3.2.1 Overarching common requirements
The following elements of CDD should be carried out for all customers, no matter the customer type.
3.2.1.1 Customer Identification and verification
Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers.
In most countries, including the UAE, anyone operating a business, whether as an individual or a legal person, must have a business license. Such persons may also need to be registered with their country's ministry of commerce or economy. Among other documents required for customer identification and verification, LFIs should ensure that they collect proof of an active license and/or registration from all business customers. Where a license is required, lack of one may indicate that a customer is attempting to avoid regulation and supervision by the authorities in the UAE or in its home jurisdiction.
3.2.1.2 Beneficial Owner Identification
The majority of DPMS and real estate sector customers will be legal persons. The UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual(s) holding the senior management position in the entity.
Legal arrangements may be involved in transactions related to real estate. For legal arrangement customers, LFIs must verify the identity of the settlor, the trustee(s), or anyone holding a similar position, the identity of the beneficiaries or class of beneficiaries, the identity of any other natural person exercising ultimate effective control over the legal arrangement and obtain sufficient information regarding the beneficial owner to enable verification of his/her identity at the time of payment, or at the time he/she intends to exercise his/her legally acquired rights.
The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI's customer.
When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision.
Please see the CBUAE's Guidance for Licensed Financial Institutions providing services to Legal Persons and Arrangements[8] for more information on identification of beneficial owners.
[8] Available at https://www.centralbank.ae/en/cbuae-amlcft
3.2.1.2.1 EDD: Beneficial Ownership
If the LFI is not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the LFI should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25% ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10% or even the 5% level. It may also involve requiring the customer to provide the names of all persons who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.
3.2.1.3 Nature of the Customer’s Business and Nature and Purpose of the Business Relationship
For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer's business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI's services. This element of CDD will have important implications for the customer risk rating. This is particularly true of the nature of the customer's business, which will likely be the critical determinant of risk for customers of the types addressed in this Guidance.
3.2.1.3.1 Nature of the Customer’s Business
Understanding the nature of the customer's business involves first i) identifying that the customer is a participant in a higher-risk sector; and ii) collecting all the information necessary to assess the risk factors for that specific customer type, as described in section 3.1 above. Customers may not identify themselves explicitly as DPMS or real estate sector participants. In some cases, the nature of the customer's business will be clear based on the customer's own statements; in others, the LFI may need to ask additional questions to ascertain whether or not the customer carries out any of the qualifying activities. For example, an importer/exporter may qualify as a DPMS if it trades in precious metals and stones among other products, or a department store may qualify if it sells fine jewelry.
Following the determination of the customer's sector, the LFI should collect the information necessary to understand the products and services the customer offers, where it operates, and who its customers are. The exact information collected will depend on both the nature of initial findings and on the risk level of the entity. For example:
• Company A is a large commercial real estate broker licensed in Sharjah and supervised as a DNFBP by the Ministry of Economy. Company A applies for a general purpose business account with Bank C, an LFI. Bank C interviews Company A regarding its business activities and customer base, and asks Company A to supply a copy of its institutional risk assessment and its CDD and STR policies.
• Company B, a small business based in Dubai, seeks to establish a checking account with Bank C, an LFI. Company B represents that it primarily sells furniture and curios, but in response to questions from Bank C during the CDD process discloses that it sells gold and silver coins and also that it accepts cash payments. Company B is not licensed as a DPMS and is not registered by the Ministry of Economy. Bank C decides to make an unannounced site visit to Company B and discovers that gold objects make up a large part of its inventory. Bank C declines to consider opening the account until Company B is licensed and registered as a DPMS.
3.2.1.3.2 Nature and Purpose of the Business Relationship
The risk to which the LFI may be exposed can vary based on the purpose of the account and the types of financial products and services the customer wishes to use. Nevertheless, if other risk factors are present a customer may still qualify as high risk even if they use only low-risk products and services.
• Certain aspects of a customer's business may be higher risk than others. For example, an account used for payroll may be lower risk than an account used to pay suppliers or that receives payments directly from customers.
• Certain LFI products and services may expose the LFI to higher risk. These include cash management services or large-scale cash deposits, and international wires, especially wires to or from high-risk or secrecy jurisdictions. These services are higher risk because they facilitate rapid movements of value across borders, or (in the case of cash) because they are conducive to anonymity. The LFI's entity risk assessment should identify its higher-risk products and services, and a customer that intends to use such services should be risk-rated accordingly.
For example:
• Company X is a small DPMS operating in the Dubai Gold Souk that applies for a general purpose checking account with Bank C, an LFI. Company X tells Bank C that it sells gold jewelry. It claims that it does not accept cash and has not registered as a DNFBP, but tells Bank C to expect weekly cash deposits. The relationship manager visits the store and observes a sign by the cash register saying “Payment by Cheque or Credit Only.” Bank C decides to prohibit cash deposits into the account with prior authorization, and to restrict such deposits to a low monthly total.
