Skip to main content
  • Guidance for Licensed Financial Institutions Providing Services to Legal Persons and Arrangements

    Effective from 7/6/2021
    • 1. Introduction

      • 1.2. Applicability

        Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

        National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
         
        Insurance companies, agencies, and brokers.
         
      • 1.4. Definitions

        Key Terms
         

        Beneficial owner: The natural person who owns or exercises effective ultimate control, directly or indirectly, over a client; or the natural person on whose behalf a transaction is being conducted; or the natural person who exercises effective ultimate control over a legal person or legal arrangement.

        Legal person: Any entities other than natural persons that can establish in their own right a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations, along with similar entities.

        Legal arrangement: A relationship established by means of a contract between two or more parties which does not result in the creation of a legal personality. Examples include trusts or other similar arrangements. Many legal arrangements allow for ownership, control, and enjoyment of funds to be divided between at least two different persons.

        Settlor: A natural or legal person who transfers the control of his funds to a trustee under a trust document.

        Trust: A legal relationship in which a settlor places funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.

        Trustee: A natural or legal person who has the rights and powers conferred to him by the settlor or the trust, under which he administers, uses, and acts with the funds of the settlor in accordance with the conditions imposed on him by either the settlor or the trust.

         

    • 2. Understanding and Assessing the Risks of Legal Persons and Arrangements

      Legal persons and arrangements are critical to the conduct of business, charitable activity, estate planning, and many other activities. They have a wide variety of acceptable and desirable purposes, and the vast majority of legal persons and arrangements are engaged solely in licit behaviour.

      Nevertheless, certain aspects of legal persons and arrangements are acknowledged to pose risk for LFIs that accept such entities as customers. Most importantly, the use of legal persons and arrangements to manage funds or do business can obscure or conceal the identity of the individuals who are truly controlling, directing, or benefiting from the services the LFI offers its legal person or legal arrangement customer. This concealment can allow illicit actors to abuse services offered by LFIs in order to launder the proceeds of crime, engage in terrorist financing, evade United Nations or UAE sanctions, and threaten the integrity of the UAE financial system and the security of the State.

      Legal persons and arrangements are attractive to participants in illicit finance—including money laundering (ML), the financing of terrorism (TF), and the financing of proliferation (PF)—because these entities offer the opportunity to transact anonymously, or nearly anonymously, through complex and/or opaque corporate structures. Section 2.1 discusses the ways that legal persons and arrangement can be abused to conceal illicit transactions from financial institutions.

      It is important to be aware, however, that not all legal persons and arrangements pose equal risk of abuse. The vulnerabilities arising from the basic characteristics of legal persons and arrangements can be enhanced or mitigated through the formation process and other controls jurisdictions apply to legal persons and arrangements. Thus, it is critical for LFIs seeking to understand the risks of their customer base to be aware of the presence or absence of these features and controls in the jurisdiction of formation. Section 2.2 below discusses specific aspects of a control regime and how these can impact vulnerability.

      • 2.1. ML/TF Risks Legal Persons and Arrangements Pose to LFIs

        Legal persons and arrangements offer many advantages to illicit actors. Most importantly, however, they could be abused to hide the identity of natural persons and allow bad actors to seek to open an account or carry out a transaction with an LFI under a name other than their own. Weak laws governing the formation of legal persons and arrangements, could allow for bad actors to abuse legal persons and arrangements and enable them to conduct a transaction or transactions almost without the LFI understating the real risks and the involvement of the bad actors—an action that would otherwise be prohibited under the laws of most jurisdictions. This ability to conceal identity has a number of ramifications for financial institutions.

        • 2.1.1. Obscuring Identity/Beneficial Ownership

          Individuals can use legal persons and arrangements to obscure or conceal their involvement in a transaction. In many jurisdictions, the individuals who truly own, control, direct, or benefit from a transaction—known as the beneficial owners—are not required to reveal their identities to the authorities. Individuals who are wanted criminals, known terrorist financiers, or connected to heavily sanctioned jurisdictions can form opaque companies in lower-risk jurisdictions and seek financial services under the name of a legal person or arrangement they control.

          Even in jurisdictions where legal persons and arrangements are required to report their beneficial ownership, illicit actors can seek to conceal their ownership interest through the use of complex corporate structures, intermediaries, and nominees, as discussed below.

        • 2.1.2. Obscuring the Purpose of an Account or Transaction

          Legal persons, particularly businesses, engage in a wide variety of transactions with a wide range of counterparts. Depending on its size and the nature of its business, a legal person customer might be likely to send and receive far larger and more irregular transfers than would an individual—many of them with counterparties that are also legal persons. For example, a company that manufactures for export may send payments to suppliers in a number of foreign jurisdictions, and receive payments from purchasers in different jurisdictions.

          The variety and unpredictability of transactions carried out by legal persons can make it more difficult to identify behaviour that is unusual or has no obvious economic purpose. This is especially true when the counterparts are also opaque legal persons or arrangements. For example, a company may seek to reduce its tax burden by claiming that certain transfers are tax-deductible expenses, when in reality they are payments to a legal person with the same beneficial owners as the originating company.

        • 2.1.3. Obscuring Source of Funds or of Wealth

          Legal persons can also be abused by individuals seeking to hide the source of an incoming transfer. For example, a politically exposed person (PEP) might receive a transfer that supposedly represents investment returns from a company located in another jurisdiction. Without knowing the beneficial owners of the originating company, it is difficult to say whether the transfer does in fact represent a return on investments, or whether it is in fact a bribe or somehow related to corruption.

          The involvement of legal persons and arrangements can also make it more difficult for LFIs to identify a customer’s true source of wealth. A legal person that is represented as a profitable business, for example, may in fact be a shell company that merely passes on income from illicit sources.

        • 2.1.4. Common Typologies of Abuse of Legal Persons and Arrangements

          The use of shell companies: Shell companies, commonly defined as companies that have no significant operations or related assets, may have legitimate business purposes. A shell company’s lack of employees and physical presence, however, makes it possible to abuse it as a vehicle for illicit transactions. These features also make it very difficult for law enforcement agencies in jurisdictions where the company operates to investigate its owners and activities.

          Case Study: Shell Companies
           

          A group of individuals conducted an investment fraud scheme which promised victims high returns on an initial investment of USD 35,000. As part of the scheme, the group established a complex web of bank and brokerage accounts and shell companies in the United States and several foreign jurisdictions. The group also opened cash management accounts at brokerages utilizing the shell corporations. Investors were told to send their investment funds to the accounts established utilizing the shell corporation names. Once in this account, the funds were transferred to secondary accounts. From these accounts, the funds were then disbursed to various foreign and domestic accounts and liquidated through the use of checks, debit cards, and ATM cards.

           

          Complex ownership and control structures: Individuals who seek to hide their interest in a company may create multiple layers of ownership and control that make it difficult to identify who really owns and controls the company. For example, a company may be owned by a second legal person, that is in turn owned by three legal persons, that are controlled via a debt financing arrangement. Where directors are required to be reported to the registering authority, a company may name legal persons as directors, further complicating the control structure.

          Case Study: Complex Ownership
           

          Company G was 95% owned by Mr. A and 5% by Mr. B. Company G purchased a power generator from Company K, owned by Company R in the Cayman Islands. Company R was linked to Panamanian Foundation P, which had Mr. A and his spouse as beneficiaries. Company G leased the generator to Company E, receiving amounts cleared by Company L The funds were drawn against Company K’s bank account, and Company G made payments to Company K to settle a debt. The funds were credited to the accounts of Companies S, T and R.

