Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, as amended, charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

The purpose of this Guidance is to assist the understanding, and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed insurers, agents, and brokers of their statutory obligations under the legal and regulatory framework in force in the UAE. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.¹ As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for licensed insurers, agents, and brokers to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the Central Bank.

Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), industry best practices, and red flag indicators identified by the FATF and leading jurisdictional authorities. These are not exhaustive and do not set limitations on the measures to be taken by licensed insurers, agents, and brokers in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, licensed insurers, agents, and brokers should perform their own assessments of the manner in which they should meet their statutory obligations.

This Guidance comes into effect immediately upon its issuance by the CBUAE with licensed insurers, agents, and brokers expected to demonstrate compliance with its requirements within one month from its coming into effect.

¹ Available at: https://www.centralbank.ae/en/cbuae-amlcft.

Unless otherwise noted, this Guidance applies to all insurance and re-insurance companies, agents, and brokers that are licensed and supervised by the CBUAE.

This Guidance builds upon the provisions of the following AML/CFT related laws and regulations:

The insurance sector offers a range of products and services to individuals and companies designed to provide a guarantee of compensation for specified loss, damage, illness, or death and facilitate financial planning and risk management in the face of uncertain future events. At the most general level, insurance products can be divided into two categories:

Both types of insurance may be offered in the UAE by conventional and Takaful insurance companies. The classes and types of the above-mentioned insurance categories are defined by Articles 3 and 4 of the Executive Regulation² of the Federal Law No. (6) of 2007 on the Establishment of the Insurance Authority & Organization of Its Operations as amended by Federal Law No. 3 of 2018 (“Insurance Law”)).

Under Article 2.16 of the AML-CFT Decision as amended, only life insurance and other investment-related insurance products are subject to the UAE’s AML/CFT legal and regulatory framework. It is therefore critical that each licensed insurer, re-insurer, agent, and broker undertakes a comprehensive assessment of its ML/FT risks, including especially the risks associated with its life insurance and other investment-related insurance product offerings, and that it designs and implements an AML/CFT compliance program that is commensurate with those risks.

Insurance sector participants include operators in the insurance sector, which sell or facilitate the sale of insurance products and must be licensed by the CBUAE, and customers who own, pay for, and/or are covered by or the beneficiaries of insurance products.

Principal insurance sector operators, as defined by the Insurance Law, include:

Under the Insurance Law and supporting Insurance Authority Board Resolutions³, insurance operators also include:

However, as these participants are not involved or play a very limited role in selling or facilitating the sale of insurance products, and as per Article 2 of the AML-CFT Decision, they are not included under Section 1.2. Applicability of this Guidance.

Principal insurance sector customers include:

² Insurance Authority – The Board of Directors’ Resolution No2 of 2009 on Issuance of the Executive Regulation of the Federal Law No6 f 2007 on Establishment of the Insurance Authority and Organization of the Insurance Operations (Published in the Official Gazette No504 on 31/01/2010).
³ Including Insurance Authority Board Resolution No. 9 of 2011 Concerning the Instructions for Licensing Health Insurance Third Party Administrators and Regulation and Control of their Business, Insurance Authority Board of Directors’ Decision No. 12 of 2018 Concerning the Regulation on Licensing and Registration of Insurance Consultants and Organization of their Operations, Insurance Authority Board of Directors’ Resolution No. 27 of 2020 Concerning the Instructions for Licensing Insurance Producers, and Insurance Authority Board of Directors’ Resolution No. 18 of 2020 Concerning the Electronic Insurance Regulations.
⁴ Unlike agents and brokers, consultants are not authorized to complete insurance sales (or to “bind coverage”) on behalf of an insurer.
⁵ A policyholder’s insurable interest is an interest in the value of the subject of insurance, including any item, event, action, or legal or financial relationship whose loss would cause a financial or other hardship. An insurable interest may result from property rights, contractual rights, or potential legal liability.

