Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

The purpose of this Guidance is to assist the understanding and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed financial institutions (“LFIs”) of their statutory obligations under the legal and regulatory framework in force in the UAE. It should be read in conjunction with the CBUAE's Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.¹ As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for LFIs to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the Central Bank.

Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), industry best practices and red flag indicators. These are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs should perform their own assessments of the manner in which they should meet their statutory obligations.

This Guidance comes into effect immediately upon its issuance by the CBUAE with LFIs expected to demonstrate compliance with its requirements within one month from its coming into effect.

¹ Available at https://www.centralbank.ae/en/cbuae-amlcft

Unless otherwise noted, this guidance applies to all natural and legal persons, which are licensed and/or supervised by CBUAE, in the following categories:

(AML-CFT Law Articles 9.1, 15, 24, 25, 27; AML-CFT Decision Articles 16-18, 20.2, 21.2, 40-43)

The requirement to submit Suspicious Transaction Reports (“STRs”) to the Financial Intelligence Unit ("FIU”) is outlined in the (i) Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and Financing Illegal Organisations and Federal Decree law No. (26) of 2021 To amend certain provisions of Federal Decree-law No. (20) of 2018, on anti-money laundering and combating the financing of terrorism and financing of illegal organisations (the “AML-CFT Law”); (ii) Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations (the “AML-CFT Decision”); and (iii) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution.

Under the UAE AML-CFT legal and regulatory framework, all LFIs are obliged to promptly report to the FIU suspicious transactions and any additional information when there are suspicions, or reasonable grounds to suspect, that the proceeds are related to a crime, or to the attempt or intention to use funds or proceeds for the purpose of committing, concealing, or benefitting from a crime. “Crime” is defined in Article 1 of the AML-CFT Law as “money laundering crime and related predicate offences, or financing of terrorism or illegal organisations.” There is no minimum reporting threshold; all suspicious transactions, including attempted transactions, should be reported regardless of the amount of the transaction. LFIs are also required to put in place and update indicators that can be used to identify possible suspicious transactions.

Although the AML-CFT Law uses the term “STRs” to mean both suspicious transactions and activity, for the purposes of this Guidance document, suspicious activity involving transactions should be reported (in the first instance) to the FIU as STRs; suspicious activity that does not involve transactions, on the other hand, should be reported (in the first instance) to the FIU as Suspicious Activity Reports (“SARs”). Examples of scenarios that warrant a SAR filing include, but are not limited to: the customer is the subject of material adverse media; the customer alerts as a positive sanctions match; the prospective customer acts in a manner that is suspicious upon account opening (e.g., refusing to answer account opening questions; providing falsified or counterfeit documentation; exhibiting reluctance to provide detailed information about a business account, etc.); or the customer exhibits other suspicious behavior (e.g., inquiring about ways to circumvent certain reporting thresholds). STRs, SARs, and other report types (referenced in greater detail in Section 3.2 (“Basic Structure of an STR or SAR”)) align with the FIU’s current reporting regime and utilization of the goAML system.

Under federal law and regulations, whether the LFIs operate in the mainland UAE or in a Financial or Commercial Free Zone, the designated competent authority for receiving report of suspicious transactions or activity is the FIU. The UAE’s minimum statutory obligations that apply to LFIs are covered in the following requirements:

Employees within the first line of defense (e.g., relationship managers, business executives, and backoffice operations functions) should understand the AML/CFT risks posed to the business in which they work. First line of defense employees are central to the management of customer and third-party risk and the timely escalation of potentially suspicious activity. LFIs should not rely solely on transaction monitoring systems to identify unusual and potentially suspicious activity in their customer population. First line of defense employees play a critical role in the detection and prevention of money laundering and the financing of terrorism and illegal organisations. Appropriately trained employees are in fact well-placed to identify suspicious transactions and assess that information once deemed reasonable—collected through interactions with a customer—now appears suspicious. They should therefore be trained regarding potential risk and risk mitigation and reporting within their business area. Employees should understand the regulatory requirements within the scope of their role; red flags associated with their customers, products, services, delivery channels, and geographies; and the appropriate escalation procedure both to their management and to the second line of defense without compromising their responsibility to report suspicious transactions.