           

          Use of nominee shareholders and directors: Nominee arrangements involve an individual (the nominator) assigning his or her shares or voting rights to a second individual (the nominee) who agrees to act in accordance with the wishes of the nominator. The nominee is listed as the shareholder or director of record, but in fact has no power to direct the company and does not have a legal ownership right over the benefits accruing to the ownership interest, such as dividends. Nominee relationships may be contractual or based on a handshake agreement. Such informal arrangements often involve a nominator and nominee who are close associates or family members.

          Case Study: Informal Nominee Shareholders and Directors
           

          A Russian state agency contracted with Company 1 and Company 2 to perform software development. Neither company had the relevant expertise; they each hired subcontractors to do the work. The majority of funds received by both companies were funnelled into foreign shell companies, invested in real estate, or used to purchase luxury goods. Company 2 had previously been owned by Mr. X, who transferred the ownership to complicit associates. The real estate company that received the investment funds was owned by Mr. X’s daughter. Mr. X also controlled the nominal owners of Company 1, who received a salary from the company. Mr. X was the brother of the director of the state agency’s research department.

           

          Use of intermediaries: Individuals seeking to create complex, opaque corporate structures will often seek out professional intermediaries (lawyers, accountants, and trust and company service providers (TCSPs)) who are experienced in bending and manipulating the rules in the jurisdiction where the legal person or arrangement is formed. Intermediaries may create new legal persons or arrangements, or sell the rights to existing legal persons that appear to have been in operation for some time. These intermediaries may also serve as directors, nominees, or trustees of the resulting legal persons and arrangements.

          Case Study: Use of Intermediaries
           

          Companies registered in New Zealand by a Vanuatu-based TCSP operated by New Zealand citizens were suspected of acting as shell companies that facilitated crime in foreign jurisdictions. The TCSP acted as nominee shareholders and provided nominee directors who resided in jurisdictions such as Vanuatu, Panama and the Seychelles. The TCSP also provided a New Zealand-based nominee director to satisfy the legal requirement to have a New Zealand resident director and address. By 2010, the TCSP had registered approximately 2,000 companies in New Zealand on behalf of clients in foreign jurisdictions. Its address, in Auckland, was used as the registered office for most of the companies. Authorities suspect that at least 73 of these companies facilitated crimes in foreign jurisdictions.

           

      • 2.2. Features and Controls that Mitigate the Risk of a Legal Person or Arrangement

        At a high level, features and controls that affect the vulnerabilities of legal persons and arrangements can be divided into four categories:

         The formation process and requirements to establish the legal person or arrangement;
         The identification of the individuals actually owning and controlling legal persons and arrangements;
         The reporting and recordkeeping requirements imposed on companies throughout their lifetime; and
         The formation authority’s supervisory regime and enforcement tools.
         

        The subsections that follow briefly discuss the various measures that—if effectively implemented—can help mitigate the vulnerabilities of legal persons and arrangements.

        LFIs should be aware of the risks associated with all customer types, including legal persons and arrangements established outside the UAE. Appropriately assessing these risks will often involve developing an understanding of the controls in place to ensure transparency.

        CBUAE recognizes that LFIs do not control the legal frameworks governing their customers. Nevertheless, CBUAE recommends that LFIs familiarize themselves with the features of the company forms most commonly found within their customer base, and the controls in place in the jurisdictions where their legal person customers are most commonly registered. LFIs should also consider seeking some or all of the following information in order to understand legal person and legal arrangement risks, particularly when conducting enhanced due diligence on legal person and legal arrangement customers that pose higher risks.

        • 2.2.1. Formation Requirements and Process

          Abuse of legal persons and arrangements for ML/TF/PF often includes the creation of complex ownership structures with many such entities—including entities of different types and in different jurisdictions; the use of one-time ‘disposable’ entities that are abandoned after they have served their purpose; or the use of previously inactive ‘shelf companies. In addition, illicit actors will be able to more easily transact anonymously if they are required to reveal only minimal information during the formation process, can rely on nominees, or can complete processes without face-to-face interaction. For these reasons, legal persons and arrangements in jurisdictions whose formations processes allow for rapid, remote, and inexpensive formation and registration may be more attractive to illicit actors.

        • 2.2.2. Identification and Reporting of Beneficial Owners

          Because anonymity is one of the greatest attractions for illicit actors who seek to abuse legal persons and arrangements, they are likely to gravitate towards jurisdictions and company forms that require them to provide minimal information about the entities and themselves and that make it difficult for third parties to identify who in fact owns and controls the entity. The following controls that may be applied by the jurisdiction registering the entity in question can, to a certain extent, reduce the vulnerabilities created by corporate opacity.

           The registering authority collects key information about the company (such as name, address, and the names of directors) at formation and makes it available to the public;
           The registering authority collects the identities of all beneficial owners, or all beneficial owners owning at least a given percentage of the company, at the time of establishment, and makes this information available to domestic and foreign law enforcement, as well as AML/CFT regulated entities.
            oThe threshold for identifying ownership should be in line with international and UAE standards.
            oWhere the registering authority applies a threshold that exceeds 25% of the ownership interests in a legal person, LFIs should be aware that the customer is not required to report all individuals qualifying as beneficial owners in the UAE;
           The legal person or arrangement is prohibited from being owned by another legal person or arrangement;
           Nominee shareholders and directors are prohibited, or are appropriately regulated.
           
        • 2.2.3. Reporting and Recordkeeping

          Unlike individuals, legal persons and arrangements can swiftly change fundamental elements of their identity, rendering information provided during the formation process obsolete. Legal persons and arrangements can also compartmentalize information about themselves so that no single individual possesses full information about the entity. Because legal persons and arrangements abused for ML/TF/PF may not engage in licit commercial activity and may be controlled by only a small number of closely connected individuals, there is little commercial rationale for such entities to maintain adequate books and records. Illicit actors take advantage of these features by purchasing already-established companies “off the shelf;” selling companies to new owners; changing the company name; or failing to maintain records of their ownership. These vulnerabilities can, to a certain extent, be mitigated through effective controls, such as:

           Legal persons and arrangements are required to promptly update the registering authority if their key information (including beneficial ownership) changes;
           Legal persons and arrangements are required to appoint a resident agent in the jurisdiction where they are established to respond to inquiries;
           Legal persons and arrangements are required to make annual financial reports to their registering authority and/or to undergo a regular audit and provide the audit report to their registering authority.
           
        • 2.2.4. Supervision

          The effectiveness of any regime of controls over legal persons and arrangements depends on the consistency with which such controls are enforced and on the sanctions available to the supervisor and law enforcement.

           Legal persons and arrangements are monitored by their supervisor for their compliance with requirements;
           The supervisor can and does levy substantial penalties, whether civil or criminal, for violations of these requirements.
           
    • 3. Legal Persons and Arrangements in the UAE

      The UAE has a complex regime for formation of legal persons and arrangements, with 39 corporate registrars across the Emirates, the Commercial Free Zones (CFZs), and the Financial Free Zones (FFZs). Historically, each registrar has its own processes, but following the passage of AML-CFT Decision, which institutes common basic standards for all registrars, these processes are being harmonized across the UAE.

      Certain information on legal persons doing business in the UAE is publicly available through the National Economic Register. For entities with a UAE business license, the National Economic Register contains the entity’s license number, address, business activities, and the name of a manager. LFIs are encouraged to consult the Register when conducting CDD on legal persons, but should not rely on information contained in the Register without independently verifying it with the customer.

      • 3.1. Identification of Beneficial Owners

        Under AML-CFT Decision, all registrars of legal persons in the UAE must comply with the following requirements:

         Registrars must provide the public with information on the types and features of companies they establish, the process for creating those companies, and the process by which members of the public can obtain information on those companies, including on the beneficial owner(s).
         Registrars must obtain and maintain certain basic information on each company they register, including its name, address, a list of directors, its legal form, and its founding statutes.
         Registrars must identify the beneficial owners of each company they register, defined as any individual owning or controlling at least 25 percent of the company.
         

