Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

The purpose of this Guidance is to assist the understanding and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed financial institutions (“LFIs”) of their statutory obligations under the legal and regulatory framework in force in the UAE. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.¹ As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for LFIs to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the Central Bank.

Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), industry best practices and red flag indicators. These are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs should perform their own assessments of the manner in which they should meet their statutory obligations.

This Guidance comes into effect immediately upon its issuance by the CBUAE with LFIs expected to demonstrate compliance with its requirements within one month from its coming into effect.

¹ Available at https://www.centralbank.ae/en/cbuae-amlcft

Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

This Guidance builds upon the provisions of the following laws and regulations:

Legal persons and arrangements offer many advantages to illicit actors. Most importantly, however, they could be abused to hide the identity of natural persons and allow bad actors to seek to open an account or carry out a transaction with an LFI under a name other than their own. Weak laws governing the formation of legal persons and arrangements, could allow for bad actors to abuse legal persons and arrangements and enable them to conduct a transaction or transactions almost without the LFI understating the real risks and the involvement of the bad actors—an action that would otherwise be prohibited under the laws of most jurisdictions. This ability to conceal identity has a number of ramifications for financial institutions.

At a high level, features and controls that affect the vulnerabilities of legal persons and arrangements can be divided into four categories:

The subsections that follow briefly discuss the various measures that—if effectively implemented—can help mitigate the vulnerabilities of legal persons and arrangements.

LFIs should be aware of the risks associated with all customer types, including legal persons and arrangements established outside the UAE. Appropriately assessing these risks will often involve developing an understanding of the controls in place to ensure transparency.

CBUAE recognizes that LFIs do not control the legal frameworks governing their customers. Nevertheless, CBUAE recommends that LFIs familiarize themselves with the features of the company forms most commonly found within their customer base, and the controls in place in the jurisdictions where their legal person customers are most commonly registered. LFIs should also consider seeking some or all of the following information in order to understand legal person and legal arrangement risks, particularly when conducting enhanced due diligence on legal person and legal arrangement customers that pose higher risks.

Under AML-CFT Decision, all registrars of legal persons in the UAE must comply with the following requirements:

In addition, all legal persons in the UAE are required to:

Cabinet Decision No. (58) of 2020 Regulating the Beneficial Owner Procedures further defined these requirements. All legal persons in the UAE must be licensed or registered, must identify their beneficial owners, and must hold accurate, up-to-date information on their beneficial owners in a Register of Beneficial Owners. They must also report the same information to the relevant registrar. The Resolution also requires that nominee directors identify themselves to the legal person for which they serve as director, and this information must also be included in the legal person’s Register.

There are certain limited exemptions to this requirement. For example, legal persons that are publicly traded on a stock exchange, or that are owned by such a company, do not have to identify or report their beneficial owners because of other transparency-related measures and obligations associated. In addition, if no individual meets the threshold by owning at least 25% of a legal person, that entity can report an individual who controls the entity (such as its managing director) instead of a true beneficial owner.

Together, these requirements aim to ensure that customers that are legal persons established and registered under the laws of the UAE must identify their beneficial owners and must always have up-to-date information on these individuals available. LFIs cannot rely solely on customers’ statements and must verify the identity of beneficial owners independently. But a UAE-based legal person customer that claims to be unfamiliar with the requirements, or represents that it has never been required to identify its beneficial owners, may not be in compliance with the law and should be treated as at least high risk.

Two types of legal arrangements can be formed under UAE law:

Under AML-CFT Decision, Articles 9 and 37, trustees of legal arrangements, or persons holding analogous positions in other legal arrangements, are required to hold accurate and up-to-date information on the beneficial owners of the trust or other legal arrangement. For legal arrangements, the beneficial owners are defined as the settlor, the trustee, and the beneficiaries or identifiable class of beneficiaries, along with any other individual exercising ultimate effective control over the legal arrangement. Under Article 9 of AML-CFT Decision, LFIs must identify these individuals as the beneficial owners of their legal arrangement customers.