The second line of defense (e.g., compliance employees) provides policy advice, guidance, assurance, oversight, and challenge to the first line of defense. While employees in Financial Crime Operations Units (possibly in the first line of defense) can investigate suspicious transactions and document the resultant investigation, the ultimate filing of the STR or SAR must be made by the Compliance Officer or the MLRO (in the second line of defense). To this end, the second line of defense is charged with overseeing the investigations programme comprised of both automated and manual monitoring processes. The second line of defense is also charged with monitoring risks facing the LFI, such as noncompliance with UAE laws and regulations, and reporting directly to senior management on the LFI’s risk exposure, including through financial crime-related metrics. Specifically, the second line of defense and first line of defense (as applicable) should generate financial crime-related metrics (e.g., STRs or SARs filed, alert backlogs) to provide senior management with an adequate overview of the LFI’s compliance program, including the timeliness and quality of the LFI’s handling and resolution of transaction monitoring alerts and the STR or SAR filing process. The second line of defense should retain records of all information relating to transaction monitoring and suspicious activity reporting for a period of no less than five (5) years as provided in Article 24 of the AML-CFT Decision.

The independent testing function is responsible for evaluating the design and operational effectiveness of an LFI’s compliance program controls, including technical compliance with AML/CFT policies and procedures. This function serves as a “third line of defense” to identify gaps, deficiencies, and weaknesses in operational controls owned or overseen by an LFI’s business, operations, and compliance functions. Independent testing should be conducted by an internal audit department, outside auditors, consultants, and/or other qualified, independent third parties. At a minimum, employees responsible for conducting independent testing should not be involved in the function being tested or in other AML/CFT functions that could compromise their independence. Risk-based auditing assists an LFI’s Board of Directors and senior management in identifying areas of weakness, prioritizing those areas for remediation, and ensuring the provision of adequate resources, oversight, and training for affected employees.

The purpose of transaction monitoring is the ongoing, retrospective monitoring of customers’ and prospective customers’ transactions or activity to identify activity anomalous from normal behavior. This may, on further investigation, generate knowledge or reasonable suspicion of financial crime and thereby require reporting to the appropriate law enforcement and/or regulatory authority as an STR, SAR, or equivalent local report in line with AML/CFT regulatory and/or UAE FIU reporting requirements. LFIs may choose to use a combination of automated transaction monitoring scenarios and exception-based (manual) transaction reports to monitor for potentially suspicious activity. The aim of the alert review process is to identify and respond to potential indicators of money laundering, associated predicate offenses, financing of terrorism and illegal organisations , financing of proliferation, and any potentially unusual activity that does not align to a customer’s or account's profile including by deploying a risk-based approach. An LFI’s transaction monitoring systems and manual processes should be reviewed, assessed, and revised periodically—at least annually—and otherwise as appropriate, justified by the required circumstances. Additionally, this review should include both an evaluation of transaction monitoring system thresholds and a fine tuning of the LFI’s transaction monitoring system as well as an evaluation of its effectiveness. The individuals responsible for the review should have a proper understanding of the LFI’s framework-including the LFI's business and customer base—to generate a meaningful output.

In order for an LFI’s transaction monitoring and suspicious activity reporting program to be effective, it must be based on the foundation of a sound governance structure. Namely, an LFI’s internal organization is important to appropriately identifying unusual or potentially suspicious activity. Internal organization comprises an LFI’s policies, procedures, and processes designed to oversee and manage risks and to achieve compliance with UAE AML/CFT laws and regulations. In particular, an LFI’s internal organization addresses the core organizational elements of an LFI’s compliance program: governance and management oversight; policies and procedures; clear lines of responsibility and reporting; and ongoing training to account for changes in the UAE’s legislative and regulatory frameworks.

