  • 3.2 Customer Due Diligence and Enhanced Due Diligence

    CDD, and where necessary EDD, are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. As discussed below, each stage of the CDD process gives LFIs an opportunity to collect the information they need to identify and manage the specific risks of higher-risk customers.

    The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Where an LFI cannot satisfy itself that it understands a customer, then it should not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report (STR), as discussed in section 3.3 below.

    Under Article (5) of AML-CFT Decision, LFIs must conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a Customer with whom there is no business relationship. Although Article 5 permits CDD to be delayed in circumstances of lower risk, the higher risk of the DPMS and real estate sectors makes it very unlikely that delayed CDD will be appropriate in the context of onboarding such customers.

    LFIs should consult the UAE legal and regulatory framework currently in force for a full discussion of their CDD obligations and of the CBUAE's expectations for CDD procedures.

    • 3.2.1 Overarching common requirements

      The following elements of CDD should be carried out for all customers, no matter the customer type.

      • 3.2.1.1 Customer Identification and verification

        Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers.

        In most countries, including the UAE, anyone operating a business, whether as an individual or a legal person, must have a business license. Such persons may also need to be registered with their country's ministry of commerce or economy. Among other documents required for customer identification and verification, LFIs should ensure that they collect proof of an active license and/or registration from all business customers. Where a license is required, lack of one may indicate that a customer is attempting to avoid regulation and supervision by the authorities in the UAE or in its home jurisdiction.

      • 3.2.1.2 Beneficial Owner Identification

        The majority of DPMS and real estate sector customers will be legal persons. The UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual(s) holding the senior management position in the entity.

        Legal arrangements may be involved in transactions related to real estate. For legal arrangement customers, LFIs must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, the identity of any other natural person exercising ultimate effective control over the legal arrangement and obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.

        The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI's customer.

        When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision.

        Please see the CBUAE's Guidance for Licensed Financial Institutions providing services to Legal Persons and Arrangements [8] for more information on identification of beneficial owners.

        [8] Available at https://www.centralbank.ae/en/cbuae-amlcft

        • 3.2.1.2.1 EDD: Beneficial Ownership

          If the LFI is not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the LFI should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25% ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10% or even the 5% level. It may also involve requiring the customer to provide the names of all persons who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.

      • 3.2.1.3 Nature of the Customer’s Business and Nature and Purpose of the Business Relationship

        For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer's business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI's services. This element of CDD will have important implications for the customer risk rating. This is particularly true of the nature of the customer's business, which will likely be the critical determinant of risk for customers of the types addressed in this Guidance.

        • 3.2.1.3.1 Nature of the Customer’s Business

          Understanding the nature of the customer's business involves first i) identifying that the customer is a participant in a higher-risk sector; and ii) collecting all the information necessary to assess the risk factors for that specific customer type, as described in section 3.1 above. Customers may not identify themselves explicitly as DPMS or real estate sector participants. In some cases, the nature of the customer's business will be clear based on the customer's own statements; in others, the LFI may need to ask additional questions to ascertain whether or not the customer carries out any of the qualifying activities. For example, an importer/exporter may qualify as a DPMS if it trades in precious metals and stones among other products, or a department store may qualify if it sells fine jewelry.

          Following the determination of the customer's sector, the LFI should collect the information necessary to understand the products and services the customer offers, where it operates, and who its customers are. The exact information collected will depend on both the nature of initial findings and on the risk level of the entity. For example:

           Company A is a large commercial real estate broker licensed in Sharjah and supervised as a DNFBP by the Ministry of Economy. Company A applies for a general purpose business account with Bank C, an LFI. Bank C interviews Company A regarding its business activities and customer base, and asks Company A to supply a copy of its institutional risk assessment and its CDD and STR policies.
           
           Company B, a small business based in Dubai, seeks to establish a checking account with Bank C, an LFI. Company B represents that it primarily sells furniture and curios, but in response to questions from Bank C during the CDD process discloses that it sells gold and silver coins and also that it accepts cash payments. Company B is not licensed as a DPMS and is not registered by the Ministry of Economy. Bank C decides to make an unannounced site visit to Company B and discovers that gold objects make up a large part of its inventory. Bank C declines to consider opening the account until Company B is licensed and registered as a DPMS.
           
        • 3.2.1.3.2 Nature and Purpose of the Business Relationship

          The risk to which the LFI may be exposed can vary based on the purpose of the account and the types of financial products and services the customer wishes to use. Nevertheless, if other risk factors are present a customer may still qualify as high risk even if they use only low-risk products and services.

           Certain aspects of a customer's business may be higher risk than others. For example, an account used for payroll may be lower risk than an account used to pay suppliers or that receives payments directly from customers.
           
           Certain LFI products and services may expose the LFI to higher risk. These include cash management services or large-scale cash deposits, and international wires, especially wires to or from high-risk or secrecy jurisdictions. These services are higher risk because they facilitate rapid movements of value across borders, or (in the case of cash) because they are conducive to anonymity. The LFI's entity risk assessment should identify its higher-risk products and services, and a customer that intends to use such services should be risk-rated accordingly.
           