        In addition, all legal persons in the UAE are required to:

         Maintain accurate and up to date information on their shareholders and beneficial owners;
         Identify nominee shareholders and directors to their Registrar; and
         Appoint an individual resident in the UAE to be responsible for providing this information to the Registrar.
         

        Cabinet Decision No. (58) of 2020 Regulating the Beneficial Owner Procedures further defined these requirements. All legal persons in the UAE must be licensed or registered, must identify their beneficial owners, and must hold accurate, up-to-date information on their beneficial owners in a Register of Beneficial Owners. They must also report the same information to the relevant registrar. The Resolution also requires that nominee directors identify themselves to the legal person for which they serve as director, and this information must also be included in the legal person’s Register.

        There are certain limited exemptions to this requirement. For example, legal persons that are publicly traded on a stock exchange, or that are owned by such a company, do not have to identify or report their beneficial owners because of other transparency-related measures and obligations associated. In addition, if no individual meets the threshold by owning at least 25% of a legal person, that entity can report an individual who controls the entity (such as its managing director) instead of a true beneficial owner.

        Together, these requirements aim to ensure that customers that are legal persons established and registered under the laws of the UAE must identify their beneficial owners and must always have up-to-date information on these individuals available. LFIs cannot rely solely on customers’ statements and must verify the identity of beneficial owners independently. But a UAE-based legal person customer that claims to be unfamiliar with the requirements, or represents that it has never been required to identify its beneficial owners, may not be in compliance with the law and should be treated as at least high risk.

      • 3.2. Legal Arrangements Under UAE Law

        Two types of legal arrangements can be formed under UAE law:

         Trusts can be formed in the Mainland as well as in the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM). In a trust arrangement, the owner of certain funds, known as the settlor, places these funds under the control of a trustee for the interest of a beneficiary or for a specified purpose. These assets constitute funds that are independent of the trustee's own estate, and the rights to the trust assets remain in the name of the settlor or in the name of another person on behalf of the settlor.
         Awqaf (singular waqf), also known as endowments, can be created on the Mainland. Awqaf are a form of legal arrangement created according to shari’a law. A waqf allows a property owner to endow certain assets (often real property, but also shares or other income-producing assets) for the benefit of family members or a charitable cause. The endower loses control and ownership of the assets, which are registered as endowed and managed by a supervisor or trustee. Many awqaf are directly managed by the General Authority for Islamic Affairs and Endowments, but others are privately superintended.
         

        Under AML-CFT Decision, Articles 9 and 37, trustees of legal arrangements, or persons holding analogous positions in other legal arrangements, are required to hold accurate and up-to-date information on the beneficial owners of the trust or other legal arrangement. For legal arrangements, the beneficial owners are defined as the settlor, the trustee, and the beneficiaries or identifiable class of beneficiaries, along with any other individual exercising ultimate effective control over the legal arrangement. Under Article 9 of AML-CFT Decision, LFIs must identify these individuals as the beneficial owners of their legal arrangement customers.

        In both cases, it is important for financial institutions to be aware that these legal arrangements allow for an individual to legally hold and control funds that he or she does not own and does not have the right to benefit from. A trustee of a trust or waqf may open an account for trust funds under his or her own name, so that the account appears to belong to an individual rather than a legal arrangement. Although trustees are required to disclose their status, LFIs, as part of Customer Due Diligence (CDD), should take a proactive approach to identifying whether a customer is a trustee. This may include directly asking customers whether they are acting as trustees.

      • 3.3. Economic Substance Requirements

        Under Cabinet Resolutions (31) of 2019, (7) of 2020, and (57) of 2020, UAE legal persons operating in certain sectors with relevant income must meet requirements related to the level of core business activities that they carry out in the UAE (the Economic Substance Test). All firms conducting any of the following activities must pass the annual Economic Substance Test:

         Banking;
         Insurance;
         Investment Funds Management;
         Lease-Finance;
         Headquarters operations;
         Shipping;
         Holding Company activities;
         Intellectual Property;
         Distribution and service centres.
         

        In order to pass the test, these firms are required to make an annual report, the Economic Substance Report, to their registrar showing that they in fact carry out core income-generating activities within the UAE, that these activities are directed and managed from the UAE, that the firms maintain an appropriate number of employees, and that the firms have appropriate physical premises. The report is then reviewed by the Federal Tax Authority, which makes a determination as to whether the criteria for economic substance have been satisfied. The Economic Substance Report is not currently available to financial institutions directly, but LFIs may request an attested copy of the Report from their customer or prospective customer.

        The Economic Substance Test could help reduce the likelihood that UAE companies in these sectors are shell companies. The Economic Substance Test is retroactive, however, with companies required to submit Reports at the end of the twelve-month period in which the qualifying activity took place. In addition, Reports may not be promptly reviewed. LFIs should not rely on a customer’s assertion that it has passed the Economic Substance Test and must conduct appropriate customer due diligence, as discussed in section 4.3 below. This may include requesting the customer’s Economic Substance Report from the customer itself.

    • 4. Mitigating Risk

      Legal persons and arrangements are an important part of LFIs’ customer base and of economic activity in the UAE. However, legal persons and arrangements create real, and diverse, risks for financial institutions. LFIs are not expected to prohibit legal person and arrangement customers. Instead, they must understand, manage, and mitigate the risk through the appropriate application of preventive measures required under AML-CFT Decision and CBUAE directives and guidance documents.

      This section describes LFIs’ obligations under UAE Law with specific reference to legal persons and arrangements. It is not a comprehensive discussion of all requirements imposed on LFIs. LFIs should consult the Laws and regulations including AML-CFT Decision and the CBUAE’s Anti-Money Laundering the Combating the Financing of Terrorism and Illegal Organizations Guidelines. The controls discussed below must be integrated into the LFI’s larger AML/CFT compliance program, and supported with appropriate governance and training.

      • 4.1. Requirements for Legal Person and Arrangement Customers Under AML-CFT Decision

        Under Article 8(b) of AML-CFT Decision, when conducting CDD on legal persons and arrangements, LFIs must collect the following information and verify it based on documents from a reliable and independent source:

         The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
         Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
         Articles of Association or any similar documents, approved by the relevant authority within the State;
         Names of relevant persons holding senior management positions in the legal person or legal arrangement.
         

        Legal persons and arrangements, by definition, cannot take action on their own and must be represented by a natural person. Therefore, for all legal persons and arrangements the LFI must verify that the individual acting on behalf of the customer is authorized to do so, and conduct CDD on that person as required by Article 8(a) of AML-CFT Decision.

        In addition to the information described above, under Article 9 of AML-CFT Decision, the LFI must take reasonable measures to identify the beneficial owner(s) of all legal person and legal arrangement customers.

         For legal persons, LFIs must at least obtain and verify the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
         For legal arrangements, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement. LFIs must also obtain sufficient information on the beneficial owners of a legal arrangement to enable verification of the beneficial owner when paying trust funds to the beneficial owner, or when the beneficial owner begins to exercise his or her legally acquired rights. (This may take place, for example, when a beneficiary of a trust reaches his or her majority and takes full control and ownership of the trust funds.)
         

        As stipulated by Article 10 of AML-CFT Decision, LFIs may omit collecting information from the customer to identify the beneficial owner of a legal person or arrangement customer only in two narrowly defined circumstances, which both apply to legal persons only:

         a)The customer is a company listed on a regulated stock exchange and subject to disclosure requirements that ensure adequate transparency with regards to the customer’s beneficial owner(s);
         b)A subsidiary whose majority shares or stocks are held by the shareholders of the holding company.
         