The five key components to an effective transaction monitoring and reporting system are: (i) identification of unusual or suspicious activity; (ii) managing alerts with an alert risk scoring model; (iii) STR or SAR decision making; (iv) STR or SAR completion and filing; and (v) monitoring and STR or SAR filing on continuing activity. To effectively identify unusual or potentially suspicious activity, LFIs should first maintain a transaction monitoring program based on an underlying AML/CFT risk-based assessment. The transaction monitoring program should take into account the AML/CFT risks of the LFI’s customers, prospective customers, counterparties, businesses, products, services, delivery channels, and geographic markets in addition to helping prioritize high-risk alerts. However, the sophistication of monitoring systems can differ based on an LFI’s AML/CFT risks. Monitoring systems typically include employee identification or referrals, transaction-based (manual) systems, surveillance (automated) systems, or a combination of these. Overall, LFIs must adopt monitoring processes and procedures to monitor customer activity that are commensurate with the size and nature of the line of business and the money laundering and the financing of terrorism and illegal organisations’ risks posed by their relevant customer base. The monitoring system and/or manual processes must reasonably demonstrate that transactions that carry the highest risk of money laundering and financing of terrorism and illegal organisations are subject to enhanced scrutiny.

As part of a risk-based approach to AML/CFT, in the case of customers or Business Relationships identified as high-risk, LFIs are expected to investigate and obtain more information about the purpose of transactions, and to enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities. In the case of customers or Business Relationships that are identified as low-risk, LFIs may consider monitoring and reviewing transactions at a reduced frequency.

Examples of some of the methods that may be employed for the ongoing monitoring of transactions include, but are not limited to:

The information generated from an STR, SAR, and other report type is important for identifying and combatting financial crime. First, the quality of STRs, SARs, and other report types is imperative for increasing the FIU’s analytical function to identify vulnerabilities and threats to the UAE financial system and develop an overall understanding of money laundering and the financing of terrorism and illegal organisations’ risks based on emerging trends and patterns. Relatedly, STRs, SARs, and other report types also assist law enforcement in detecting criminal actors and preventing the flow of illicit funds through the UAE financial system. Law enforcement uses the intelligence generated from STRs, SARs, and other report types to initiate and supplement money laundering or terrorist financing investigations and other criminal cases. As a result, it is critical that the information provided in all reports of suspicious activity be as accurate, timely, and complete as possible.

The Compliance Officer or MLRO and other concerned employees responsible for using the goAML system must be aware of the different report types. As such, the LFI should select the correct report type when filing a report through the goAML system. The STR and SAR are the primary (or first instance) reports which must be used to report a new suspicion, whereas Additional Information File without Transactions (“AIF”) and Additional Information File with Transactions (“AIFT”) report types are supplementary reports which can be used to escalate additional information or transactions that correspond to a previously filed STR or SAR. When filing an AIF or AIFT, the LFI should input the Reference Number that corresponds to the STR or SAR.

When all applicable information is collected, analyzed, and documented and the LFI decides that an STR or SAR is required, the information should be described in the narrative within an investigative narrative report template in a concise and chronological format. The LFI should divide the narrative into three sections: an introduction, a body, and a conclusion. The investigative narrative report template is considered as an addition to the goAML report (due to the potential text limitation within the “goAML description of the report” field).

² https://www.namlcftc.gov.ae/en/high-risk-countries.php
³ Idem note

In general, a narrative should identify the five core components - who? what? when? where? and why? -of the suspicious activity being reported to the FIU. The method of operation/modus operandi (or how?) is also important and should be included in the report narrative. An LFI should ensure that the following five questions are answered prior to submitting an STR, SAR, or other report in the FIU’s goAML system.

Who is conducting the suspicious activity or transaction?

Even though information may not always be available, information should be included to the extent possible. For instance, addresses for suspects are important; filing LFIs should note not only the suspect’s primary street addresses, but also, other known addresses. Any identification numbers associated with the suspect(s) such as passport and driver’s license numbers are also important to document.

