3 AML/CFT Program
As per Articles 4, 20, 21 and 26 of the AML-CFT Decision, RHP are required to establish and maintain effective AML/CFT compliance programs designed to prevent them from being misused to facilitate money laundering or terrorist financing (ML/TF). The program must be risk-based and appropriate to the risk of the RHP, taking into consideration its:
• Size; • Volume of transactions; • Types of remittances offered (personal only or personal and commercial); • Complexity; • The nature and volume of its Hawala Activity; • The nature of its customer base; and • The geographic areas in which it operates.
This means that where an RHP engages in higher-risk activities (as discussed below in section 3.2), or does a higher volume of business, it must have a more sophisticated AML/CFT program and employ more intensive measures to manage this risk. The section that follows discusses the mandatory minimum elements of an AML/CFT program under the legal and regulatory framework in the UAE as well as ways that RHP can make adjustments to respond to their risk. It is divided into four parts, as follows:
1. The AML/CFT Program and the Compliance Officer. This part discusses the content of the AML/CFT program and how it should be implemented by the RHP. 2. Understanding Risks. This section discusses how to identify the RHP's ML/TF risks so that the RHP can build an appropriate AML/CFT program. 3. Customer Due Diligence. This section discusses the mandatory procedures for identifying and understanding the RHP's customers and counterparties. 4. Record Keeping. This section discusses the records of activity that the RHP must maintain and provide to law enforcement authorities and counterparties.
3.1 The AML/CFT Program and the Compliance Officer
As per Article 21 of the AML-CFT Decision, each RHP must have a specific person, the Compliance Officer, who is responsible for day-to-day compliance with the legal and regulatory framework in the UAE and the management of the AML/CFT program. This person must be an employee, manager, or owner of the RHP. In large RHP, with multiple employees and substantial revenues from Hawala Activity, the CBUAE expects that the Compliance Officer will be a full-time position without any other responsibilities for managing the business. In small RHP, however, the CBUAE recognizes that the Compliance Officer is likely to have other responsibilities beyond management of the compliance program. If the RHP is owned and operated by a single person, that person will be the Compliance Officer.
The Compliance Officer is responsible for the following:
• Ensure full compliance with the legal and regulatory framework in the UAE and this Guidance. • Making sure that other employees of the RHP (where relevant) comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's own policies and procedures; and • Implementing the compliance program elements described in this Guidance, including conducting the risk assessment.
The RHP's AML/CFT compliance program must include all the measures discussed in the following sections as well as the following components:
• Provide education and training to appropriate personnel. RHP employees who participate in Hawala Activity must be trained to understand how to comply with the legal and regulatory framework in the UAE and this Guidance, and abide by the RHP's policies and procedures. It is not acceptable for an untrained employee to have responsibility for collecting or disbursing customer funds and initiating transactions. • Conduct a periodic audit of the AML/CFT program. RHP are required to arrange for a regular independent audit of their program by hiring an external qualified independent auditor approved by the CBUAE. Small RHP should be audited once every two or three years, while large RHP once every year. It is important to note that the audit must be independent; i.e. an RHP may not audit itself.
3.2 Understanding Risks
According to Article 16 of the AML-CFT Law and Article 4 of the AML-CFT Decision, RHP must identify, assess and understand the ML/TF risks to which they are exposed, and how they may be affected by those risks, in order to determine the nature and extent of AML/CFT resources necessary to mitigate and manage those risks. The sophistication of an RHP's risk assessment process depends on the RHP's size and operations. A large RHP is expected to produce an extensive risk assessment that complies fully with the standards outlined in the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof. This assessment may be done by an external consultant, but the RHP retains ultimate responsibility for its content and its compliance with the standard set in the Guidelines. The CBUAE recognizes, however, that a small RHP has limited services and resources. RHP of this type can follow the risk assessment process discussed below. All RHP must document their risk assessment, even if it is in the form of notes, to demonstrate that they have thoughtfully completed this process. They must be able to understand their findings and explain them if called upon to the CBUAE.