        In both cases, LFIs must still identify the beneficial owner(s) using reliable public sources. LFIs must also verify that the customer does in fact qualify for the exemption. LFIs remain responsible for using a risk-based approach and for ensuring that they understand their customer. LFIs should not seek to take advantage of this exemption if they cannot identify the beneficial owner(s) using reliable public sources. LFIs are unlikely to find reliable public information on the beneficial owners of privately-held holding companies.

        In all cases, LFIs are also required by Article 8.4 of AML-CFT Decision to understand the customer’s ownership and control structure.

      • 4.2. The Risk-Based Approach, Customer Risk Rating, and the Institutional Risk Assessment

        LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including legal persons and arrangements. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.

        The risk-based approach has three principal components:

        1. Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.

        The enterprise risk assessment should reflect the presence of legal persons and arrangements in an LFI’s customer base. The risk assessment should consider the most common forms of legal persons and arrangements in the LFI’s customer base and should assess the risks of each form. This assessment should carefully consider and incorporate the ML/TF risks legal persons and arrangements pose to LFIs discussed above (section 2.1), although LFIs may have legal person and arrangement customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI’s inherent risk rating.

        In addition, the LFI’s risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its legal person and arrangement customers, including the preventive measures discussed below.

        2. Identifying and assessing the risks associated with specific customers.

        The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD). Customer risk assessment for legal person and arrangements should incorporate at least all elements of the customer risk assessment for individuals, but should apply them both to the legal person or arrangement customer itself and to the individuals prominently associated with it. For example, the assessment of the legal person or arrangement’s jurisdictional risk should take into consideration not just the customer’s jurisdiction of establishment, but also the residence and nationality of the beneficial owners, senior manager, and directors.

        Other risk assessment considerations that are unique to legal person and arrangement customers include:

         The legal form of the customer, and the controls in place to ensure transparency;
         The status of the beneficial owners and senior management. For example, if a beneficial owner or senior manager of a customer is a PEP, as defined in Article 15 of AML-CFT Decision, the customer may also need to be treated as PEP, depending on the extent of the PEP’s ownership and control and his or her relationship to the other beneficial owners or managers.
         
        3.Applying EDD and other preventive measures to customers the LFI determines to be higher-risk, as required by Article 4.2(b) of AML-CFT Decision, or to specific customer types, no matter their risk rating, as required by AML-CFT Decision.
         

        Many EDD measures for legal persons and arrangements are the same as those applied to individual customers. EDD measures that are specific to legal person and arrangement customers are discussed in section 4.3 below.

        Under AML-CFT Decision, the legal person customer types for which enhanced or special due diligence is required are:

         Legal persons based in high-risk countries (Article 22);
         
         Financial institutions with which the LFI proposes to enter into a correspondent relationship (Article 25);
         
         Legal person customers that are fully owned or controlled by PEPs, their direct family members, or their close associates (Article 15). If a PEP, a direct family member, or an associate is a partial owner of a customer, LFIs may take a risk-based approach to applying EDD to the customer.
         
         Non-Profit Organisations (Article 33).
         
      • 4.3. Customer Due Diligence and Enhanced Due Diligence

        CDD, and, where necessary, EDD are the core preventive measures that help LFIs manage the risks of legal person and legal arrangement customers. Because of this, LFIs are prohibited from maintaining anonymous accounts, and from onboarding any account or customer with fictitious names or characteristics. LFIs must perform CDD on every customer.

        The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Therefore, the LFI must identify customers that are legal persons and legal arrangements. When the customer is a legal person or arrangement, the process of understanding the customer (“knowing your customer”) is more complex and requires additional steps.

        Where an LFI cannot satisfy itself that it understands a legal person or legal arrangement-including when it has doubts that it has identified the individuals who truly own and control the legal person or legal arrangement—then it must not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report, as discussed 4.4 below.

        • 4.3.1. Core Elements of Customer Due Diligence

          LFIs are reminded that all elements of CDD (and EDD) apply to customers that are legal persons and legal arrangements. LFIs should refer to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions for a full discussion of CDD obligations. CDD obligations include, but are not limited to, the requirement that LFIs, using a risk-based approach:

           Identify the customer and verify if the customer’s identity is reliable by using independent sources (discussed in this section);
           Identify beneficial owners of the customer (discussed in section 4.3.2 below);
           Assess and understand customer risk (discussed in section 4.2 above);
           Obtain information on the purpose and intended nature of the account (discussed in section 4.3.3 below); and
           Ensure ongoing due diligence is conducted and that the business relationship and transactions are scrutinized in the course of the relationship (discussed in section 4.3.4 below).
           

          LFIs must maintain records of the customer information obtained through CDD to enable the LFI to demonstrate compliance to CBUAE and to comply with requests for information from competent authorities.

          As discussed above in section 4.1, LFIs must identify legal person customers by collecting the following information and verifying it using independent, reliable sources:

           The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
           Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
           Articles of Association or any similar documents, approved by the relevant authority within the State;
           Names of relevant persons holding senior management positions in the legal person or legal arrangement.
           

          Verification of information collected to identify the customer should be risk-based. In standard cases, verification should rely on government-issued or certified documents, such as business licenses and notarized copies of the legal person’s memorandum of association. Where risks are lower, LFIs may consider using non-documentary sources, such as public registries, including the registries maintained by company registrars in the UAE. Consulting a registry, however, is not a replacement for collecting the documents specifically required by the AML-CFT Decision, even if the customer was required to submit the same documents to the registry.

        • 4.3.2. Identification of Beneficial Owners and of Ownership and Control Structure

          • 4.3.2.1. UAE Requirements

            As discussed in section 4.1 above, the UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual holding the senior management position in the entity.

            The AML-CFT Decision does not define “senior management position,” and LFIs should make a judgment, based on the specific facts and circumstances, as to the individual who meets this description. The senior management official should be a single individual with significant responsibility to control, manage, or direct a legal person customer. This may include the entity’s Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Director, General Partner, or President.

            LFIs should consider whether the individual’s background, experience, and expertise make it plausible that they would indeed hold a position of responsibility at a legal person of the customer’s size. Where a customer identifies a relatively young or inexperienced individual as its senior manager, that may be a sign that the individual does not in fact control the customer and instead takes orders from another individual who wishes to obscure his or her identity.

            For legal arrangement customers, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.

            The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until it discovers all individuals who own or control at least 25% of the LFI’s customer.

            When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision. Where the customer is a UAE legal person, LFIs may require the customer provide the beneficial ownership report it has submitted to its company registrar as per Cabinet Decision (58). This should not be a substitute, however, for independent identification of beneficial owners by the LFI.

            LFIs are also required to understand the customer’s ownership and control structure. This means that LFIs must be aware of who owns the customer, even if they have not verified the identity of the individuals owning every company in the customer’s ownership chain. LFIs should have confidence that they fully understand who has the power to direct and control their customer’s actions.

          • 4.3.2.2. Applying a Risk Based Approach

            It is important to note that the legal requirements mentioned above (section 4.3.2.1) are baseline obligations rather than definitions of beneficial ownership. A beneficial owner, as defined in AML-CFT Decision, is any individual who owns or controls all or part of a legal person. This means that a legal person can have several beneficial owners, not all of whom are required to be identified under the law. LFIs should always identify and verify the identity of all individuals owning or controlling at least 25% of a legal person, but they should also make a risk-based decision as to whether to identify and verify the identity of additional beneficial owners. For legal person customers that require EDD, whether as a function of law or because they are higher risk, LFIs should always consider lowering the ownership threshold below 25%.

            LFIs should be aware that even minority owners of a legal person customer can exercise control over the legal person through information arrangements, family relationships, and specific governance arrangements (e.g. preferred stock), among other methods. Customers whose minority owners include individuals that are subject to United Nations or UAE sanctions may also create serious risks for LFIs, even if the individual only owns a small share of the customer (see section 4.5 below). Thus, particularly in higher risk scenarios, LFIs should consider completing an ownership and control chart that includes at least the names of all beneficial owners of every legal customer, or all individuals owning at least 5% of the customer. Collecting the names of beneficial owners is distinct from identifying them and verifying their identity and does not require the LFI to collect identifying information. LFIs must still identify and verify the identity of all individuals owning at least 25% of legal person customers.

            Beyond lowering the ownership threshold, EDD methods related to identification of ownership and control can include requiring the beneficial owners of customers to verify their ownership by presenting share certificates or contracts.

            Example 1: Company A is a UAE-based company that leases office space. Company A applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company A is 50% owned by Mr. Y and 40% owned by Ms. W. Bank Lion is aware that Company A has additional owners, but knows they own less than 10% of Company A.

            Because Company A is a low-risk domestic firm, Bank Lion is not required to identify the additional owners of Company A.

            Example 2: Company B is a Cayman Islands-based company with no business operations and a letterbox address on the premises of a known Cayman Islands TCSP. Company B applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company B is 50% owned by Mr. Y, a citizen of Russia and 40% owned by Ms. W, a citizen of Malta.

            Company B is likely a shell company, and its known beneficial owners are from high-risk jurisdictions. Therefore, Bank Lion decides to take the step of identifying and verifying the identity of the individuals who owns the remaining 10% of the company before accepting Company B as a customer. It discovers that the remaining 10% of shares are owned by Mr. Y’s father, a well-known Russian businessman. Because Mr. Y is only 22 and a recent university graduate, Bank Lion suspects that Mr. Y is a nominee and that his father may be the true controlling owner of Company B.

             

          • 4.3.2.3. Legal Persons – Common Situations

            In many cases, identifying the beneficial owners of a legal person customer will be a straightforward process. A customer may be directly owned by one or two individuals:

                           4.3.2.3-1

            In such cases, an LFI is obliged to identify and to verify the identity of both individuals, Mr. X and Ms. Y.

            Legal persons may have more complex ownership structures, however, in which other legal persons are involved in the ownership chain. In such cases, LFIs must continue up the chain until they identify an individual:

              4.3.2.3-2

            In this situation, the owners of Company A are as follows:

            OwnerShareOwnership Type
            Mr. X30%Direct
            Ms. Y30%Direct
            Ms. E28%Indirect - Ms E owns 70% of Company B, which in turn owns 40% of Company A
            Mr. D12%Indirect - Mr. D owns 30% of Company B, which in turn owns 40% of Company A

             

            Mr. X, Ms. Y, and Ms. E must all be identified under UAE law, as they own at least 25% of Company A. Mr. D owns 12%, so he is not required to be identified. But the LFI should make a risk-based decision as to whether to identify him.

            Illicit actors may seek to use complex ownership structures to hide the fact that they own 25% or more of the customer. This is why it is important for LFIs to use a risk-based approach and to be confident that, at the end of the process, they fully understand who controls their customer.

            4.3.2.3-3

            In this situation, although it at first appears that Ms. Y and Mr. X each own less than 25% of Company A, in fact between them they own 100% of the company. Their ownership interests can be calculated as follows:

            Mr. X:

             20% of Company B, which owns 40% of Company A: 20% of 40% is 8%; plus
             100% of Company E, which owns 75% of Company C, which owns 60% of Company A: 100% of 75% of 60% is 45%.
             Mr. X owns 53% of Company A.
             

            Ms. Y:

             25% of Company C, which owns 60% of Company A: 25% of 60% is 15%; plus
             100% of Company D, which owns 80% of Company B, which owns 40% of Company A: 100% of 80% of 40% is 32%.
             Ms. Y owns 47% of Company A.
             

            Both Mr. X and Ms. Y must be identified under UAE law. In addition, LFIs should be aware that Mr. X and Ms. Y are likely associated parties and should question whether there is a legitimate economic purpose for the ownership structure of Company A.

          • 4.3.2.4. Legal Arrangements - Common Situations

            Legal arrangements may not present the layered ownership structures seen in legal persons. This does not mean, however, that identifying the beneficial owners of legal arrangements is always straightforward. In particular, the very different forms of legal arrangements that may be formed in different jurisdictions can make it difficult to identify the individuals who hold roles analogous to settlor, trustee, and beneficiary. LFIs should always identify the following individuals:

             The legal entities or individuals who have the power to control the property of the legal arrangements. These legal entities or individuals are analogous to trustees. If a legal entity (such as a financial institution) acts as trustee, LFIs must identify the beneficial owners of that legal entity.
             The legal entities or individuals for whose present or future benefit the trustees are safeguarding the legal arrangement property. These legal entities or individuals are analogous to the beneficiaries.
              oBeneficiaries may be defined as a class which can change over time (e.g., “all the underage grandchildren of the settlor”).
              oLFIs should identify the class of beneficiaries, and all beneficiaries currently in existence, at the time of onboarding the customer. During periodic CDD refresh, they should ascertain whether additional identifiable individuals have joined or left the beneficiary class (e.g. a new child has been born, a beneficiary has come of legal age).
              oIf a legal entity is the named beneficiary, LFIs must identify the beneficial owners of that legal entity.
             The legal entities or individuals who assigned control of the legal arrangement property to the trustees (or individuals holding a similar position). This individual or legal entity is analogous to the settlor. A settlor may or may not retain underlying legal ownership of the legal arrangement property. If a legal entity acts as settlor, LFIs must identify the beneficial owners of that legal entity.
             

            In addition, where trustees are financial institutions, lawyers or any other professional with secrecy rules in a foreign jurisdiction, it may be difficult to obtain the information LFIs need. LFIs should be aware that if they cannot obtain this information, they should not establish the business relationship or continue an existing relationship.

            Legal arrangements may also be part of the ownership structures of other legal persons or arrangements. Because trusts do not have shares or equity, LFIs should treat all participants in a trust or similar legal arrangement as if they own 100% of the legal arrangement.

            4.3.2.4-1

             

            In the example above, Company A is 40% owned by Company B, which is in turn wholly owned by a trust established in the Isle of Jersey. Ms. Y and Mr. X are beneficiaries of the trust and also indirectly own shares of the Company A through Company C. Mr. X has to be identified and verified based solely on his indirect 45% ownership of Company A through Company E. Ms. Y and Mr. Z, must also be identified and verified because they are beneficial owners of a legal arrangement that owns 40% of Company A.

        • 4.3.3. Understanding the Purpose of the Account and Nature of the Customer’s Business

          For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s services. Because almost all legal persons and arrangements are created to make it easier to do business, invest assets, or engage in some form of organized activity, this element of CDD is critical to understanding customers who are legal persons and arrangements.

          Legal persons and arrangements engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a taxi firm will be completely different from that of an investment vehicle or of a waqf that collects revenues from real property and distributes them to charitable causes. But specific legal person and arrangements customers are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour. For example:

           A taxi company is likely to see substantial cash inflows and make regular, predictable transfers to cover payroll and to a limited set of suppliers (e.g. mechanics, gas stations). If a taxi company starts making transfers to a foreign jurisdiction, even a low-risk one, that behaviour may not fit the expected pattern and if so would require investigation.
           A waqf managing an apartment building should receive very regular monthly rent payments from residents, whether by cash, check or Automated Clearing House. The waqf should have regular expenses for maintenance and property taxes, as well as predictable payments to the beneficiaries of the waqf. If the waqf suddenly doubles its cash deposits, the LFI will need to investigate to understand why the customer’s behaviour has changed.
           