What instruments or mechanisms are being used to facilitate the suspicious activity or transaction(s)?

When did the suspicious activity or transaction take place?

Where did the suspicious activity or transaction take place?

Why does the LFI think the activity or transaction is suspicious?

These answers will vary based on the LFI type (for example, a depository institution versus an insurance company) and an LFI should also consider such factors as:

How did the suspicious activity or transaction occur?

LFIs are required to submit suspicious transaction and activity reports directly to the FIU using the “goAML” portal, and registration in the system is mandatory for all entities under CBUAE’s supervision. According to the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions, the FIU has launched the goAML system for the purposes of facilitating the filing of STRs, SARs, and other report types by all LFIs. LFIs should register themselves on the goAML system by following the “GoAML Registration Guide” and maintaining their registration in an “active” status. An entity’s Compliance Officer or MLRO can register as the user of the system. GoAML provides a secure link from each LFI to the FIU through their respective supervisory authorities. The system also has an .xml schema for filing batches of STRs. All newly licensed LFIs should register themselves immediately after obtaining their financial services license. Failure to register within the goAML system may result in a breach of the LFI’s AML/CFT obligations and will be dealt with in accordance with the prevailing legal provisions related to non-compliance.

According to the “goAML XML Submission Guide,” the goAML system reflects multiple mandatory fields, business rules, and various binding scenarios. Combined, the system only accepts reports that pass through the minimum requirements set by the FIU. Mandatory fields for submitting a report in the goAML system are noted below:

Upon completion of all the mandatory fields (noted above) and submission of the report in the goAML system, the report will be provided to the FIU. It is mandatory for the LFI’s filer to attach supplemental documents to accompany the submission—including but not limited to—Know Your Customer (“KYC”) documentation, copies of identification documentation, account opening forms, transaction receipts, financial statements, and other documents relevant to the investigation. In the instance that the LFI conducted due diligence or internal investigations, the corresponding documents must also be attached. This will assist the FIU in reviewing the report with all the appropriate documentation to support its review and analysis.

⁶ The UAE FIU has noted that there have been instances of reports being received whereby upon review, the LFI’s MLRO and related team members’ contact details were not updated in the goAML system, which included email addresses and phone numbers. Keeping contact information updated helps with the two-way communication between LFIs and the FIU while helping to shorten the turnaround time of report analysis. It also enhances the ability of the FIU to analyze and subsequently process reports in a timely manner. The contact information should be kept updated at all times.
⁷ The UAE FIU has noted that in some cases LFIs file reports while choosing RFRs that, upon closer examination, are not linked to the actual suspicions of the report. As an example, reports have been received with RFRs related to the financing of terrorism and illegal organisations with no evidence of any activity connected to the financing of terrorism and illegal organisations. Selecting incorrect RFRs hinders the FIU’s analysis, and the LFI should expect multiple requests by the FIU for further clarification in these cases. LFIs should be prudent and diligent when choosing RFRs and submitting reports to the UAE FIU. RFRs should be chosen correctly and in relation to the actual suspicions of the STR or SAR being submitted.

Once a report is submitted and accepted in the system, neither the Compliance Officer, MLRO, nor FIU employees can apply any changes and amendments to the report for missing or incorrect information. However, LFIs may be requested to file a corresponding AIF, AIFT, RFI, or RFIT, and mention in the “Description of the Report” field the reason of filing. LFIs should ensure that the filer uses the correct web reference number of the initial report. In order to avoid such incident(s) and in order to safeguard the system data integrity, LFIs should adopt a maker and checker process/concept to verify the quality and accuracy of uploaded information.

