4.2. The Risk-Based Approach, Customer Risk Rating, and the Institutional Risk Assessment

Effective from 7/6/2021

LFIs should take a risk-based approach to the preventive measures they put in place for all customers, including legal persons and arrangements. A risk-based approach means that LFIs should dedicate compliance resources and effort to customers, business lines, branches, and products and services in keeping with the risk presented by those customers, business lines, branches, and products and services, as assessed in accordance with Article 4 of AML-CFT Decision.

The risk-based approach has three principal components:

1. Conducting an enterprise risk assessment, as required by Article 4.1 of AML-CFT Decision.

The enterprise risk assessment should reflect the presence of legal persons and arrangements in an LFI’s customer base. The risk assessment should consider the most common forms of legal persons and arrangements in the LFI’s customer base and should assess the risks of each form. This assessment should carefully consider and incorporate the ML/TF risks legal persons and arrangements pose to LFIs discussed above (section 2.1), although LFIs may have legal person and arrangement customers from outside the UAE whose risks will also need to be assessed. These assessments should in turn be reflected in the LFI’s inherent risk rating.

In addition, the LFI’s risk assessment should take into consideration the strength of the controls that the LFI has in place to mitigate the risks posed by its legal person and arrangement customers, including the preventive measures discussed below.

2. Identifying and assessing the risks associated with specific customers.

The LFI should assess the risk of each customer to identify those that require enhanced due diligence (EDD). Customer risk assessment for legal persons and arrangements should incorporate at least all elements of the customer risk assessment for individuals, but should apply them both to the legal person or arrangement customer itself and to the individuals prominently associated with it. For example, the assessment of the legal person or arrangement's jurisdictional risk should take into consideration not just the customer's jurisdiction of establishment, but also the residence and nationality of its beneficial owners, senior managers, and directors.

Other risk assessment considerations that are unique to legal person and arrangement customers include:

• The legal form of the customer, and the controls in place to ensure transparency;
• The status of the beneficial owners and senior management. For example, if a beneficial owner or senior manager of a customer is a PEP, as defined in Article 15 of AML-CFT Decision, the customer may also need to be treated as a PEP, depending on the extent of the PEP's ownership and control and his or her relationship to the other beneficial owners or managers.

3. Applying EDD and other preventive measures to customers the LFI determines to be higher-risk, as required by Article 4.2(b) of AML-CFT Decision, or to specific customer types, no matter their risk rating, as required by AML-CFT Decision.

Many EDD measures for legal persons and arrangements are the same as those applied to individual customers. EDD measures that are specific to legal person and arrangement customers are discussed in section 4.3 below.

Under AML-CFT Decision, the legal person customer types for which enhanced or special due diligence is required are:

• Legal persons based in high-risk countries (Article 22);
• Financial institutions with which the LFI proposes to enter into a correspondent relationship (Article 25);
• Legal person customers that are fully owned or controlled by PEPs, their direct family members, or their close associates (Article 15). If a PEP, a direct family member, or an associate is a partial owner of a customer, LFIs may take a risk-based approach to applying EDD to the customer;
• Non-Profit Organisations (Article 33).