2. Identification of Suspicious Transactions
2.1. Role of the First Line of Defense
Employees within the first line of defense (e.g., relationship managers, business executives, and back-office operations functions) should understand the AML/CFT risks posed to the business in which they work. First line of defense employees are central to the management of customer and third-party risk and the timely escalation of potentially suspicious activity. LFIs should not rely solely on transaction monitoring systems to identify unusual and potentially suspicious activity in their customer population. First line of defense employees play a critical role in the detection and prevention of money laundering and the financing of terrorism and illegal organisations. Appropriately trained employees are in fact well-placed to identify suspicious transactions and assess whether information once deemed reasonable—collected through interactions with a customer—now appears suspicious. They should therefore be trained regarding potential risk and risk mitigation and reporting within their business area. Employees should understand the regulatory requirements within the scope of their role; red flags associated with their customers, products, services, delivery channels, and geographies; and the appropriate escalation procedure both to their management and to the second line of defense without compromising their responsibility to report suspicious transactions.
2.2. Role of the Second Line of Defense
The second line of defense (e.g., compliance employees) provides policy advice, guidance, assurance, oversight, and challenge to the first line of defense. While employees in Financial Crime Operations Units (possibly in the first line of defense) can investigate suspicious transactions and document the resultant investigation, the ultimate filing of the STR or SAR must be made by the Compliance Officer or the MLRO (in the second line of defense). To this end, the second line of defense is charged with overseeing the investigations programme comprised of both automated and manual monitoring processes. The second line of defense is also charged with monitoring risks facing the LFI, such as noncompliance with UAE laws and regulations, and reporting directly to senior management on the LFI’s risk exposure, including through financial crime-related metrics. Specifically, the second line of defense and first line of defense (as applicable) should generate financial crime-related metrics (e.g., STRs or SARs filed, alert backlogs) to provide senior management with an adequate overview of the LFI’s compliance program, including the timeliness and quality of the LFI’s handling and resolution of transaction monitoring alerts and the STR or SAR filing process. The second line of defense should retain records of all information relating to transaction monitoring and suspicious activity reporting for a period of no less than five (5) years as provided in Article 24 of the AML-CFT Decision.
2.2.1. Role of the Compliance Officer / MLRO
According to Article 21 of the AML-CFT Decision, LFIs are required to appoint a Compliance Officer with the appropriate competencies and experience to perform the necessary tasks to:
• Detect transactions relating to any crime as defined in Article 1 of the AML-CFT Decision.
• Review, scrutinize, and study records; receive data concerning suspicious transactions; and make decisions to either notify the FIU or maintain the transaction with a documented rationale for maintaining the transaction while upholding confidentiality requirements.
• Review the internal rules and procedures relating to combating the crime and their consistency with relevant laws and regulations; assess the extent to which the LFI is committed to the application of these rules and procedures; propose what is needed to update and develop these rules and procedures; prepare and submit semi-annual reports on these points to senior management; and send a copy of that report to the relevant supervisory authority with senior management remarks and decisions.
• Prepare, execute, and document ongoing training and development programs and plans for the LFI’s employees on money laundering and the financing of terrorism and financing of illegal organisations, and the means to combat them.
• Collaborate with the supervisory authority and FIU, provide them with all requested data, and allow their authorized employees to view the necessary records and documents that will allow them to perform their duties.
According to CBUAE’s Guidelines, the Compliance Officer is the LFI’s money laundering reporting officer (“MLRO”) charged with reviewing, scrutinizing, and reporting STRs and other reports pertaining to suspicious activity. In this capacity, the Compliance Officer or MLRO is ultimately responsible for the detection of transactions related to money laundering and financing of terrorism and illegal organisations; for reporting suspicions to the FIU; implementing the appropriate actions following an STR, SAR, or other report filing (e.g., ensuring the STR or SAR subject is input into the relevant list for close monitoring or internal watchlists/blacklists; changing the customer risk rating; etc.); and for cooperating with the relevant authorities on AML/CFT matters. The Compliance Officer or MLRO is ultimately responsible to ensure that an appropriate programme exists in the LFI and that the LFI effectively deploys a risk-based approach to detect and report suspicious activity.
The Compliance Officer or MLRO should also act as the primary point of contact with law enforcement agencies for their requests and investigations. The Compliance Officer or MLRO is responsible for liaising with regulators and external bodies on financial crime issues in order to share knowledge, report cases, develop best practices, and where possible, to improve coordination within the financial sector.
2.3. Role of the Third Line of Defense
The independent testing function is responsible for evaluating the design and operational effectiveness of an LFI’s compliance program controls, including technical compliance with AML/CFT policies and procedures. This function serves as a “third line of defense” to identify gaps, deficiencies, and weaknesses in operational controls owned or overseen by an LFI’s business, operations, and compliance functions. Independent testing should be conducted by an internal audit department, outside auditors, consultants, and/or other qualified, independent third parties. At a minimum, employees responsible for conducting independent testing should not be involved in the function being tested or in other AML/CFT functions that could compromise their independence. Risk-based auditing assists an LFI’s Board of Directors and senior management in identifying areas of weakness, prioritizing those areas for remediation, and ensuring the provision of adequate resources, oversight, and training for affected employees.
2.4. Purpose of Transaction Monitoring
The purpose of transaction monitoring is the ongoing, retrospective monitoring of customers’ and prospective customers’ transactions or activity to identify activity anomalous from normal behavior. This may, on further investigation, generate knowledge or reasonable suspicion of financial crime and thereby require reporting to the appropriate law enforcement and/or regulatory authority as an STR, SAR, or equivalent local report in line with AML/CFT regulatory and/or UAE FIU reporting requirements. LFIs may choose to use a combination of automated transaction monitoring scenarios and exception-based (manual) transaction reports to monitor for potentially suspicious activity. The aim of the alert review process is to identify and respond to potential indicators of money laundering, associated predicate offenses, financing of terrorism and illegal organisations, financing of proliferation, and any potentially unusual activity that does not align to a customer’s or account’s profile, including by deploying a risk-based approach. An LFI’s transaction monitoring systems and manual processes should be reviewed, assessed, and revised periodically—at least annually—and otherwise as appropriate, justified by the required circumstances. Additionally, this review should include both an evaluation of transaction monitoring system thresholds and a fine tuning of the LFI’s transaction monitoring system as well as an evaluation of its effectiveness. The individuals responsible for the review should have a proper understanding of the LFI’s framework, including the LFI’s business and customer base, to generate a meaningful output.
2.5. Internal Organization
In order for an LFI’s transaction monitoring and suspicious activity reporting program to be effective, it must be based on the foundation of a sound governance structure. Namely, an LFI’s internal organization is important to appropriately identifying unusual or potentially suspicious activity. Internal organization comprises an LFI’s policies, procedures, and processes designed to oversee and manage risks and to achieve compliance with UAE AML/CFT laws and regulations. In particular, an LFI’s internal organization addresses the core organizational elements of an LFI’s compliance program: governance and management oversight; policies and procedures; clear lines of responsibility and reporting; and ongoing training to account for changes in the UAE’s legislative and regulatory frameworks.
• Governance and Management Oversight: Governance and management oversight helps to ensure that an LFI’s compliance program is appropriately funded, staffed, and equipped with the requisite technology, including to identify and report suspicious activity. An LFI’s Board of Directors also ensures that the compliance program has an appropriately prominent status within the organization and is operationally independent. In this capacity, senior management, inclusive of the Compliance Officer, within a compliance program should have the appropriate authority; independence; access to employees and information within the organization; and appropriate resources to conduct their activities—including the identification and reporting of suspicious activity—effectively. The compliance program should have access to the Board of Directors or a designated board committee to raise any issues or risks; report on the status of ongoing compliance; and escalate any other pertinent AML/CFT-related information.
• As part of an LFI’s risk management framework, senior management and an LFI’s Board of Directors should oversee the design, implementation, and maintenance of a transaction monitoring and suspicious activity reporting program based on an LFI’s AML/CFT risks and in accordance with all applicable laws and regulations. Senior management should likewise oversee a vendor selection process (as applicable) if a third-party vendor is used to acquire, install, implement, or test a transaction monitoring program or any aspect of identifying and reporting suspicious activity, among other responsibilities. The Compliance Officer (or MLRO) shall periodically update the Board of Directors (or a committee of the Board) on the overall capability framework (which includes the technology and process aspects of suspicious activity identification, investigation, and reporting).
• Policies and Procedures: An LFI should have policies and procedures that govern changes to its transaction monitoring program and ensure that changes are defined, managed, controlled, reported, and audited. Namely, LFIs should have governance protocols surrounding the design and implementation of new detection scenarios; periodic assessment and validation of existing detection scenarios; and retiring of detection scenarios. In addition, an LFI should develop a procedure for the investigation and processing of transaction monitoring alerts in order to file an STR, SAR, or other report type promptly and qualitatively. These policies and procedures should cover the key processes for drafting and filing an STR, SAR, or other report type and other regulatory reports. More broadly, policies and procedures work to manage key AML/CFT risks and create processes for adherence across an LFI.
• Clear Lines of Responsibility and Reporting: In relation to suspicious transactions, an LFI should have clear roles, responsibilities, and reporting lines, including reporting and escalations to the Board of Directors and senior management. These roles, responsibilities, and reporting lines should be clearly documented across all three lines of defense. Clear lines of responsibility help with effectively identifying and reporting suspicious activity in a timely manner while ensuring that there is appropriate and effective oversight of employees who engage in activities which may pose greater AML/CFT risk. LFIs should also have a mechanism to inform senior management and the Board of Directors (or a committee of the Board) of compliance initiatives, compliance deficiencies, STRs or SARs (or other reports) filed, and corrective actions taken.
• Ongoing Training: Training should be provided on an ongoing basis to an LFI’s employees and should include changes to the UAE’s legislative and regulatory frameworks; internal policies or procedures; and understanding of evolving risk issues with respect to an LFI’s transaction monitoring and suspicious activity reporting program. Training topics can include, but are not limited to, thematic analysis of STRs or SARs; regulatory requirements and best practices related to STR or SAR reporting; noteworthy STRs or SARs (or other reports) filed during the prior quarter; and controls related to emerging financial crime risks. Training should be customized to include any other internal data that would be beneficial to both the first line and second line of defense.
2.5.1. Considerations for Institutions with Foreign Branches and Subsidiaries
For LFIs operating in an international context, FATF Recommendation 18 recommends that financial groups be required to implement group-wide AML/CFT programs applicable to foreign branches and majority-owned subsidiaries. Recent major enforcement actions taken by supervisors in key jurisdictions have highlighted the need to ensure that systems and controls are aligned across a financial group and that foreign branches and majority-owned subsidiaries align AML/CFT measures with a financial group’s home country requirements. As a result, LFIs have implemented global AML/CFT policies that outline a group risk appetite and are managed in each jurisdiction to align to local regulatory or legislative requirements. To support alignment of controls, LFIs operating across jurisdictions may seek to leverage the same control solutions for key processes, such as customer screening or transaction monitoring, though there may be different rules for different jurisdictions. For example, if the LFI operates in an economy which is known to be more cash-based than another, the cash trigger rules in transaction monitoring may vary appropriately. Centralized controls with operational centers of excellence also provide a means of ensuring alignment across the group around systems and controls.
2.6. Transaction Monitoring Methods
The five key components to an effective transaction monitoring and reporting system are: (i) identification of unusual or suspicious activity; (ii) managing alerts with an alert risk scoring model; (iii) STR or SAR decision making; (iv) STR or SAR completion and filing; and (v) monitoring and STR or SAR filing on continuing activity. To effectively identify unusual or potentially suspicious activity, LFIs should first maintain a transaction monitoring program based on an underlying AML/CFT risk-based assessment. The transaction monitoring program should take into account the AML/CFT risks of the LFI’s customers, prospective customers, counterparties, businesses, products, services, delivery channels, and geographic markets in addition to helping prioritize high-risk alerts. However, the sophistication of monitoring systems can differ based on an LFI’s AML/CFT risks. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or a combination of these. Overall, LFIs must adopt monitoring processes and procedures to monitor customer activity that are commensurate with the size and nature of the line of business and the money laundering and the financing of terrorism and illegal organisations’ risks posed by their relevant customer base. The monitoring system and/or manual processes must reasonably demonstrate that transactions that carry the highest risk of money laundering and financing of terrorism and illegal organisations are subject to enhanced scrutiny.
As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high-risk, LFIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low-risk, LFIs may consider monitoring and reviewing transactions at a reduced frequency.
Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:
• Threshold-based rules, in which transactions above certain pre-determined values, numerical volumes, or aggregate amounts are examined;
• Transaction-based rules, in which the transactions of a certain type are examined;
• Location-based rules, in which the transactions involving a specific location (either as origin or destination) are examined; and
• Customer-based rules, in which the transactions of particular customers are examined.
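The four rule types listed above, sketched as an added example that is not part of the guidance itself. All limits, the window length, the country code XX, and the customer and transaction identifiers are constructed assumptions, not regulatory values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    when: datetime
    amount: float
    kind: str      # transaction type, e.g. "cash_deposit"
    country: str   # counterparty location (origin or destination)


# Constructed parameters for illustration only (assumptions).
SINGLE_LIMIT = 50_000              # threshold rule: single transaction value
AGG_LIMIT = 50_000                 # threshold rule: aggregate amount
AGG_WINDOW = timedelta(days=3)     # look-back window for the aggregate
WATCHED_KINDS = {"cash_deposit"}   # transaction-based rule
WATCHED_COUNTRIES = {"XX"}         # location-based rule (placeholder code)
WATCHED_CUSTOMERS = {"C-HIGH-1"}   # customer-based rule (e.g. high-risk list)


def evaluate(txns):
    """Return {txn_id: sorted rule names that fired} for flagged transactions."""
    hits = defaultdict(set)
    windows = defaultdict(list)  # per-customer sliding window of recent txns
    for t in sorted(txns, key=lambda x: x.when):
        if t.amount >= SINGLE_LIMIT:
            hits[t.txn_id].add("threshold:single")
        if t.kind in WATCHED_KINDS:
            hits[t.txn_id].add(f"type:{t.kind}")
        if t.country in WATCHED_COUNTRIES:
            hits[t.txn_id].add(f"location:{t.country}")
        if t.customer in WATCHED_CUSTOMERS:
            hits[t.txn_id].add("customer:watchlist")

        # Aggregate threshold: several transactions, each under the single
        # limit, that together reach AGG_LIMIT within AGG_WINDOW.
        window = windows[t.customer]
        window.append(t)
        while t.when - window[0].when > AGG_WINDOW:
            window.pop(0)
        if len(window) > 1 and sum(x.amount for x in window) >= AGG_LIMIT:
            for x in window:
                hits[x.txn_id].add("threshold:aggregate")
    return {txn_id: sorted(rules) for txn_id, rules in hits.items()}


# Constructed sample transactions.
SAMPLE = [
    Txn("T1", "C-100", datetime(2024, 1, 1, 10), 20_000, "cash_deposit", "AE"),
    Txn("T2", "C-100", datetime(2024, 1, 2, 10), 18_000, "cash_deposit", "AE"),
    Txn("T3", "C-100", datetime(2024, 1, 3, 10), 15_000, "cash_deposit", "AE"),
    Txn("T4", "C-200", datetime(2024, 1, 2, 9), 60_000, "wire_out", "AE"),
    Txn("T5", "C-300", datetime(2024, 1, 2, 11), 500, "wire_out", "XX"),
    Txn("T6", "C-HIGH-1", datetime(2024, 1, 2, 12), 100, "card_payment", "AE"),
    Txn("T7", "C-400", datetime(2024, 1, 2, 13), 1_000, "card_payment", "AE"),
]

if __name__ == "__main__":
    for txn_id, rules in sorted(evaluate(SAMPLE).items()):
        print(txn_id, rules)
```

T1 to T3 each stay below the single-transaction limit and are flagged only because the per-customer window sums them, which is why the threshold rule above names aggregate amounts alongside single values.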
2.6.1. Manual Monitoring
An LFI may seek to utilize a manual transaction monitoring system, which typically targets specific categories of transactions (e.g., those involving large amounts of cash, those to or from certain geographies) and includes a manual review of various reports generated by the LFI’s systems in order to identify unusual activity. The type and frequency of reviews and resulting reports used should be commensurate with the LFI’s AML/CFT risk profile—including the nature, size, and complexity of its operations—and properly cover customers, counterparties, businesses, products, services, delivery channels, and geographic markets. System-generated reports typically use a certain currency threshold to detect unusual activity. An LFI’s responsible senior employee should periodically evaluate the appropriateness of filtering criteria and thresholds used in the monitoring process and periodically apprise Senior Management and, where required, notify the Board of Directors (as part of periodic updates) of the appropriateness of the design of manual monitoring reports. LFIs should be alert to the fact that complex and evolving financial crime risks can undermine the effectiveness of manual monitoring systems, and therefore, manual monitoring systems should also be independently reviewed for reasonable filtering criteria.
2.6.2. Automated Transaction Monitoring
Automated transaction monitoring systems can cover multiple types of transactions and use different rules to identify potentially suspicious activity. In addition, many systems can adapt over time based on historical activity, trends, or internal peer comparison. After parameters and filters have been developed, they should be reviewed before implementation to identify any gaps in coverage to address potential financial crime schemes that may not have been addressed. LFIs should also seek to have appropriate case management systems so that such funds or transactions are scrutinized in a timely manner and a determination is made as to whether the funds or transaction are suspicious.
Once established, the LFI should review and test system capabilities and thresholds on a periodic basis, commensurate to its risk profile. This review should focus on specific parameters or filters in order to ensure that intended information is accurately captured, and that the parameter or filter is appropriate for the LFI’s particular risk profile, including the applicability of the detection scenarios, underlying rules, threshold values, and assumptions used. An LFI should also aim to review its transaction monitoring program at least annually to account for changes in the LFI’s internal procedures; local laws and regulations; and best practices.
Relatedly, the authorization to establish or alter expected activity profiles should be clearly defined through policies and procedures. An LFI’s internal controls should ensure limited access to the monitoring systems, and changes should require the approval of the Compliance Officer, MLRO, or senior management. The LFI should implement a robust end-to-end, pre- and post-implementation testing procedure of its transaction monitoring program with documentation detailing current detection scenarios and the underlying assumptions, parameters, and thresholds applied.
Employees appointed by the LFI should also be responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the transaction monitoring program, which may extend to assessing the timely review and decision-making of generated alerts and potential STR or SAR filings. Such employees should be responsible for independently validating the programming methodology and effectiveness of an LFI’s transaction monitoring system to ensure that the LFI’s automated transaction monitoring system is effectively detecting potentially suspicious activity. These appointed employees should also ensure that customer segments, customer types, and transactions/transaction codes are mapped into the transaction monitoring system, and that the transaction monitoring system is integrated with the LFI’s core banking and other relevant systems. Independent validation of an LFI’s policies should also take place, with the aim of assessing whether employees are adhering to these policies. This is especially important to validate the proper use of automated tools and to ensure that the application of information technology instruments or algorithms—often leveraged by LFIs to reduce the number of false positives in their transaction monitoring programs—is not inadvertently suppressing instances of reportable suspicious activity. Where appropriate, the LFI, in lieu of maintaining full-time employees to perform the aforementioned functions, may hire qualified specialist consultants or external vendors to provide such review services.
2.6.3. Intelligence-led Transaction Monitoring Approach
LFIs have begun to invest in forming and developing their own intelligence units or capabilities. By establishing such units or capabilities, LFIs seek to maximize the use of data and information available both internally—within the LFI—and externally—across jurisdictions and businesses—in order to tackle money laundering, the financing of terrorism and illegal organisations, and fraud schemes, as well as to consolidate analytical capacity and remove any jurisdictional and business silos. This has led some LFIs to shift from a pure transaction-level monitoring approach towards adopting a “customer-level” or “network” monitoring approach. Under this approach, previous investigations can be applied to inform and refine risk models, which can then be used to customize monitoring for different business lines and customer types. These enhancements are focused on looking beyond single transactions or single customers to identify the wider network in which a customer operates—looking at the customer as an entity—enabling LFIs to manage networks of accounts and report on these networks, which, in turn, increases opportunities to disrupt that network. This model moves reporting away from reports of single suspicious transactions towards suspicious entities and networks with a view on how the funds flow between them.