4.3.4. Ongoing Monitoring
Like all customers, legal persons and arrangements must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
4.3.4.1. CDD Updating
LFIs are required to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of legal person and arrangement customers, which, by their very nature, can change their fundamental identity overnight. With the stroke of a pen, a company engaged in a low-risk business and owned by reputable UAE residents can move its activities to a high-risk sector and can transfer ownership to nationals of a high-risk foreign jurisdiction.
LFIs should update CDD on legal person and arrangement customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers, including legal persons and arrangements, should involve more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular must ascertain that:
• The customer’s beneficial owners remain the same;
• The customer continues to have an active status with a company registrar (this may not apply to legal arrangement customers);
• The customer has the same legal form and is domiciled in the same jurisdiction;
• The customer is engaged in the same type of business, and in the same geographies;
• The customer’s transactions continue to fit its profile and business, and are consistent with the business the customer expected to engage in when the business relationship was established.
If any of the above characteristics have changed, the LFI should risk-rate the customer again.
The LFI should conduct EDD when the revised risk rating demands it or if the customer’s history of transactions is not consistent with its profile and with the expectations established at account opening. LFIs must always conduct EDD when this is required by law (a beneficial owner of the customer is a PEP, as defined in Article 15 of the AML-CFT Decision, or the customer or its beneficial owner is domiciled in a high-risk jurisdiction).
LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership. Even if this requirement is in place, however, LFIs should not rely on the customer to notify them of a change, but must still update CDD on a schedule appropriate to the customer’s risk rating.
4.3.4.2. Transaction Monitoring
As with all customers, LFIs must monitor activity by legal person and arrangement customers to identify behaviour that is potentially suspicious and that may need to be the subject of a Suspicious Transaction Report (see section 4.4 below). Legal persons, especially those that engage in commerce, are likely to engage in a wider range of financial activity than are individual and most legal arrangement customers. This can make identifying suspicious behaviour by legal persons difficult.
As with other customer types, LFIs that use automated monitoring systems should apply rules that are designed to detect common typologies for illicit behaviour. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD, including the identities of beneficial owners. For example, a series of transactions between two unconnected companies may not be cause for an alert. But if the companies are all owned or controlled by the same individual(s), the LFI should investigate to make sure that the transactions have a legitimate economic purpose.
Where possible, monitoring systems should also flag unusual behaviour that may indicate that a legal person customer’s business has changed—for example, a first transfer to or from a high-risk jurisdiction, or a large transaction involving a new counterparty. LFIs should follow up on such transactions with the customer to discover whether the customer has changed its business model in such a way as to require a higher risk rating.
A list of red flags for illicit behaviour involving legal persons and arrangements is provided in the Annex to this Guidance.