          For example:

           Company X is a small DPMS operating in the Dubai Gold Souk that applies for a general purpose checking account with Bank C, an LFI. Company X tells Bank C that it sells gold jewelry. It claims that it does not accept cash and has not registered as a DNFBP, but tells Bank C to expect weekly cash deposits. The relationship manager visits the store and observes a sign by the cash register saying “Payment by Cheque or Credit Only.” Bank C decides to prohibit cash deposits into the account with prior authorization, and to restrict such deposits to a low monthly total.
           
        • 3.2.1.3.3 Developing a Customer Profile

          Businesses, including those in the DPMS and real estate sectors, engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a small DPMS is likely to be completely different from that of a large-scale commercial developer. At the same time, specific businesses are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour.

        • 3.2.1.3.4 EDD: Customer’s Business and the Business Relationship

          As LFIs advance efforts to understand their customer's business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:

           The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
           The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
           The LFI does not fully understand the customer's business model, or the customer has no clear business activities that would justify its expected use of the account.
           

          EDD on the business activities and account use of businesses like DPMS and real estate sector participants can involve the following:

           Requiring the customer to provide invoices documenting incoming and outgoing transfers;
           Inspecting payroll documents and other business records;
           Visiting the customer's business premises and interviewing its personnel;
           Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
           
      • 3.2.1.4 Ongoing Monitoring

        All customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

        • 3.2.1.4.1 CDD Updating

          LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of customers that are companies, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction. For example:

           Mr. Y and Sons is a highly-reputable dealer in uncut diamonds that has been banking with Bank C for more than 40 years. Bank C's account manager reads in the newspaper that Mr. Y has recently passed away and calls on Mr. Y's sons to express his condolences. During the course of the conversation, the account manager asks which son will be in charge of the business going forward. They inform him that they have just sold the business to a consortium of investors who wished to remain anonymous but who were represented by a global law firm with offices in the Free Zone. Once it has become aware of this fact, Bank C should rapidly identify the new beneficial owners of the customer. If it cannot do so promptly, it should suspend activity on the account.
           

          LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.

          CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:

           The customer's beneficial owners remain the same;
           The customer continues to have an active status with a company registrar;
           The customer has the same legal form and is domiciled in the same jurisdiction;
           The customer is engaged in the same type of business, and in the same geographies.
           

          In addition to a review of the customer's CDD file, the LFI should also review the customer's transactions to determine whether they continue to fit the customer's profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established. This type of transaction review is distinct from the ongoing transaction monitoring discussed in section 3.2.1.4.2 below. The purpose of the review is to complement transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules. For example:

           Bank C is conducting its scheduled CDD review for Company A, a commercial real estate brokerage firm. When reviewing the customer's transactions over the past year, Bank C notices that Company A has begun making fairly regular payments to a counterparty in Country 1. Previously, Company A had engaged in extremely limited cross-border activity. The payments do not exhibit any red flags and therefore were not flagged by Bank C's automated transaction monitoring system. Bank C contacts Company A and learns that it has recently entered into a referral agreement with a private bank in Country 1. The bank refers customers looking to invest in the real estate sector, in Country 2, to Company A and in return receives a percentage of any commission Company A makes on a resulting sale. Bank C decides to conduct additional due diligence to learn more about the customer base referred to Company A by the bank in Country 1.
           

          The techniques used for transaction review will vary depending on the client. For lower-risk clients, a review of alerts, if any, is likely to be sufficient. For higher risk clients, a more intensive review may be necessary. For clients with a large volume of transactions, LFIs may use data analysis techniques to identify unusual behaviour.

          If the review finds that the customer's behaviour or information has materially changed, the LFI should risk-rate the customer again. New information gained during this process may cause the LFI to believe that EDD is necessary, or may bring the customer into the category of customers for which EDD is mandatory (i.e. customers that are PEPs, or owned or controlled by PEPs, or their family members or associates; and customers that are based in high-risk jurisdictions).

          LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, LFIs should not rely on the customer to notify them of a change, but should still update CDD on a schedule appropriate to the customer's risk rating.

        • 3.2.1.4.2 Transaction Monitoring

          LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of an STR (see section 3.3 below). As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.

          Where possible, monitoring systems should also flag unusual behaviour that may indicate that a customer's business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business activities in such a way as to require a higher risk rating.

          Sample red flags for illicit behaviour involving DPMS and the real estate sector are provided in the Annex to this Guidance.

