4. Program Governance and Oversight
The following sections outline program governance expectations relating to TM and sanctions screening systems and processes.
4.1. Oversight, Management Reporting, and Auditing
The LFI’s board of directors and senior management should exercise active oversight of the institution’s key financial crimes risks and the controls in place to mitigate those risks. The board (or a board-designated committee) and senior management should receive regular reports on the institution’s key risks and trends and the overall performance of AML/CFT and sanctions controls, and should review the institution’s financial crimes risk assessment, any AML/CFT and sanctions audit and regulatory reports, and the institution’s written AML/CFT and sanctions program. The AML/CFT and sanctions program should be subject to senior management approval, and the board and senior management should ensure that clear, current, and appropriate policies and procedures are put in place and that there are effective TM and sanctions screening systems supported by adequate internal expertise and resources.
TM and sanctions screening functions should be given clear and distinct responsibilities for their respective tasks in the TM and sanctions screening process chain (e.g., for alert handling and the filing of STRs/SARs). Additionally, as detailed above, LFIs are expected to implement effective reporting systems, to include quantitative MIS reports as well as qualitative analysis of key risks and trends as appropriate, to ensure that their board and senior management are updated on key financial crimes risks in a timely manner. Any data quality or system functionality or output issues should be documented and tracked, and the status of remedial actions should be reported regularly to senior management.
TM and sanctions screening programs should be subject to independent testing by internal or external auditors with sufficient technological expertise and understanding of ML/TF/PF and sanctions risks and requirements. The LFI’s independent testing function (whether internal or external) should ensure adequate TM and sanctions screening coverage of the LFI’s customers, products, services, delivery channels, and geographies and may perform model testing and validation, as detailed above, as part of its AML/CFT and sanctions independent testing plan and methodology; otherwise, model testing and validation should be performed at periodic, risk-based intervals by a qualified and independent third party.
4.2. Use of Vendors and Other Third Parties
LFIs may use externally provided TM or sanctions screening services and other third-party providers to fulfil their legal and regulatory obligations to monitor and screen their customers and transactions. However, LFIs are ultimately responsible for complying with AML/CFT and sanctions requirements, even if they choose to use third-party models to assist with their compliance obligations.
The selection of a third-party system or service should be guided by the LFI’s size, geographic footprint, business and technology environments, and financial crimes risks, as well as functional requirements, such as the volume of data to be screened, the degree to which TM and sanctions screening processes will be centralized across business lines within the LFI, the nature of existing data integrity processes, and the ability of the application to integrate effectively within an LFI’s technological infrastructure. When selecting a vendor, LFIs should require the vendor to provide developmental evidence explaining the product components, design, and intended use, so as to determine whether the model is appropriate for the LFI’s products, exposures, and risks. Vendors should provide appropriate testing results that show their product works as expected. They should also clearly indicate the model’s limitations and assumptions and where the product’s use may be problematic. LFIs should expect vendors to conduct ongoing performance monitoring and outcomes analysis, with disclosure to their clients, and to make appropriate modifications and updates over time.
LFIs are expected to validate their own use of vendor products. External models may not allow full access to computer coding and implementation details, so the LFI may have to rely more on sensitivity analysis and benchmarking. Vendor models are often designed to provide a range of capabilities and so may need to be customized by an LFI for its particular circumstances. An LFI’s customization choices should be documented and justified as part of validation. If vendors provide input data or assumptions, or use them to build models, their relevance for the LFI’s situation should be assessed. LFIs should obtain information regarding the data used to develop the model and assess the extent to which that data is representative of the LFI’s situation. The LFI also should conduct ongoing monitoring and outcomes analysis of vendor model performance using the LFI’s own outcomes. Systematic procedures for validation help the LFI to understand the vendor product and its capabilities, applicability, and limitations. Such detailed knowledge is necessary for basic controls of an LFI’s operations. It is also very important for the LFI to have as much knowledge in-house as possible, in case the vendor or the LFI terminates the contract for any reason, or if the vendor is no longer in business. LFIs should have contingency plans for instances when the vendor model is no longer available or cannot be supported by the vendor.
4.3. Role-Specific Training
LFIs should ensure that personnel responsible for performing TM and sanctions screening roles receive training that covers key financial crimes risks faced by the institution (such as common ML/TF/PF or sanctions evasion typologies), complex and higher-risk customer and transaction types relevant to TM and sanctions screening processes, applicable legal and regulatory requirements, and internal policies, procedures, and processes. Training should be tailored to each individual’s specific responsibilities and include desktop procedures or instructions for the use of any TM or sanctions screening systems or other technology relevant to the individual’s role.
An LFI’s TM and sanctions screening training should be based on an assessment of the institution’s training needs, incorporated into wider AML/CFT and sanctions training plans and programs, and subject to completion tracking and escalation procedures to ensure timely completion of mandatory training by all relevant personnel. Mandatory training should also be extended to any staff located abroad whose responsibilities cover accounts booked in or activity flowing into, out of, or through the UAE.
4.4. Record Keeping
According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, LFIs must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, copies of personal identification documents, including STRs/SARs and results of any analysis performed. LFIs must maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions.
Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. LFIs must make the records available to the competent authorities immediately upon request.
The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.