The Compliance Officer should begin the risk assessment process by carefully reading and understanding Parts I and II of this Guidance, which contain essential information about the risks faced by an RHP. The Compliance Officer should then consider the RHP's risk in the following risk categories. The discussion below does not cover every factor that increases or decreases risk and RHP should consider any other factors based on their knowledge and experience.
1. Customer Risk. This is the risk that your customers may be involved in ML/TF. By receiving money from a customer who is involved in illegal activities, the RHP itself can unwittingly become involved in those activities. Some examples of questions that RHP can use to assess customer risk include:
a. Are my customers mostly individuals, or do I have many customers that are legal persons? When you provide services to a company, you don't always know who you're really dealing with. So having many legal person customers may increase your risk.
b. Are my customers only sending remittances to family, or are they engaging in business? Business activities are generally considered to be higher risk for ML/TF because amounts are higher and it's harder for the RHP to understand the true purpose of the transaction.
2. Geographic Risk. Some countries are high risk for illicit activity, whether because they have a high volume of crime and terrorism, or because their financial sector doesn't have controls to prevent the movement of illicit funds. If an RHP operates in those countries, either because it has agents there or because it frequently sends or receives money there, then it is exposed to that risk. Questions an RHP can ask to assess its geographic risk include:
a. Do I regularly do business in or with countries that have an ongoing insurgency? Where terrorist attacks are frequent? These countries will be very high risk.
b. Do I regularly do business in or with countries listed on the FATF list of monitored jurisdictions?10
3. Products and Services Risk. RHP are permitted to offer only limited products and services (see Part I section 4.1 above). Within the group of permitted products, transfers connected to commercial activity are generally considered to be higher risk than those connected to personal remittances.
4. Delivery Channel Risk. The way an RHP delivers its products and services will also impact its risk, because some delivery channels make it difficult to understand and observe the customer. For example, if an RHP accepts orders for remittances via text message or phone call, or allows customers to initiate a transaction by giving money to an associate, who then delivers it to the RHP, this will make their activities higher risk.
Based on the considerations above, RHP should give themselves an overall score of Low, Medium, or High risk. RHP should complete the risk assessment process at least once a year. RHP should understand their risk assessment, its findings, and what it means for their business. They should consider their risk assessment when designing and implementing their AML/CFT program. Where they assess themselves as higher risk, they should take additional precautions.
10 The FATF list can be found at https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/?hf=10&b=0&s=desc(fatf_releasedate).
3.3 Customer Due Diligence
Customer due diligence (''CDD'') is the process by which an RHP identifies and understands its customer. CDD is required by Article 5 of the AML-CFT Decision and is essential to protecting the RHP from abuse, and to deterring and detecting ML/TF schemes. In specific cases outlined below, and whenever the RHP believes that higher risks are present, the RHP must perform Enhanced Due Diligence (''EDD''). EDD involves more intensive measures to discover information about the customer.
The RHP must perform Customer Identification Diligence (''CID''), CDD or EDD prior to conducting each and every transaction, even if the customer is a repeat customer (see sections 3.3.1 to 3.3.4 below for their details). An RHP must not conduct a transaction if the appropriate diligence has not been performed or completed.
When to Use CID, CDD and EDD Transaction What is Required A natural person sends or receives a transfer between AED 1 and AED 3,499 CID, unless higher risks are present, in which case CDD & EDD as well. A natural person sends or receives a transfer of between AED 3,500 to AED.54,999 CDD, unless higher risks are present, in which case EDD as well. A natural person sends or receives a transfer of AED 55,000 or greater. CDD and EDD A natural person from a high-risk jurisdiction sends or receives a transfer of any value. CDD and EDD A natural person who is a politically exposed person sends or receives a transfer of any value. CDD and EDD A legal person sends or receives a transfer of any value. CDD and EDD 3.3.1 Customer Identification Diligence
The CID process must be applied for a natural person who sends or receives a transfer between AED 1 and AED 3,499. The CID process is the verification of the original identification documents of the customer who is a natural person and the systematic recording of basic customer information in the point of sale system without the need to retain copies of the identification documents. The customer's full name, address, mobile number, nationality, date of birth, ID type (Emirates ID, or passport number when Emirates ID is not available) and ID number must be recorded in the point of sale system and printed on receipts.