An efficient alert management and dispositioning process is essential to safeguarding the financial integrity of LFIs, assisting law enforcement in the identification and investigation of criminal activity, and satisfying regulatory expectations concerning timely suspicious activity reporting. The alert management and dispositioning process should be adequately staffed and free of bottlenecks and should include a process for the expedited filing of urgent reports in appropriate cases. For purposes of this guidance, “alerts” shall be understood to include automated transaction monitoring alerts, employee referrals, and law enforcement requests. The LFI should apply a risk-based approach to the alert review process by prioritizing alerts based on their risk category. For instance, alerts generated on suspicious transactions of higher-risk customers should be risk-scored higher and prioritized for review.

Alert Review: An LFI’s employees should review an alert and determine whether further investigation is warranted. The underlying basis for the determination should be documented in accordance with an LFI’s investigations procedures. An LFI may choose to have alert review decisions subject to Quality Control (“QC”) review, prior to final dispositioning.

Where the facts available at the alert review stage are or may be sufficient to warrant an STR or SAR filing without further investigation, or where the transaction may otherwise require immediate attention (per criteria set forth below in 4.4 Activity Requiring Immediate Attention), employees should immediately escalate the alerted activity to the designated STR or SAR decision authority for expedited review.

Case Investigation: For any alerted activity determined to require further investigation, employees should conduct and complete (at least preliminarily) an investigation of the alerted activity, document the results of any research or analysis performed, and make a recommendation as to whether an STR or SAR should be filed.

Where a case investigator becomes aware of activity that requires immediate attention (per criteria set forth below in 4.4 Activity Requiring Immediate Attention), employees should immediately escalate the activity to the designated STR or SAR decision authority for expedited review.

If, in the case investigator’s judgment, the facts available at the filing recommendation deadline meet one or more of the UAE regulatory definitions of suspicious activity, the case investigator should submit a recommendation to file an STR or SAR, even if certain aspects of the activity remain unexplained. Unanswered requests for information (RFIs) made in the course of a case investigation should not delay the timely submission of recommendations with respect to an STR or SAR filing. LFIs should define the reasonable RFI timeframe to allow the customer to respond to quires raised during a case investigation as part of the RFI process. 

In the event of escalation for expedited review, the Compliance Officer or MLRO should review the activity and make a determination as to whether it is suspicious within 24 hours of the date of escalation. Where appropriate, the Compliance Officer or MLRO also should escalate the activity for potential exit and account closure.

In the absence of escalation for expedited review, LFIs are expected to file an STR/SAR within a maximum of 35 business days from the date of automated alert generation. The establishment of adequate grounds of suspicion may involve the investigation procedures as per the LFIs' AML and/or Financial Crime Compliance policies and procedures. LFIs are expected to complete the required investigative procedures as expeditiously as possible. LFIs must maintain adequately detailed records of investigative procedures performed against alerts and when filing an STR/SAR, must include a summary justifying the time taken to establish grounds of suspicion.

In the event of escalation for expedited review, the Compliance Officer or MLRO should file an STR or SAR to the FIU within 24 hours of the determination. All prospective STRs or SARs should be reviewed for accuracy and completeness prior to filing, in accordance with applicable procedures.

LFIs are ultimately responsible under UAE’s AML-CFT Law to report suspicious activity without delay and should seek to file STRs and SARs ahead of the prescribed timeline.

Upon filing an STR/SAR pertaining to an account holder, LFIs are expected to implement enhanced monitoring on such account holders. In the case of continued suspicious activity detected against said account holder, LFIs are expected to expeditiously file an STR/SAR with the FIU.

Situations requiring immediate attention include reportable violations that are ongoing (e.g., part of an ongoing money laundering scheme as indicated by an appropriate law enforcement authority) and transactions that the LFI suspects are related to the financing of terrorism and illegal organisations.

There may be instances when the LFI encounters potentially unusual or suspicious activity that is of a “complex” nature. The following is a non-exhaustive list of factors that should be considered to determine whether investigated activity qualifies as a complex investigation: employee-related investigations; significant investigations involving multiple customers, multiple jurisdictions, multiple accounts, multiple transactions, and/or multiple subpoena requests; and legal referred investigations.

