  • 3.1 Risk-Based Approach

    LFIs must take a risk-based approach to the preventive measures they put in place for all customers, including cash-intensive businesses. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision. The risk-based approach has three principal components:

    • 3.1.1 Conducting an Enterprise Risk Assessment

      As required by Article 4.1 of AML-CFT Decision, the enterprise risk assessment must reflect the presence of higher-risk customers, including cash-intensive business customers, in an LFI’s customer base. These assessments should in turn be reflected in the LFI’s inherent risk rating. In addition, the LFI’s controls risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its cash-intensive business customers, including the preventive measures discussed below.

    • 3.1.2 Identifying and Assessing the Risks Associated with Specific Customers

      The LFI is expected to assess the risk of each customer to identify those that require EDD and to support its entity risk assessment. In assessing the risks of a cash-intensive business, LFIs should consider:

       i. Geographic Risk: LFIs should assess the risks associated with the jurisdictions in which the business is registered/headquartered and where it operates, including the jurisdictions where it has subsidiaries, where it sources its products (where relevant), and where its main counterparties are based. These may include the overall risk of money laundering, financing of terrorism and illegal organisations, and financing of proliferation, as well as what is known regarding the prevalence of abuse of entities in these sectors. There are a number of sources that LFIs can use to develop a list of high-risk countries, jurisdictions, or regions. LFIs should consult any publications issued by the National Anti-Money Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee (NAMLCFTC) [7], the UAE Financial Intelligence Unit (UAE FIU), and the FATF, including the FATF’s list of jurisdictions subject to countermeasures and to increased monitoring. LFIs may also use public free databases such as, for example, the Basel AML Index [8] or the Transparency International Corruption Perceptions Index [9]. LFIs should not solely rely on public lists, however, and should consider their own experiences and the nature of their exposure to each jurisdiction when assessing the risk of that jurisdiction.
       
       ii. Customer Risks: LFIs should assess the type of cash-intensive business, the maturity of that relationship (if the relationship is a long-term business relationship of the LFI), and other characteristics of the business relationship, such as the customer’s ownership structure. Cash-intensive businesses that have a complex legal ownership structure, for example, may be higher risk than those with simpler ownership structures.
       
       iii. Product, Service, and Delivery Channel Risk: LFIs should assess risk in this category based on the products and services that the customer intends to use, and the delivery channels through which the LFI will provide these services. LFIs should draw on their entity risk assessment to assess the risk of the products and services each customer uses or intends to use. (See also Section 3.2.3 below in relation to understanding the nature of the customer’s business and purpose of the business relationship.)
       

      Questions that an LFI may ask to determine the risk profile of a cash-intensive business include, but are not limited to:

       Where is the business incorporated? Where does it operate? Are these high-risk jurisdictions?
       What type of industry does the cash-intensive business operate in?
       What types of products and services is the business requesting?
       What is the intended volume, frequency, and nature of cash transactions that the cash-intensive business intends to conduct through its account?
       What is the regulatory environment in the jurisdiction(s) where the cash-intensive business is incorporated/has operations?
       What is the ownership structure of the customer? Do the customer’s beneficial owners, shareholders, directors, and senior managers reside in a high-risk jurisdiction?
       What is the availability of information on the customer? Is the customer cooperating with the LFI to provide all the necessary customer due diligence (“CDD”)/EDD information to the LFI?
       If the customer is an existing customer, does the customer have a history of Suspicious Transaction Report (“STR”) filings?
       

      [7] Available at: https://www.namlcftc.gov.ae/en/high-risk-countries.php
      [8] Available at: https://baselgovernance.org/basel-aml-index
      [9] Available at: https://www.transparency.org/en/cpi/2020/index/nzl

    • 3.1.3 Applying EDD and other Preventive Measures

      Where the LFI determines a customer to be higher-risk, Article 4.2(b) of AML-CFT Decision requires that the LFI apply EDD. EDD is also required for specified higher-risk customer types, no matter their risk rating:

       Customers who are Politically Exposed Persons (“PEPs”) or that are owned or controlled by PEPs;
       
       Customers from higher-risk jurisdictions; and
       
       Customers with whom the LFI is establishing a correspondent relationship.
       

      EDD measures should be designed to mitigate the specific risks identified with particular customers. Examples of EDD measures are described below in Section 3.2.