3.3.2 Customer Due Diligence for Natural Persons
Article 4 of Circular No. 24/2019 requires RHP to identify and verify the identity of their customers, including remitters and beneficiaries, by using Emirates ID, or passport when Emirates ID is not available. RHP must collect at least the following information for each customer:
• Name, • Emirates ID number or passport number when Emirates ID is not available; • Date of birth and nationality; • Address; • Mobile number; • Occupation; and • The name of the person from whom the customer is receiving money, or the person to whom the customer is sending money and their country.
This information must be printed on customer receipts. RHP must record this information and store it in their files for five years. RHP must also take a clear photo or photocopy of the customer's identification document and retain it for five years.
The CDD process should also be applied when it appears that a natural person may be deliberately splitting up a larger transfer to evade the CDD requirement (for example by repeatedly once in a week transfer value below AED 3,500 per transaction).
Using this information, as discussed in Part II section 1 above on sanctions obligations, RHP should screen their customers, including the sender/beneficiary as appropriate, and the transaction against the UN Consolidated List and the Local UAE Terrorist List. Screening must be performed before carrying out any transaction for the customer. If there is a match, the RHP should carefully consider whether the other data collected (date of birth, country of birth) match the information available for the listed person in question. The RHP may continue with the transaction only if it is confident that its customer or the person on the other end of the transaction is not a listed person. In addition, if the RHP discovers that any party to the transaction is listed on the UN Consolidated List and the Local Terrorist List, it must not return the customer's funds or provide the customer with funds that have been sent to him, but must instead freeze the funds.
Furthemore, RHP should obtain a clear understanding of the intended purpose and nature of the transaction and ensure that it does not breach the permitted services by RHP listed in Part I section 4 above. RHP should consider whether it is consistent with what they know about the customer. Some examples of transactions that may require further investigation include:
• A customer who says he works as a labourer wishes to transfer a sum that is greater than the average yearly income for someone in his position.
• A customer visits the RHP on a regular basis and makes small or moderate-sized transfers, but the sum of the amounts he transfers over the course of the year is greater than the yearly income for someone in his position.
• A customer says that he has no occupation, but continues to make transfers or transfers a large sum.
• A customer who is from country A states that he is sending funds to a family member, but the beneficiary is located in country B.
• A customer from country A makes regular transfers to people he says are family members in that country, but they appear to live in different regions of country A and their relationship to the customer is not clear.
These transactions are not necessarily illicit, but they suggest that the RHP needs to collect additional information. For example, a customer may actually be acting on behalf of a business. In that case, the RHP's customer is actually the business, and it must perform CDD on the business as described in section 3.3.3 below. If the RHP has any additional concerns, it should follow the EDD procedures discussed in section 3.3.4 below.
RHP must cease and reject any transaction if they cannot collect any of the information required above, or if they cannot comply with any of the above requirements.
3.3.3 Customer Due Diligence for Legal Persons
When a legal person like a company uses an RHP to conduct a transaction, the RHP's customer is the company itself, not the individual representing the company. A legal person conducts a transaction when the funds involved belong to the legal person, and when the transaction is made as part of carrying out the legal person's business. If the customer is a legal person, it must be registered and based in the UAE to carry out transactions through a RHP. Legal persons such as companies, bodies corporate, foundations, partnerships, or associations, along with similar entities do not have bio-data like individuals and can transact under their own names while being controlled by other individuals. This means that they require specific CDD procedures. As per Articles 8 and 9 of the AML-CFT Decision RHP must perform the following actions for a legal person customer:
1. Collecting and recording the following information about the legal person customer: a. The legal person's name; b. The legal person's legal form (e.g., limited liability company); c. The address of the legal person's main office or headquarters; d. The legal person's trade license; and e. The name of the legal person's senior managing official. 2. Conducting CDD as described in section 3.3.2 above on the individual representing the customer (the individual who is directly ordering the transaction). 3. Determining that the representative is authorized to conduct the transaction via a valid authorization, such as the trade license and/or a letter from the legal person customer's management on its letterhead. 4. Identifying and verifying the identity of the customer's beneficial owners. a. Beneficial owners are the individuals who own and control the legal person. In many cases, the managing director or other similar top official will also be the beneficial owner, but not always. b. RHP must identify every individual who owns 25% or more of the legal person customer. They must collect their names, and then perform CDD on them as required by section 3.3.2 above. c. RHP can collect the names of beneficial owners, and thus determine who to perform CDD on, by asking the customer's representative. If they are concerned about the information provided by the representative, they should ask for documentation to prove ownership. d. If no individual owns 25% of the legal person customer, RHP must identify, and conduct CDD on the individual who is the customer's senior managing official. e. Beneficial owners cannot be other legal persons. If a legal person customer is owned by other legal persons, the RHP must understand their ownership as well until it identifies all individuals owning at least 25% of its customer. 5. Understanding the customer's ownership and control structure. The RHP must understand who owns the customer, who exercises control over it and how. 6. Understanding the nature of the customer business. The RHP must understand what sort of business the customer engages in and how the customer makes its money. If the customer's business doesn't make sense, or if the customer has no apparent business activities, that calls into question whether the funds involved in the transaction actually came from legitimate business activities. • Conducting sanctions screening on all related parties. The RHP must at least screen the following names against sanctions lists: a. The name of the legal person customer; b. The name of the customer's representative; c. The name of the beneficial owner(s); d. The name of the customer's senior managing official; and e. The customer's address.
As with CDD for natural persons, RHP must take a clear, readable photo or photocopy of documents obtained from the customer during CDD, and must retain those documents for five years after the transaction.
3.3.4 Enhanced Due Diligence
Sometimes CDD alone as described above is not sufficient to fully understand a customer. In addition, for certain customers, an extra level of due diligence is required. In those cases, the RHP must perform EDD in the following circumstances:
1. The customer is a legal person. In these cases, the RHP must perform all the steps listed in section 3.3.3 above, plus additional due diligence as described here.
2. The customer is a natural person carrying out a transfer worth AED 55,000 or above. In those cases, the RHP must perform all the steps listed in section 3.3.2 above, plus additional due diligence as described in this section below.
3. The customer is a politically exposed person. During CDD, the RHP must collect information regarding the occupation of a natural person customer, and the beneficial owners of a legal person customer. If the customer, or the beneficial owners of a legal person customer, indicates that he or she is a government official with any government, the RHP must ask additional questions to understand that individual's rank and status. If the individual holds a high-ranking position in any government, then EDD is required for the customer. This is to make sure that the funds involved are not related to corruption or abuse of the customer's position.
4. The customer is from, or is sending a remittance to, a high-risk jurisdiction. As discussed in section 3.2 above, high-risk jurisdictions are those with a higher risk of ML/TF.
RHP should consider performing EDD when there are other high risks associated with the transaction, such as concerns about the customer's behaviour or about the source of the funds involved in the transaction.
When performing EDD, RHP must follow the following mandatory steps:
• Seek approval from the manager of the RHP to carry out the transaction. If the RHP is owned and operated by a single person, this step is not necessary. • Collect additional information to understand the source of funds involved in the transaction and the customer's overall source of funds (i.e. source of wealth). For instance, the RHP may ask for a pay slip to verify the customer's income. • Collect additional information about the customer's business. For example, if a transaction is linked to the sale of goods, the RHP may request to see the invoice.
3.3.5 Agent Due Diligence
RHP may use agents in a foreign country to carry out activity on their behalf in that foreign country. This generally entails the corresponding agent in the foreign country executing payments on instructions from the RHP, or the agent sending instructions to the RHP to execute payments domestically. It should be noted that RHP are not permitted to use agents to carry out activity on their behalf in the UAE (as they are required by Circular No. 24/2019 to manage their business personally and never assign such task to another person, also known as ''nesting''.)