In both cases, it is important for financial institutions to be aware that these legal arrangements allow for an individual to legally hold and control funds that he or she does not own and does not have the right to benefit from. A trustee of a trust or waqf may open an account for trust funds under his or her own name, so that the account appears to belong to an individual rather than a legal arrangement. Although trustees are required to disclose their status, LFIs, as part of Customer Due Diligence (CDD), should take a proactive approach to identifying whether a customer is a trustee. This may include directly asking customers whether they are acting as trustees.

Under Cabinet Resolutions (31) of 2019, (7) of 2020, and (57) of 2020, UAE legal persons operating in certain sectors with relevant income must meet requirements related to the level of core business activities that they carry out in the UAE (the Economic Substance Test). All firms conducting any of the following activities must pass the annual Economic Substance Test:

In order to pass the test, these firms are required to make an annual report, the Economic Substance Report, to their registrar showing that they in fact carry out core income-generating activities within the UAE, that these activities are directed and managed from the UAE, that the firms maintain an appropriate number of employees, and that the firms have appropriate physical premises. The report is then reviewed by the Federal Tax Authority, which makes a determination as to whether the criteria for economic substance have been satisfied. The Economic Substance Report is not currently available to financial institutions directly, but LFIs may request an attested copy of the Report from their customer or prospective customer.

The Economic Substance Test could help reduce the likelihood that UAE companies in these sectors are shell companies. The Economic Substance Test is retroactive, however, with companies required to submit Reports at the end of the twelve-month period in which the qualifying activity took place. In addition, Reports may not be promptly reviewed. LFIs should not rely on a customer’s assertion that it has passed the Economic Substance Test and must conduct appropriate customer due diligence, as discussed in section 4.3 below. This may include requesting the customer’s Economic Substance Report from the customer itself.

Under Article 8(b) of AML-CFT Decision, when conducting CDD on legal persons and arrangements, LFIs must collect the following information and verify it based on documents from a reliable and independent source:

Legal persons and arrangements, by definition, cannot take action on their own and must be represented by a natural person. Therefore, for all legal persons and arrangements the LFI must verify that the individual acting on behalf of the customer is authorized to do so, and conduct CDD on that person as required by Article 8(a) of AML-CFT Decision.

In addition to the information described above, under Article 9 of AML-CFT Decision, the LFI must take reasonable measures to identify the beneficial owner(s) of all legal person and legal arrangement customers.

As stipulated by Article 10 of AML-CFT Decision, LFIs may omit collecting information from the customer to identify the beneficial owner of a legal person or arrangement customer only in two narrowly defined circumstances, which both apply to legal persons only:

In both cases, LFIs must still identify the beneficial owner(s) using reliable public sources. LFIs must also verify that the customer does in fact qualify for the exemption. LFIs remain responsible for using a risk-based approach and for ensuring that they understand their customer. LFIs should not seek to take advantage of this exemption if they cannot identify the beneficial owner(s) using reliable public sources. LFIs are unlikely to find reliable public information on the beneficial owners of privately-held holding companies.

In all cases, LFIs are also required by Article 8.4 of AML-CFT Decision to understand the customer’s ownership and control structure.

LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including legal persons and arrangements. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.

The risk-based approach has three principal components:

1. Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.

The enterprise risk assessment should reflect the presence of legal persons and arrangements in an LFI’s customer base. The risk assessment should consider the most common forms of legal persons and arrangements in the LFI’s customer base and should assess the risks of each form. This assessment should carefully consider and incorporate the ML/TF risks legal persons and arrangements pose to LFIs discussed above (section 2.1), although LFIs may have legal person and arrangement customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI’s inherent risk rating.

In addition, the LFI’s risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its legal person and arrangement customers, including the preventive measures discussed below.

2. Identifying and assessing the risks associated with specific customers.

The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD). Customer risk assessment for legal person and arrangements should incorporate at least all elements of the customer risk assessment for individuals, but should apply them both to the legal person or arrangement customer itself and to the individuals prominently associated with it. For example, the assessment of the legal person or arrangement’s jurisdictional risk should take into consideration not just the customer’s jurisdiction of establishment, but also the residence and nationality of the beneficial owners, senior manager, and directors.

