Under Article 8 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all customers. Customers should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, as per Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete the verification of the customer’s identity after establishing a business relationship, as set forth in section 3.3.3 below.

When verifying the Emirates ID card either physically, by way of digital or electronic Know Your Customer (e-KYC) solutions, the insurance operator must use the online validation gateway of the Federal Authority for Identity & Citizenship, Customs & Port Security, the UAE-Pass Application or other UAE Government supported solutions, and keep a copy of the Emirates ID and its digital verification record. Where passports, other than the Emirates ID are used in the KYC process, a copy must be physically obtained from the original passport which must be certified (i.e. certified copy) as “Original Sighted and Verified” under the signature of the employee who carries out the CDD process and retained.

Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 6.3.1, for further information.

Under Article 9.1 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all beneficial owners of any legal person customer, defined as all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25 percent or more. Where no individual meets this description, the operator is required to identify and verify the identity of the individual(s) holding the senior management position in the entity. This option should be used only as a last resort, however, and when the operator is confident that no one individual, or small group of individuals, exercises control over the customer.

Under Article 9.2 of the AML-CFT Decision, for legal arrangements, insurance operators must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, the identity of any other natural person exercising ultimate effective control over the legal arrangement and obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights. The beneficial owner of a legal person or arrangement must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. Insurance operators should continue tracing ownership all the way up the ownership chain until it identifies all individuals who own or control at least 25 percent of the operator’s customer. If the insurance operator has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so for legal person is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD— in order to conduct sanctions screening or negative news checks.

Beneficial owners should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, pursuant to Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete verification after establishing a business relationship, as set forth in section 3.3.3 below.

Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, sections 6.3.1 and 6.3.3, respectively, as well as the CBUAE’s Guidance for LFIs providing services to Legal Persons and Arrangements⁹ for further information.

⁹ Available at: https://www.centralbank.ae/en/cbuae-amlcft.

Under Article 8 of the AML-CFT Decision, insurance operators are required to understand the nature of the customer’s business and the nature and purpose of the operator’s relationship with the customer, including the expected uses to which the customer will put the operator’s products or services. This step requires the operator to collect information that allows it to create a profile of the customer, including the types and volumes of transactions the customer is expected to engage in, and to assess the risks associated with the relationship. In certain instances, the expected type and volume of transactions are implicit in the specific insurance product being provided, in which case this aspect of the customer’s profile can be derived directly from the product choice.

Obtaining a sufficient understanding of its customers and the nature and purpose of the customer relationship—together with the ongoing analysis of actual customer behavior and the behavior of relevant peer groups—allows the insurance operator to develop a baseline of normal or expected activity for the customer, against which unusual or potentially suspicious transactions can be identified. This element of CDD can also serve to inform the operator’s risk rating or other risk assessment of the customer for the purposes of performing risk-based ongoing monitoring (see section 3.3.1.4) and determining whether simplified or enhanced due diligence measures may be warranted (see sections 3.3.3 and 3.3.4, respectively).

Under Article 12 of the AML-CFT Decision, insurance operators are required to subject all customers to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the operator’s products and services are being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

Insurance operators are required to ensure that the CDD information they hold on all customers is accurate, complete, and up to date. This is particularly crucial in the context of customers that are companies or that engage in business. Operators should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:

In addition to a review of the customer’s CDD file, under Article 7 of the AML-CFT Decision, the operator must also review the customer’s transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity and the risks they pose, including, when necessary, the source of funds. It must determine whether they continue to fit the customer’s profile and business and are consistent with the business the customer is expected to engage in when the business relationship was established. This type of transaction review is distinct from the transaction monitoring discussed in section 3.4 below and its purpose is to complement it by identifying behaviors, trends, or patterns that are not necessarily subject to transaction monitoring rules. The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher-risk customers, a more intensive review may be necessary. For customers with a large volume of transactions, operators may use data analysis techniques.

If the review finds that the customer’s behavior or information has materially changed, the operator should risk-rate the customer again. New information gained during this process may cause the operator to determine that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs, or owned or controlled by PEPs, the direct family members or associates known to be close to the PEPs; customers that are based in high-risk jurisdictions; etc.).

Operators may consider requiring that the customer update them on any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, operators should not rely on the customer to notify it of a change but should still update CDD on a schedule appropriate to the customer’s risk rating.

Insurance operators should develop policies and procedures to address any specific risks associated with non-face-to-face customer relationships and transactions undertaken in the course of such relationships. Such policies and procedures should be applied when establishing a new customer relationship and when conducting ongoing monitoring, and should be at least as stringent as those that would be required to be performed if there was face-to-face contact.

Heightened ML/FT risks may arise from establishing business relationships or undertaking transactions according to instructions conveyed by customers over the internet (absent personal contact via video teleconference), post, fax, or telephone. An operator should note that online applications and transactions may pose greater risks than other non-face-to-face business due to the following factors, which taken together may compound the associated ML/FT risks:

The measures taken by an insurance operator for verifying the identity of customers and beneficial owners in the context of non-face-to-face relationships will depend on the nature and characteristics of the product or service provided and the customer’s risk profile. Where verification of identity is performed without face-to-face contact (e.g., electronically), an operator should apply additional checks to manage the risk of impersonation. The additional checks may consist of robust anti-fraud checks that the operator routinely undertakes as part of its existing procedures, which may include as appropriate and feasible:

An insurance operator should screen the following parties against relevant ML/FT information sources (such as negative media databases) and internal watchlists (such as lists of customers previously exited for financial crime reasons) prior to a customer's onboarding:

With respect to sanctions lists, the parties listed above must be screened prior to a customer's onboarding and on an ongoing basis thereafter (please see section 3.5 below). In addition, at the time of payout, an insurer must screen against sanctions lists and should screen against the same other lists and information sources all beneficiaries or other payees and their beneficial owners (where applicable).

The results of screening and assessment by the insurance operator should be documented. Please consult the CBUAE’s Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening¹⁰ for further information.

¹⁰ Available at: https://www.centralbank.ae/en/cbuae-amlcft.

Insurance operators should not deal with any person on an anonymous basis or any person using a fictitious name. Prior to establishing an insurance relationship, if an insurance operator has any reasonable grounds to suspect that the assets or funds of a customer are the proceeds of crime or related to the financing of terrorism, the operator should reject the business relationship and, per Article 17 of the AML-CFT Decision, file a suspicious transaction report (“STR”) with the UAE Financial Intelligence Unit (“FIU”).

As per article 13 of the AML-CFT Decision, where an insurance operator is unable to undertake the CDD measures described above, or is a confirmed match to a party included on applicable sanctions lists, the insurance operator must:

In addition, it should add the customer, its beneficial owners, directors, and managers to internal watchlists. The operator should also determine whether the circumstances warrant the filing of a suspicious transaction report (“STR”) or SAR.