3.9. Governance and Independent Audit

Effective from 31/10/2022

The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the operator faces and organized in accordance with the “three lines of defense” model. All three lines of defense must report up to and have the active support and oversight of the operator’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors.

Under the model, an operator’s business units, sales or relationship managers, and other frontline personnel represent the units or functions that create risk and should therefore serve as the first line of defense against ML/TF and other forms of illicit activity. They should scrutinize customers and their related parties at onboarding and perform periodic and risk-based reviews to update customer information and the operator’s understanding of the customer’s risks.

The operator’s AML/CFT compliance function, in turn, constitutes the second line of defense, supporting the frontline units’ risk management activities through its system of internal controls and related monitoring, reporting, and risk assessment responsibilities. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer, located within the second line of defense, who understands the operator’s risks and obligations and who has the resources and autonomy necessary to ensure that the operator’s program is effective.

Finally, under article 20.6 of the AML-CFT decision, operators must be subject to independent testing by internal or external auditors, who represent the third line of defense by providing independent assurance to the Board and executive management on the effectiveness and adequacy of the operator’s governance, risk management, and internal controls. Auditors should have sufficient expertise in and understanding of ML/TF risks and requirements, and should be fully independent of the activities and reporting structure of the functions subject to independent testing.

Additionally, as per article 32 of the AML-CFT decision, operators with overseas branches, subsidiaries, or other affiliates or legal entities must ensure that all entities within the affiliate network are subject to AML/CFT policies, procedures, and controls that are at least as stringent as those in place at the entity located in the UAE. Likewise, all entities within the affiliate network should be included in the operator’s enterprise risk assessment and be subject to AML/CFT independent testing and to consolidated governance and oversight.