Criminal actors may use life insurance and other investment-related insurance products to place illicit proceeds into the financial system, especially (though not exclusively) where the insurer or intermediary accepts premium payments in cash. Such products may be purchased with the intention of either holding the insurance policy over its standard duration or canceling coverage before maturity and, where permitted, withdrawing premiums paid less a penalty (a practice known as “early surrender”) so as to free up funds for alternative uses. Illicit actors may also deliberately overpay premiums and request a refund for the amount overpaid to the insurance carrier in order to trigger payout under a policy. Reimbursed premiums, withdrawn contributions, and payout proceeds (whether legitimate or fraudulent) can then be deposited into a bank account or used to purchase other financial instruments without necessarily revealing the ultimate origin of the funds.

As noted above, life and other investment-related products are generally considered to present higher ML/FT risk, particularly where they have high cash values upon surrender. The following methods may be employed to launder funds through life insurance and other investment-related insurance products or relationships:

In addition to these vulnerabilities, the insurance sector is also vulnerable to abuse from other types of economic crime, particularly orchestrated fraud. Moreover, even where insurance products or relationships are not directly abused to launder money or perform other illicit transactions, insurance may be purchased by illicit actors to provide an appearance of legitimacy to the underlying, insured activities. As per Article 11.2 of the AML-CFT Decision, LFIs must consider the customer and the beneficiary of life insurance and family Takaful policies as risk factors when determining the applicability of enhanced due diligence procedures (EDD).

The remainder of this section presents additional examples of key ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products, organized by risks related to insurance products, services and transactions, distribution channels and intermediaries, customers, and geographies. These should be considered by insurance sector operators when performing their financial crimes risk assessments (see section 3.1) and determining the risks presented by specific customers or business activities. Individual risks may be heightened in view of the UAE’s national and regional circumstances and the composition of the local insurance sector. Where a risk factor is coupled with one or more of the red flag indicators provided in Annex 1 of this Guidance, insurance sector operators should consider assigning additional resources or controls to the area of heightened risk, such as by applying enhanced due diligence (“EDD”) or heightened ongoing monitoring.

Insurance operators are expected to perform and document an enterprise ML/FT risk assessment and keep the risk assessment up to date given material changes to their risk profile or legal, regulatory, or supervisory environment. Additional details on the enterprise risk assessment process and the use of risk assessment findings to support a risk-based approach are provided in section 3.1.

Under article 4 of the AML-CFT Decision, the insurance operator is required to perform, document, and keep up to date an enterprise risk assessment for the purposes of identifying, assessing, and understanding its ML/FT risks for life insurance and other investment-related insurance products, including those arising in relation to its:

The insurance operator is expected to document the methodology and findings of the risk assessment, considering all relevant risk factors before determining the level of overall risk and the appropriate type and extent of mitigation to be applied. Insurance operators must keep their risks assessments up to date and ensure that identified risks are within the institution’s risk appetite and that identified deficiencies are appropriately tracked and remediated. Risk assessments should provide a consolidated assessment of the insurance operator’s ML/FT risks across all business units, product lines, and delivery channels, including those of branches, subsidiaries, parent entities, or other affiliates located outside the UAE.

ML/FT risk factors relevant to the insurance sector for life insurance and other investment-related insurance products can be found in section 2.2 above, and red flag indicators for the UAE insurance sector are provided in Annex 1. Please consult also the CBUAE’s AML/CFT Guidelines for Financial Institutions, section 4⁸ for further information.

⁸ Available at: https://www.centralbank.ae/en/cbuae-amlcft.

Under Article 23 of the AML-CFT Decision, an insurance operator is required to identify and assess the ML/FT risks for life insurance and other investment-related insurance products that may arise in relation to:

An operator must undertake such risk assessments prior to the launch or use of new products, practices, and technologies and must take appropriate measures to manage and mitigate the identified risks. Operators should pay special attention to new products, practices, or technologies that favor anonymity.

The AML-CFT Law and AML-CFT Decision require insurance operators to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the United Nations Security Council (“UNSC”) under Chapter VII of the Charter of the United Nations (“UN”). In furtherance of this requirement, the Cabinet Decision No. (74) of 2020 sets out the legislative and regulatory framework regarding the Targeted Financial Sanctions (“TFS”), including the Local Terrorist List and the UN Consolidated List. As per Cabinet Decision 74 and in particular its Article 15, all insurance operators without any exception, are obliged to apply policies, procedures and controls to implement TFS to those sanctioned and designated in the Local Terrorist List and the UN Consolidated List.

For more information and details on their obligations in relation to their sanctions obligations, insurance operators should consult the Executive Office for Control and Non-Proliferation (former Executive Office of the Committee for Goods and Materials Subjected to Import and Export Control‘s – referred to as the Executive Office) “Guidance on Targeted Financial Sanctions for Financial Institutions and designated non-financial business and professions”¹³; the CBUAE’s Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions as well as the CBUAE’s Guidance for Licensed Financial institutions on Transaction Monitoring Screening and Sanctions screening and any of their amendments or updates thereof. Insurance operators should also consult the CBUAE’s and the Executive Office’s websites as updated from time to time, and refer to the Executive Office’s list of Frequently Asked Questions (FAQ) for the insurance sector.

¹³ Available at: https://www.uaeiec.gov.ae/en-us/un-page.

As noted above, insurers are permitted to delegate the performance of specified controls to insurance agents or other intermediaries, using either a third-party reliance or an outsourcing model.

Under either model, the insurer retains ultimate responsibility for the implementation of applicable AML/CFT preventive measures.

Insurance operators should have in place screening procedures to ensure high standards when hiring employees, appointing officers, or engaging agents or brokers (including but not limited to outsourced entities, as described in section 3.6.2 above). Employee, officer, and agent or broker screening procedures should include:

In addition, insurance operators should conduct credit history checks on a risk basis. The operator should be aware of potential conflicts of interest for staff with AML/CFT responsibilities and should act to reduce or manage such conflicts of interest, for example by reallocating responsibilities or by instituting quality controls and “four-eye” reviews of the conflicted employee’s work.

Operators should also monitor on an ongoing basis for possible indicators of suspicious or illicit behavior by employees, such as:

As with all risks to which the operator is exposed, the AML/CFT training program should ensure that employees are aware of the risks facing the insurance sector for life insurance and other investment-related insurance products, familiar with the obligations of the operator, and equipped to apply appropriate risk-based controls. Training should be tailored and customized to the operator’s risk and the nature of its operations, and should be clearly documented in the operator’s AML/CFT compliance program and associated training policies, procedures, plans, materials, and attendance records.

The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the operator faces and organized in accordance with the “three lines of defense” model. All three lines of defense must report up to and have the active support and oversight of the operator’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors.

Under the model, an operator’s business units, sales or relationship managers, and other frontline personnel represent the units or functions that create risk and should therefore serve as the first line of defense against ML/TF, and other forms of illicit activity. They should scrutinize customers and their related parties at onboarding and performing periodic and risk-based reviews to update customer information and the operator’s understanding of the customer’s risks.

The operator’s AML/CFT compliance function, in turn, constitutes the second line of defense, supporting the frontline units’ risk management activities through its system of internal controls and related monitoring, reporting, and risk assessment responsibilities. The core of an effective risk-based program is an appropriately experienced AML/CFT compliance officer, located within the second line of defense, who understands the operator’s risks and obligations and who has the resources and autonomy necessary to ensure that the operator’s program is effective.

Finally, under article 20.6 of the AML-CFT decision, operators must be subject to independent testing by internal or external auditors, who represent the third line of defense by providing independent assurance to the Board and executive management on the effectiveness and adequacy of the operator’s governance, risk management, and internal controls. Auditors should have sufficient expertise and understanding of ML/FT risks and requirements and should be fully independent of the activities and reporting structure of the functions subject to independent testing.

Additionally, as per article 32 of the AML-CFT decision, operators with overseas branches, subsidiaries, or other affiliates or legal entities must ensure that all entities within the affiliate network are subject to the AML/CFT policies, procedures, and controls that are at least as stringent as those in place at the entity located in the UAE. Likewise, all entities within the affiliate network should be included in the operator’s enterprise risk assessment and subject to AML/CFT independent testing and consolidated governance and oversight.

According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, insurance operators must maintain detailed records associated with their ML/FT risk assessment and mitigation measures as well as records, documents, data and statistics for all financial transactions, all records obtained through CDD measures for both the originators and the beneficiaries, account files and business correspondence, copies of personal identification documents, including STRs/SARs and results of any analysis performed. Operators should maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. Operators must make the records available to the competent authorities immediately upon request.

The statutory retention period for all records is at least five (5) years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.