  • 4.3. Customer Due Diligence and Enhanced Due Diligence

    CDD, and, where necessary, EDD are the core preventive measures that help LFIs manage the risks of legal person and legal arrangement customers. Because of this, LFIs are prohibited from maintaining anonymous accounts, and from onboarding any account or customer with fictitious names or characteristics. LFIs must perform CDD on every customer.

    The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Therefore, the LFI must identify customers that are legal persons and legal arrangements. When the customer is a legal person or arrangement, the process of understanding the customer (“knowing your customer”) is more complex and requires additional steps.

    Where an LFI cannot satisfy itself that it understands a legal person or legal arrangement, including when it has doubts that it has identified the individuals who truly own and control the legal person or legal arrangement, then it must not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report, as discussed in section 4.4 below.

    • 4.3.1. Core Elements of Customer Due Diligence

      LFIs are reminded that all elements of CDD (and EDD) apply to customers that are legal persons and legal arrangements. LFIs should refer to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions for a full discussion of CDD obligations. CDD obligations include, but are not limited to, the requirement that LFIs, using a risk-based approach:

       Identify the customer and verify if the customer’s identity is reliable by using independent sources (discussed in this section);
       Identify beneficial owners of the customer (discussed in section 4.3.2 below);
       Assess and understand customer risk (discussed in section 4.2 above);
       Obtain information on the purpose and intended nature of the account (discussed in section 4.3.3 below); and
       Ensure ongoing due diligence is conducted and that the business relationship and transactions are scrutinized in the course of the relationship (discussed in section 4.3.4 below).
       

      LFIs must maintain records of the customer information obtained through CDD to enable the LFI to demonstrate compliance to CBUAE and to comply with requests for information from competent authorities.

      As discussed above in section 4.1, LFIs must identify legal person customers by collecting the following information and verifying it using independent, reliable sources:

       The name [this may not apply for legal arrangements], Legal Form and Memorandum of Association;
       Headquarters’ office address or the principal place of business; in addition, if the legal person or arrangement is a foreign entity, the name and address of its legal representative in the State;
       Articles of Association or any similar documents, approved by the relevant authority within the State;
       Names of relevant persons holding senior management positions in the legal person or legal arrangement.
       

      Verification of information collected to identify the customer should be risk-based. In standard cases, verification should rely on government-issued or certified documents, such as business licenses and notarized copies of the legal person’s memorandum of association. Where risks are lower, LFIs may consider using non-documentary sources, such as public registries, including the registries maintained by company registrars in the UAE. Consulting a registry, however, is not a replacement for collecting the documents specifically required by the AML-CFT Decision, even if the customer was required to submit the same documents to the registry.

    • 4.3.2. Identification of Beneficial Owners and of Ownership and Control Structure

      • 4.3.2.1. UAE Requirements

        As discussed in section 4.1 above, the UAE requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI must identify and verify the identity of the individual holding the senior management position in the entity.

        The AML-CFT Decision does not define “senior management position,” and LFIs should make a judgment, based on the specific facts and circumstances, as to the individual who meets this description. The senior management official should be a single individual with significant responsibility to control, manage, or direct a legal person customer. This may include the entity’s Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Director, General Partner, or President.

        LFIs should consider whether the individual’s background, experience, and expertise make it plausible that they would indeed hold a position of responsibility at a legal person of the customer’s size. Where a customer identifies a relatively young or inexperienced individual as its senior manager, that may be a sign that the individual does not in fact control the customer and instead takes orders from another individual who wishes to obscure his or her identity.

        For legal arrangement customers, LFIs must verify the identity of the settlor and the trustee (or anyone holding equivalent positions for non-trust legal arrangements), the beneficiaries or class of beneficiaries, and any other individuals in control of the legal arrangement.

        The beneficial owner of a legal person or arrangement must be an individual. Another legal person or arrangement cannot be the beneficial owner of a customer, no matter what percentage it owns. LFIs must continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI’s customer.

        When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision. Where the customer is a UAE legal person, LFIs may require the customer to provide the beneficial ownership report it has submitted to its company registrar as per Cabinet Decision (58). This should not be a substitute, however, for independent identification of beneficial owners by the LFI.

        LFIs are also required to understand the customer’s ownership and control structure. This means that LFIs must be aware of who owns the customer, even if they have not verified the identity of the individuals owning every company in the customer’s ownership chain. LFIs should have confidence that they fully understand who has the power to direct and control their customer’s actions.

      • 4.3.2.2. Applying a Risk Based Approach

        It is important to note that the legal requirements mentioned above (section 4.3.2.1) are baseline obligations rather than definitions of beneficial ownership. A beneficial owner, as defined in AML-CFT Decision, is any individual who owns or controls all or part of a legal person. This means that a legal person can have several beneficial owners, not all of whom are required to be identified under the law. LFIs should always identify and verify the identity of all individuals owning or controlling at least 25% of a legal person, but they should also make a risk-based decision as to whether to identify and verify the identity of additional beneficial owners. For legal person customers that require EDD, whether as a function of law or because they are higher risk, LFIs should always consider lowering the ownership threshold below 25%.

        LFIs should be aware that even minority owners of a legal person customer can exercise control over the legal person through informal arrangements, family relationships, and specific governance arrangements (e.g. preferred stock), among other methods. Customers whose minority owners include individuals that are subject to United Nations or UAE sanctions may also create serious risks for LFIs, even if the individual only owns a small share of the customer (see section 4.5 below). Thus, particularly in higher risk scenarios, LFIs should consider completing an ownership and control chart that includes at least the names of all beneficial owners of every legal customer, or all individuals owning at least 5% of the customer. Collecting the names of beneficial owners is distinct from identifying them and verifying their identity and does not require the LFI to collect identifying information. LFIs must still identify and verify the identity of all individuals owning at least 25% of legal person customers.

        Beyond lowering the ownership threshold, EDD methods related to identification of ownership and control can include requiring the beneficial owners of customers to verify their ownership by presenting share certificates or contracts.

        Example 1: Company A is a UAE-based company that leases office space. Company A applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company A is 50% owned by Mr. Y and 40% owned by Ms. W. Bank Lion is aware that Company A has additional owners, but knows they own less than 10% of Company A.

        Because Company A is a low-risk domestic firm, Bank Lion is not required to identify the additional owners of Company A.

        Example 2: Company B is a Cayman Islands-based company with no business operations and a letterbox address on the premises of a known Cayman Islands TCSP. Company B applies to open an account with Bank Lion, a CBUAE-supervised LFI. Bank Lion verifies that Company B is 50% owned by Mr. Y, a citizen of Russia and 40% owned by Ms. W, a citizen of Malta.

        Company B is likely a shell company, and its known beneficial owners are from high-risk jurisdictions. Therefore, Bank Lion decides to take the step of identifying and verifying the identity of the individuals who own the remaining 10% of the company before accepting Company B as a customer. It discovers that the remaining 10% of shares are owned by Mr. Y’s father, a well-known Russian businessman. Because Mr. Y is only 22 and a recent university graduate, Bank Lion suspects that Mr. Y is a nominee and that his father may be the true controlling owner of Company B.

         

      • 4.3.2.3. Legal Persons – Common Situations

        In many cases, identifying the beneficial owners of a legal person customer will be a straightforward process. A customer may be directly owned by one or two individuals:

        [Figure 4.3.2.3-1]

        In such cases, an LFI is obliged to identify and to verify the identity of both individuals, Mr. X and Ms. Y.

        Legal persons may have more complex ownership structures, however, in which other legal persons are involved in the ownership chain. In such cases, LFIs must continue up the chain until they identify an individual:

        [Figure 4.3.2.3-2]

        In this situation, the owners of Company A are as follows:

        Owner  | Share | Ownership Type
        Mr. X  | 30%   | Direct
        Ms. Y  | 30%   | Direct
        Ms. E  | 28%   | Indirect - Ms. E owns 70% of Company B, which in turn owns 40% of Company A
        Mr. D  | 12%   | Indirect - Mr. D owns 30% of Company B, which in turn owns 40% of Company A

         

        Mr. X, Ms. Y, and Ms. E must all be identified under UAE law, as they own at least 25% of Company A. Mr. D owns 12%, so he is not required to be identified. But the LFI should make a risk-based decision as to whether to identify him.

        Illicit actors may seek to use complex ownership structures to hide the fact that they own 25% or more of the customer. This is why it is important for LFIs to use a risk-based approach and to be confident that, at the end of the process, they fully understand who controls their customer.

        [Figure 4.3.2.3-3]

        In this situation, although it at first appears that Ms. Y and Mr. X each own less than 25% of Company A, in fact between them they own 100% of the company. Their ownership interests can be calculated as follows:

        Mr. X:

         20% of Company B, which owns 40% of Company A: 20% of 40% is 8%; plus
         100% of Company E, which owns 75% of Company C, which owns 60% of Company A: 100% of 75% of 60% is 45%.
         Mr. X owns 53% of Company A.
         

        Ms. Y:

         25% of Company C, which owns 60% of Company A: 25% of 60% is 15%; plus
         100% of Company D, which owns 80% of Company B, which owns 40% of Company A: 100% of 80% of 40% is 32%.
         Ms. Y owns 47% of Company A.
         

        Both Mr. X and Ms. Y must be identified under UAE law. In addition, LFIs should be aware that Mr. X and Ms. Y are likely associated parties and should question whether there is a legitimate economic purpose for the ownership structure of Company A.
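
        The two calculations above, as an added example that is not part of the guidance: effective ownership is the product of the shares along each chain, summed across chains. The function names and the `holdings` layout are assumptions of this example, and the two structures are transcribed from the figures given in the text.

```python
from fractions import Fraction

# Identification threshold stated in the guidance (25%).
THRESHOLD = Fraction(25, 100)


def pct(n):
    """Percentage as an exact fraction, so 70% of 40% is exactly 28%."""
    return Fraction(n, 100)


def effective_ownership(holdings, target):
    """Return {individual: effective share of target}.

    holdings maps each owned entity to {owner: direct share}. An owner that
    is not itself a key is treated as an individual (assumption of this
    example). Shares are multiplied along a chain and summed across chains.
    """
    totals = {}

    def walk(entity, share, path):
        for owner, stake in holdings[entity].items():
            if owner in path:
                raise ValueError(f"circular ownership at {owner}")
            held = share * stake
            if owner in holdings:      # another legal person: keep tracing
                walk(owner, held, path | {owner})
            else:                      # an individual: end of the chain
                totals[owner] = totals.get(owner, 0) + held

    walk(target, Fraction(1), {target})
    return totals


def must_identify(holdings, target, threshold=THRESHOLD):
    """Individuals at or above the threshold, sorted by name."""
    shares = effective_ownership(holdings, target)
    return sorted(name for name, s in shares.items() if s >= threshold)


# Structure behind the table above: one intermediate company.
LAYERED = {
    "Company A": {"Mr. X": pct(30), "Ms. Y": pct(30), "Company B": pct(40)},
    "Company B": {"Ms. E": pct(70), "Mr. D": pct(30)},
}

# Structure behind the Mr. X / Ms. Y calculation: no individual holds
# Company A directly, yet the two of them hold 100% between them.
SPLIT = {
    "Company A": {"Company B": pct(40), "Company C": pct(60)},
    "Company B": {"Mr. X": pct(20), "Company D": pct(80)},
    "Company C": {"Company E": pct(75), "Ms. Y": pct(25)},
    "Company D": {"Ms. Y": pct(100)},
    "Company E": {"Mr. X": pct(100)},
}

if __name__ == "__main__":
    for label, graph in (("layered", LAYERED), ("split", SPLIT)):
        shares = effective_ownership(graph, "Company A")
        for name in sorted(shares):
            print(f"{label}: {name} {float(shares[name]):.0%}")
        print(f"{label}: identify {must_identify(graph, 'Company A')}")
    # A lowered threshold for an EDD customer brings Mr. D into scope.
    print(must_identify(LAYERED, "Company A", threshold=pct(10)))
```

        Exact fractions keep a holding that lands on the threshold from being missed through floating-point rounding.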

      • 4.3.2.4. Legal Arrangements - Common Situations

        Legal arrangements may not present the layered ownership structures seen in legal persons. This does not mean, however, that identifying the beneficial owners of legal arrangements is always straightforward. In particular, the very different forms of legal arrangements that may be formed in different jurisdictions can make it difficult to identify the individuals who hold roles analogous to settlor, trustee, and beneficiary. LFIs should always identify the following individuals:

         The legal entities or individuals who have the power to control the property of the legal arrangements. These legal entities or individuals are analogous to trustees. If a legal entity (such as a financial institution) acts as trustee, LFIs must identify the beneficial owners of that legal entity.
         The legal entities or individuals for whose present or future benefit the trustees are safeguarding the legal arrangement property. These legal entities or individuals are analogous to the beneficiaries.
          o Beneficiaries may be defined as a class which can change over time (e.g., “all the underage grandchildren of the settlor”).
          o LFIs should identify the class of beneficiaries, and all beneficiaries currently in existence, at the time of onboarding the customer. During periodic CDD refresh, they should ascertain whether additional identifiable individuals have joined or left the beneficiary class (e.g. a new child has been born, a beneficiary has come of legal age).
          o If a legal entity is the named beneficiary, LFIs must identify the beneficial owners of that legal entity.
         The legal entities or individuals who assigned control of the legal arrangement property to the trustees (or individuals holding a similar position). This individual or legal entity is analogous to the settlor. A settlor may or may not retain underlying legal ownership of the legal arrangement property. If a legal entity acts as settlor, LFIs must identify the beneficial owners of that legal entity.
         

        In addition, where trustees are financial institutions, lawyers or any other professional with secrecy rules in a foreign jurisdiction, it may be difficult to obtain the information LFIs need. LFIs should be aware that if they cannot obtain this information, they should not establish the business relationship or continue an existing relationship.

        Legal arrangements may also be part of the ownership structures of other legal persons or arrangements. Because trusts do not have shares or equity, LFIs should treat all participants in a trust or similar legal arrangement as if they own 100% of the legal arrangement.

        [Figure 4.3.2.4-1]

         

        In the example above, Company A is 40% owned by Company B, which is in turn wholly owned by a trust established in the Isle of Jersey. Ms. Y and Mr. X are beneficiaries of the trust and also indirectly own shares of Company A through Company C. Mr. X has to be identified and verified based solely on his indirect 45% ownership of Company A through Company E. Ms. Y and Mr. Z must also be identified and verified because they are beneficial owners of a legal arrangement that owns 40% of Company A.

    • 4.3.3. Understanding the Purpose of the Account and Nature of the Customer’s Business

      For all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s services. Because almost all legal persons and arrangements are created to make it easier to do business, invest assets, or engage in some form of organized activity, this element of CDD is critical to understanding customers who are legal persons and arrangements.

      Legal persons and arrangements engage in an extremely wide variety of financial activity, potentially a wider variety than individual customers are likely to display. The activity profile of a cash-intensive business such as a taxi firm will be completely different from that of an investment vehicle or of a waqf that collects revenues from real property and distributes them to charitable causes. But specific legal person and arrangement customers are also likely to engage in patterns of activity that remain constant from month to month and year to year. Understanding the purpose of the account allows LFIs to develop expected patterns and compare them to actual behaviour. For example:

       A taxi company is likely to see substantial cash inflows and make regular, predictable transfers to cover payroll and to a limited set of suppliers (e.g. mechanics, gas stations). If a taxi company starts making transfers to a foreign jurisdiction, even a low-risk one, that behaviour may not fit the expected pattern and if so would require investigation.
       A waqf managing an apartment building should receive very regular monthly rent payments from residents, whether by cash, check or Automated Clearing House. The waqf should have regular expenses for maintenance and property taxes, as well as predictable payments to the beneficiaries of the waqf. If the waqf suddenly doubles its cash deposits, the LFI will need to investigate to understand why the customer’s behaviour has changed.
       

      Understanding the nature of the customer’s business can be a straightforward process. Most legal person customers will be engaged in familiar, easily identifiable activities in recognized sectors: manufacturing, retail, agricultural production, etc. In other cases, it may not be so simple. A legal person customer may be formed solely to facilitate a complex financial transaction. In other cases, the legal person may not have fully determined its business model or may plan to engage in a business activity that is out of keeping with the owners’ and managers’ resources and expertise, or that does not seem to make economic sense. Finally, a customer may try to conceal its actual business; for instance, a company that is engaged in computer hacking and fraud may describe itself as a software engineering firm or a call centre.

      As LFIs advance efforts to understand their customer’s business and financial activities, they should consider whether aspects of the customer profile require EDD. The following are some situations in which EDD may be appropriate:

       The customer has business or other ties to high-risk jurisdictions (if the customer or its beneficial owners are based in a high-risk jurisdiction, EDD is mandatory).
       The customer is engaged in a high-risk sector. High-risk sectors can include, but are not limited to:
        o Sectors with high flows of cash;
        o Other financial sectors (e.g. customers who are MSBs or payment processors);
        o Sectors that involve the import or export of dual-use technology (technology that may be used for proliferation);
        o Sectors that are at high risk for human trafficking (bars and dance venues; construction; cleaning);
        o Charitable activities, especially those involving high-risk jurisdictions.
       The customer is a state-owned enterprise (SOE). SOEs engage in a wide variety of business activities; their close relationship to government and government officials means that they may be at higher risk for corruption-related transactions.
       The customer intends to use high-risk financial products and services, such as bulk cash services or purchase and exchange of virtual assets.
       The LFI does not fully understand the customer’s business model or activities. Customers that generate revenue, but that have no apparent business activities, are perhaps the highest risk.
       

      When conducting EDD on the business activities and account use of legal persons and arrangements, LFIs should use techniques designed to manage the specific risks of the customer. These may include, but are not limited to:

       Requiring the customer to provide invoices documenting incoming and outgoing transfers;
       Requiring the customer to provide its Economic Substance Report;
       For customers operating in licensed sectors, requiring the customer to provide proof that it has a valid business license;
       Inspecting payroll documents and other business records;
       Visiting the customer’s business premises and interviewing its personnel;
       Requesting a reference from a current customer or other well-known firm with which the new customer claims to do business, or which operates in the same sector as the new customer.
       
    • 4.3.4. Ongoing Monitoring

      Like all customers, legal persons and arrangements must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.

      • 4.3.4.1. CDD Updating

        LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of legal person and arrangement customers, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction.

        LFIs should update CDD on legal person and arrangement customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers, including legal persons and arrangements, should involve more frequent CDD updates.

        CDD updates should include a refresh of all elements of initial CDD, and in particular must ascertain that:

         The customer’s beneficial owners remain the same;
         The customer continues to have an active status with a company registrar (this may not apply to legal arrangement customers);
         The customer has the same legal form and is domiciled in the same jurisdiction;
         The customer is engaged in the same type of business, and in the same geographies;
         The customer’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established.
         

        If any of the above characteristics have changed, the LFI should risk-rate the customer again.

        The LFI should conduct EDD when the revised risk rating demands it or if the customer’s history of transactions is not consistent with its profile and with the expectations established at account opening. LFIs must always conduct EDD when this is required by law (a beneficial owner of the customer is a PEP, as defined in Article 15 of AML-CFT Decision, or the customer or its beneficial owner is domiciled in a high-risk jurisdiction).

        LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LFIs should not rely on the customer to notify them of a change, but must still update CDD on a schedule appropriate to the customer’s risk rating.

      • 4.3.4.2. Transaction Monitoring

        As with all customers, LFIs must monitor activity by legal person and arrangement customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (see section 4.4 below). Legal persons, especially those that engage in commerce, are likely to engage in a wider range of financial activity than are individual and most legal arrangement customers. This can make identifying suspicious behaviour by legal persons difficult.

        As with other customer types, LFIs that use automated monitoring systems should apply rules that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.

        Where possible, monitoring systems should also flag unusual behaviour that may indicate that a legal person customer’s business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business model in such a way as to require a higher risk rating.

        A list of red flags for illicit behaviour involving legal persons and arrangements is provided in the Annex to this Guidance.