Other risk assessment considerations that are unique to legal person and arrangement customers include:

Many EDD measures for legal persons and arrangements are the same as those applied to individual customers. EDD measures that are specific to legal person and arrangement customers are discussed in section 4.3 below.

Under AML-CFT Decision, the legal person customer types for which enhanced or special due diligence is required are:

CDD, and, where necessary, EDD are the core preventive measures that help LFIs manage the risks of legal person and legal arrangement customers. Because of this, LFIs are prohibited from maintaining anonymous accounts, and from onboarding any account or customer with fictitious names or characteristics. LFIs must perform CDD on every customer.

The goal of the CDD process is to ensure that LFIs understand who their customer is and the purpose for which the customer will use the LFI’s services. Therefore, the LFI must identify customers that are legal persons and legal arrangements. When the customer is a legal person or arrangement, the process of understanding the customer (“knowing your customer”) is more complex and requires additional steps.

Where an LFI cannot satisfy itself that it understands a legal person or legal arrangement-including when it has doubts that it has identified the individuals who truly own and control the legal person or legal arrangement—then it must not accept that legal person or legal arrangement as a customer. If there is an existing business relationship, the LFI should not continue it. LFIs should also consider filing a Suspicious Transaction Report, as discussed 4.4 below.

As required by Article 15 of AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a Suspicious Transaction Report (STR) with the UAE Financial Intelligence Unit (UAE FIU) when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, the proceeds of crime, is related to a crime, or is intended to be used in a crime. STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE FIU, LFIs alert law enforcement about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.

In addition to the requirement to file an STR when an LFI suspects that a transaction or funds are linked to a crime, LFIs should consider filing an STR in the following situations involving legal persons or arrangements:

Please consult the CBUAE’s Guidance on Suspicious Transaction Reporting for further information.

Legal persons can be included on international sanctions lists. In addition, the obligation to freeze the funds of a listed person, imposed by AML-CFT Decision and by articles 15 and 21 of Cabinet Decision (74) of 2020, extends to funds that a Listed Person owns or controls through ownership or control of a legal person or through a legal arrangement.

Listed individuals and legal persons are known to seek to evade sanctions by hiding their interest in a transaction via complex layers of control and ownership, through informal nominee arrangements, and through the assistance of complicit professionals. Listed Persons may also use front companies-companies mixing legitimate and illicit economic activity—to conceal their activities. For this reason, identification of beneficial ownership through the entire corporate ownership structure is critical for effective sanctions implementation, as is fully understanding the nature of the customer’s business.

LFIs that employ automated screening technologies to identify matches to sanctions lists must ensure that their screening tools include all individuals associated with a legal person customer, including beneficial owners, authorized signatories, directors, and senior management.

Legal persons and arrangements that are directly or indirectly (i) owned 50% or more in the aggregate, or (ii) controlled, by one or more Listed Person, including subsidiaries of a Listed Person, and entities where a listed person is a controlling shareholder, are subject to the same prohibitions as the Listed Person, even if such entities are not specifically listed by the UAE or the United Nations.

Financial institutions should observe caution when considering a transaction with an entity that is not a Listed Person in which one or more Listed Persons have a significant ownership interest that is less than 50 percent or which one or more Listed Persons may control by means other than a majority ownership interest. Such non-listed entities, to include affiliates, may become the subject of future designations or enforcement actions. As discussed above, LFIs should make a risk-based decision as to whether to identify beneficial owners who own or control less than 25% of the legal persona or arrangement. LFIs are not required to identify every beneficial owner in order to conduct sanctions screening. But should an LFI, in the course of enhanced due diligence, discover that a Listed Person owns a minority interest in a legal person, this information must be taken into consideration in risk-rating that customer.

Please see the Guidance on Targeted Financial Sanctions for more information on this issue.

LFIs should consult the CBUAE and the Supreme Council for National Security if they have any questions regarding implementation of UN or UAE sanctions. LFI employees must be trained on these issues as part of comprehensive ongoing training.

As will all risks to which the LFI is exposed, the AML/CFT training program must ensure that employees are aware of the risks of legal persons and arrangements, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls.