3. Mitigating Risks
The sections below discuss how insurance operators can apply preventive measures to identify, assess, manage, and mitigate the risks associated with the insurance sector for life insurance and other investment-related insurance products. This is not a comprehensive discussion of all AML/CFT requirements imposed on insurance sector participants; insurers, agents, and brokers should therefore consult the UAE legal and regulatory framework currently in force.
The controls discussed below should be integrated into each institution's larger AML/CFT compliance program and supported by appropriate governance, training, and independent audit. As discussed in section 3.6 below, insurers are permitted to delegate the performance of specified controls to insurance agents, brokers, banks, or other intermediaries, using either a third-party reliance or an outsourcing model.
• Under a third-party reliance model, insurers may rely on any third-party LFI, such as a bank, insurance agent, or insurance broker, to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, following the third party's AML/CFT policies and procedures. In such circumstances, the third party will usually have an existing business relationship with the customer, which is independent of the relationship to be formed by the customer with the relying institution. The third-party reliance model is most commonly employed in the case of insurance brokers, who sell insurance products to consumers on behalf of multiple insurers and therefore typically maintain and apply their own AML/CFT policies and procedures.
• Under an outsourcing model, by contrast, insurers may engage a third-party service provider, such as an insurance agent, broker, or other intermediary, to apply some or all of the AML/CFT preventive measures described in this section on behalf of the delegating institution, following the insurer's AML/CFT policies and procedures. In an outsourcing scenario, the third party is subject to the delegating insurer's control regarding the effective implementation of those policies and procedures by the outsourcing entity. The outsourcing model is most commonly employed in the case of tied agents, who sell insurance products to consumers exclusively on behalf of a single insurer and therefore typically follow the insurer's AML/CFT policies and procedures.
Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures (including maintaining the availability of all relevant data and records), and the arrangement must satisfy the conditions set forth in section 3.6 below.
3.1. Risk-Based Approach and Enterprise Risk Assessment
Under article 4 of the AML-CFT Decision, the insurance operator is required to perform, document, and keep up to date an enterprise risk assessment for the purposes of identifying, assessing, and understanding its ML/FT risks for life insurance and other investment-related insurance products, including those arising in relation to its:
• Products;
• Services and transactions;
• Distribution channels and intermediaries;
• Customers; and
• Geographies, in terms of both the jurisdictions or regions in which it has operations and the jurisdictions or regions in which its customers are located or do business.
The insurance operator is expected to document the methodology and findings of the risk assessment, considering all relevant risk factors before determining the level of overall risk and the appropriate type and extent of mitigation to be applied. Insurance operators must keep their risk assessments up to date and ensure that identified risks are within the institution's risk appetite and that identified deficiencies are appropriately tracked and remediated. Risk assessments should provide a consolidated assessment of the insurance operator's ML/FT risks across all business units, product lines, and delivery channels, including those of branches, subsidiaries, parent entities, or other affiliates located outside the UAE.
ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products can be found in section 2.2 above, and red flag indicators for the UAE insurance sector are provided in Annex 1. Please consult also the CBUAE's AML/CFT Guidelines for Financial Institutions, section 4⁸, for further information.
⁸ Available at: https://www.centralbank.ae/en/cbuae-amlcft.
3.2. New Products, Practices, and Technologies
Under Article 23 of the AML-CFT Decision, an insurance operator is required to identify and assess the ML/FT risks for life insurance and other investment-related insurance products that may arise in relation to:
• The development of new products and new business practices, including new delivery mechanisms (such as mobile insurance applications, insurance portals, transaction terminals, and insurance booths); and
• The use of new or developing technologies for both new and preexisting products.
An operator must undertake such risk assessments prior to the launch or use of new products, practices, and technologies and must take appropriate measures to manage and mitigate the identified risks. Operators should pay special attention to new products, practices, or technologies that favor anonymity.
3.3. Customer Due Diligence
3.3.1. General CDD Measures
For life insurance and other investment-related insurance products, insurance operators must perform customer due diligence ("CDD") on their customers, defined as natural persons, legal persons, or legal arrangements with whom an insurer, agent, or broker establishes or intends to establish a business relationship to carry out insurance operations, as defined in Articles 4 and 5 of the Insurance Law.
Unless otherwise specified below, the customer of an insurance operator is the existing or prospective policyholder, defined as the natural person, legal person, or legal arrangement who owns and maintains the contractual rights of the insurance policy. Where the insurer is acting as a reinsurer, the customer will be the insurer (or reinsurer) in whose name the reinsurance policy is issued. Additionally, in the case of group life insurance or other policies, when the insured persons have active powers on the contract (e.g., to inject sums into the contract, establish the beneficiary, or exercise early surrender of the amounts), those persons should be considered equal to customers, and life insurers and relevant intermediaries should therefore conduct CDD on these persons, as well as on their related third parties. In cases where the insured persons have no active powers, their names should be screened against sanctions lists, but they are not considered customers for AML/CFT purposes, and insurers and intermediaries are not required to conduct full CDD checks on them.
Finally, although in most cases the policyholder will also be the party who pays the necessary premium to keep the policy in force, there may be exceptional cases in which the policy payer is an unrelated third party (referred to as a third-party payer). In such cases, the insurer (or its agent, under a third-party reliance or outsourcing arrangement, if applicable) should perform the following general CDD measures on both the policyholder and the third-party payer.
3.3.1.1. Customer Identification and Verification
Under Article 8 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all customers. Customers should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, as per Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete the verification of the customer's identity after establishing a business relationship, as set forth in section 3.3.3 below.
When verifying an Emirates ID card, whether physically or by way of a digital or electronic Know Your Customer (e-KYC) solution, the insurance operator must use the online validation gateway of the Federal Authority for Identity & Citizenship, Customs & Port Security, the UAE-Pass application, or another UAE Government supported solution, and must keep a copy of the Emirates ID and its digital verification record. Where a passport rather than the Emirates ID is used in the KYC process, a copy must be physically obtained from the original passport, certified (i.e., a certified copy) as "Original Sighted and Verified" under the signature of the employee who carries out the CDD process, and retained.
Please consult also the CBUAE's AML/CFT Guidelines for Financial Institutions, section 6.3.1, for further information.
3.3.1.2. Beneficial Owner Identification and Verification
Under Article 9.1 of the AML-CFT Decision, insurance operators are required to identify and verify the identities of all beneficial owners of any legal person customer, defined as all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25 percent or more. Where no individual meets this description, the operator is required to identify and verify the identity of the individual(s) holding the senior management position in the entity. This option should be used only as a last resort, however, and when the operator is confident that no one individual, or small group of individuals, exercises control over the customer.
Under Article 9.2 of the AML-CFT Decision, for legal arrangements, insurance operators must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, and the identity of any other natural person exercising ultimate effective control over the legal arrangement, and must obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights. The beneficial owner of a legal person or arrangement must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. Insurance operators should continue tracing ownership all the way up the ownership chain until they have identified all individuals who own or control at least 25 percent of the operator's customer. If the insurance operator has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so for legal persons is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer (without requiring them to undergo CDD) in order to conduct sanctions screening or negative news checks.
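The chain-tracing procedure described above, as an added illustration that is not part of this Guidance or any CBUAE tool: each natural person's effective ownership is aggregated through intermediate legal persons, the 25 percent threshold is applied, it can be lowered to 10 or 5 percent where risk warrants, senior management is used only when no individual reaches the threshold, and every individual shareholder can be listed for sanctions screening without full CDD. The ownership registry and all entity and person names are constructed for the example.

```python
from fractions import Fraction

# Constructed sample registry (no real entities). Each legal person maps to its direct
# shareholders and their percentage holdings. Any name absent from the registry is
# treated as a natural person, i.e. the end of the ownership chain.
REGISTRY = {
    "Customer LLC": {"Holdco A": 60, "Alice": 40},
    "Holdco A": {"Bob": 40, "Holdco B": 60},
    "Holdco B": {"Carol": 50, "Dave": 50},
    "Widely Held Co": {"P1": 20, "P2": 20, "P3": 20, "P4": 20, "P5": 20},
}


def effective_ownership(registry, customer):
    """Return {individual: Fraction} with each natural person's effective (direct plus
    indirect) share of `customer`, tracing through every intermediate legal person.
    Exact rational arithmetic avoids a 24.999...% float landing on the wrong side of
    the threshold."""
    totals = {}

    def walk(entity, share, path):
        if entity not in registry:
            # Natural person reached: a legal person is never itself a beneficial owner.
            totals[entity] = totals.get(entity, Fraction(0)) + share
            return
        if entity in path:
            # Cross-shareholding loop: stop rather than recurse forever. Such
            # structures are a reason to intensify enquiries, not to skip them.
            return
        for holder, pct in registry[entity].items():
            walk(holder, share * Fraction(pct, 100), path | {entity})

    walk(customer, Fraction(1), frozenset())
    return totals


def beneficial_owners(registry, customer, threshold_pct=25, senior_management=()):
    """Identify beneficial owners at `threshold_pct` (25 under the AML-CFT Decision;
    10 or 5 where risk warrants). Senior management is returned only as a last
    resort, when no individual meets the threshold."""
    threshold = Fraction(threshold_pct, 100)
    owners = effective_ownership(registry, customer)
    hits = sorted(name for name, share in owners.items() if share >= threshold)
    if hits:
        return {"basis": "ownership", "persons": hits}
    return {"basis": "senior_management", "persons": list(senior_management)}


def screening_list(registry, customer):
    """All individuals holding any share at all, for sanctions or negative-news
    screening (no CDD implied)."""
    return sorted(name for name, share in effective_ownership(registry, customer).items()
                  if share > 0)


if __name__ == "__main__":
    for name, share in sorted(effective_ownership(REGISTRY, "Customer LLC").items()):
        print(f"{name}: {float(share):.2%}")
    print("BO at 25%:", beneficial_owners(REGISTRY, "Customer LLC"))
    print("BO at 10%:", beneficial_owners(REGISTRY, "Customer LLC", threshold_pct=10))
    print("Fallback:", beneficial_owners(REGISTRY, "Widely Held Co",
                                         senior_management=["GM Erin"]))
    print("Screen:", screening_list(REGISTRY, "Customer LLC"))
```

In the sample, Holdco A holds 60 percent but is a legal person, and Bob's effective 24 percent falls just short, so only Alice is a beneficial owner at the statutory threshold; lowering it to 10 percent surfaces Bob, Carol and Dave.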
Beneficial owners should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, pursuant to Article 4.3 of the AML-CFT Decision, where there is no ML/FT suspicion and ML/FT risks are assessed to be low, an operator may complete verification after establishing a business relationship, as set forth in section 3.3.3 below.
Please consult also the CBUAE's AML/CFT Guidelines for Financial Institutions, sections 6.3.1 and 6.3.3, respectively, as well as the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements⁹ for further information.
⁹ Available at: https://www.centralbank.ae/en/cbuae-amlcft.
3.3.1.3. Understanding the Nature of the Customer's Business and the Nature and Purpose of the Business Relationship
Under Article 8 of the AML-CFT Decision, insurance operators are required to understand the nature of the customer's business and the nature and purpose of the operator's relationship with the customer, including the expected uses to which the customer will put the operator's products or services. This step requires the operator to collect information that allows it to create a profile of the customer, including the types and volumes of transactions the customer is expected to engage in, and to assess the risks associated with the relationship. In certain instances, the expected type and volume of transactions are implicit in the specific insurance product being provided, in which case this aspect of the customer's profile can be derived directly from the product choice.
Obtaining a sufficient understanding of its customers and the nature and purpose of the customer relationship, together with the ongoing analysis of actual customer behavior and the behavior of relevant peer groups, allows the insurance operator to develop a baseline of normal or expected activity for the customer, against which unusual or potentially suspicious transactions can be identified. This element of CDD can also serve to inform the operator's risk rating or other risk assessment of the customer for the purposes of performing risk-based ongoing monitoring (see section 3.3.1.4) and determining whether simplified or enhanced due diligence measures may be warranted (see sections 3.3.3 and 3.3.4, respectively).
3.3.1.4. Ongoing Monitoring
Under Article 12 of the AML-CFT Decision, insurance operators are required to subject all customers to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the operator's products and services are being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
Insurance operators are required to ensure that the CDD information they hold on all customers is accurate, complete, and up to date. This is particularly crucial for customers that are companies or that engage in business. Operators should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently; for any customer subject to EDD, this should include more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:
• The customer's beneficial owners remain the same;
• The customer continues to have active status with a company registrar;
• The customer has the same legal form and is domiciled in the same jurisdiction; and
• The customer is engaged in the same type of business and in the same geographies.
In addition to a review of the customer's CDD file, under Article 7 of the AML-CFT Decision, the operator must also review the customer's transactions to ensure that the transactions conducted are consistent with the information it holds about the customer, the customer's type of activity and the risks the customer poses, including, when necessary, the source of funds. It must determine whether the transactions continue to fit the customer's profile and business and are consistent with the business the customer was expected to engage in when the business relationship was established. This type of transaction review is distinct from the transaction monitoring discussed in section 3.4 below; its purpose is to complement it by identifying behaviors, trends, or patterns that are not necessarily subject to transaction monitoring rules. The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher-risk customers, a more intensive review may be necessary. For customers with a large volume of transactions, operators may use data analysis techniques.
If the review finds that the customer's behavior or information has materially changed, the operator should risk-rate the customer again. New information gained during this process may cause the operator to determine that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs, or owned or controlled by PEPs, the direct family members or associates known to be close to the PEPs; customers that are based in high-risk jurisdictions; etc.).
Operators may consider requiring that the customer update them on any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, operators should not rely on the customer to notify it of a change but should still update CDD on a schedule appropriate to the customerās risk rating.
3.3.1.5. Non-Face-to-Face Relationships
Insurance operators should develop policies and procedures to address any specific risks associated with non-face-to-face customer relationships and transactions undertaken in the course of such relationships. Such policies and procedures should be applied when establishing a new customer relationship and when conducting ongoing monitoring, and should be at least as stringent as those that would be required to be performed if there was face-to-face contact.
Note: Relationships in which personal contact between an insurer or agent and the customer is achieved via video teleconference are not considered to be non-face-to-face relationships for the purpose of this Guidance.
Heightened ML/FT risks may arise from establishing business relationships or undertaking transactions according to instructions conveyed by customers over the internet (absent personal contact via video teleconference), post, fax, or telephone. An operator should note that online applications and transactions may pose greater risks than other non-face-to-face business due to the following factors, which taken together may compound the associated ML/FT risks:
• The ease of unauthorized access to the facility, across time zones and locations;
• The ease of making multiple fictitious applications without incurring additional cost or the risk of detection;
• The absence of physical documents; and
• The speed of electronic transactions.
The measures taken by an insurance operator for verifying the identity of customers and beneficial owners in the context of non-face-to-face relationships will depend on the nature and characteristics of the product or service provided and the customer's risk profile. Where verification of identity is performed without face-to-face contact (e.g., electronically), an operator should apply additional checks to manage the risk of impersonation. The additional checks may consist of robust anti-fraud checks that the operator routinely undertakes as part of its existing procedures, which may include, as appropriate and feasible:
• Telephone contact with the customer at a residential or business number that can be verified independently;
• Confirmation of the customer's address through an exchange of correspondence or other appropriate method;
• Subject to the customer's consent, telephone confirmation of the customer's employment status with his or her employer's human resource department at a listed business number of the employer;
• Confirmation of the customer's salary details by requiring the presentation of recent bank statements where applicable;
• Provision of certified identification documents by lawyers or notaries public;
• Requiring the customer to make an initial premium payment using a check drawn on the customer's personal account with a bank in the UAE; and
• Video call with the customer.
3.3.1.6. Name Screening
An insurance operator should screen the following parties against relevant ML/FT information sources (such as negative media databases) and internal watchlists (such as lists of customers previously exited for financial crime reasons) prior to a customer's onboarding:
• All customers, regardless of risk rating or risk profile;
• Beneficial owners of legal entity customers;
• Natural persons appointed to act on behalf of the customer (see section 3.3.2.1);
• Directors, partners, and managers of customers that are legal persons;
• Natural persons having executive authority over customers that are legal arrangements; and
• Insured persons with no active powers on the contract (if any).
With respect to sanctions lists, the parties listed above must be screened prior to a customer's onboarding and on an ongoing basis thereafter (please see section 3.5 below). In addition, at the time of payout, an insurer must screen against sanctions lists and should screen against the same other lists and information sources all beneficiaries or other payees and their beneficial owners (where applicable).
The results of screening and assessment by the insurance operator should be documented. Please consult the CBUAE's Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening¹⁰ for further information.
¹⁰ Available at: https://www.centralbank.ae/en/cbuae-amlcft.
3.3.1.7. Customer Rejection and Exit
Insurance operators should not deal with any person on an anonymous basis or any person using a fictitious name. Prior to establishing an insurance relationship, if an insurance operator has any reasonable grounds to suspect that the assets or funds of a customer are the proceeds of crime or related to the financing of terrorism, the operator should reject the business relationship and, per Article 17 of the AML-CFT Decision, file a suspicious transaction report ("STR") with the UAE Financial Intelligence Unit ("FIU").
As per Article 13 of the AML-CFT Decision, where an insurance operator is unable to undertake the CDD measures described above, or where the customer is a confirmed match to a party included on applicable sanctions lists, the insurance operator must:
• Not onboard the customer;
• Exit the relationship if one has been established;
• Not make any payment to a payee or beneficiary under the customer's policy or other insurance relationship; and
• Maintain the related records (please see section 3.10 below).
In addition, it should add the customer, its beneficial owners, directors, and managers to internal watchlists. The operator should also determine whether the circumstances warrant the filing of a suspicious transaction report ("STR") or SAR.
3.3.2. Specific CDD Measures for Insurers
In addition to performing general CDD on their customers, insurers are also expected to collect and verify the identities of any natural persons appointed to act on the customer's behalf and are required, under Article 11 of the AML-CFT Decision, to collect and verify the identities of the beneficiaries or other payees of an insurance policy and their beneficial owners (where applicable), as set forth below.
3.3.2.1. Identification and Verification of Natural Persons Appointed to Act on a Customer's Behalf
As per Article 8.2 of the AML-CFT Decision, where a customer appoints one or more natural or legal persons (such as an insurance broker) to act on his, her, or its behalf in establishing a business relationship with an insurer, the insurer must identify and verify the identity of each such natural person in accordance with the same procedures used to identify and verify the identity of a natural person customer. The insurer should also verify the due authority of each natural person appointed to act on behalf of the customer by obtaining, at a minimum:
• The appropriate documentary evidence authorizing the appointment of such natural or legal person by the customer to act on his, her, or its behalf; and
• The signature of such a natural or legal person appointed.
As with customers, natural persons appointed to act on a customer's behalf should generally be identified and verified prior to establishing a business relationship. However, in exceptional circumstances, where there is no ML/FT suspicion, ML/FT risks are assessed to be low, and the deferral of verification is essential in order not to interrupt the normal course of business operations, an operator may complete the verification of the appointed person's identity after establishing a business relationship, as set forth in section 3.3.3 below.
3.3.2.2. Identification and Verification of Beneficiaries or Other Payees and Their Beneficial Owners
Under Article 11.1 of the AML-CFT Decision, insurers are required to conduct CDD measures, including ongoing monitoring, with respect to any beneficiary of life insurance and other investment-related insurance products, including life insurance products relating to investments and family Takaful insurance, as soon as the beneficiary is identified or designated. In addition, as soon as a beneficiary or other payee is designated, an insurer must perform the following:
• For a beneficiary or payee who is identified as a specifically named natural person, legal person, or legal arrangement, obtain the full name, including any aliases, of such beneficiary or payee; or
• For a beneficiary or payee who is designated by characteristics, class, or other means, obtain sufficient information concerning the beneficiary or payee to satisfy itself that it will be able to establish the identity of such beneficiary or payee at the time of payout.
At the time of payout, insurers must also verify the identities of all beneficiaries or payees and their beneficial owners in accordance with the same procedures used to identify and verify the identity of a natural person customer.
3.3.3. Simplified Due Diligence for Lower-Risk Scenarios
As per Article 4.3 of the AML-CFT Decision, an insurance operator may perform simplified due diligence ("SDD") measures in relation to a customer, a beneficial owner of a customer, a natural person appointed to act on behalf of a customer, or a beneficiary or other payee if it is satisfied that the risks of ML/FT are low. The assessment of low risks should be supported by an adequate analysis of risks by the insurance operator, and the selection of simplified measures should be commensurate with the type and level of risk identified through such risk analysis. In all cases, the operator should document the details of its risk analysis and the nature of the SDD measures employed.
Examples of potentially lower-risk scenarios include, but are not limited to, those in which:
• The customer is a UAE government entity, including UAE state-owned enterprises;
• The customer is an entity listed on a stock exchange and subject to regulatory disclosure requirements relating to adequate transparency with respect to beneficial owners;
• The insurance product does not offer cash payouts except upon the occurrence of specified trigger events;
• The insurance product does not have an early surrender option and cannot be used as collateral; or
• The insurance product is a pension or other scheme where contributions are made via deduction from wages and the scheme rules do not permit the assignment of a member's interest under the scheme.
Additional examples of lower-risk attributes for the insurance sector are provided in section 2.2 above.
Where an insurance operator is satisfied that the ML/FT risks are low, the operator may perform one or more of the following SDD measures, as warranted by the risk analysis:
• Verifying the identity of the customer and any beneficial owner(s) after establishing the business relationship, provided verification is nonetheless completed in a timely fashion (to be documented in the operator's internal procedures) and appropriate controls are in place to manage the ML/FT risks associated with the customer and the relationship prior to verification;¹¹
• Reducing the frequency of updates to CDD information;
• Reducing the degree of ongoing monitoring and scrutiny of transactions, based on a reasonable monetary threshold; or
• Developing an understanding of the intended nature and purpose of the customer relationship on the basis of the relationship type and the customer's historical transaction activity, rather than by collecting information regarding the intended nature and purpose of the relationship during onboarding or CDD updating.
An insurance operator should not perform SDD measures where:
• A customer or any beneficial owner of the customer is from or in a country or jurisdiction against which the FATF has called for countermeasures;
• A customer or any beneficial owner of the customer is from or in a country or jurisdiction known to have inadequate AML/CFT measures, as determined by the operator for itself or notified to operators generally by local regulatory or supervisory authorities; or
• The operator suspects that ML or FT is involved.
¹¹ Such measures may include holding funds in suspense or escrow until verification of identity has been completed, or making completion of identity verification a precondition of closing any transaction with or on behalf of the customer.
3.3.4. Enhanced Due Diligence for Higher-Risk Scenarios
The AML-CFT Law and the AML-CFT Decision impose specific and enhanced due diligence obligations on insurance operators with respect to two classes of customers or transactions:
• Customers that are politically exposed persons ("PEPs"), which include the direct family members or associates known to be close to the PEPs; and
• Business relationships and transactions with natural persons, legal persons, or legal arrangements from high-risk countries.
The AML-CFT Law and Decision give special attention to customers in these groups because they are likely to expose operators to a heightened risk of money laundering, terrorism financing, and other illicit finance.
In addition to these classes of customers and transactions, for which EDD is mandatory, operators are expected to implement appropriate policies and procedures to determine whether relationships with or transactions undertaken for or on behalf of a customer present a higher risk for ML or FT. Examples of potentially higher-risk scenarios include, but are not limited to, those in which:
• The customer belongs to a higher-risk industry or sector identified in topical risk assessments, or to an industry or sector identified by the operator as higher-risk for ML or FT;
• The ownership structure of a legal entity customer appears unusual or excessively complex given the nature of the legal entity's business;
• The legal entity customer is a personal asset-holding vehicle;
• The business relationship is conducted under unusual circumstances, such as significant unexplained geographic distance between the operator and the customer;
• The legal entity customer has nominee shareholders or shares in bearer form;
• The customer is a cash-intensive business;
• The customer operates in or does business with a jurisdiction that has relatively higher levels of corruption or organized crime, or inadequate AML/CFT measures, as identified by the FATF;
• The customer operates in or does business with a jurisdiction identified by credible bodies (e.g., reputable international bodies such as Transparency International) as having significant levels of corruption, terrorism financing, or other criminal activity;
• The relationship involves or could involve cash or anonymous transactions; or
• The relationship involves or could involve frequent payments received from unknown or unassociated third parties.
Additional examples of higher-risk attributes and red flag indicators for the insurance sector are provided in section 2.2 and Annex 1 of this Guidance respectively.
As per Article 4.2(b) of the AML-CFT Decision, where the operator identifies a customer or relationship as presenting higher ML/FT risks, it must apply EDD measures commensurate with those risks. Examples of EDD measures include, but are not limited to:
• Obtaining approval from the operator's senior management to establish or continue a business relationship with the customer, including making any payment to a beneficiary or payee;
• Establishing the source of wealth and source of funds of the customer and any beneficial owner of the customer;
• Conducting enhanced monitoring during the course of the business relationship with the customer, including by increasing the degree and nature of transaction monitoring and CDD updating;
• Requiring the first payment to be carried out through an account in the customer's name with a bank subject to similar or equivalent CDD standards;
• Using public sources of information (e.g., websites) to gain a better understanding of the reputation of the customer or any beneficial owner of the customer;
• Commissioning external intelligence reports where it is not possible for the operator to easily obtain information through public sources or where there are doubts about the reliability of public information; and
• For high-net-worth individuals, particularly those utilizing higher-risk products or services or characterized by other markers of heightened ML/FT risk:
  – Independently corroborating information obtained on the source of wealth of customers and beneficial owners against documentary evidence or public information sources;
  – Screening operating companies and individual benefactors contributing to the customer's and beneficial owner's wealth or funds; and
  – Scrutinizing transactions relating to customers that have multiple policies with the operator or to customers having a common beneficial owner.
In addition, as noted in section 3.3.1.2 above, if the insurance operator has followed its standard beneficial ownership identification and verification procedures and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the operator should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25 percent ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10 percent or even the 5 percent level, as risk warrants. It may also involve requiring the customer to provide the names of all individuals who own or control any share in the customer (without requiring them to undergo CDD) in order to conduct sanctions screening or negative news checks.
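As an added illustration of the risk-based threshold described above (example code written for this note, not part of the Guidance or of any CBUAE or operator system), the following Python computes each natural person's effective (look-through) ownership of a legal-entity customer held through a constructed chain of holding companies, applies either the statutory 25 percent threshold or a lower risk-based one, and produces the full list of individuals holding any share so they can be sanctions-screened without full CDD. The company and person names, the ownership fractions, and the mapping of risk ratings to 25/10/5 percent thresholds are all assumptions.

```python
"""Risk-based beneficial ownership identification (added example).

Constructed scenario: a legal-entity customer held through several
holding companies. Effective ownership of each natural person is the
product of the fractions along every path from the customer to that
person, summed over all paths. The threshold applied depends on the
customer's risk rating; every individual with any share is also listed
for screening. All names and fractions below are made up.
"""
from collections import defaultdict

# Constructed ownership graph: entity -> {holder: fraction held}.
# Holders that appear as keys are legal entities; the rest are natural persons.
OWNERSHIP = {
    "CustomerCo": {"HoldCo A": 0.60, "HoldCo B": 0.30, "Dana": 0.07, "Farid": 0.03},
    "HoldCo A": {"Ali": 0.40, "HoldCo C": 0.60},
    "HoldCo B": {"Bilal": 0.50, "Nominee Ltd": 0.50},
    "HoldCo C": {"Ali": 0.50, "Carla": 0.50},
    "Nominee Ltd": {"Eve": 1.00},
}

# 0.25 is the statutory threshold referred to in the text; the lower tiers
# are the risk-based choices (10 percent, 5 percent) the text mentions.
THRESHOLD_BY_RISK = {"low": 0.25, "medium": 0.10, "high": 0.05}


def effective_ownership(entity, graph=OWNERSHIP, _path=()):
    """Return {natural_person: effective_fraction} for `entity`.

    Recurses through intermediate legal entities, multiplying fractions
    along each path. A circular holding is cut off (contributes nothing)
    rather than looped over; the resulting gap shows up in ownership_gap().
    """
    if entity in _path:
        return {}
    totals = defaultdict(float)
    for holder, frac in graph.get(entity, {}).items():
        if holder in graph:  # intermediate legal entity: look through it
            for person, sub in effective_ownership(holder, graph, _path + (entity,)).items():
                totals[person] += frac * sub
        else:  # natural person
            totals[holder] += frac
    return dict(totals)


def beneficial_owners(entity, risk, graph=OWNERSHIP):
    """Natural persons at or above the risk-based threshold, largest first."""
    threshold = THRESHOLD_BY_RISK[risk]
    owners = [(p, round(f, 4)) for p, f in effective_ownership(entity, graph).items()
              if f >= threshold]
    return sorted(owners, key=lambda pf: -pf[1])


def screening_population(entity, graph=OWNERSHIP):
    """Every natural person with any share, for sanctions / negative-news screening."""
    return sorted(effective_ownership(entity, graph))


def ownership_gap(entity, graph=OWNERSHIP):
    """Share of the entity not traceable to a natural person.

    Anything materially above zero (bearer shares, holders the customer
    will not name, circular structures) is the situation the text describes
    as not being confident who truly owns or controls the customer.
    """
    return round(1.0 - sum(effective_ownership(entity, graph).values()), 6)


if __name__ == "__main__":
    for risk in ("low", "medium", "high"):
        print(risk, beneficial_owners("CustomerCo", risk))
    print("screen:", screening_population("CustomerCo"))
    print("gap:", ownership_gap("CustomerCo"))
```

At the 25 percent tier only Ali (0.42 effective) is a beneficial owner; the 10 percent tier adds the two individuals behind the nominee and a direct holder, and the 5 percent tier adds one more. `ownership_gap` is the check to run before concluding CDD: a non-zero gap means part of the customer is held by someone the operator cannot name, which is the point at which the text says the relationship should not be established or continued.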
Additional examples of EDD measures are provided in the CBUAE's AML/CFT Guidelines for Financial Institutions, section 6.4.
3.4. Transaction Monitoring and Suspicious Transaction Reporting
3.4.1. Transaction Monitoring
Under Article 16 of the AML-CFT Decision, when conducting operations related to life insurance and other investment-related insurance products, insurance operators must monitor the activity of all customers to identify behavior that is potentially suspicious and that may need to be the subject of an STR or SAR. Transactions may be suspicious by virtue of their individual characteristics (such as their value, source, destination, or use of intermediaries), or because, together with other transactions, they form a pattern that diverges from expected or historical transactional activity or is otherwise indicative of illicit activity, including the evasion of reporting or recordkeeping requirements. When monitoring and evaluating transactions, the operator should take into account all information it has collected as part of CDD, including the identities of beneficial owners. In addition, higher-risk customers should be subject to more stringent transaction monitoring, with lower thresholds for alerts and more intensive investigation.
Transaction monitoring can include manual monitoring processes and the use of automated and intelligence-led monitoring systems. In all cases, the type and degree of monitoring should match the ML/FT risks of the operator's customers, products and services, delivery channels, and geographic exposure, and may therefore vary across an operator's business lines or units, where applicable.
Transaction monitoring programs should also be calibrated to the size, nature, and complexity of each institution. Operators with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. Operators utilizing automated systems should perform a typology assessment to design appropriate rule- or scenario-based automated monitoring capabilities and processes. While smaller operators may rely on transaction monitoring systems that are less automated, they should still ensure that these are appropriately executed to address the risks from their day-to-day transactional activity.
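The following Python is an added example (written for this note, not code from the Guidance or from any CBUAE or operator monitoring system) of the rule- or scenario-based monitoring the text describes, run over a handful of constructed premium payments: a per-transaction value trigger that is lower for higher-risk customers, a deviation-from-own-baseline rule, and a structuring scenario that looks for several payments just under a reporting threshold inside a short window. The customer IDs, risk ratings, threshold amounts, window length and transactions are all assumptions chosen for illustration and are not taken from any regulation.

```python
"""Risk-tiered transaction monitoring over constructed premium payments (added example).

Three rule families from the text: a per-transaction value threshold that is
lower for higher-risk customers, deviation from the customer's own historical
baseline, and a structuring pattern (several payments just under a reporting
threshold inside a short window). Third-party payers on high-risk policies are
also noted. Customer IDs, risk ratings, thresholds and transactions are all
constructed for illustration and are not taken from any regulation.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed customer risk ratings (output of the CDD risk assessment).
CUSTOMERS = {"C-001": {"risk": "low"}, "C-002": {"risk": "high"}}

# Assumed alert thresholds: higher risk -> lower value trigger and a tighter
# tolerance for deviation from the customer's own baseline.
VALUE_ALERT = {"low": 200_000, "medium": 100_000, "high": 50_000}
BASELINE_SIGMA = {"low": 3.0, "medium": 2.5, "high": 2.0}

# Assumed reporting threshold that a structuring pattern stays just beneath.
REPORT_THRESHOLD = 55_000
STRUCTURING_BAND = 0.80          # look at amounts in [80%, 100%) of the threshold
STRUCTURING_WINDOW = timedelta(days=7)
STRUCTURING_MIN_COUNT = 3

# Constructed transactions: (customer, value date, amount, payer).
TRANSACTIONS = [
    ("C-001", date(2024, 1, 5), 12_000, "self"),
    ("C-001", date(2024, 2, 5), 12_500, "self"),
    ("C-001", date(2024, 3, 5), 11_800, "self"),
    ("C-001", date(2024, 4, 5), 12_200, "self"),
    ("C-001", date(2024, 5, 5), 90_000, "self"),         # far above own baseline
    ("C-002", date(2024, 3, 1), 52_000, "third party"),  # above high-risk value trigger
    ("C-002", date(2024, 3, 3), 53_000, "third party"),
    ("C-002", date(2024, 3, 6), 54_000, "third party"),  # completes a structuring cluster
]


def value_rule(amount, risk):
    """Single-transaction value trigger, lower for higher-risk customers."""
    return amount >= VALUE_ALERT[risk]


def baseline_rule(history, amount, risk):
    """Flag an amount far outside the customer's own prior activity."""
    if len(history) < 3:            # not enough history to form a baseline
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount != mu
    return abs(amount - mu) / sigma > BASELINE_SIGMA[risk]


def structuring_rule(recent, when, amount):
    """Count near-threshold payments in the window, including this one."""
    lo = STRUCTURING_BAND * REPORT_THRESHOLD
    if not lo <= amount < REPORT_THRESHOLD:
        return False
    cluster = [a for d, a in recent
               if when - d <= STRUCTURING_WINDOW and lo <= a < REPORT_THRESHOLD]
    return len(cluster) + 1 >= STRUCTURING_MIN_COUNT


def monitor(transactions=TRANSACTIONS, customers=CUSTOMERS):
    """Run the rules in date order; return (customer, date, amount, reasons) per alert."""
    history = defaultdict(list)     # customer -> amounts seen so far
    recent = defaultdict(list)      # customer -> (date, amount) seen so far
    alerts = []
    for cust, when, amount, payer in sorted(transactions, key=lambda t: t[1]):
        risk = customers[cust]["risk"]
        reasons = []
        if value_rule(amount, risk):
            reasons.append("value")
        if baseline_rule(history[cust], amount, risk):
            reasons.append("baseline")
        if structuring_rule(recent[cust], when, amount):
            reasons.append("structuring")
        if payer != "self" and risk == "high":
            reasons.append("third-party payer")
        if reasons:
            alerts.append((cust, when, amount, reasons))
        history[cust].append(amount)            # update baseline after evaluating
        recent[cust].append((when, amount))
    return alerts


if __name__ == "__main__":
    for alert in monitor():
        print(alert)
```

The same 52,000 payment is below the low-risk value trigger but above the high-risk one, which is what "lower thresholds for alerts" for higher-risk customers means in practice. The low-risk customer is still caught, by the baseline rule, when a payment is hundreds of standard deviations above its own history, and the third high-risk payment fires the structuring scenario only once three near-threshold payments fall inside the window. A production system would add the typology-driven scenarios from the operator's own risk assessment and route each alert to a case for investigation and possible STR filing.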
Please consult the CBUAE's Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening for further information.
3.4.2. STR Reporting
As required by Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, insurance operators must file without any delay an STR or SAR with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part and regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR/SAR filing is not simply a legal obligation; it is a critical element of the UAE's effort to combat financial crime and protect the integrity of its financial system. STR/SAR filings are essential to assisting law enforcement authorities in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system.
In addition to the requirement to file an STR when an operator suspects that a transaction or funds are linked to a crime, operators should consider filing an STR or SAR in the following situations involving higher-risk customers:
• A potential customer decides against purchasing financial services after learning about the operator's CDD requirements;
• A current customer cannot provide required information (including documentation) about its business or its beneficial owners;
• A customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty;
• The operator is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the customer. In such cases, the operator should not establish the business relationship, or continue an existing business relationship; or
• Other situations that are suspicious or involve activity with no legitimate business or other lawful purpose.
Please consult the CBUAE's Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting[12] for further information.
[12] Available at: https://www.uaeiec.gov.ae/en-us/un-page.
3.5. Sanctions Obligations and Freezing Without Delay
The AML-CFT Law and AML-CFT Decision require insurance operators to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council ("UNSC") under Chapter VII of the Charter of the United Nations ("UN"). In furtherance of this requirement, Cabinet Decision No. (74) of 2020 sets out the legislative and regulatory framework for Targeted Financial Sanctions ("TFS"), including the Local Terrorist List and the UN Consolidated List. As per Cabinet Decision 74, and in particular its Article 15, all insurance operators, without exception, are obliged to apply policies, procedures and controls to implement TFS against those sanctioned and designated on the Local Terrorist List and the UN Consolidated List.
For more information on their sanctions obligations, insurance operators should consult the Executive Office for Control and Non-Proliferation (formerly the Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control, referred to here as the Executive Office) "Guidance on Targeted Financial Sanctions for Financial Institutions and Designated Non-Financial Businesses and Professions"[13]; the CBUAE's Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions; and the CBUAE's Guidance for Licensed Financial Institutions on Transaction Monitoring and Sanctions Screening, together with any amendments or updates thereof. Insurance operators should also consult the CBUAE's and the Executive Office's websites as updated from time to time, and refer to the Executive Office's list of Frequently Asked Questions (FAQ) for the insurance sector.
[13] Available at: https://www.uaeiec.gov.ae/en-us/un-page.
3.6. Third-Party Reliance and Outsourcing
As noted above, insurers are permitted to delegate the performance of specified controls to insurance agents or other intermediaries, using either a third-party reliance or an outsourcing model.
• Under a third-party reliance model, insurers may rely on any third-party LFI, such as a bank or insurance agent or broker, to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, following the third party's AML/CFT policies and procedures. In such circumstances, the third party will usually have an existing business relationship with the customer, which is independent of the relationship to be formed by the customer with the relying institution. The third-party reliance model is most commonly employed in the case of insurance brokers, who sell insurance products to consumers on behalf of multiple insurers and therefore typically maintain and apply their own AML/CFT policies and procedures.
• Under an outsourcing model, by contrast, insurers may engage a third-party service provider, such as an insurance agent or other intermediary, to apply some or all of the AML/CFT preventive measures described in this section on behalf of the delegating institution, following the insurer's AML/CFT policies and procedures. In an outsourcing scenario, the third party is subject to the delegating insurer's control regarding the effective implementation of those policies and procedures by the outsourcing entity. The outsourcing model is most commonly employed in the case of tied agents, who sell insurance products to consumers exclusively on behalf of a single insurer and therefore typically follow the insurer's AML/CFT policies and procedures.
Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures.
3.6.1. Third-Party Reliance
Insurers are permitted to rely on third-party LFIs to perform the elements of general CDD described in sections 3.3.1.1 through 3.3.1.3, provided the insurer relying on a third party:
• Immediately obtains the necessary CDD information concerning the elements described in sections 3.3.1.1 through 3.3.1.3;
• Takes adequate steps to satisfy itself that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay;
• Satisfies itself that the third party is regulated, supervised, or monitored for, and has measures in place for compliance with, CDD and recordkeeping requirements in line with FATF standards and local law and regulation; and
• Takes appropriate steps to identify, assess, and understand the ML/FT risks specific to the countries or jurisdictions in which the third party operates.
With respect to the second of these conditions, a best practice is for insurers to obtain a copy of the relevant CDD records or have direct access to the database where such information is held, in order to facilitate ongoing monitoring of the business relationship and, if applicable, the filing of STRs and for a complete assessment record in case of a change of intermediary servicing the policy.
Insurers are not permitted to rely on third parties to conduct ongoing monitoring of business relationships (described in section 3.3.1.4), although they may outsource such functions following the guidelines described immediately below.
3.6.2. Outsourcing
In an outsourcing or agency scenario, the outsourced entity applies CDD or other AML/CFT measures on behalf of the delegating insurer, in accordance with the insurer's internal policies and procedures, and is subject to the insurer's control of the effective implementation of those policies and procedures by the outsourced entity. When outsourcing a part of their AML/CFT function, including the distribution of products, an insurer should therefore include any outsourced entity in its own AML/CFT program and internal control processes, and should monitor such an entity for compliance with its internal AML/CFT policies and procedures. Outsourced entities should also be subject to the employee and agent screening and monitoring checks described immediately below.
3.7. Employee, Officer, Agent, and Broker Risk Management
Insurance operators should have in place screening procedures to ensure high standards when hiring employees, appointing officers, or engaging agents or brokers (including but not limited to outsourced entities, as described in section 3.6.2 above). Employee, officer, and agent or broker screening procedures should include:
• Background checks of employment history; and
• Screening against sanctions lists, ML/FT information sources, and internal watchlists.
In addition, insurance operators should conduct credit history checks on a risk basis. The operator should be aware of potential conflicts of interest for staff with AML/CFT responsibilities and should act to reduce or manage such conflicts of interest, for example by reallocating responsibilities or by instituting quality controls and "four-eyes" reviews of the conflicted employee's work.
Operators should also monitor on an ongoing basis for possible indicators of suspicious or illicit behavior by employees, such as:
• An employee whose lifestyle cannot be supported by his/her salary, which may indicate receipt of tips or bribes.
• An employee who is reluctant to take a vacation, which may indicate they have agreed or are being forced to provide services to customers in violation of the law or company policy.
• An employee who is associated with an unusually large number of transactions or a transaction in an unusually large amount, which may indicate they have agreed or are being forced to provide services to customers in violation of the law or company policy.
3.8. Training
As with all risks to which the operator is exposed, the AML/CFT training program should ensure that employees are aware of the risks facing the insurance sector for life insurance and other investment-related insurance products, familiar with the obligations of the operator, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the operator's risk and the nature of its operations, and should be clearly documented in the operator's AML/CFT compliance program and associated training policies, procedures, plans, materials, and attendance records.
3.9. Governance and Independent Audit
The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the operator faces and organized in accordance with the "three lines of defense" model. All three lines of defense must report up to and have the active support and oversight of the operator's senior management, defined broadly to include executives, senior leadership, and the Board of Directors.
Under the model, an operator's business units, sales or relationship managers, and other frontline personnel represent the units or functions that create risk and should therefore serve as the first line of defense against ML/FT and other forms of illicit activity. They should scrutinize customers and their related parties at onboarding and perform periodic and risk-based reviews to update customer information and the operator's understanding of the customer's risks.
The operator's AML/CFT compliance function, in turn, constitutes the second line of defense, supporting the frontline units' risk management activities through its system of internal controls and related monitoring, reporting, and risk assessment responsibilities. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer, located within the second line of defense, who understands the operator's risks and obligations and who has the resources and autonomy necessary to ensure that the operator's program is effective.
Finally, under Article 20.6 of the AML-CFT Decision, operators must be subject to independent testing by internal or external auditors, who represent the third line of defense by providing independent assurance to the Board and executive management on the effectiveness and adequacy of the operator's governance, risk management, and internal controls. Auditors should have sufficient expertise and understanding of ML/FT risks and requirements and should be fully independent of the activities and reporting structure of the functions subject to independent testing.
Additionally, as per Article 32 of the AML-CFT Decision, operators with overseas branches, subsidiaries, or other affiliates or legal entities must ensure that all entities within the affiliate network are subject to AML/CFT policies, procedures, and controls that are at least as stringent as those in place at the entity located in the UAE. Likewise, all entities within the affiliate network should be included in the operator's enterprise risk assessment and subject to AML/CFT independent testing and consolidated governance and oversight.
3.10. Record Keeping
According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, insurance operators must maintain detailed records of their ML/FT risk assessments and mitigation measures, as well as records, documents, data and statistics for all financial transactions; all records obtained through CDD measures for both originators and beneficiaries; account files and business correspondence; copies of personal identification documents; and STRs/SARs together with the results of any analysis performed. Operators should maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. Operators must make the records available to the competent authorities immediately upon request.
The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.