If the LFI designates an investigation as “complex”, the LFI should submit an initial STR or SAR to the FIU within 15 business days of the alert generation. The initial STR/SAR should be labelled as a “Complex investigation” to the FIU. Following the initial STR or SAR filing, the LFI has an additional 30 business days to obtain all necessary information related to the complex investigation and submit a follow-up STR or SAR to the FIU.

The following table summarizes the recommended suspicious activity review, investigation, and reporting timelines in the absence of escalation for expedited review. Please note – the following table captures the maximum timeline by which LFIs should identify and report suspicious activity and transactions. LFIs are ultimately responsible under UAE’s AML-CFT Law to report suspicious activity without delay and should seek to file STRs and SARs ahead of the below timelines.

In certain cases, an alert or case may need to be dispositioned and an STR or SAR filed more rapidly than usual processes allow. In such cases, the alert will be dispositioned and the STR or SAR filed according to the expedited review timeline as laid out below.

Circumstances where expedited review is expected include:

The following table summarizes the recommended suspicious activity review, investigation, and reporting timelines in the event of escalation for expedited review.

As a standard practice and as specified in Article 9.1 of the AML-CFT Law, the FIU can reach out to LFIs to provide additional requested information pertaining to an STR or SAR. Therefore, when responding to the FIU’s inquiries, details should be provided in a way that is precise and outlined as per the request. LFIs should maintain clarity on the presented information and provide it in the required format (e.g., tabular format, pdf, etc.). Moreover, LFIs should avoid adding unnecessary codes and abbreviations or any raw information extracted directly from the core databases, which are unknown to the FIU. It is important to understand that the details pertaining to the source and destination of funds are essential for investigating the reported activity. Therefore, names; account numbers; country of origin and destination; currencies; dates; source and purpose of transactions; and other related information should be detailed in LFI’s response. Once the report is filed, LFI should send the report web reference number and inform the FIU via the goAML Message Board.

Following an STR or SAR filing, the FIU may or may not revert to the LFI with specific instructions, requests for additional information, feedback or further guidance related to the STR or SAR, or to the business relationship in general. In such cases, these communications will generally be directed to the Compliance Officer or MLRO of the LFI. However, LFIs may not receive instructions, additional information requests, or other feedback from the FIU regarding STRs or SARs that have been filed; or the receipt of such communications may be delayed beyond what they consider to be a reasonable time period. In such instances, LFIs must follow their internal policies in relation to such customers and should determine the appropriate handling of the STR or SAR and of the business relationship in general, taking into consideration all of the risk factors involved.

Specifically, once a suspicious transaction or other suspicious information related to a customer or business relationship has been reported to the FIU, the LFI should take the following immediate responses:

Unless specifically instructed by the FIU to do so, LFIs are under no obligation to carry out transactions they suspect, or have reasonable grounds to suspect, of being related to a crime. Furthermore, unless specifically instructed by the FIU to maintain the business relationship (for example, so that the competent authorities may monitor the customer’s activity), it should be the LFI’s responsibility to take appropriate steps in order to decide whether or not to maintain the business relationship based on their risk appetite. However, LFIs should consider the risk of tipping off a customer when taking these restrictive measures on the account. These steps may include, but are not limited to:

LFIs that determine to maintain the business relationship should, commensurate with the nature and size of their businesses:

In such cases, beyond EDD measures, LFIs should also implement additional control measures such as, but not limited to:

LFIs should also document the specific EDD, ongoing monitoring, and additional control measures to be taken. In this regard, LFIs should obtain senior management approval for the plan, including its specific conditions, duration and any requirements for its removal, as well as the roles and responsibilities for its implementation, monitoring and reporting, commensurate with the nature and degree of the money laundering and the financing of terrorism and illegal organisations risks associated with the business relationship.