          Understanding the nature of the customer’s business can be a straightforward process. Most legal person customers will be engaged in familiar, easily identifiable activities in recognized sectors: manufacturing, retail, agricultural production, etc. In other cases, it may not be so simple. A legal person customer may be formed solely to facilitate a complex financial transaction. In other cases, the legal person may not have fully determined their business model or may plan to engage in a business activity that is out of keeping with the owners’ and managers’ resources and expertise, or that don’t seem to make economic sense. Finally, a customer may try to conceal its actual business; for instance, a company that is engaged in computer hacking and fraud may describe itself as a software engineering firm or a call centre.

          As LFIs advance efforts to understand their customer’s business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:

           The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
           The customer is engaged in a high-risk sector. High-risk sectors can include, but are not limited to:
            oSectors with high flows of cash;
            oOther financial sectors (e.g. customers who are MSBs or payment processors);
            oSectors that involve the import or export of dual-use technology (technology that may be used for proliferation);
            oSectors that are at high risk for human trafficking (bars and dance venues; construction; cleaning);
            oCharitable activities, especially those involving high-risk jurisdictions.
           The customer is a state-owned-enterprise (SOE). SOEs engage in a wide variety of business activities; their close relationship to government and government officials means that they may be at higher risk for corruption-related transactions.
           The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
           The LFI does not fully understand the customer’s business model or activities. Customers that generate revenue, but that have no apparent business activities, are perhaps the highest risk.
           

          When conducting EDD on the business activities and account use of legal persons and arrangements, LFIs should use techniques designed to manage the specific risks of the customer. These may include, but are not limited to:

           Requiring the customer to provide invoices documenting incoming and outgoing transfers;
           Requiring the customer to provide its Economic Substance Report;
           For customers operating in licensed sectors, requiring the customer to provide proof that it has a valid business license;
           Inspecting payroll documents and other business records;
           Visiting the customer’s business premises and interviewing its personnel;
           Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
           
        • 4.3.4. Ongoing Monitoring

          Like all customers, legal persons and arrangements must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

          • 4.3.4.1 CDD Updating

            LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of legal person and arrangement customers, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction.

            LFIs should update CDD on legal person and arrangement customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers, including legal persons and arrangements, should involve more frequent CDD updates.

            CDD updates should include a refresh of all elements of initial CDD, and in particular must ascertain that:

             The customer’s beneficial owners remain the same;
             The customer continues to have an active status with a company registrar (this may not apply to legal arrangement customers);
             The customer has the same legal form and is domiciled in the same jurisdiction;
             The customer is engaged in the same type of business, and in the same geographies;
             The customer’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established.
             

            If any of the above characteristics have changed, the LFI should risk-rate the customer again.

            The LFI should conduct EDD when the revised risk rating demands it or if the customer’s history of transactions is not consistent with its profile and with the expectations established at account opening. LFIs must always conduct EDD when this is required by law (a beneficial owner of the customer is a PEP, as defined in Article 15 of AML-CFT Decision, or the customer or its beneficial owner is domiciled in a high-risk jurisdiction).

            LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LFIs should not rely on the customer to notify it of a change, but must still update CDD on a schedule appropriate to the customer’s risk rating.

          • 4.3.4.2. Transaction Monitoring

            As with all customers, LFIs must monitor activity by legal person and arrangement customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (see section 4.4 below). Legal persons, especially those that engage in commerce, are likely to engage a wider range of financial activity than are individual and most legal arrangement customers. This can make identifying suspicious behaviour by legal persons difficult.

            As with other customer types, LFIs that use automated monitoring systems should apply rules that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.

            Where possible, monitoring systems should also flag unusual behaviour that may indicate that a legal person customer’s business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business model in such a way as to require a higher risk rating.

            A list of red flags for illicit behaviour involving legal persons and arrangements is provided in the Annex to this Guidance.

      • 4.4. Suspicious Transaction Report Filing

        As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, the proceeds of crime, is related to a crime, or is intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs alert law enforcement about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.

        In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations involving legal persons or arrangements:

         A potential legal person or arrangement customer decides against opening an account or purchasing other financial services after learning about the LFI’s CDD requirements;
         A current legal person or customer cannot provide required information about its business or its beneficial owners;
         A legal person or arrangement customer cannot adequately explain transactions, provide supporting documents such as invoices, or provide satisfactory information about its counterparty;
         The LFI is not confident, after completing CDD procedures, that it has in fact identified the individuals owning or controlling the legal person or arrangement. In such cases, the LFI should not establish the business relationship, or continue an existing business relationship, and should also consider filing an STR.
         

        Please consult the CBUAE’s Guidance on Suspicious Transaction Reporting for further information.

      • 4.5. Implementation of Targeted Financial Sanctions - Special Considerations for Legal Persons and Arrangements

        Key Terms for Targeted Financial Sanctions
         

        Affiliate is an entity owned by another entity by more than 25% and less than 50% of its capital.

        Controlling shareholder is a shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the Board of directors, or the decisions made by the board.

        Listed Person is a person or organization listed by the UN Security Council on the Sanctions List, or listed by the Cabinet on Local Lists, as the case may be.

        Subsidiary is an entity owned by another entity by more than 50% of its capital or under full control of that entity regarding appointment of the Board of Directors.

         

        Legal persons can be included on international sanctions lists. In addition, the obligation to freeze the funds of a listed person, imposed by AML-CFT Decision and by articles 15 and 21 of Cabinet Decision (74) of 2020, extends to funds that a Listed Person owns or controls through ownership or control of a legal person or through a legal arrangement.

        Listed individuals and legal persons are known to seek to evade sanctions by hiding their interest in a transaction via complex layers of control and ownership, through informal nominee arrangements, and through the assistance of complicit professionals. Listed Persons may also use front companies-companies mixing legitimate and illicit economic activity—to conceal their activities. For this reason, identification of beneficial ownership through the entire corporate ownership structure is critical for effective sanctions implementation, as is fully understanding the nature of the customer’s business.

        LFIs that employ automated screening technologies to identify matches to sanctions lists must ensure that their screening tools include all individuals associated with a legal person customer, including beneficial owners, authorized signatories, directors, and senior management.

        Legal persons and arrangements that are directly or indirectly (i) owned 50% or more in the aggregate, or (ii) controlled, by one or more Listed Person, including subsidiaries of a Listed Person, and entities where a listed person is a controlling shareholder, are subject to the same prohibitions as the Listed Person, even if such entities are not specifically listed by the UAE or the United Nations.

        Financial institutions should observe caution when considering a transaction with an entity that is not a Listed Person in which one or more Listed Persons have a significant ownership interest that is less than 50 percent or which one or more Listed Persons may control by means other than a majority ownership interest. Such non-listed entities, to include affiliates, may become the subject of future designations or enforcement actions. As discussed above, LFIs should make a risk-based decision as to whether to identify beneficial owners who own or control less than 25% of the legal persona or arrangement. LFIs are not required to identify every beneficial owner in order to conduct sanctions screening. But should an LFI, in the course of enhanced due diligence, discover that a Listed Person owns a minority interest in a legal person, this information must be taken into consideration in risk-rating that customer.

        Please see the Guidance on Targeted Financial Sanctions for more information on this issue.

        LFIs should consult the CBUAE and the Supreme Council for National Security if they have any questions regarding implementation of UN or UAE sanctions. LFI employees must be trained on these issues as part of comprehensive ongoing training.

        Example: Listed individual Ms. Y owns 25% of foreign Company A. Foreign Company A owns 30% of UAE Company B. Company B is a customer of UAE LFI Lion Bank. Ms. Y has no other ownership interests in Company B. Ms. Y therefore ultimately owns 7.5% of Company B.

