoring, and should be at least as stringent as those that would be required to be performed if there was face-to-face contact.
○ Note: Relationships in which personal contact between an insurer or agent and the customer is achieved via video teleconference are not considered to be non-face-to-face relationships for the purpose of this Guidance.
Heightened ML/FT risks may arise from establishing business relationships or undertaking transactions according to instructions conveyed by customers over the internet (absent personal contact via video teleconference), post, fax, or telephone. An operator should note that online applications and transactions may pose greater risks than other non-face-to-face business due to the following factors, which taken together may compound the associated ML/FT risks:
• The ease of unauthorized access to the facility, across time zones and locations;
• The ease of making multiple fictitious applications without incurring additional cost or the risk of detection;
• The absence of physical documents; and
• The speed of electronic transactions.
The measures taken by an insurance operator for verifying the identity of customers and beneficial owners in the context of non-face-to-face relationships will depend on the nature and characteristics of the product or service provided and the customer’s risk profile. Where verification of identity is performed without face-to-face contact (e.g., electronically), an operator should apply additional checks to manage the risk of impersonation. The additional checks may consist of robust anti-fraud checks that the operator routinely undertakes as part of its existing procedures, which may include as appropriate and feasible:
• Telephone contact with the customer at a residential or business number that can be verified independently;
• Confirmation of the customer’s address through an exchange of correspondence or other appropriate method;
• Subject to the customer’s consent, telephone confirmation of the customer’s employment status with his or her employer’s human resource department at a listed business number of the employer;
• Confirmation of the customer’s salary details by requiring the presentation of recent bank statements where applicable;
• Provision of certified identification documents by lawyers or notaries public;
• Requiring the customer to make an initial premium payment using a check drawn on the customer’s personal account with a bank in the UAE; and
• Video call with the customer.
3.3.1.6. Name Screening
An insurance operator should screen the following parties against relevant ML/FT information sources (such as negative media databases) and internal watchlists (such as lists of customers previously exited for financial crime reasons) prior to a customer's onboarding:
• All customers, regardless of risk rating or risk profile;
• Beneficial owners of legal entity customers;
• Natural persons appointed to act on behalf of the customer (see section 3.3.2.1);
• Directors, partners, and managers of customers that are legal persons;
• Natural persons having executive authority over customers that are legal arrangements; and
• Insured with no active powers on the contract (if any).
With respect to sanctions lists, the parties listed above must be screened prior to a customer's onboarding and on an ongoing basis thereafter (please see section 3.5 below). In addition, at the time of payout, an insurer must screen against sanctions lists and should screen against the same other lists and information sources all beneficiaries or other payees and their beneficial owners (where applicable).
The results of screening and assessment by the insurance operator should be documented. Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening [10] for further information.
[10] Available at: https://www.centralbank.ae/en/cbuae-amlcft.
3.3.1.7. Customer Rejection and Exit
Insurance operators should not deal with any person on an anonymous basis or any person using a fictitious name. Prior to establishing an insurance relationship, if an insurance operator has any reasonable grounds to suspect that the assets or funds of a customer are the proceeds of crime or related to the financing of terrorism, the operator should reject the business relationship and, per Article 17 of the AML-CFT Decision, file a suspicious transaction report (“STR”) with the UAE Financial Intelligence Unit (“FIU”).
As per Article 13 of the AML-CFT Decision, where an insurance operator is unable to undertake the CDD measures described above, or where there is a confirmed match to a party included on applicable sanctions lists, the insurance operator must:
• Not onboard the customer;
• Exit the relationship if one has been established;
• Not make any payment to a payee or beneficiary under the customer’s policy or other insurance relationship; and
• Maintain the related records (please see section 3.10 below).
In addition, it should add the customer, its beneficial owners, directors, and managers to internal watchlists. The operator should also determine whether the circumstances warrant the filing of a suspicious transaction report (“STR”) or SAR.