Thus, retaining a customer relationship, exiting the relationship, restricting an account, or any other actions taken by an LFI following the filing of an STR, SAR, or other report is a decision based on the LFI’s internal policies and procedures, including its risk appetite, to safeguard the LFI from relevant risks. This is unless the entity receives instructions from the FIU or any other competent authority that should be immediately implemented without delay. In cases where the LFI decides to reject a new customer or to exit an existing relationship due to an STR or SAR filing (or other report), the LFI should ensure that the subject of the filing is added to internal watch lists, (e.g., a list of individuals and entities that have been exited for financial crime-related reasons and that should be screened by the LFI to avoid future on-boarding).

While individual STRs, SARs, or other reports that pose particular risk may require escalation and review for potential exit, repeated filings on a single account or group of related accounts should trigger consideration of customer exit. Repeat filings should also prompt a review of risks associated with accounts of a similar type and of whether internal controls are effectively mitigating risk. An LFI should determine a threshold for which an account that has been subject to a certain amount of STR or SAR filings (or other report) will be escalated to senior management for consideration of account closure, possible restrictions on the account, and/or enhanced monitoring.

LFIs should also maintain a customer exit policy that outlines the process for reviewing the overall customer relationship and deciding on next steps, including ending the relationship and notifying law enforcement and/or other group affiliates, as appropriate. Customer exit policies should include criteria for when these actions are appropriate and outline how the LFI should monitor the activity of a customer it decides to retain. The LFI should contact law enforcement before closing an account if the entity has knowledge of an ongoing law enforcement investigation involving that account or customer, or the LFI has filed an STR(s), SAR(s), or other report types on the customer or account due to continuing suspicious activity. LFIs should be aware that law enforcement may have an interest in ensuring that certain accounts remain open notwithstanding suspicious or potential criminal activity in connection with those accounts. If a law enforcement agency requests that an LFI keep a particular account open, the LFI should ask for a written request. The written request should indicate that the agency has requested that the LFI maintain the account along with the purpose and duration of the request. Ultimately, the decision to maintain or close an account should be made by an LFI in accordance with its own standards and guidelines.

LFIs should have mechanisms to inform the Board of Directors (or a committee of the Board) and senior management of compliance initiatives, compliance deficiencies, STRs, SARs, or other regulatory reports filed, and corrective actions taken. LFIs should also develop and maintain a system of reporting that provides accurate and timely information on the status of the AML/CFT program, including statistics on key elements of the program, such as the number of transactions monitored, alerts generated, cases created, and STRs, SARs, or other report types filed.

Employees should report the number and types of STRs, SARs, or other regulatory reports filed to the Board of Directors or a Board-designated committee. While employees are not required to provide actual copies of STRs, SARs, or other regulatory reports to the Board (or a committee of the Board), such notifications should contain sufficient information to enable the Board or its committee to provide appropriate oversight over the LFI’s AML/CFT program. Where an individual filing documents activity that poses a particular risk, management may provide a copy of the report to the Board or Board-designated committee. Where appropriate, the suspicious activity or transaction underlying the filing of an STR, SAR, or other regulatory reports should be communicated to those individuals responsible for managing the risk associated with the customer and/or activity that is the subject of the STR, SAR, or other regulatory reports in order to permit such employees to respond appropriately to the AML/CFT risks identified. Although all such communications are subject to the confidentiality restrictions, it should be noted that the confidentiality requirement does not pertain to communication within the LFIs or its affiliated group members (foreign branches, subsidiaries, or parent company) for the purpose of sharing information relevant to the identification, prevention, or reporting of suspicious transactions and/or crimes related to money laundering and the financing of terrorism and illegal organisations, according to Article 39.1 of the AML-CFT Decision (also referenced in Section 5. Confidentiality and Prohibition against “Tipping Off”).

According to Article 24 of the AML-CFT Decision, LFIs are required to retain all records and documents pertaining to STRs and the results of all analysis or investigations performed for at least five (5) years from the date of completion of the transaction or termination of the business relationship. Such records relate to both internal STRs and those filed with the FIU, and should include but are not limited to: