3.2 Customer Due Diligence and Enhanced Due Diligence
CDD, and where necessary EDD, are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. As discussed below, each stage of the CDD process gives LFIs an opportunity to collect the information they need to identify and manage the specific risks of higher-risk customers.
The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Where an LFI cannot satisfy itself that it understands a customer, then it should not accept it as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a STR, as discussed in Section 3.3.2.
Under Article 5 of AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. Although Article 5 permits CDD to be delayed in circumstances of lower risk, the potential higher risk of cash-intensive businesses makes it unlikely that delayed CDD will be appropriate in the context of onboarding such customers. To this end, at the time of account opening, the LFI should seek to understand the cash-intensive business’ operations and business structure, the intended use of the account (including anticipated transaction volume, products, and services used), the geographic location(s) involved in the relationship, and jurisdiction(s) of operations. As part of collecting this information, the LFI should also assess the availability of information on the cash-intensive business and cooperation of the business in providing information to the LFI.
The following elements of CDD should be carried out for all customers, no matter the customer type.
3.2.1 Customer Identification and Verification
Under Article 8 of AML-CFT Decision, LFIs are required to identify and verify the identity of all customers. As stipulated in the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations for Financial Institutions, the identification and verification of the identity of customers is a fundamental component of an effective ML/FT risk management and mitigation program. Please see Section 6.3.1 of the above-mentioned Guidelines for further information on customer identification.
3.2.2 Beneficial Owner Identification
The majority of cash-intensive businesses will be legal persons. Article 9 of AML-CFT Decision requires all financial institutions to identify the beneficial owners of a legal person customer by obtaining and verifying the identity of all individuals who, individually or jointly, have a controlling ownership interest in the legal person of 25% or more. Where no such individual meets this description, the LFI should identify and verify the identity of the individual(s) holding the senior management position in the entity.
The beneficial owner of a legal person must be an individual. Another legal person cannot be classified as the beneficial owner of a customer, no matter what percentage it owns. LFIs should continue tracing ownership all the way up the ownership chain until they discover all individuals who own or control at least 25% of the LFI’s customer. When the LFI has identified qualifying beneficial owners, it should perform CDD on each individual beneficial owner, in accordance with the requirements of Article 8.1(a) of AML-CFT Decision (10). If no individual qualifies as a beneficial owner, LFIs should identify the individual(s) holding the position of senior management officer(s) within the customer. This option should be used only as a last resort, however, and when the LFI is confident that no one individual, or small group of individuals, exercises control over the customer. Please see the CBUAE's Guidance for LFIs providing services to Legal Persons and Arrangements[10] for more information on identification of beneficial owners.
[10] Available at https://www.centralbank.ae/en/cbuae-amlcft.
3.2.2.1 EDD: Beneficial Ownership
If the LFI has followed the steps described above and is still not confident that it has identified the individuals who truly own or control the customer, or when other high-risk factors are present, the LFI should consider intensifying its efforts to identify the beneficial owners. The most common method of doing so is to identify additional beneficial owners below the 25% ownership threshold mandated by UAE law. This may involve identifying and verifying the identity of beneficial owners at the 10% or even the 5% level, as risk warrants. It should also involve requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks.
3.2.3 Nature of the Customer’s Business and Purpose of the Business Relationship
Under Article 8 of AML-CFT Decision, for all customer types, LFIs are required to understand the purpose for which the account or other financial services will be used, and the nature of the customer’s business. This step requires the LFI to collect information that allows it to create a profile of the customer and of the expected uses to which the customer will put the LFI’s products and services. This element of CDD will have important implications for the customer risk rating.
It is critical that LFIs have processes and controls in place to ensure that they are able to identify cash-intensive business customers. In line with a risk-based approach, LFIs should interview the customer, review the customer’s business license, request recent financial statements (audited if available), tax returns or additional information, search company databases and assess the primary business activity, products, and services offered by the customer to understand the full scope of the customer’s business.
If an LFI determines that a customer or prospective customer has materially misrepresented itself or its business, it should not onboard the customer and should exit the relationship if one has been established. In addition, the LFI should consider filing a Suspicious Transaction Report (STR), Suspicious Activity Report (SAR) or other report types to the UAE FIU as discussed in Section 3.3.2 below. The LFI may also consider adding the customer, its beneficial owners, directors, and its managers to internal watchlists.
High-risk customers should be treated as high risk no matter the financial services they use. Even so, the risk to which the LFI may be exposed can vary based on the purpose of the account and the types of financial products and services the customer wishes to use. LFIs should fully understand the uses to which the cash-intensive business intends to put the account and the expected activity on the account, to the extent that it can generally predict activity on the account and identify activity that does not fit the profile. To that end, the LFI should seek to assess the expected volume, frequency, and nature of cash transactions that the customer intends to conduct through its account, as this will be an important risk factor for identifying money laundering and financing of terrorism and illegal organisations risks associated with the cash-intensive business. In addition, the LFI may wish to consider whether the expected volume of cash coming through the account is consistent with the declared sales income and whether the expected volume of cash appears reasonable compared to other similar cash-intensive customers of the LFI (i.e., operating as similar business types in similar markets).
3.2.4 Ongoing Monitoring
Under Article 7 of AML-CFT Decision, all customers must be subject to ongoing monitoring throughout the business relationship. Ongoing monitoring ensures that the account or other financial service is being used in accordance with the customer profile developed through CDD during onboarding, and that transactions are normal, reasonable, and legitimate.
3.2.4.1 CDD Updating
LFIs are expected to ensure that the CDD information they hold on all customers is accurate, complete, and up-to-date. This is particularly crucial in the context of customers that are companies or that engage in cash-intensive business. The risk associated with a cash-intensive business can change overnight if the customer changes its business activities. LFIs should update CDD for all customers on a risk-based schedule, with CDD on higher-risk customers being updated more frequently. EDD on all customers should involve more frequent CDD updates.
CDD updates should include a refresh of all elements of initial CDD, and in particular should ascertain that:
• The customer’s beneficial owners remain the same;
• The customer continues to have an active status with a company registrar;
• The customer has the same legal form and is domiciled in the same jurisdiction; and
• The customer is engaged in the same type of business, and in the same geographies.
In addition to a review of the customer’s CDD file, the LFI should also review the customer’s transactions to determine whether they continue to fit the customer’s profile and business and are consistent with the business the customer expected to engage in when the business relationship was established. In this capacity, the LFI should pay particular attention to whether the volume of cash coming through the account is consistent with the declared sales income of the cash-intensive business customer. This type of transaction review is distinct from the ongoing transaction monitoring discussed below. The purpose of the review is to complement ongoing transaction monitoring by identifying behaviours, trends, or patterns that are not necessarily subject to transaction monitoring rules.
The techniques used for transaction review will vary depending on the customer. For lower-risk customers, a review of alerts, if any, is likely to be sufficient. For higher-risk customers, such as cash-intensive businesses rated as high-risk, a more intensive review may be necessary. For customers with a large volume of transactions, LFIs may use data analysis techniques to identify unusual behaviour. If the review finds that the customer’s behaviour or information has materially changed, the LFI should risk-rate the customer again. New information gained during this process may cause the LFI to believe that EDD is necessary or may bring the customer into the category of customers for which EDD is mandatory (i.e., customers that are PEPs; customers that are based in high-risk jurisdictions; etc.).
LFIs may consider requiring that the customer update them as to any changes in its beneficial ownership or business activities. Even if this requirement is in place, however, LFIs should not rely on the customer to notify it of a change but should still update CDD on a schedule appropriate to the customer’s risk rating.
3.2.4.2 EDD: Ongoing Monitoring
When customers are higher risk, such as for cash-intensive businesses rated as high-risk following the completion of the CDD process, monitoring should be more frequent, intensive, and intrusive. LFIs should review the CDD files of higher-risk customers on a frequent basis, such as every six or nine months for very high-risk customers. The methods LFIs use to review the account should also be more intense and should not rely solely on information supplied for the customer. For example, LFIs should consider:
• Reviewing more or all transactions on the account, rather than a sample of transactions;
• Conducting site visits at the customer’s premises, whenever the LFI is not satisfied with the documentation provided by the customer, and requesting a meeting between an appropriate LFI representative and the customer’s managing director or Chief Financial Officer. Site visits can be particularly important for certain cash-intensive businesses, including those that use an LFI’s cash management services on a large scale, as they allow the LFI’s compliance personnel to inspect the institution’s cash management program and the controls it has in place to prevent illicit cash being commingled with legitimate funds; and
• Conducting searches of public databases, including news and government databases, to independently identify material changes in a customer’s ownership or business activities or to identify adverse media reports. Such searches should include adverse media searches of public records and databases, using relevant key words, including but not limited to, allegation, fraud, corruption, laundering.