        Ms. Y’s minority interest may not in itself give her ownership or control Company B. But Lion Bank should also consider the following factors when determining whether Ms. Y exercises control over Company B:

         The other beneficial owners of Company B are known close associates of Ms. Y’s; and
         Ms. Y has loaned Company B a sum equal to 100% of its operating revenue in the previous financial year, and under the terms of the loan agreement, if Company B does not repay the loan Ms. Y will acquire an additional 35% of Company B.
        .../...

        .../...

        When these factors are considered, it becomes likely that Ms. Y does in fact exercise control over Company B, despite her relatively small ownership stake, and transactions with Company B may therefore be prohibited under Cabinet Decision (20) of 2019.

        Alternatively, if Company B operates in the high-tech manufacturing sector, and Ms. Y has been listed for proliferation activities, the LFI may conclude that the sanctions evasion risk posed by Company B is too great to permit accepting it as a customer, even if Ms. Y does not exercise control of the company.

         

      • 4.6. Training

        As will all risks to which the LFI is exposed, the AML/CFT training program must ensure that employees are aware of the risks of legal persons and arrangements, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls.

    • 5. Lessons Learned and Examples from Amld Supervision

      The CBUAE’s examinations of LFIs have found that some LFIs struggle with key aspects of the preventive measures regime for legal persons. LFIs should take care to implement effective compliance programs, including by avoiding common deficiencies such as:

       Incomplete and out of date CDD: CBUAE has identified instances where CDD files are missing key information, such as the country of operation, the nature of the business, and the nationality of beneficial owners, shareholders, and directors. Equally important, CDD files are often out of date, with expired customer information.
       
       Inadequate systems: LFIs’ systems for supporting CDD do not always mandate the collection of all required information or guide the compiler to supply complete information, such as the full name of a beneficial owner. LFIs’ core banking systems may not be capable of linking or tracking related parties, which inhibits identification of suspicious behavior. In some cases, risk-rating and identification of UBOs is done manually, which increases the likelihood of user error or manipulation.
       
       Incomplete risk-rating: LFIs’ risk rating tools for legal persons and arrangements did not always take into account critical information, such as the type of entity and the risk rating of beneficial owners.
       
    • Annex 1. Red Flags for Concealment of Beneficial Ownership

      The following are indicators that Financial Action Task Force (FATF) member states have observed in connection to abuse of legal persons and arrangements. This is not an exhaustive list of every potential indicator of illicit activity involving legal persons and arrangements, but it represents a wide range of behaviours and activities that should prompt LFIs to investigate further, to consider closing or not opening an account, and to consider filing an STR.

      Indicators Related to the Customer

       The customer is reluctant to provide personal information.
       The customer is reluctant or unable to explain:
       
        otheir business activities and corporate history
        othe identity of the beneficial owner
        otheir source of wealth/funds
        owhy they are conducting their activities in a certain manner
        owho they are transacting with
        othe nature of their business dealings with third parties (particularly third parties located in foreign jurisdictions).
       
       Individuals or connected persons:
       
        oinsist on the use of an intermediary (either professional or informal) in all interactions without sufficient justification;
        oare actively avoiding personal contact without sufficient justification;
        oare foreign nationals with no significant dealings in the country in which they are procuring professional or financial services;
        orefuse to co-operate or provide information, data, and documents usually required to facilitate a transaction
        oare politically exposed persons, or have familial or professional associations with a person who is politically exposed;
        oare conducting transactions which appear strange given an individual’s age (this is particularly relevant for underage customers);
        ohave previously been convicted for fraud, tax evasion, or serious crimes;
        oare under investigation or have known connections with criminals;
        ohave previously been prohibited from holding a directorship role in a company or operating a trust and company service provider (TCSP);
        oare the signatory to company accounts without sufficient explanation;
        oconduct financial activities and transactions inconsistent with their customer profile;
        ohave declared income which is inconsistent with their assets, transactions, or lifestyle.
       
       Legal persons or legal arrangements:
       
        ohave demonstrated a long period of inactivity following incorporation, followed by a sudden and unexplained increase in financial activities;
        odescribe themselves as a commercial business but cannot be found on the internet or social business network platforms (such as LinkedIn, XING, etc.);
        oare registered under a name that does not indicate the activity of the company;
        oare registered under a name that indicates that the company performs activities or services that it does not provide;
        oare registered under a name that appears to mimic the name of other companies, particularly high-profile multinational corporations;
        ouse an email address with an unusual domain (such as Hotmail, Gmail, Yahoo, etc.);
        oare registered at an address that does not match the profile of the company;
        oare registered at an address that cannot be located on internet mapping services (such as Google Maps);
        oare registered at an address that is also listed against numerous other companies or legal arrangements, indicating the use of a mailbox service;
        owhere the director or controlling shareholder(s) cannot be located or contacted;
        owhere the director or controlling shareholder(s) do not appear to have an active role in the company;
        owhere the director, controlling shareholder(s) and/or beneficial owner(s) are listed against the accounts of other legal persons or arrangements, indicating the use of professional nominees;
        ohave declared an unusually large number of beneficiaries and other controlling interests;
        ohave authorised numerous signatories without sufficient explanation or business justification;
        oare incorporated/formed in a jurisdiction that is considered to pose a high money laundering or terrorism financing risk;
        oare incorporated/formed in a low-tax jurisdiction or international trade or finance centre;
        oregularly send money to low-tax jurisdictions or international trade or finance centre;
        oconduct a large number of transactions with a small number of recipients’
        oconduct a small number of high-value transactions with a small number of recipients;
        oregularly conduct transactions with international companies without sufficient corporate or trade justification;
        omaintain relationships with foreign professional intermediaries in the absence of genuine business transactions in the professional’s country of operation;
        oreceive large sums of capital funding quickly following incorporation/formation, which is spent or transferred elsewhere in a short period of time without commercial justification;
        omaintain a bank balance of close to zero, despite frequent incoming and outgoing transactions;
        oconduct financial activities and transactions inconsistent with the corporate profile;
        oare incorporated/formed in a jurisdiction that does not require companies to report beneficial owners to a central registry;
        ooperate using accounts opened in countries other than the country in which the company is registered;
        oinvolve multiple shareholders who each hold an ownership interest just below the threshold required to trigger enhanced due diligence measures.
       
       There is a discrepancy between the supposed wealth of the settlor and the object of the settlement.
       Individuals, legal persons and/or legal arrangements:
       
        omake frequent payments to foreign professional intermediaries;
        oare using multiple bank accounts without good reason;
        oare using bank accounts in multiple international jurisdictions without good reason;
        oappear focused on aggressive tax minimisation strategies;
        odemonstrate limited business acumen despite substantial interests in legal persons;
        oprovide falsified records or counterfeit documentation;
        oappear to engage multiple professionals in the same country to facilitate the same (or closely related) aspects of a transaction without a clear reason for doing so.
       
       Examination of business records indicate:
       
        oa discrepancy between purchase and sales invoices;
        odouble invoicing between jurisdictions;
        ofabricated corporate ownership records;
        ofalse invoices created for services not carried out;
        ofalsified paper trail;
        oinflated asset sales between entities controlled by the same beneficial owner;
        oagreements for nominee directors and shareholders;
        ofamily members with no role or involvement in the running of the business are listed as beneficial owners of legal persons or arrangements;
        oemployees of professional intermediary firms acting as nominee directors and shareholders;
        othe resignation and replacement of directors or key shareholders shortly after incorporation;
        othe location of the business changes frequently without an apparent business justification;
        oofficials or board members change frequently without an appropriate rationale.
       
       Complex corporate structures that do not appear to legitimately require that level of complexity or which do not make commercial sense.
       Simple banking relationships are established using professional intermediaries.
       

      Indicators of shell companies

       Nominee owners and directors:
       
        oformal nominees (formal nominees may be “mass” nominees who are nominated agents for a large number of shell companies);
        oinformal nominees, such as children, spouses, relatives or associates who do not appear to be involved in the running of the corporate enterprise.
       
