As required by Article 4.1 of the AML-CFT Decision, the enterprise risk assessment should reflect the presence of higher-risk customers, including hawala providers, in an LFI's customer base. These assessments should in turn be reflected in the LFI's inherent risk rating. In addition, the LFI's controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its hawala providers customers, including the preventive measures discussed below.

The LFI should assess the risk of each customer to identify those that require EDD and to support its entity risk assessment. As discussed in Part I section 3 above, the regulatory environment and illicit finance risks in the jurisdictions in which they do business, the products and services they provide and its customer base, are critical determinants of a hawala provider's inherent risk. In assessing the risks of a hawala provider customer, LFIs should consider:

Questions that an LFI may ask to determine the risk profile of a hawala provider customer include, but are not limited to:

In addition to risk rating hawala providers, LFIs should also consider the risks of specific transactions, especially high-value transactions, those involving high-risk jurisdictions, and those that represent departures from a customer's standard or expected behaviour.

Where the LFI determines a customer to be higher-risk, Article 4.2(b) of the AML-CFT Decision requires that the LFI apply EDD. Specific EDD steps are also required for hawala providers customers that are politically exposed persons, or are owned or controlled by a politically exposed person, or are based in a higher-risk jurisdiction.

Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers. Please see also the AML/CFT Guidelines for Financial Institutions for full information on customer identification. In particular, when verifying the Emirates ID card, LFIs must use the online validation gateway of the Federal Authority for Identity & Citizenship and keep a copy of the Emirates ID and its digital verification.

Hawala providers based in the UAE are required to have an active registration certificate issued by the CBUAE and a commercial trade license that includes Hawala Activity. In particular, when opening any accounts for hawala providers, LFIs must physically check the original hawala provider registration certificate issued by the CBUAE and keep a copy thereof. LFIs should not form business relationships or conduct transactions with hawala providers without an active registration certificate issued by the CBUAE (unregistered hawala providers). In addition, if an LFI determines that a customer or prospective customer has materially misrepresented itself or its business, it must not accept the customer, must exit the relationship if one has been established, should add the customer, its beneficial owners, directors and managers to its internal watchlists, and should file an STR with the FIU.

Where the hawala provider customers is a legal person, please consult the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements for details on the identification of beneficial owners.¹¹

¹¹ Available at https://www.centralbank.ae/en/cbuae-amlcft.

For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer's business. This element of CDD will have important implications for the customer risk rating. This is particularly true of the purpose of the account, which will likely be an essential determinant of risk for hawala provider customers. It is critical that LFIs have processes and controls in place to ensure that they are able to identify hawala customers. LFIs must ensure that they fully understand their customers' source of funds and the business in which they are engaged. In addition to interviewing the customer, requesting financial records, and reviewing invoices, LFIs should also search company databases and consider visiting the customer's business premises.

Underground hawala providers often try to evade detection by creating new companies and/or frequently switching to new financial institutions. In addition, even those that operate legally, may seek to misrepresent the purpose of the relationship in order to evade scrutiny and controls imposed by the LFI. It can be particularly difficult for an LFI to establish the bona fides and business activities of a newly established company, which is likely to not have any customers or inventory, especially when that company's line of business (e.g. import/export) is vague. LFIs should screen the names of new customer's beneficial owners, directors, and managers against its internal watchlists of customers previously exited by the LFI.

When a customer provides information indicating it is a hawala provider, LFIs must collect sufficient information during the CDD process to understand the full scope of the customer's business, including not only its provision of hawala services but also any other business activities in which the customer engages. LFIs should pay particular attention to the jurisdictions with which their hawala provider customers does business, and must understand whether their customer offers financial services to other hawala providers (e.g. participates in clearing networks or makes transfers on behalf of the customers of another provider who lacks a network in certain jurisdictions). Furthermore, LFIs must fully understand the intended use of the account and the expected activity on the account, to the extent that it can generally predict activity on the account and identify activity that does not fit the profile. This may be many small cash deposits followed by large cross-border transfers or volume of activity that does not fit the customer's business. They must also understand whether the hawala provider may be using the LFI's accounts to conduct business and to move funds on behalf of customers while attempting to conceal this activity from the LFI. Section 2.3.1 contains red flags for concealed activity.

All customers must be subject to ongoing monitoring throughout the business relationship to ensure that transactions are reasonable, and legitimate. Ongoing monitoring is particularly important in the context of business relationships with hawala providers, where the risks these relationships create for the LFI can change significantly based on the hawala provider's business activities. LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

In addition to a review of the customer's CDD file, the LFI should also review the customer's transactions to determine whether they continue to fit the customer's profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established. This type of transaction review is distinct from the ongoing transaction monitoring discussed in 2.3.1 below. The purpose of the review is to complement ongoing transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules. For example:

When customers are higher risk, including hawala provider customers, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as twice a year. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied for the customer. For example, LFIs should consider:

Where possible, transaction monitoring systems used to monitor activity in the accounts of the RHP should also be equipped to identify breaches of the permitted services by RHP listed in Part I section 4.1. The transaction monitoring system used by LFIs should also be equipped to identify RHP that are using the LFI's accounts to conduct their business and to move funds on behalf of customers while attempting to conceal this activity from the LFI. Red flags for concealed activity appear below. If an LFI's automated transaction monitoring system is not capable of alerting on these red flags, LFIs should have in place manual monitoring, such as management information systems that are capable of doing so. Frequent deposits by multiple individuals into a single bank account, followed by international wire transfers and /or international withdrawals through ATMs.

As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file an STR, or SAR or other report types with the FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE's effort to combat financial crime and protect the integrity of its financial system. STR filings are essential to assist concerned UAE authorities, such as law enforcement, in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system.

In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations:

Please see also the CBUAE's Guidance for LFIs on Suspicious Transaction Reporting for further information.