RHP are exposed to risks when their agents engage in transactions that create risks for ML or TF. RHP must identify and assess the ML/TF risks they may be exposed to from the use of agents to provide activity on their behalf in a foreign country. RHP should ensure that they understand who their agents are, and that they are not breaching any applicable AML/CFT laws and regulations. In order to reduce their exposure to ML/TF risks, RHP are required to perform appropriate due diligence on their agents, to ensure they thoroughly know their agents and monitor their transactions to ensure that they are legitimate. The required elements of due diligence on agents are as follows:
• When entering into a business relationship with an agent, as a first step, the RHP should identify and verify the identity of the agent, using reliable, independent source documents, data or information. • RHP should also identify and take reasonable measures to verify the identity of the beneficial owner(s) and understand the ownership and control structure of the agent, such that the RHP is satisfied that it knows the beneficial owner(s) and that the agent is not a shell bank. • RHP should gather sufficient information to understand the purpose and intended nature of the business relationship, which includes understanding what types of customers the agent intends to service through the business relationship, how it will offer services, the transaction volume and value, and the extent to which any of these are assessed as high risk. • RHP should also gather sufficient information and determine from publicly available information the reputation of the agent, including whether it has been subject to a ML/TF investigation or regulatory action. In addition, RHP should ensure that the agent has proper AML/CFT controls. • RHP should conduct ongoing due diligence of the business relationship, including periodical reviews of the CDD information on the agent, and ongoing monitoring to detect any changes in the agents' activity pattern that may indicate unusual activity.
RHP should keep up-to-date agent lists and retain them for a period of five years. RHP must provide the CBUAE current lists of their agents and the countries in which they operate. In addition, RHP should make current lists of their agents available to the relevant authorities within the country in which they operate. RHP should ensure that their agents fully adhere to the procedures of record keeping as described in this Guidance and that they make those records available to the RHP immediately upon request.
3.4 Record Keeping
Under Article 16 of AML-CFT Law and Article 24 of the AML-CFT Decision, RHP, as remittance providers, have very important obligations relating to the records they maintain about the remittances they execute.
3.4.1 Record Keeping Related to Remittances
1. Sending a Remittance
When the RHP's customer is the person originating a transaction, the RHP must collect the following information through the CID and CDD process:
• The sending customer's name; • His or her Emirates ID, or passport number when Emirates ID is not available; • His or her date and nationality; • His or her address; • Mobile number; • Occupation; and • The name of the beneficiary of the transaction and the country it is sent to.
The RHP must assign the transaction a unique ID number that allows the RHP to quickly identify and track the transaction. The RHP must provide all of this information to the hawala provider at the other end of the transaction and keep the relevant record. The RHP must not carry out the transaction if it has not supplied this information.
2. Receiving a Remittance
When the RHP's customer is the person receiving the remittance, the RHP must conduct CDD on the beneficiary and make sure that its customer's information matches that of the beneficiary identified in the information provided by the Originating Hawala Provider and keep the relevant record. The information must include:
• The receiving customer's name; • His or her Emirates ID, or passport number when Emirates ID is not available; • His or her date and nationality; • His or her address; • Mobile number; • Occupation; and • The name of the sender of the transaction and the country it is sent from.
The RHP's partners and agents outside the UAE should comply with the requirements under ``Sending a Remittance'' above even though they are not subject to UAE laws. If a RHP receives a transaction order from a hawala provider outside the UAE that does not contain the information required under ``Sending a Remittance'' above, it cannot perform required sanctions screening or identify whether the transaction is suspicious and needs to be reported to the FIU. Therefore, the RHP should require its agent or counterpart to provide the information listed before it releases the funds to the beneficiary.
3.4.2 Other Types of Record Keeping
According to the AML-CFT Law and the AML-CFT Decision, RHP must keep all records obtained through the CDD process; copies of personal identification documents provided during CDD; and copies of Suspicious Transaction Reports (STR) filed with the FIU. Under Article 4 of Circular No. 24/2019, RHP are required to have forms in which the customers fills in the necessary information to originate the transaction; RHP must retain these forms as well.
RHP must also maintain records of transactions. These records must be sufficiently detailed to allow authorities to reconstruct and understand the transaction. They must at least include the names of the sender and beneficiary, the date of the transaction, and the amount of the transaction, and be organized in such a way so that the RHP and authorities can easily find the records they need for a specific transaction.
RHP must make the records described here, or any other records, available to the competent authorities immediately upon request. All the records described in this section must be kept for at least five (5) years, from the date of completion of the transaction, or for longer if directed by the CBUAE or other authority.