        • 3.2.1.4.3 EDD: Ongoing Monitoring

          When customers are higher risk, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as every six or nine months for very high-risk customers. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied for the customer. For example, LFIs should consider:

           Manually reviewing all transactions on the account on a quarterly basis, rather than a sample of transactions (as discussed above, such manual review should be in addition to automated transaction monitoring). Manual review can take the form of reviewing individual transactions, or of using data analysis to determine information about the customer's activity (e.g., overall percentage of counterparties in high-risk jurisdictions; new jurisdictions of activity compared to last quarter; overall percentage of transactions that are round numbers, etc.) that would not be apparent to automated transaction monitoring systems;
           
           Conducting site visits at the customer's premises and requesting a meeting with the customer's managing director or Chief Financial Officer;
           
           Conducting searches of public databases, including news and government databases, to independently identify material changes in a customer's ownership or business activities or to identify adverse media reports. Searches for adverse media should include relevant key words, including, but not limited to, allegation, fraud, corruption, and laundering.
           

          In addition, higher-risk customers should be subject to more stringent transaction monitoring, such as lower thresholds for alerts and more intensive investigation.

    • 3.2.2 Key Considerations for DPMS

      All of the requirements above apply fully to DPMS customers. This section describes specific or additional considerations that LFIs should have in mind when carrying out CDD on such customers.

       Nature of the Customer’s Business: Understanding the nature of the customer's business is particularly important in the context of DPMS, as risk is largely driven by the nature of the entity's business activities. LFIs should consider factors such as:
       
        o Whether the customer qualifies as a DNFBP, and, if so, whether it is registered as such with the appropriate authority in its home jurisdiction (in the UAE, this is the Ministry of Economy, see section 2.2.4);

        o The DPMS-specific risks of the countries where the customer does business (see section 3.1.1.2 (i)). Certain countries that may not be considered extremely high risk in other contexts may be very high risk in the DPMS sector, such as countries where illegal mining takes place on a significant scale, or countries where smuggling of gold and precious stones is particularly common;

        o The products and services the customer provides, and their attractiveness to illicit actors.

        o Example: Customer, a large Abu Dhabi luxury goods store, seeks to establish a general purpose business account with Bank B, an LFI. Customer sells fine jewelry to a clientele that includes a number of PEPs. Bank B collects additional information about sales and policies from Customer, and determines that all purchases of fine jewelry must be made using a credit card, and that fine jewelry accounts for less than 10% of Customer's annual turnover. Bank B decides that EDD is not necessary at this point, but decides to review activity on the account after six months to determine whether it presents any red flags.
       
       Ongoing Monitoring: Because DPMS risk varies with their business activities, it is particularly important that LFIs monitor DPMS accounts for any unexpected changes in activity. A change in activity is not necessarily a sign of illicit behaviour, but it may indicate that a DPMS has changed its activity profile in ways that affect its risk rating.
       
        o Example: When conducting its scheduled review of activity on the account of Customer, a large Abu Dhabi luxury goods store, Bank B notices that Customer has recently begun to receive large transfers from Iraq. When Bank B contacts Customer, the store explains that they've just begun conducting 'trunk shows' of fashion and fine jewelry for customers in Iraq and as a result have substantially increased the business they do with customers there. Based on this information, Bank B increases Customer's risk rating and considers placing other controls on the relationship.
       
    • 3.2.3 Key Considerations for the Real Estate Sector

      Customers that are overall low-risk, and whose business is unrelated to the real estate sector, can nonetheless engage in high-risk transactions related to the sector. For example, a retired businesswoman who has been a customer of an LFI for twenty years may sell her luxury villa to a foreign PEP. In such cases, the CDD that has been performed on the customer may not be sufficient to manage the risk of this particular transaction, and LFIs may need to perform additional transactional due diligence. Transactional due diligence may also be necessary to comply with the requirements of Article 7.1 of AML-CFT Decision, which requires LFIs to audit transactions carried out throughout the business relationship to ensure that the transactions are consistent with the customer's risk profile.

      Transactional due diligence should at least involve collecting additional information about the underlying activity and the customer's counterparty. Information that an LFI may request in the context of transactional due diligence on real estate transactions includes:

       Sufficient information about the property to support an assessment that the purchase/sale price is reasonable and generally consistent with values for similar properties. This may include its official valuation for property tax purposes (where one exists); cadastral maps for the area where the property is located; floor plans; photographs; and recent sales information for similar properties. Where the LFI is financing a purchase, or has previously financed the purchase of the same property, it likely has this information on hand already.
       
       Information about the customer's counterparty. Where the counterparty is an individual, this should include sufficient information to perform adverse media, sanctions and PEP screening. Adverse media searches should include searches of public records and databases using relevant key words, including but not limited to, allegation, fraud, corruption, laundering.
       
       Where the counterparty is a legal person, it should include the jurisdiction in which the counterparty is registered/headquartered; identifying information on the counterparty's beneficial owners and line of business.
       
       Information on source of funds and source of wealth. LFIs should be able to identify the source of funds for every large transaction related to the real estate sector. Where a transaction is financed, the source of funds will often be a bank loan, but for unfinanced transactions the determination may be more difficult. For high-risk customers or counterparties, such as PEPs, LFIs should also understand the source of overall wealth, in addition to the source of the specific funds used to purchase the property.