3.2.1.3.3 Developing a Customer Profile
Businesses, including those in the DPMS and real estate sectors, engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a small DPMS is likely to be completely different from that of a large-scale commercial developer. At the same time, specific businesses are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour.
3.2.1.3.4 EDD: Customer’s Business and the Business Relationship
As LFIs advance efforts to understand their customer's business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:
• The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
• The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
• The LFI does not fully understand the customer's business model, or the customer has no clear business activities that would justify its expected use of the account.
EDD on the business activities and account use of businesses like DPMS and real estate sector participants can involve the following:
• Requiring the customer to provide invoices documenting incoming and outgoing transfers;
• Inspecting payroll documents and other business records;
• Visiting the customer's business premises and interviewing its personnel;
• Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
3.2.1.4 Ongoing Monitoring
All customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
3.2.1.4.1 CDD Updating
LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of customers that are companies, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction. For example:
• Mr. Y and Sons is a highly-reputable dealer in uncut diamonds that has been banking with Bank C for more than 40 years. Bank C's account manager reads in the newspaper that Mr. Y has recently passed away and calls on Mr. Y's sons to express his condolences. During the course of the conversation, the account manager asks which son will be in charge of the business going forward. They inform him that they have just sold the business to a consortium of investors who wished to remain anonymous but who were represented by a global law firm with offices in the Free Zone. Once it has become aware of this fact, Bank C should rapidly identify the new beneficial owners of the customer. If it cannot do so promptly, it should suspend activity on the account.
LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:
• The customer's beneficial owners remain the same;
• The customer continues to have an active status with a company registrar;
• The customer has the same legal form and is domiciled in the same jurisdiction;
• The customer is engaged in the same type of business, and in the same geographies.
In addition to a review of the customer's CDD file, the LFI should also review the customer's transactions to determine whether they continue to fit the customer's profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established. This type of transaction review is distinct from the ongoing transaction monitoring discussed in section 3.2.1.4.2 below. The purpose of the review is to complement transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules. For example:
• Bank C is conducting its scheduled CDD review for Company A, a commercial real estate brokerage firm. When reviewing the customer's transactions over the past year, Bank C notices that Company A has begun making fairly regular payments to a counterparty in Country 1. Previously, Company A had engaged in extremely limited cross-border activity. The payments do not exhibit any red flags and therefore were not flagged by Bank C's automated transaction monitoring system. Bank C contacts Company A and learns that it has recently entered into a referral agreement with a private bank in Country 1. The bank refers customers looking to invest in the real estate sector, in Country 2, to Company A and in return receives a percentage of any commission Company A makes on a resulting sale. Bank C decides to conduct additional due diligence to learn more about the customer base referred to Company A by the bank in Country 1.
The techniques used for transaction review will vary depending on the client. For lower-risk clients, a review of alerts, if any, is likely to be sufficient. For higher risk clients, a more intensive review may be necessary. For clients with a large volume of transactions, LFIs may use data analysis techniques to identify unusual behaviour.
If the review finds that the customer's behaviour or information has materially changed, the LFI should risk-rate the customer again. New information gained during this process may cause the LFI to believe that EDD is necessary, or may bring the customer into the category of customers for which EDD is mandatory (i.e. customers that are PEPs, or owned or controlled by PEPs, or their family members or associates; and customers that are based in high-risk jurisdictions).
LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, LFIs should not rely on the customer to notify them of a change, but should still update CDD on a schedule appropriate to the customer's risk rating.
3.2.1.4.2 Transaction Monitoring
LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of an STR (see section 3.3 below). As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.
Where possible, monitoring systems should also flag unusual behaviour that may indicate that a customer's business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business activities in such a way as to require a higher risk rating.
Sample red flags for illicit behaviour involving DPMS and the real estate sector are provided in the Annex to this Guidance.
3.2.1.4.3 EDD: Ongoing Monitoring
When customers are higher risk, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher risk customers on a frequent basis, such as every six or nine months for very high-risk customers. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied for the customer. For example, LFIs should consider:
• Manually reviewing all transactions on the account on a quarterly basis, rather than a sample of transactions (as discussed above, such manual review should be in addition to automated transaction monitoring). Manual review can take the form of reviewing individual transactions, or of using data analysis to determine information about the customer's activity (e.g., overall percentage of counterparties in high-risk jurisdictions; new jurisdictions of activity compared to last quarter; overall percentage of transactions that are round numbers, etc.) that would not be apparent to automated transaction monitoring systems;
• Conducting site visits at the customer's premises and requesting a meeting with the customer's managing director or Chief Financial Officer;
• Conducting searches of public databases, including news and government databases, to independently identify material changes in a customer's ownership or business activities or to identify adverse media reports. Searches for adverse media should include relevant key words, including, but not limited to, allegation, fraud, corruption, and laundering.
In addition, higher-risk customers should be subject to more stringent transaction monitoring, such as lower thresholds for alerts and more intensive investigation.