       Address of mass registration (usually the address of a TCSP that manages a number of shell companies on behalf of its customers).
       Only a post-box address (often used in the absence of professional TCSP services and in conjunction with informal nominees).
       No real business activities undertaken.
       Exclusively facilitates transit transactions and does not appear to generate wealth or income (transactions appear to flow through the company in a short period of time with little other perceived purpose).
       No employees (or only a single employee). Pays no taxes, superannuation, retirement fund contributions or social benefits.
       Does not have a physical presence.
       

      Indicators about the transaction

       The customer is both the ordering and beneficiary customer for multiple outgoing international funds transfers.
       The connections between the parties are questionable, or generate doubts that cannot be sufficiently explained by the client.
       Finance is provided by a lender, whether a natural or a legal person, other than a known credit institution, with no logical explanation or commercial justification.
       Loans are received from private third parties without any supporting loan agreements, collateral, or regular interest repayments.
       The transaction:
       
        ois occurring between two or more parties that are connected without an apparent business or trade rationale;
        ois a business transaction that involves family members of one or more of the parties without a legitimate business rationale;
        ois a repeat transaction between parties over a contracted period of time;
        ois a large or repeat transaction, and the executing customer is a signatory to the account, but is not listed as having a controlling interest in the company or assets;
        ois executed from a business account but appears to fund personal purchases, including the purchase of assets or recreational activities that are inconsistent with the company’s profile;
        ois executed from a business account and involves a large sum of cash, either as a deposit or withdrawal, which is anomalous, or inconsistent with the company’s profile;
        oappears cyclical (outgoing and incoming transactions are similar in size and are sent to, and received from, the same accounts, indicating that outgoing funds are being returned with little loss) (aka “round-robin” transactions);
        oinvolves the two-way transfer of funds between a client and a professional intermediary for similar sums of money;
        oinvolves two legal persons with similar or identical directors, shareholders, or beneficial owners;
        oinvolves a professional intermediary without due cause or apparent justification;
        oinvolves complicated transaction routings without sufficient explanation or trade records;
        oinvolves the transfer of real property from a natural to a legal person in an off-market sale;
        oinvolves the use of multiple large cash payments to pay down a loan or mortgage;
        oinvolves a numbered account;
        oinvolves licensing contracts between corporations owned by the same individual;
        oinvolves the purchase of high-value goods in cash;
        oinvolves the transfer of (bearer) shares in an off-market sale;
        oa loan or mortgage is paid off ahead of schedule, incurring a loss;
        oincludes contractual agreements with terms that do not make business sense for the parties involved;
        oincludes contractual agreements with unusual clauses allowing for parties to be shielded from liability but make the majority of profits at the beginning of the deal;
        ois transacted via a digital wallet.
       
       The funds involved in the transaction:
       
        oare unusual in the context of the client or customer’s profile;
        oare anomalous in comparison to previous transactions;
        oare sent to, or received from, a foreign country when there is no apparent connection between the country and the client; and/or are sent to, or received from, a low-tax jurisdiction or international trade or finance centre;
        oare sent to, or received from, a jurisdiction that is considered to pose a high money laundering or terrorism financing risk.
       
       Unexplained use of powers of attorney or other delegation processes (for example, the use of representative offices).
       Unexplained use of express trusts, and/or incongruous or unexplained relationships between beneficiaries and the settlor.
       Unexplained or incongruous classes of beneficiaries in a trust.
       
    • Annex 2. Synopsis of the Guidance

      introduction PurposeThe purpose of this guidance is to assist Licensed Financial Institutions (LFIs) understand and mitigate the risks when providing services to legal persons and arrangements, and to guide them in fulfilling their AML/CFT obligations.
      ApplicabilityThis guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:
      • national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers and other LFIs; and
      • insurance companies, agencies, and brokers.
      Understanding and Assessing the Risks of Legal Persons and ArrangementsML/TF Risks of Legal Persons and ArrangementsLegal persons and arrangements are attractive to illicit actors because they can assist criminals and their associates to:
      • Hide the identify of the individuals directing a transaction or controlling an account;
      • Obscure the true nature and purpose of an account or transaction; and
      • Conceal the source of funds involved in a transaction or account.
      Features and Controls that Mitigate RisksCertain rules governing the formation and operation of legal persons and arrangements can, if enforced, reduce the risk that they will be abused by illicit actors:
      • Formation processes that deter creation of shell companies;
      • Collection of beneficial ownership information for all legal persons and arrangements;
      • Requiring legal persons and arrangements to keep certain records and make regular reports;
      • Supervision and monitoring by appropriate government authorities.
      Legal persons and

      arrangements in the UAE

      Identification of Beneficial OwnersAll legal persons and arrangements in the UAE (except those traded on a stock exchange, or owned by a company traded on a stock exchange) are required to identify all individuals who own or control at least 25% of the legal person or arrangements. Legal persons and arrangements must hold this information, and legal persons must also report it to their registrar. They must maintain and update this information when their beneficial owners change.
      Legal Arrangements Under UAE LawUAE law allows for the creation of two types of legal arrangements: trusts and awqaf. Trustees and waqf supervisors must comply with certain requirements related to identifying the individuals party to the legal arrangement.
      Economic Substance RequirementsAll companies operating in certain sectors must prove on an annual basis that they actually conduct substantive activities in the UAE by submitting certain required information to their registrar. Although this information is not directly available to LFIs, they should be aware of these requirements and can request the information from legal person customers.
      Mitigating Risk: Requirements for LFls Risk-Based ApproachLFIs must take a risk-based approach in their AML programs and to individual customers. This means that they should assess all customers, including legal person/legal arrangement customers, to determine their degree of risk.

      In assessing the risk of a legal person or arrangement customer, LFIs should consider at least the following factors:

      • The legal form of the customer;
      • The controls governing the formation of that type of customer;
      • The controls in place to ensure that the customer identifies and reports its beneficial owners;
      • Whether the customer is subject to recordkeeping and reporting requirements;
      • Whether the customer is appropriately supervised for its compliance with these requirements.
      Customer Due DiligenceFor all customers, LFIs must perform Customer Due Diligence with the following components:
      Customer Identification: For all legal person and legal arrangement customers, LFIs must collect the following information
      • The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
      • Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
      • Articles of Association or any similar documents, approved by the relevant authority within the State;
      • Names of relevant persons holding senior management positions in the legal person or legal arrangement.
      Identification of Beneficial Owners: For all legal person and legal arrangement customers, LFIs must identify the following individuals:
      • For legal persons, all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. If no individual can be identified, the LFI must identify the individual(s) holding the senior management position(s) within the legal person customer.
      • For legal arrangements, the individuals acting as the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.
      Understand the Purpose of the Account and the Nature of the Customer's Business: LFIs must understand the business in which their customer engages as well as the reason for creating the account. The answers to these questions can have a significant impact on the risk the customer poses for the financial institution and therefore should be reflected in the customer risk rating.
      Perform Ongoing Monitoring: For all customers, LFIs must ensure that the customer information on file is up to date and accurate, and that the customer's activities are in line with the expectations set at onboarding. If not, the customer risk rating may need to be changed.
      Suspicious Transaction ReportingFor customers of all types, LFIs must report any behavior that they reasonably suspect may be linked to money laundering, the financing of terrorism, or a criminal offence. Please consult the CBUAE's Guidance on Suspicious Transaction Reporting for further information.
      Implementation of TFSA legal person or arrangement that is not itself designated on a sanctions list may be owned by someone who is designated. LFIs should screen the beneficial owners of all legal person and legal arrangement customers against sanctions lists, and should freeze any accounts or transactions related to a legal person or legal arrangement that is more than 50% owned or controlled by a designated person.