How to File CNMR and PNMR on the goAML Portal Under TFS Guidance, 2025

This blog elaborates on the July 2025 updates to the Targeted Financial Sanctions (TFS) Guidance. These updates introduce sharper procedures, especially around screening and reporting, and call attention to nuanced revisions, such as:
  • Fund Freeze Report (FFR) changed to Confirmed Name Match Report (CNMR)
  • Clarified screening during weekends and public holidays
  • Updated procedures related to Partial Name Match Reporting
  • Additional examples on PNMR Reporting
  • Grievance procedures were deleted and published separately on the EOCN website.

The blog also includes a detailed explanation of what TFS obligations are, an in-depth understanding of CNMR and PNMR filing obligations and step-wise processes under TFS Guidelines 2025, and the best practices that Reporting Entities can incorporate into their AML framework to ensure Sanctions Compliance.

Apart from procedural updates, this blog also provides a step-by-step walkthrough for CNMR and PNMR filing using the goAML portal, helping AML compliance professionals and Regulated Entities to understand their core TFS compliance obligations.

Guidance on Targeted Financial Sanctions, July 2025: What Reporting Entities Must Know

In order to decode the provisions of the TFS Guidelines July 2025, reporting entities must develop a sound understanding of the basic concepts, such as:

What are Targeted Financial Sanctions (TFS) in the UAE?

“Targeted Financial Sanctions” refers to an obligation to freeze the funds or other assets of designated individuals or entities, and to restrict access to such funds, assets, or related services, either directly or indirectly.

The primary purpose of TFS is to prevent designated persons and entities from accessing financial resources, thereby disrupting the use of such resources for illicit purposes or transactions that may benefit individuals or organisations involved in terrorism, proliferation financing, or other criminal activities.

TFS Compliance Obligations

Article 21 of Cabinet Decision No. 74 of 2020 has set the main TFS compliance obligations on Reporting Entities, including DNFBPs, FIs, and VASPs:

Register

Reporting Entities must register for the EOCN Notification Alert System (NAS) to receive automated email notifications on any update to the Sanctions List. In terms of practical implementation, Regulated Entities using Sanctions Screening Software can ensure that the screening software is paired up with a sanctions screening API that gives real-time data and updates as to additions and deletions of names in:
  • The UAE Local Terrorist List that contains the names of all the sanctioned individuals, entities, or groups designated by the UAE Cabinet.
  • The UNSC Consolidated List that contains the names of all the sanctioned individuals, entities, or groups designated by the United Nations Sanctions Committees or directly by the UNSC.

Screen

The “when” and “whom” of sanctions screening is covered under paragraphs 30 and 31 of the latest guidance, which provide that Reporting Entities must undertake regular and ongoing screening on the latest Sanction Lists. Sanctions Screening must be undertaken mandatorily in the following circumstances:

  • Updates, i.e., additions, deletions, and revisions of names to Sanction lists
  • Prior to onboarding a new customer, i.e., a potential customer
  • Persons or entities party to any transactions or related to parties of any transaction, including names of persons with direct or indirect relationships with designated individuals, entities, or groups
  • Upon periodic KYC reviews, or when any material change in the nature or ownership of the customer is identified
  • Daily screening of the existing customer database
  • Daily screening of the offboarded customers or previous customers with whom the Regulated Entity had prior business relationships and transactions
    • Reporting Entities need to be mindful that they are required to SCREEN all their previous or offboarded customers on an ongoing basis for a period of five (5) years after termination or cessation of the business relationship, even if there is no active business relationship or no assets are held with the Regulated Entity at present.
  • Before processing any transactions with a counterparty.

The “what” of the sanctions screening requirement is covered under paragraphs 32 and 33, which state the “key identifiers” and “other identifiers” required to be obtained by regulated entities from their customers to screen their names against those contained in the latest sanctions lists. These key identifiers and other identifiers are:

Once the key identifier details are available with the regulated entity, the Screening Analyst can proceed with conducting sanctions screening either manually or through screening software. The latest guidance on TFS requires regulated entities to have in place an adequate screening mechanism to help ensure TFS compliance.
The sanctions screening process generates screening outcomes, which fall into one of four categories:
  • Confirmed Name Match: The name of the customer matches with the sanctions screening outcome.
  • Partial Name Match: The name of the customer partially matches with the sanctions screening outcome.
  • False Positive: The name of the customer does not match with the screening outcome.
  • Negative Match: The name of the customer does not generate a screening outcome.
The occurrence of any of these four outcomes requires the personnel of the regulated entity to take appropriate steps, which are more elaborately discussed in the table below:
Sanctions Screening Outcomes and Resultant Reporting Requirements

Perfect Match or Confirmed Name Match
  • TFS Measures:
    • Freezing of funds or other assets without any delay (within 24 hours)
    • Prohibition from making funds or other assets or services available
    • If the confirmed name match is of a potential customer, the transaction must be immediately rejected
    (TFS measures discussed more elaborately in step 3)
  • TFS Reporting Requirement: Confirmed Name Match Report (CNMR) to be filed within 5 days along with obligatory information
  • Record-Keeping Obligation: Paragraph 46 of the TFS Guidance updated in July 2025 prescribes maintaining records for at least five (5) years, irrespective of the screening outcome.

Partial Match
  • TFS Measures:
    • Immediate suspension of the transaction without any delay
    • Avoid offering funds or any other services
    • Scenario-wise requirements apply
  • TFS Reporting Requirement: Partial Name Match Report (PNMR) to be filed within 5 days along with obligatory information
  • Record-Keeping Obligation: Records to be maintained for at least five (5) years

False Positives or False Match
  • TFS Measures: Not applicable
  • TFS Reporting Requirement: No reporting required
  • Record-Keeping Obligation: Records to be maintained for at least five (5) years

No Match or Negative Match
  • TFS Measures: Not applicable
  • TFS Reporting Requirement: No reporting required
  • Record-Keeping Obligation: Records to be maintained for at least five (5) years
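As an added illustration (not part of the original blog, and not the logic of goAML, EOCN or any screening vendor), the Python sketch below shows how a screening engine can sort a name hit into the four outcomes above and attach the 24-hour, 5-day and 5-year obligations from the table. The fuzzy-match threshold, the identifier fields, the "has ID document" flag and the sample list entries and customers are all constructed assumptions; a real deployment would take the lists from EOCN NAS and tune its thresholds as the Guidance describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import Optional

# Constructed for this example: the 24-hour, 5-day and 5-year figures follow the
# blog's table; the fuzzy-match threshold is a hypothetical tuning value that a
# screening tool would expose to the compliance team.
NAME_THRESHOLD = 0.85
MEASURE_WINDOW = timedelta(hours=24)
REPORT_WINDOW = timedelta(days=5)
RETENTION_YEARS = 5


@dataclass
class Party:
    """Key identifiers of a customer or of a sanctions-list entry (assumed field set)."""
    name: str
    dob: Optional[str] = None           # ISO date if known
    nationality: Optional[str] = None   # country code if known
    id_number: Optional[str] = None     # passport / Emirates ID number if known
    has_id_document: bool = False       # the RE holds a copy of the ID document


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and sort tokens so word order and hyphens do not matter."""
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(sorted(cleaned.split()))


def name_score(a: str, b: str) -> float:
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def compare_identifiers(customer: Party, listed: Party):
    """Count agreeing, conflicting and missing values over the identifiers the list entry provides."""
    matching = conflicting = unavailable = 0
    for field in ("dob", "nationality", "id_number"):
        listed_value = getattr(listed, field)
        if listed_value is None:
            continue                      # the list entry gives nothing to compare against
        customer_value = getattr(customer, field)
        if customer_value is None:
            unavailable += 1              # cannot confirm or rule out on this identifier
        elif customer_value == listed_value:
            matching += 1
        else:
            conflicting += 1
    return matching, conflicting, unavailable


def classify(customer: Party, sanctions_list):
    """Return (outcome, matched_entry) using the four outcomes described in the blog."""
    scored = [(name_score(customer.name, e.name), e) for e in sanctions_list]
    if not scored:
        return "negative", None
    score, best = max(scored, key=lambda s: s[0])
    if score < NAME_THRESHOLD:
        return "negative", None          # no screening hit generated
    matching, conflicting, unavailable = compare_identifiers(customer, best)
    if conflicting:
        return "false_positive", best    # a key identifier rules the hit out
    if customer.has_id_document and matching and not unavailable:
        return "confirmed", best         # name and every listed identifier agree, backed by ID documents
    return "partial", best               # a name hit that cannot yet be confirmed or ruled out


def _add_years(when: datetime, years: int) -> datetime:
    try:
        return when.replace(year=when.year + years)
    except ValueError:                    # 29 February with a non-leap target year
        return when.replace(year=when.year + years, day=28)


def tfs_obligations(outcome: str, detected_at: datetime, measure_applied_at: Optional[datetime] = None):
    """Map an outcome to the measure, the goAML report and the deadlines from the table."""
    measure, report = {"confirmed": ("freeze", "CNMR"), "partial": ("suspend", "PNMR")}.get(outcome, (None, None))
    result = {
        "measure": measure,
        "report": report,
        "measure_by": detected_at + MEASURE_WINDOW if measure else None,
        "report_by": None,
        "retain_until": _add_years(detected_at, RETENTION_YEARS),   # records kept whatever the outcome
    }
    if report:
        # The 5 days run from the day the measure is applied; until then the latest
        # permissible date is 24 hours after detection plus 5 days.
        anchor = measure_applied_at or result["measure_by"]
        result["report_by"] = anchor + REPORT_WINDOW
    return result


# Constructed sample data: a two-entry "sanctions list" with placeholder names.
SAMPLE_LIST = [
    Party("Ahmad Al Example", dob="1980-01-01", nationality="XX"),
    Party("Example Trading FZE"),
]

if __name__ == "__main__":
    for customer in (Party("Ahmad Al Example", dob="1980-01-01", nationality="XX", has_id_document=True),
                     Party("Ahmed Al-Example"), Party("Zara Unrelated")):
        outcome, _ = classify(customer, SAMPLE_LIST)
        print(customer.name, "->", outcome, tfs_obligations(outcome, datetime(2025, 7, 1, 9, 0)))
```

Note that "partial" is the residual category: a hit stays partial until the RE either obtains the identifiers that confirm it or finds one that rules it out, which is exactly why the blog ties PNMR handling to collecting ID documents. Lowering NAME_THRESHOLD increases partial hits and the disambiguation workload; raising it risks missing true matches.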

Reporting Entities must either freeze all funds and assets without delay, prohibit the provision of services/funds or reject the transaction. The core elements of TFS Measures prescribed by the Guidance on TFS include:
  • Asset Freezing without delay
  • Prohibition from making funds or other assets or services available
    • Financial Assets
    • Economic Resources
    • Any other assets.
The distinction between “Freezing Measures” in the case of a Confirmed Match and “Suspension Measures” in the case of a Partial Match is discussed in depth in further paragraphs of this AML UAE blog.

Report

The reporting mechanism for any TFS measures taken by the Reporting Entity is as follows: after identifying a Confirmed or Partial Name Match, report to the relevant Supervisory Authority and submit one of the following two reports via goAML:
  • Confirmed Name Match Report (CNMR)
  • Partial Name Match Report (PNMR)

The TFS Guidance also requires Reporting Entities to include and enclose mandatory and obligatory information along with the CNMR and PNMR filed.

In the context of CNMR, the RE is required to enclose the ID documents of the person or legal entity whose name is found in the sanctions lists and confirmed as a match during screening. Without the ID documents, the RE cannot conclusively confirm that the screening match is a perfect match requiring regulatory reporting. Examples of obligatory information for CNMR are:

  • The amount of funds or other assets frozen with documentary evidence, such as bank statements, transaction receipts, investment portfolios, title deeds, account summaries, etc
  • Detailed description of rejected transactions or services.
In the context of PNMR, the RE is required to enclose documents such as ID documents (if and when available) and the full name of the person or entity whose name is found to have partially matched during screening. The examples of obligatory information that REs can attach to PNMR are:
  • Funds or other assets that are suspended
  • Detailed description of rejected transactions or services.

How to File a Confirmed Name Match Report (CNMR) While Implementing TFS Measures

The step-wise process for filing CNMR requires a well-developed internal workflow to be followed by employees of a Regulated Entity. Timely filing of CNMR is only possible when the process from match identification to submitting the report on the goAML portal flows seamlessly from one department to another. Regulated Entities need to appoint an AML Compliance Officer and register themselves on the goAML portal. Registration on the goAML portal enables REs to file reports to the UAE FIU (Financial Intelligence Unit) to fulfil regulatory reporting requirements. The step-wise process for filing CNMR includes:
The subscription to the EOCN Notification Alert System (NAS) is a prerequisite that REs must tick off their to-dos once they commence business operations concerning covered activities under UAE’s AML/CFT regime. The subscription to NAS is a one-time exercise, which enables REs to access updated Sanctions Lists in real-time.

Identification of Confirmed Name Match During Sanctions Screening

REs can opt to screen their customers manually across the Sanctions Lists obtained through NAS or rely on a Sanctions Screening Software or unified AML Software that relies on efficient Screening APIs. Using one of these or a combination of software tools ensures that Sanctions Lists relied on for screening customers are updated in real time as published by the regulator, or EOCN, in the context of TFS compliance. The process of screening customers generates screening results or screening outcomes, which need to be disambiguated by the Screening Analyst.

Regulated Entities must remain mindful that they screen across their customer databases, which include potential, existing, and former customers, with whom they had a previous business relationship during the past five (5) years

When a Screening Analyst, while disambiguating screening results, identifies a perfect match or a confirmed match, they need to assess the screening outcome to confirm its accuracy.

Assessment of Confirmed Name Match Outcome

Assessment of a Confirmed Name Match or Perfect Match outcome is quite straightforward. In the case of potential, existing, and former customers, the frontline team or the Screening Analyst is required to carefully examine and cross-verify the customer’s key identifiers and the screening outcome’s attributes to assess whether the initial identification and disambiguation of the screening is accurate or erroneous. Once the Screening Analyst or the frontline team is sure of the match outcome assessment, they need to escalate the customer profile and screening outcome findings to the AML Compliance Officer for carrying out further steps.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to review the customer profile forwarded by the frontline or screening team and confirm whether the customer (potential, existing, or former) is indeed a confirmed match, or whether the screening or frontline team has erred in identifying the match result. Once satisfied, the AML Compliance Officer proceeds with the imposition of TFS Measures and the CNMR filing formalities in a timely manner.

Impose Freezing Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the confirmed match screening outcome is correct and accurate, he needs to act fast and impose freezing measures without delay (within 24 hours of the confirmed match). The extent and manner of imposing TFS Measures shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

  • Rejection of transaction or service immediately

In case of an Existing Customer

  • Freeze all funds/assets
  • Prohibition from making funds, other assets, or services available to such customer

In case of a Former Customer

  • If the confirmed match is that of a former customer and the RE does not have any assets or funds available with them, they can still proceed with the CNMR filing process, stating that business relationship concluded and they are not in possession of any assets.

Preparation of Mandatory and Obligatory Information & Documents for CNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the CNMR is supposed to be filed. The ID documents (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with CNMR. The examples of obligatory information are:
  • Asset value proof (bank statements, portfolio summaries, title deeds)
  • Description of rejected service or transaction.

Logging in on the goAML Portal to File CNMR

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file CNMR.

Selecting Report Type as CNMR & Entering Information and Documents

The AML Compliance Officer needs to select CNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the CNMR in an XML format or fill in the details regarding a confirmed name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting CNMR

Once the details regarding the confirmed name match are entered on the goAML portal successfully, the AML Compliance Officer must save the CNMR details and submit the same. The AML Compliance Officer must be mindful of the requirement to complete the legal obligation filing of CNMR on the goAML portal within 5 days after applying freezing measures.

Maintaining Records of CNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including CNMRs, the identification, decision, freezing measures taken, and details of the CNMR filed on the goAML portal for the period of at least five (5) years.

How to File a Partial Name Match report (PNMR) While Implementing TFS Measures

The step-wise process of filing a PNMR broadly consists of the steps elaborated in further paragraphs. However, based on the maturity of the business relationship, i.e., whether the customer is a potential customer, an existing customer, or a former customer, the employees of the Reporting Entity, such as the frontline team, Screening Analysts, KYC Analysts, and AML Compliance Officer, must make sure that they collect necessary information about the customer to ensure accurate filing of PNMR. Timely filing of PNMR can be achieved through well-coordinated efforts by all personnel concerned.
Needless to say, the prerequisite of subscription to the EOCN Notification Alert System (NAS) is implied when it comes to having a well-defined and documented process to file PNMR in place. The Reporting Entity may screen its customers manually, through updated sanctions lists and notifications received after subscribing to EOCN NAS or can rely on a Sanction Screening Software or an AML Software with Sanctions Screening API.

Identification of Partial Name Match During Sanctions Screening

Regulated Entities must ensure that they screen across their customer databases, including potential, existing, and former customers, with whom they had a previous business relationship during the past five (5) years.

When a Screening Analyst, while disambiguating screening results, comes across outcomes where only some of the attributes of the customer profile match the listed entry, and they cannot conclusively determine whether the match is a confirmed match or a false positive, they are required to escalate the customer profile and screening outcome to the AML Compliance Officer for further assessment.

Assessing Partial Name Match Outcome

Assessment of Partial Name Match Outcome after screening needs to be done to rule out the possibility of the initial match disambiguation being inaccurate, false positive, or a confirmed name match instead. However, the issue with Partial Name Match outcomes is that the Screening Analyst or frontline team cannot conclusively decide whether it’s a false or a complete match due to factors such as:
  • Lack of adequate information and non-availability of the customer’s ID documents in case of potential customers
  • Lack of information in Screening Outcomes, i.e., screening results exist but don’t provide adequate information so as to conclude successful disambiguation
  • A high number of screening outcomes generated by the screening software because of low match-percentage thresholds, leading to a high disambiguation volume without enough substantive information to resolve each alert.

To simplify the accuracy assessment of a Partial Name Match Outcome, Reporting Entities must consider the following factors:

For Potential Customers: Where ID documents are not available, leaving gaps in the key identifier details, the RE must attempt to obtain them so that the match is disambiguated on a complete set of information and the result is accurate.

  • If ID is received within 10 days, the RE must conduct Screening with details contained in the ID obtained. Based on the screening outcome, if the RE finds that the match is indeed a Partial Match, they must continue/implement Suspension/Freezing Measures and proceed with the PNMR/CNMR filing process. If, after fresh screening, the RE finds that the screening outcome is a false positive or no match, they must proceed with establishing a business relationship.
  • If ID is not received within 10 days, the RE must Reject/Cancel Transaction and proceed with PNMR filing process
  • If ID is received after 10 days, the RE must conduct Screening based on the recently acquired ID and implement Suspension Measures accordingly, if a Partial Match is found, or proceed with CNMR if a Complete Match is found, or establish a business relationship if false or no match found.

Existing and Former Customers: The possession of a Customer ID is assumed

  • Suspend any transaction, refrain from offering any funds, assets, or services.

Escalation by the Frontline Team or Screening Analyst to the AML Compliance Officer

The AML Compliance Officer needs to assess the customer profile forwarded by the frontline or screening team and determine whether the customer (potential, existing, or former) is indeed a partial match or confirmed match or false match, based on which further actions can be taken.

Impose Suspension Measures on Potential, Existing, and Former Customers

Once the AML Compliance Officer is sure that the partial match screening outcome is correct and accurate, he needs to act fast and impose a suspension of the business relationship and refrain from or avoid providing any service, assets, or funds to such a customer without delay (within 24 hours of the partial match).
The extent and manner of imposing TFS Measures, i.e., suspension, shall differ on the basis of the maturity of the business relationship, as elaborated below:

In case of a Potential Customer

  • Cancel the Transaction and proceed with the PNMR filing process

Existing and Former Customers

  • Suspend any transaction, refrain from offering any funds, assets, or services.

Preparation of Mandatory and Obligatory Information & Documents for PNMR in alignment with goAML Requirements

After imposing TFS Measures, the Compliance Officer then needs to ensure that he is equipped with all the mandatory and obligatory information pertaining to the customer against whom the PNMR is supposed to be filed. The ID documents of existing and former customers (passport, Emirates ID, trade license) are assumed to be in possession of the RE and need to be submitted with PNMR. The ID documents of potential customers can be submitted if and when available. The examples of obligatory information are:
  • Asset value proof (bank statements, portfolio summaries, title deeds)
  • Description of suspended service or transaction
  • Description of rejected transaction or service (when no funds are held).

Logging in on the goAML Portal for PNMR Filing

The AML Compliance Officer must log into their employer’s goAML portal account using RE’s log-in details to file PNMR.

Selecting Report Type as PNMR & Entering Information and Documents

The AML Compliance Officer needs to select PNMR from the list of options given in the dropdown menu on the goAML portal. The AML Compliance Officer can either upload the PNMR in an XML format or fill in the details regarding the partial name match in real-time by opting for the web-report option on the goAML portal.

Saving and Submitting PNMR

Once the details regarding the partial name match are entered on the goAML portal successfully, the AML Compliance Officer must save the PNMR details and submit the same. The AML Compliance Officer must be mindful of the requirement to complete the legal obligation of filing the PNMR on the goAML portal within 5 days after applying suspension measures.

Following EOCN Response

REs after filing a PNMR must await and follow the EOCN instructions and maintain suspension measures until further instructions are received.

The EOCN instructions in the context of PNMR concern the treatment of suspension measures, particularly in the case of existing and former customers. The Reporting Entity must submit PNMR along with all the necessary and obligatory customer information so that EOCN can verify the PNMR submitted and give further instructions to the RE. Either of the following steps must be taken by RE, based on EOCN response:

  • If EOCN concludes PNMR filed as a False Positive, RE must cancel TFS suspension measures and proceed with the business relationship
  • If EOCN validates PNMR as a Confirmed Match, REs must freeze funds and submit CNMR.
In the case of potential customers, if customer information and documents are lacking, EOCN will not be able to resolve the submitted PNMR into either a Confirmed Match or a False Positive.

Maintaining Records of PNMR Filed for Five (5) Years

REs are required by law to maintain records of all screening results, including PNMRs, the identification, decision, suspension measures taken, and details of the PNMR filed on the goAML portal for the period of at least 5 years.

Key Differences Between CNMR and PNMR: Comparative Table

Differences Between CNMR and PNMR

Trigger Event
  • CNMR (Confirmed Name Match Report): Identification of a Confirmed Match during Sanctions Screening
  • PNMR (Partial Name Match Report): Identification of a Partial Match during Sanctions Screening

Immediate Action Needed
  • CNMR: Freezing Measures for TFS Compliance to be applied within 24 hours
  • PNMR: Suspension Measures for TFS Compliance to be applied within 24 hours

Filing Timelines
  • CNMR: Within 5 days after imposing Freezing Measures
  • PNMR: Within 5 days after imposing Suspension Measures

Documents Required
  • CNMR: Complete Customer ID + documents of Freezing Measures / Transaction Rejection
  • PNMR: Complete or Partial Customer ID + documents of Suspension Measures

Post Filing Measures
  • CNMR: Freezing Measures to stay in place; however, lift Freezing Measures if the Person/Entity is delisted from the Sanctions List or a Freezing Cancellation Decision is given by EOCN
  • PNMR: Await EOCN response and maintain Suspension Measures; may need to file CNMR or mark the match as a False Positive

Key Differences Between Freezing and Suspension Measures

Differences Between Freezing and Suspension of Funds

Sanctions Screening Disambiguation Outcome
  • Freezing Measures: Confirmed or Perfect Match
  • Suspension Measures: Partial Match

Report to be filed on the goAML Portal
  • Freezing Measures: CNMR
  • Suspension Measures: PNMR

TFS Compliance Requirements
  • Freezing Measures: remain in place until the person/entity is delisted from the Sanctions List or a Freezing Cancellation Decision is given by EOCN
  • Suspension Measures: remain in place until EOCN provides further instructions on the match’s status

General Do’s and Don’ts to Ensure TFS Compliance

Compliance with Targeted Financial Sanctions (TFS) is legally mandated under UAE law and reinforced by the 2025 TFS Guidance. These emphasize proactive, risk-based screening, reporting, and asset freezing for designated persons. The following do’s and don’ts guide Reporting Entities, i.e., DNFBPs, FIs, and VASPs in meeting TFS obligations, particularly for CNMR and PNMR submissions via goAML.

Dos to Ensure TFS Compliance

Do subscribe to the Executive Office mailing list or alert system

Regulated Entities (DNFBPs, VASPs, and FIs) are required to register on the goAML platform to submit STRs and SARs to the FIU. They must also use the platform to report CNMRs/PNMRs to the EOCN and the Supervisory Authority.

Do screen continuously, even on weekends and holidays

Reporting Entities must establish internal procedures for screening against the UAE Local Terrorist List and UNSC Consolidated List during weekends and public holidays, ensuring that access to funds or assets is restricted at all times. If no transactions or customer access occur during weekends or holidays, screening must begin immediately at the start of business activity, and freezing measures should be promptly applied.

Do Report and Disclose previous transactions or business dealings with Confirmed or Partial Name Matches.

Reporting Entities must submit CNMRs and PNMRs for all relevant transactions, business relationships, and accounts held within the past five years, including those closed before the designation, even if no current assets or ties exist. The report must explicitly state that no funds or assets are presently held, no ongoing relationship exists with the designated party, and that the account in question is closed.

Do Report Matches via Email to the EOCN if You’re Not a goAML User

An entity not registered with goAML (one that does not fall under the definition of FIs, DNFBPs, or VASPs and is therefore not under an obligation to register on goAML) must report CNMRs or PNMRs by email, providing a complete set of case details that clearly explain the identified match, with all relevant supporting documents attached to the message.

Do Escalate Matches Found in Criminal or Unilateral/Multilateral Sanctions Lists

Reporting Entities must consult the relevant Supervisory Authority (SA) for guidance on handling matches found with unilateral or multilateral sanctions lists, or other criminal lists, and consider submitting an STR or SAR to the Financial Intelligence Unit (FIU) if such matches are confirmed. The Reporting Entity should not use CNMR/PNMR reports in goAML for matches found on other sanction or criminal lists like OFAC, EU, HMT, or INTERPOL. These reports are only for matches with the UAE Local Terrorist List and UN List.

Do understand the change in penalty for non-compliance and inform staff

Reporting Entities must keep themselves aware of changes made to the penalties imposed for TFS violations and incorporate them into their procedures, such as imprisonment for a period of one to seven years. REs must also understand that Administrative Sanctions might be applied to them, including a warning or license cancellation.

Don'ts to Ensure TFS Compliance

Don’t overlook changes in ownership structures, as even minority holdings may evolve into controlling stakes.

Reporting Entities are required to impose freezing measures on any entity that is majority-owned (more than 50%) by designated persons or entities. During implementation, REs must determine whether a designated person owns or exercises control over more than 50% of the proprietary rights. If the designated individual holds only a minority stake (50% or less), the entity is not subject to freezing measures unless ownership shifts, and the designated person gains a majority stake or controlling interest. Furthermore, all funds or assets owed to designated individuals must be frozen and must not be made accessible under any circumstances.
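The "more than 50%" test above is simple to state but easy to get wrong at the boundary: a 50.00% holding is not subject to freezing, a 50.01% holding is, and binary floating point cannot represent most percentages exactly. The following Python helper is an added example (not from the blog or from EOCN) that aggregates the holdings of designated parties with exact fractions and re-runs the test after a cap-table change. Holder labels and percentages are constructed placeholders; it covers direct holdings only, and tracing indirect ownership through intermediate entities is an assumption left out here.

```python
from fractions import Fraction

# "More than 50%" per the blog, so strictly greater than one half.
THRESHOLD = Fraction(1, 2)


def designated_ownership(cap_table, designated):
    """Aggregate proprietary rights held by designated persons or entities.

    cap_table maps holder label -> percentage (int, or a str such as "20.01").
    Fraction(str(...)) keeps the arithmetic exact, so an aggregate of exactly
    50% compares as equal to the threshold rather than drifting above or below it.
    """
    shares = {holder: Fraction(str(pct)) / 100 for holder, pct in cap_table.items()}
    total = sum(shares.values(), Fraction(0))
    if total != 1:
        # A cap table that does not add up is a data-quality defect, not a screening result.
        raise ValueError(f"cap table sums to {float(total) * 100:.4f}%, expected 100%")
    return sum((shares[h] for h in shares if h in designated), Fraction(0))


def subject_to_freezing(cap_table, designated):
    """True only when designated parties together hold strictly more than 50%."""
    return designated_ownership(cap_table, designated) > THRESHOLD


def ownership_change_review(before, after, designated):
    """Re-run the majority test after a shareholding change and flag a flipped status."""
    was = subject_to_freezing(before, designated)
    now = subject_to_freezing(after, designated)
    return {"before": was, "after": now, "status_changed": was != now}


if __name__ == "__main__":
    # Constructed sample: two designated holders (placeholder labels D1, D2).
    designated = {"D1", "D2"}
    before = {"D1": 30, "D2": 20, "Other": 50}          # exactly 50% -> not subject
    after = {"D1": 30, "D2": "20.01", "Other": "49.99"}  # crosses the line -> subject
    print(ownership_change_review(before, after, designated))
```

Running the review on every cap-table update, rather than only at onboarding, is what turns the "don't overlook changes in ownership" rule into a control rather than a reminder.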

Don’t notify customers before freezing measures, as doing so may be considered tipping off

Reporting Entities must avoid informing customers about freezing measures before they are applied, as this may constitute tipping off. Customers may be notified once the measures have been implemented.

Don’t Forget to Document False Positives

Reporting Entities do not need to report a False Positive result to the EOCN and may proceed with the business transaction. However, they must maintain internal records of the screening alert and all actions taken.

Don’t rely solely on third-party screening services to meet compliance obligations

Reporting Entities must not consider third-party screening services as a guarantee of compliance. Reporting Entities remain responsible and must assess the reliability and robustness of external systems before using them.

Don’t Rely on Assumptions or Unverified Links

When a Confirmed or Partial Name Match is identified, the Reporting Entity must obtain and review the customer’s identification documents. Following the review, appropriate freezing or suspension actions should be taken and properly documented.

Best Practices for CNMR and PNMR Filing on the goAML Portal to Ensure TFS Compliance

Filing CNMRs and PNMRs via the goAML portal is a key compliance requirement for Reporting Entities, including DNFBPs, FIs, and VASPs. By implementing the following best practices, Reporting Entities can ensure effective compliance with the UAE’s latest Guidance on Targeted Financial Sanctions (TFS):

Establish Comprehensive Sanctions Compliance Policies and Internal Controls

Reporting Entities must set and implement policies, procedures, and internal controls that align with the requirements of the latest TFS Guidance. These should ensure compliance with freezing obligations, include reasonable measures to identify beneficial owners and signatories, and strictly prohibit staff from disclosing freezing actions to customers or third parties. REs must allocate appropriate human and technical resources to fulfil TFS obligations effectively.

Using Sanctions Screening Software for Accuracy

REs must deploy Sanctions Screening Software that enables high-accuracy detection of designated individuals and entities across the UAE Local Terrorist List and the UNSC Consolidated List. The software should allow configurable thresholds to minimise false positives while ensuring true matches are not missed. The software must support real-time updates to watchlists, automatic batch screening, and ongoing monitoring of customer databases and transactions. These capabilities are critical for ensuring that CNMRs and PNMRs are identified without delay.

Providing Sanctions Compliance Training to Employees

REs must conduct regular and role-specific training for employees, especially those in compliance, operations, and client onboarding teams. The training must cover the detection and handling of CNMRs and PNMRs, the use of sanctions screening software, and the regulatory obligations outlined in the latest TFS Guidance. Training should also emphasise the importance of confidentiality (prohibition of tipping off) and include practical case scenarios to ensure readiness for real-life detection and reporting situations.

Group Oversight Across All Branches and Trade Zones

REs must establish Group Oversight to ensure consistent application of CNMR and PNMR processes across all branches and free trade zones. This includes unified match thresholds, centrally managed screening tools, and standardised escalation procedures. Group Compliance responsibilities must include overseeing implementation, conducting regular audits, and providing training to ensure effective and consistent Sanctions Screening. Central oversight ensures that potential matches are identified and resolved promptly, reducing the risk of sanctions breaches across the institution’s entire operational footprint.

Tamper-Proof Record-Keeping

REs must maintain tamper-proof record-keeping systems to ensure the integrity and security of data related to CNMR and PNMR activities. Records of screening results, match investigations, and escalation decisions must be securely maintained with access controls that restrict unauthorised viewing or editing. The system must include audit trails that log all user actions and prevent any undetected alterations or deletions.

Implementing Centralised Record Management Systems

REs must implement Centralised Record Management Systems to ensure consistent, secure, and traceable handling of data related to CNMR and PNMR processes. These systems should consolidate customer and transaction records across all business units and branches, enabling efficient access and retrieval during sanctions screening, investigations, and regulatory inspections. Centralisation ensures that relevant data is readily available as a single source of truth, supporting timely identification, review, and escalation of potential matches. Easy access to accurate records is essential for demonstrating compliance with TFS obligations and facilitating smooth regulatory visits.

Internal Reporting & Escalation Module

REs must establish a structured Internal Reporting & Escalation Module to manage alerts generated through CNMR and PNMR processes. This module should define clear roles, timelines, and procedures for the review, escalation, and resolution of potential sanctions matches. Automated workflows should support timely alert handling, while ensuring that all actions are logged for audit purposes. Effective internal reporting and escalation are essential for preventing delays, ensuring regulatory compliance, and facilitating prompt decision-making in line with TFS obligations.

Bringing It All Together: TFS Measures, Match Outcomes, and goAML Reporting

The TFS Guidance of July 2025 calls for more than reactive and passive compliance measures; it requires proactive internal policies and procedures that provide for timely screening, clear escalation protocols, and accurate CNMR/PNMR reporting through the goAML portal and reporting to the relevant Supervisory Authority. Whether the match is confirmed or partial, and whether it involves a potential, existing, or former customer, regulated entities must implement appropriate freezing or suspension measures, document the actions taken, and maintain records for a period of five (5) years.

Incorporating these practices into daily workflows helps ensure regulatory compliance while reinforcing operational resilience. With the right Sanctions Screening Software, role-specific AML training, and governance, REs in the UAE can go beyond reactive compliance and achieve proactive, risk-based TFS compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


What is MENAFATF, and who are its members and observers?


The Middle East and North Africa (MENA) region has its own dedicated FATF-Style Regional Body (FSRB), known as MENAFATF. This blog introduces its members and observers while providing a glimpse of MENAFATF’s mission, structure, governance, and its key role in strengthening the region’s financial integrity.

What is MENAFATF, and who are its members and observers?

In a world highly interlinked through finance, trade, and technology, the risks associated with money laundering (ML) and the financing of terrorism (FT) have grown significantly. These activities threaten economies, global security, and the integrity of financial systems. Recognising the threats that money laundering and terrorist financing pose to countries in the Middle East and North Africa region, the Middle East and North Africa Financial Action Task Force (MENAFATF) stands out as the regional body dedicated to combating ML and FT.

The countries in the MENA region work jointly to comply with MENAFATF’s standards, which establish an effective system that countries need to implement in a way that does not contradict their cultural values, constitutional frameworks, and legal systems.

Establishment and Background of MENAFATF

MENAFATF was established in Manama, Bahrain, on 30th November 2004 at an inaugural Ministerial Meeting wherein the Governments of 14 countries decided to establish MENAFATF as a FATF Style Regional Body (FSRB).

MENAFATF operates as an independent body, distinct and separate from any other international or regional organisation. It is designed to reflect the unique political, economic, and social culture of the region, and follows the model of the Financial Action Task Force (FATF), the global standard-setter for AML/CFT.

Objectives and Functions of MENAFATF

The primary function of MENAFATF is to combat money laundering (ML) and terrorism financing (TF) by promoting regional cooperation and ensuring that the member countries implement effective measures aligned with international standards, particularly the FATF 40 recommendations. MENAFATF Member countries strive towards achieving the following objectives:
  • To encourage member nations to set up and implement a comprehensive AML/CFT structure, according to the FATF recommendations, and ensure implementation of relevant UN treaties and agreements and the UNSCRs (United Nations Security Council Resolutions).
  • To conduct mutual evaluations of member nations to assess their adherence to international AML/CFT standards and identify the gaps that need to be addressed.
  • To provide guidance, training, and support to member nations in developing, implementing, and enhancing their legal, regulatory, and institutional AML/CFT structure.
  • To facilitate the sharing of information, typologies, and best practices among member nations and international partners.
  • To take measures throughout the region to combat money laundering and terrorist financing in a manner that respects the cultural values, constitutional frameworks, and legal systems of the member countries.

MENAFATF Structure And Governance

MENAFATF follows a well-defined governance structure that ensures both strategic and operational efficiency. Key components of this structure include two bodies, i.e., the Plenary Meeting of Representatives of member countries, also referred to as the Plenary for the sake of simplicity, and the Secretariat:

The Plenary

The Plenary is the decision-making body, consisting of representatives from all member nations. It meets at least twice a year to discuss policies, approve evaluation reports, and oversee the organisation’s activities. It also elects the President and Vice President from among the member countries.
  • President and Vice President: The President and Vice President are elected from among the members for a term of one year and represent MENAFATF at international forums.
More details about the Plenary are discussed in the following paragraphs.

Secretariat

The Secretariat is responsible for the day-to-day activities of MENAFATF. It is based in Bahrain and supports the implementation of Plenary decisions, coordinates evaluations, and manages communication with member nations and observers.
The Secretariat performs the following functions:
  • Prepare the annual report, work plan, and estimated budget, and submit them to the Plenary.
  • Provide technical and administrative preparation for convening the Plenary, working groups, and any established committees.
  • Implement and follow up on the work plan as approved by the Plenary.
  • Submit regular reports on MENAFATF’s work to the Plenary and the President.
  • Manage the expenditure of the approved budget and carry out mutual evaluation exercises.
  • Identify the training and technical assistance needs of member states and facilitate the provision of such assistance in consultation with those countries.
  • Monitor worldwide AML/CFT developments and provide appropriate information to the Plenary.
  • Carry out any other tasks assigned by the Plenary.

Working Groups

MENAFATF has different specialised working groups that work on areas such as mutual evaluation, typologies, research, technical assistance, and training. These groups help to bring together the experts from member nations to collaborate on specific projects.

Members of MENAFATF

MENAFATF comprises 21 countries from the region of the Middle East and North Africa. Each member is required to implement the FATF 40 recommendations and actively participate in MENAFATF’s activities. The member countries are-
  1. Algeria
  2. Bahrain
  3. Djibouti
  4. Egypt
  5. Iraq
  6. Jordan
  7. Kuwait
  8. Lebanon
  9. Libya
  10. Mauritania
  11. Morocco
  12. Oman
  13. Qatar
  14. Palestine
  15. Saudi Arabia
  16. Somalia
  17. Sudan
  18. Syria
  19. Tunisia
  20. United Arab Emirates
  21. Yemen

Observers of MENAFATF

In addition to the member nations, MENAFATF associates with several observers, including international organisations as well as countries. They participate in MENAFATF’s meetings, provide technical expertise, and contribute to the overall mission of effective regional AML/CFT efforts. The international organisations that are observers of MENAFATF are:
  1. International Monetary Fund (IMF)
  2. World Bank
  3. Cooperation Council for the Arab States of the Gulf (GCC)
  4. Financial Action Task Force (FATF)
  5. Egmont Group of Financial Intelligence Units
  6. Asia/Pacific Group on Money Laundering (APG)
  7. World Customs Organization (WCO)
  8. Arab Monetary Fund
  9. Eurasian Group on Combating Money Laundering and Financing of Terrorism (EAG)
  10. United Nations
  11. European Commission
The countries that are observers of MENAFATF are:
  1. France
  2. United Kingdom
  3. United States of America
  4. Spain
  5. Australia
  6. Germany
  7. Russian Federation
The countries listed above often have bilateral partnerships with MENAFATF members and play a significant role in international AML/CFT initiatives.

Key Activities and Achievements of MENAFATF

Over the past few years, MENAFATF has made key progress in enhancing the AML/CFT framework across the region. The key activities and achievements of MENAFATF are:

Mutual Evaluation

MENAFATF conducts several rounds of mutual evaluation of the member nations to assess their AML/CFT compliance with FATF standards. These rounds of mutual evaluation are discussed in further paragraphs. These evaluations help nations identify areas for improvement in their AML/CFT frameworks.

Capacity Building

MENAFATF provides extensive training to government officials, regulators, law enforcement agencies, and financial intelligence units through workshops, seminars, and technical missions.

Typology reports

MENAFATF publishes reports on regional ML/TF trends and methods. These reports help member nations identify and mitigate emerging threats.

Global Collaboration

MENAFATF works closely with FATF and other organisations like the Asia-Pacific Group on Money laundering (APG).

Public Awareness

MENAFATF supports efforts to educate the public about AML/CFT obligations and the importance of these compliances.

The Role of MENAFATF Plenary

The Plenary in MENAFATF is the highest decision-making body and plays a significant role in contributing to MENAFATF’s mission. It comprises representatives from each member nation, typically experts in AML/CFT or senior officials from the Ministry of Finance, Central Banks, or Financial Intelligence agencies.

The Plenary assembles at least twice a year and may hold extraordinary meetings if necessary.

In a plenary meeting, a wide range of issues are discussed by the members as well as observers and decided upon, which includes:

  • The approval of mutual evaluation reports
  • Adoption of strategic plans
  • Discussion of typology findings
  • Endorsement of training programs
The Plenary approves the MENAFATF work program and performs the following functions:
  • establish and approve the policies of MENAFATF;
  • determine the rules and procedures of MENAFATF;
  • approve annual report, work plan, and estimated budget, and ratify the financial report and auditor’s report of MENAFATF;
  • appoint the Executive Secretary and independent auditor, and approve the Secretariat’s organisational structure and other functions;
  • decide upon new member countries and observers;
  • adopt any amendments to the Memorandum of Understanding (MOU) that may be significant in the future;
  • identify technical assistance needs of member States and coordinate delivery of technical assistance in consultation with such nations and in co-operation with countries as well as international and regional organizations providing such assistance, particularly those holding observer status;
  • consider and approve mutual evaluation reports of members’ compliance with FATF standards;
  • establish working groups and committees when needed to undertake special tasks;
  • consider any other subjects proposed by any of the member countries, the President, or the Secretariat.

The Plenary also elects president and vice-president, and annually reviews the organisation’s work plan and budget. The rules of the Plenary are designed to encourage transparency, inclusiveness, and effective decision-making.

Moreover, the Plenary provides a platform for observer organisations and countries to interact and participate in the discussions, although they do not have any voting rights. The Plenary is important for ensuring that MENAFATF remains dynamic, responsive, and aligned with the international AML/CFT framework.

Mutual Evaluation Working Group

The Mutual Evaluation Working Group (MEWG) is one of the important components of MENAFATF’s operational structure. It includes the task of managing and overseeing the process of mutual evaluation and follow-up reports of member nations. MEWG ensures that the evaluation is conducted in accordance with FATF standards, and the result reflects an accurate assessment of the country’s AML/CFT system.

MEWG focuses on two reports-

Mutual Evaluation Report

The mutual evaluation process involves an extensive peer review in which a team of experts assesses the member country’s compliance with the FATF 40 Recommendations. The evaluation covers both technical compliance and effectiveness. The MEWG is responsible for coordinating evaluations, selecting review teams, guiding on-site visits, and reviewing draft evaluation reports before they are submitted to the Plenary for approval. These reports highlight areas of strength, areas for improvement, and potential red flags. Once a report is approved by the Plenary, it is made accessible to the public.

Follow-up Report

Once a mutual evaluation is completed, the member nations initiate a follow-up process to ensure they take corrective measures. The MEWG monitors this progress by reviewing follow-up reports submitted by the nations.

These reports elaborate on the steps taken to address the areas of improvement identified in the mutual evaluation report. Depending on the level of progress, nations may be subject to enhanced follow-up or regular follow-up with the timelines for submitting these progress reports. MEWG reviews these reports and assesses whether the nation can exit the follow-up process or require further monitoring.

Therefore, MEWG plays a crucial role in maintaining accountability and promoting continuous improvement among its members. This rigorous evaluation and effective follow-up help strengthen the nation’s AML/CFT compliance in accordance with the FATF’s 40 recommendations.

Withdrawal and Suspension of Membership

MENAFATF includes the provision for the withdrawal or suspension of membership of a member nation.

A member that wishes to withdraw voluntarily may submit a written notice of withdrawal to the Secretariat. The withdrawal takes effect after a stipulated period, generally six months from the date of notification, unless an earlier date is agreed.

In certain cases where a member nation fails to fulfill its obligations, such as mutual evaluation, continuous non-compliance with the AML/CFT framework, or a lack of cooperation, that member may be subject to suspension by MENAFATF. The Plenary, with a two-thirds majority vote, makes the decision regarding suspension. The decision to suspend results in the loss of voting rights and the ability to influence decisions within the organisation until the issues leading to the suspension are resolved.

The withdrawal and suspension of membership provision of MENAFATF enables better accountability and engagement among members, and facilitates a hassle-free exit process or disciplinary actions in cases of persistent non-cooperation.

Challenges and Future Outlook

Challenges faced by MENAFATF

MENAFATF has achieved notable success in recent times, but even today, it faces several challenges:
  • Political Instability: Member nations can be affected by ongoing political conflicts and governance challenges, which can hinder their AML/CFT frameworks.
  • Resource Constraints: Not all member nations have sufficient financial and human resources, which can limit the effectiveness of their AML/CFT frameworks.
  • Diverse Legal Systems: The varied legal systems of the member nations make a uniform AML/CFT framework harder to achieve.
  • Technological Evolution: The rise of digital currencies and fintech requires constant updates to regulatory approaches, and keeping pace with them strains AML/CFT standards.
To address these challenges, MENAFATF must continue to strengthen its partnerships, enhance technical assistance, and promote the adoption of new technologies.

Outlook for MENAFATF

MENAFATF is expected to:
  • Enhance its research and typology work to keep abreast of emerging threats.
  • Strengthen the mutual evaluation process to ensure efficient ongoing compliance.
  • Integrate more deeply with the international financial system and standards.
  • Encourage greater private sector engagement in the AML/CFT framework.

MENAFATF: The Watch Continues

MENAFATF plays a significant role in ensuring financial transparency and security in the Middle East and North Africa (MENA) region. It stands as a cornerstone of regional cooperation in the fight against Money laundering and financing of terrorism.

By aligning its efforts with international standards and tailoring them to the challenges of the MENA region, MENAFATF plays a significant role in strengthening financial systems, enhancing legal frameworks, and promoting transparency. As financial crime continues to evolve, MENAFATF’s role remains important not only as a monitor and advisor but also as a driver of sustainable reform. Through continued commitment and innovation, MENAFATF can further empower its members to build more resilient and secure economies.


Dissecting Hawala – Its Vulnerability and Misuse for Financial Crime


What is Hawala?

Hawala Meaning

Hawala is an informal value transfer system in which one person transmits funds to another without using formal money transfer mechanisms, such as banking. It’s a system based on trust in which transmitting funds from one place to another is made possible without the actual movement of cash through a nexus of hawaladars facilitating such fund or value transfer for a fee or percentage.

Historical Context for Hawala Transactions

To understand the concept of hawala better, it’s important to understand that it started centuries ago. Traders and merchants intending to send funds home would make a deposit with a hawala broker at their location, and the broker would communicate within their nexus to let the designated recipient collect funds from a hawala broker located in that region.

Key Participants in Hawala Transactions

Remitter:

A person who wants to transfer funds to someone without using formal banking channels.

Hawaladars:

A Hawala transaction cannot take place without the involvement of a hawaladar. There could be one or more Hawaladars involved in a single transaction at the point of origin and the destination. Hawaladars receive and make payments on behalf of their clients and settle those transactions among themselves as trade transactions.

Beneficiary:

The intended recipient of the Hawala transaction.

Hawala Transaction Process

The hawala process generally has the following steps, as discussed.

Approach:

A person intending to transfer value to the recipient at another location, i.e., the originator, gets in touch with a hawaladar and finalises the terms of fund transmission. At this stage, the originator and recipient decide on the secret key or passcode type. This passcode or secret key is communicated to the hawaladar and the intended recipient of the funds.

Coordination:

The said hawaladar, i.e., the originator’s hawaladar, coordinates with other hawaladars in his network to identify who can disburse payment to the client’s intended recipient on his behalf while discussing other terms. At this stage, the originator hawaladar conveys the secret key or passcode to the hawaladar in the recipient’s region so that they can confirm the same prior to disbursing funds to the recipient.

Passcode or Secret Key Confirmation:

The recipient approaches the hawaladar in their region who is responsible for disbursing the payment and gives the secret key or passcode, which acts as the signal for the hawaladar to release the funds. The hawaladars decide how they want to confirm or validate the identities of the originator and recipient, based on the regulations, if any, in their jurisdiction.

Account Settlement:

The trust factor amongst hawaladars is the key component on which the entire hawala network and business exists. They trust one another adequately that the funds disbursed on the word of the other will be settled in time, along with their share of fees or commission as agreed. The entire business of hawala runs on mutual trust and understanding, where hawaladars settle each other’s accounts by way of trade transactions.

Legitimate Vs Illegitimate Uses of Hawala

Hawala, as an informal value transfer system, attracts legitimate users as well as users with illicit motives who want to launder or transfer criminal proceeds or fund illegal activities. Its legitimate and illegitimate uses are discussed below.

Examples of legitimate uses of Hawala include:

  • Avoidance of bank fees for fund transfers
  • Lack of banking access in the remittance-receiving jurisdiction
  • Cultural preference
  • Lack of trust in formal banking.

Examples of illegitimate uses of Hawala include:

  • Transfer of funds for illicit purposes
  • Evasion of regulatory scrutiny about the source of funds
  • Sanctions and trade embargo or restriction evasion
  • Evading disclosure of the identities of the actual beneficiaries of the transaction. In the formal banking system this would have required disclosure of Ultimate Beneficial Owners (UBOs), who might turn out to be sanctioned persons or Politically Exposed Persons (PEPs), triggering regulatory reporting or enhanced due diligence (EDD) measures, respectively.

Characteristics of Hawala Transactions

Some of the distinguishing characteristics of Hawala transactions are as follows:
  • There is No Physical Movement of Cash From Point A to Point B. It’s the hawaladar’s nexus that makes the funds available to the recipient as finalised between the sender and the hawaladar. The sender does give funds to the hawaladar, but those exact funds or currency are not disbursed or transferred. Those funds are rather settled by the mode of trade transactions among a nexus of hawaladars.
  • Hawala Transactions are Unregulated and hence circumvent the requirement of customer identification and verification, contrasting with formal value transfer systems.
  • There is No Element of Mandatory Regulatory Record-Keeping obligations that hawala transactions or hawaladars have to adhere to.
  • The Information of the Hawala Transaction is Coded: The subject matter of each transaction, such as sender, recipient, agreed-upon fees, secret passcode, etc., is transferred across in a coded manner that ensures the privacy and anonymity of the parties involved.
  • Geographical Spread: The geographical spread of hawala networks facilitates recipients’ receiving funds in any part of the world based on information or possession of documents containing identifiable and verifiable information that the hawaladar can confirm to disburse funds.

Why is Hawala Preferred Over Formal Banking Systems?

The very characteristics of the Hawala system that make it appear more appealing than the formal banking system are the lack of regulation, documentation, and compliance obligations.

Why Hawala Attracts Money Launderers?

The hawala system attracts money launderers because of the characteristics described above; the following two are the major reasons:
  • No paper trail: As launderers do not prefer to be linked to their transactions and are always trying to separate their illicit proceeds from their origin, hawala helps by quickly getting rid of large sums of cash that an unwitting hawaladar accepts, not knowing the origin of those illicit proceeds.
  • Anonymity: The Hawala system does not follow the stringent practice of ID verification and customer due diligence that regulated entities under AML obligations do. Hence, money launderers can almost anonymously send and receive funds across the world through the hawala network.

At Which Stages of ML Can Hawala Take Place?

Money laundering takes place in three stages: placement, layering, and integration. Hawala network can be misused by money launderers at any stage of the money laundering process. The hawala system can facilitate placement, as it readily accepts large sums of cash without knowing that those could be illicit proceeds. The same goes for the layering stage, where funds are structured and remitted to and fro, and the integration stage, where the funds come back to the launderer after placement and layering, making it impossible to trace the origin of such proceeds.

Why Hawala Attracts Terrorism and Proliferation Finance Actors?

Hawala attracts terrorism and proliferation financing (TF and PF) actors for similar reasons as money laundering. The element of anonymity and lack of a paper trail that can be traced back to the actual person makes the hawala system highly vulnerable to misuse for TF and PF.

At Which Stages of the TF/PF Can Hawala Take Place?

TF has stages such as collect, store, move, and use, and PF has stages such as fundraising for the programme, disguising the funds, and procurement of proliferation-sensitive materials. Hawala is typically misused at the moving stage of TF. With regard to PF, hawala can be misused both to conceal funds and to make payments for the procurement of proliferation-sensitive materials in a high-risk, blacklisted, or sanctioned country. The limited scrutiny applied to hawala, and the existence of unlicensed or unregistered hawaladars who do not keep up with regulatory obligations, make the system prone to misuse by TF and PF actors.

ML, FT, and PF Typologies Associated with Hawala Transactions

Typologies related to hawala transactions:
  • Structuring: Criminals break down a large sum of illicit money into small sections and launder the funds through several hawala transactions to avoid any suspicion.
  • Back-to-Back Transfers: Matching one client’s need to send money to another’s need to receive money in the opposite direction creates a circular or offsetting mechanism that avoids any actual money movement.
  • Trade-Based Settlement: Settling Hawala debts through over- or under-invoicing of goods. Hawaladars may run import-export businesses and manipulate trade values to balance their books.
  • Use of Third Parties or Mules: Criminals use third parties or mules to transfer funds among countries. These third parties or mules are often unaware that they are being misused for illicit fund transfers.
  • Integration with Criminal Proceeds: Criminals use hawala transactions to legitimise their illicit proceeds by disguising them as legitimate payments.
  • Use of False Invoices and Shell Companies: False invoices are often used to legitimise the transfer of illicit funds, creating the appearance of genuine transactions to meet regulatory requirements. Shell companies may also be established solely for the purpose of laundering money, with illicit funds disguised as proceeds from legitimate business activities.
  • Charities and Non-Profit Organisations: Funds are sent through Hawala to support terrorist organisations or individuals in high-risk jurisdictions, often linking them to charitable organisations or seemingly legitimate donations.
  • Cross-border Value Transfer Without Currency Movement: Hawaladars never physically transfer money; rather, one hawaladar contacts another hawaladar in another jurisdiction to give the same amount of money to the recipient without actually moving it.
  • Reverse Hawala Flows: Hawaladars settle their accounts without physically moving money. They maintain running accounts of corresponding Hawaladars, offset the balances against other transactions, and, if needed, settle the accounts periodically.

Harnessing Technology for Mitigating ML, FT, and PF Risk Emanating from Hawala Transactions

FIs, DNFBPs, and VASPs can rely on technology, such as transaction monitoring powered by data analytics and artificial intelligence, to detect patterns indicating hawala activities and help identify and report illegal hawala activity to comply with AML/CFT and CPF obligations. Implementing robust transaction monitoring systems helps detect any illegal and unregulated hawala transactions.

Concept of Hawala: Concluding Remarks

Conducting or encouraging hawala transactions comes with the inherent risk of being linked to illegal activities and funds for ML, FT, or PF activities. Regulated Entities must exercise caution when dealing with customers who might be using funds from questionable origins. Seeking sources of funds and sources of wealth to corroborate a paper trail of funds helps mitigate ML, FT, and PF risks, particularly from hawala, to a great extent, followed by senior management approval and enhanced due diligence measures.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

Mitigating “Tipping Off” Risk to Ensure AML/CFT Compliance

This blog discusses the intricate subject of tipping off in the context of AML Compliance by taking the reader through the topics covering the following:
  • What is Tipping Off
  • A nuanced analysis of the specific exemption from filing STRs available to professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries when providing privileged services
  • Obligation to file STR by complying with no-tipping-off requirements when performing services or activities coming under the purview of AML/CFT obligations.
  • Do’s and Don’ts to avoid tipping off
  • Best Practices to avoid tipping off
  • Suggestive Checklist to Avoid Tipping-Off Customers While Filing STR With UAE FIU.

What is Tipping Off in AML Compliance?

What Does The Word “Tip-Off” Mean?

The act of informing a person about an upcoming event, information, or any action against them so that they can take precautionary measures or prepare themselves for the consequences of such event, action, or information is known as tipping off.

Tipping Off in the Context of AML Compliance

Before delving into tipping off in the context of AML/CFT and TFS compliance, a refresher on AML compliance and suspicious transaction reporting (STR) obligations is required. The Federal Decree Law No (20) of 2018 on AML/CFT requires the reporting entity (FIs, DNFBPs, or VASPs) to report suspicious transactions to the FIU without any delay, while ensuring confidentiality. This confidentiality requirement is two-pronged, requiring reporting entities to ensure confidentiality at two stages:
  • Not disclosing the information, contents, and subject matter of the STR to anyone, particularly the customer themselves, except the concerned team members (which include senior management, AML compliance officers, and other compliance team members) or personnel working on the particular case.
  • Not disclosing the act of reporting itself, except for the concerned team members, that regulatory reporting measures are being carried out for a particular customer regarding their transaction with the entity.
Any violation of this confidentiality requirement, particularly resulting in the customer being forewarned, informed, or given any hint or disclosure of impending or concluded reporting by the regulated entity to the authorities, is known as tipping off.
In simple words, when a customer is reported to the authorities, the regulated entity must ensure that the customer does not learn, through any staff member of the regulated entity, whether intentionally or unintentionally, that they are being or have been reported.

Consequences of Tipping Off on Regulated Entities

If the customer gets to know about the STR because of a lapse of confidentiality on the part of the regulated entity, that lapse amounts to tipping off. The consequence is a fine of not less than one hundred thousand (100,000) AED and not more than five hundred thousand (500,000) AED, and imprisonment for a minimum of one year, imposed on the regulated entity and the employee responsible for the lapse. Tipping off affects the integrity of a regulated entity.

The goodwill or the reputation of a regulated entity gets affected in the eyes of customers as it undermines the trust and faith of customers by showing that the regulated entity is non-compliant with the legal requirements.

Balancing Act: Navigating Specific Exemption from Regulatory Reporting & STR Confidentiality Obligations For Professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries

Unlike other DNFBPs, professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries providing services such as the following:
  • Assessment of customer’s legal position
  • Defending or representing customers before the court of law or authorities
  • Assisting with or providing services such as arbitration or mediation
  • Providing legal advice or opinion in the context of legal proceedings
  • Consulting services on avoiding or commencing legal proceedings, or on the completion of such proceedings

are exempt or waived from the responsibility of reporting and filing an STR with the FIU due to direct invocation of professional secrecy in order to avoid conflict of interest and safeguard the privacy of communications with the client, ensuring that the best interest of the clients is served through the professional services. To put it simply, reporting suspicious transactions is not required if the service rendered by these professionals comes directly under the purview of legal professional privilege.

Nevertheless, activities and services under the scope of AML compliance but outside the purview of direct professional privilege, having any suspicious element (pertaining to ML, TF, and PF) in transactions, must be reported to the UAE FIU without any delay. These activities and services are discussed more at length in further paragraphs. This portion of UAE AML/CFT compliance obligations is drawn in alignment with the Financial Action Task Force (FATF) Recommendation Nos. 20, 21 and 23 for Suspicious Transaction Reporting and Tipping Off.

Caution to be Exercised by Lawyers and Accountants to Prevent Tipping Off While Complying with UAE’s AML/CFT Regulatory Reporting Obligations

By virtue of the specific exemption from reporting STRs granted to professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries, they need not file an STR with the UAE FIU, which appears to relieve them of the no-tipping-off obligation with regard to the services affecting the legal standing of the client described earlier.

However, there is a catch: professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries must file an STR if they come across suspicious transactions while providing a service that is outside the scope of the specific exemption but within the purview of AML obligations. Examples of such services or activities include, but are not limited to:

  • Purchase/Sale of Real Estate
  • Management of Client Funds
  • Management of Bank Accounts, Savings Accounts, or Securities Accounts
  • Organising contributions for the establishment, operation or management of companies
  • Creating or managing Legal Persons or Legal Arrangements
  • Purchase and Sale of Commercial Entities

Interestingly, dissuading or advising the client or customers against engaging in any activity or transaction pertaining to ML/TF does not amount to tipping off by professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries.

Professionals like accountants, independent legal auditors, lawyers, and notaries must exercise caution when formulating AML/CFT policies and procedures. Their AML/CFT Policies and Procedures must be crafted so that customer due diligence (CDD) for activities within the scope of the specific exemption from reporting, and CDD for activities covered by AML/CFT compliance and the resulting statutory reporting such as STRs, follow distinct workflows, escalations, and protocols. This prevents under-reporting, over-reporting, wrongful reports, or missed reports on the part of these professionals. It also eliminates the risk of a tipping-off event: exempted services are not reported, while services within the scope of AML compliance are reported accurately and in a timely manner when a suspicious transaction arises, without the risk of breaching professional secrecy.

How Can All Regulated Entities Prevent Tipping Off

It is important to strike a balance between tipping-off prevention and complying with AML/CFT regulatory reporting obligations. Regulated Entities need to maintain this balance smartly. This section addresses how all Regulated Entities, including professionals like Accountants, Independent Legal Auditors, Lawyers, and Notaries, can prevent tipping off while ensuring compliance with reporting obligations.

The primary recourse available with the regulated entities is to delay the processing or conclusion of the suspicious transaction or the proposed transaction attempted by the subject customer of the SAR/STR.

  • Delay Processing of Transaction: Rejecting or terminating the business relationship with the reported customer may tip off the person. Thus, the regulated entities are required to avoid tipping off by delaying the transaction until the entity has received any recommendation, feedback, or additional information request from the Financial Intelligence Unit (FIU).
  • Delay Internal Approval Process: The regulated entities can delay the processing of the transaction by informing the customer that it is pending due to the internal approval process, rather than disclosing that the entity is awaiting feedback from the FIU or that it is reconsidering the decision to engage with the person on account of an observed red flag. For example, the regulated entity may inform the customer that the delay has occurred because their transaction is under review as part of the internal compliance process, which includes verifying the information and obtaining the necessary internal approval.
  • Increase Paperwork: The regulated entities can avoid tipping off by informing the customer that the paperwork has been misplaced and needs to be resubmitted. This process may take some time, during which the FIU may respond or provide further guidance around the reported suspicion.
  • Demand Additional Information: The regulated entities can ask for additional information or documents like more identification documents or bank documents for verification, thereby delaying the execution of the transaction or trying to create botheration for the customer, which may result in the customer withdrawing from the proposed transaction.
  • Any Other Reason: Apart from the above-mentioned reasons, regulated entities can make other excuses, such as the delay being caused by a technical glitch that might take some time to resolve or that the business relationship cannot be continued on account of commercial reasons or that the fees/charges need re-negotiation.

General Do’s and Don’ts to Avoid Tipping-Off

There are certain general Do’s and Don’ts, discussed below, that all Regulated Entities can adopt in their daily operations:

Do’s to Avoid Tipping Off

  • Report Suspicious Transactions Confidentially: Regulated entities are required to report suspicious transactions while maintaining the confidentiality of both the reporting act and the information being reported. This protects the essential purpose STR serves in combating financial crimes.
  • Formulation of Proper Protocols and Controls Within AML/CFT Policy and Procedures To Prevent Tipping Off: Regulated entities need to formulate the guiding principles, protocols, and controls regarding the confidentiality of STR within their AML/CFT Policy and Procedures. Moreover, policies should also talk about staff training, which needs to be documented and approved by senior management.
  • Training The First Line of Defence to Avoid Tipping Off: The first line of defence is the employees who directly interact with customers. Training them on cases of suspicious transactions, the questions they have to ask customers, and the information that must not be disclosed helps minimise the risk of breaching the no-tipping-off requirement.

Don’ts to Avoid Tipping Off

  • Disclosing an Ongoing Investigation to the Customer: Disclosing information about an ongoing investigation to the customer breaches the no-tipping-off obligation, resulting in a regulatory fine and/or imprisonment for the employees of the regulated entity and for the regulated entity itself. To prevent this, the Company must ensure that customer communication after reporting is handled by an expert compliance team member who understands the tipping-off risk.
  • Discuss AML Reports With Anyone: The information about STR should not be discussed with anyone unless such information is necessary for the recipient to discharge their official duties within DNFBPs or its affiliated groups entrusted with the identification and prevention of ML/FT and PF risk.

Best Practices to Avoid Tipping Off a Customer Through Strengthening Internal Controls Within the Regulated Entity

  • Establish AML/CFT policies, procedures and controls by identifying the situations that may lead to tipping off and applying the control measures to prevent it.
  • Maintain robust security practices, such as an electronic document storage system with strong password protection, to prevent information leakage and restrict access to such confidential information to authorised personnel only.
  • Maintain the customer files and documents with digital user verification and password protection to avoid easy access to customer files by unauthorised personnel within the organisation, leaving an audit trail.
  • Apply internal controls appropriate for business, such as restricting the sharing of information to only those who have a genuine need to know.
  • Balance the obligations of data privacy and protection with the requirement to file STRs involving disclosure of only the necessary information to authorities while ensuring the protection of the customer’s personal data, as discussed in the context of lawyers and accountants.
  • When appointing a third party to undertake Customer Due Diligence (CDD) measures, the regulated entity should consider the internal controls deployed by the third party to prevent tipping off.
  • Formulate policies that outline the terms and conditions for sharing information with the customers by clearly identifying situations where sharing information could constitute tipping off and specifying the circumstances in which sharing of the specified information is restricted.
  • Provide staff training, particularly those in the first line of defence, on how to maintain the confidentiality of STR filings and the necessary steps to avoid tipping off.
  • Use legally enforceable agreements when disclosing confidential information to third-party employees.
  • Clearly define the penal consequences an employee may face in case of tipping off and communicate the same to all the employees within the organisation.

Suggestions to Avoid Tipping Off

Establishing robust AML compliance procedures requires DNFBPs to have a checklist to avoid tipping off. Any regulated entity’s AML Compliance Officer can refer to the suggestions mentioned below and use them as their checklist to rule out potential breaches of the tipping-off obligations by taking remedial measures.
  • Does the person handling the customer communication understand the requirement of “No Tipping Off”?
  • Did any activity, event, or communication take place with the customer from which it could be inferred that the AML compliance team has filed or is going to file an STR?
  • Did any activity, event, or communication take place with the customer informing that the regulated entity received notice from the FIU for additional information?
  • Did any activity, event, or communication take place with the customer regarding suspicion of their involvement in ML/FT or PF-related transactions?
  • Do the customer-facing team and the AML compliance team follow the AML/CFT Policies and Procedures in place, including the protocols to avoid tipping off?
  • Has the transaction processing been delayed with reasonable justification given to the customer or rejected on commercial grounds?

Tipping Off & Robust Regulatory Reporting: A Final Thought

Avoiding tipping off and establishing robust regulatory reporting is essential for complying with the AML/CFT obligations. By establishing clear policies and procedures and conducting proper training, regulated entities can ensure that they meet the regulatory requirements.

Securing Capital Markets against Financial Crime Risks

Capital Markets provide platforms where buyers and sellers trade stocks, bonds, and other financial assets, fuelling economic growth by connecting businesses with investors. However, these markets are vulnerable to exploitation by financial criminals. In this blog, we will examine Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF) measures for securing capital markets against financial crime risks.

Let us begin by first understanding the meaning of capital markets.

What Are Capital Markets?

Capital Markets connect those who need capital and those who have capital and want to invest the same. Capital markets thus facilitate economic growth. Entities operating in the capital market sector offer various types of products and services, such as:
  • securities and commodities brokerage,
  • investment advice and management,
  • securities consultation and analysis,
  • fund service businesses,
  • exchanges, depository services, etc.

These products and services encourage investment. In UAE, the capital market sector is supervised by the Securities and Commodities Authority (SCA). It is the apex authority in-charge of overseeing and regulating the capital markets in the UAE. This includes monitoring the AML/CFT/CPF compliance of Financial Institutions operating within the UAE’s capital markets. However, there’s an exception to this – the Financial Services Regulatory Authority (FSRA) and the Dubai Financial Services Authority (DFSA) oversee the operations of the capital market players registered and operating from the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), respectively.

Now, let us discuss exactly which types of Financial Institutions operating in the capital market are subject to and regulated under the AML/CFT/CPF regime of the UAE.

Financial Institutions Operating in Capital Markets that Are Regulated under AML/CFT/CPF Regime of UAE

Under Cabinet Decision No. (10) of 2019, the following types of financial activities or operations are relevant in the context of Capital Markets:
  • Providing Monetary brokerage services
  • Engaging in securities transactions, issuing securities, providing financial services related to issuing of securities, finance, and finance leasing
  • Trading, making investments in, operating or managing:
    • Assets
    • Options contracts
    • Future financial contracts
    • Exchange and interest rate transactions
    • Financial derivatives
    • Negotiable financial instruments
  • Providing custody of funds services
  • Management of investment and other types of funds and portfolios
Further, the SCA regulates the following categories of entities:

Category 1: Entities Dealing in Securities

This category includes trading and clearing brokers, global market trading brokers, trading brokers of OTC derivatives, OTC commodities contracts, currencies in spot market, financial products dealers, etc.

Category 2: Entities Dealing in Investments

These entities include those involved in investment fund management, family business investment management, portfolio management, fund administration, profit sharing investment account management, etc.

Category 3: Entities Dealing in Custody, Clearing, and Registration

These include custody, general clearing, issuer of covered warrants, depository bank of depository receipts, depository bank agents of depository receipt, registrar of private joint stock companies, etc.

Category 4: Credit Rating Agencies

Category 5: Entities Dealing in Arrangement and Advice

These include entities such as financial consulting, financial advisor, listing adviser, introducing services, promotion services, etc.

Category 6: Crowdfunding Platform Operators

Category 7: Virtual Assets Services Providers

This category includes entities engaged in virtual asset brokerage and custody of virtual assets. VASPs operate as a distinct category of regulated entities under the AML, CFT, CPF, and TFS regime of the UAE, alongside Financial Institutions and Designated Non-Financial Businesses and Professions (DNFBPs).

Therefore, all Financial Institutions licensed by the SCA and carrying out any of the financial transactions or activities associated with the capital market listed under Cabinet Decision No. 10 of 2019 are regulated under the AML/CFT/CPF regime of the UAE.

Now, let us understand why capital markets are vulnerable to financial crimes, highlighting why Financial Institutions operating in the capital markets of UAE need strong AML/CFT/CPF compliance programs.

Why are Financial Institutions in the Capital Market Sector Vulnerable to Financial Crime Risks

Capital markets provide access to the financial system. Certain characteristics of the capital market make it susceptible to criminals seeking to commit financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). These characteristics include the following:

Large Volume and Value of Transactions:

Financial Institutions operating in the capital markets process an enormous volume of transactions daily, often involving substantial sums of money. The large volume and value of transactions make monitoring difficult, allowing illicit activities to sometimes go undetected.

Rapid Execution of Transactions:

Transactions in the capital market are executed at high speed, often within seconds or minutes. This rapid movement of funds makes it challenging for Financial Institutions to detect and intervene in real-time. Financial criminals often exploit this feature to quickly transfer dirty money before suspicious patterns are identified.

Involvement of Multiple Intermediaries:

Transactions conducted in the capital markets often involve a complex network of intermediaries, including brokers, investment funds, custodians, and clearing houses. This fragmentation of transactions provides anonymity to financial criminals, as no single intermediary has full visibility of the entire audit trail of the transaction. This lack of oversight enables illicit fund movements.

Complexity of Financial Transactions, Instruments, and Products:

Capital markets provide a wide range of financial products and services, such as derivatives, bonds, multiple types of securities, investment options, etc. Criminals exploit these sophisticated instruments offered by Financial Institutions to create intricate money trails that make it difficult to track and trace illicit funds.

High Liquidity:

The high liquidity of capital market instruments allows assets to be quickly converted into cash or other financial instruments. This makes it easier for criminals to integrate illicitly gained funds into the formal economy.

Movement of Capital across Various Geographies:

The capital market is global, with funds moving across different jurisdictions and financial systems. Cross-border transactions make it difficult to detect ML/TF/PF risks, monitor suspicious activities, and adopt appropriate risk mitigation measures.

Pre-Emptive Detection of ML/TF/PF is Challenging:

Financial criminals often structure transactions in a way that makes them appear legitimate at face value. This makes it difficult for Financial Institutions to proactively identify illicit activities before they occur. By the time suspicious patterns emerge, the funds may have already been moved.

Lack of Visibility of the Entire Chain of Transactions:

The sophisticated nature of capital market transactions, coupled with the use of intermediaries, makes it difficult to keep track of the entire chain of transactions. This lack of visibility hinders the detection of ML/TF/PF risks.

These characteristics make Financial Institutions in the Capital Market Sector in the UAE vulnerable to financial crime risks. Now, let us discuss the common financial crime typologies that criminals misuse to conduct ML/TF/PF through Financial Institutions.

Financial Crimes Through Capital Markets: Common Typologies

To effectively detect and prevent the misuse of capital markets for financial crimes, Financial Institutions operating in the capital market must stay informed about common and emerging ML/TF/PF typologies. These typologies include the following:

“Free of Payment” Movement of Securities:

Free of payment movement is essentially a transfer of securities and other capital market instruments without any corresponding payments. It is used to conduct ML/TF/PF by creating layers of transactions. For example, criminals may transfer securities between multiple trading accounts through the services of many brokers across different jurisdictions without any payment, making it difficult to trace the original source of funds. Each broker that facilitates these transactions may have limited visibility regarding the entire audit trail, making it difficult to detect the financial crime involved.

Cash-Based Money Laundering:

While capital markets are not usually considered a cash-intensive sector, financial criminals often try to place illicitly sourced cash in trading accounts and quickly move it through multiple securities trading accounts to avoid detection. Often the trading accounts are held with different Financial Institutions, each of which therefore has limited visibility of the entire trail of transactions.

Mirror Trading:

Mirror trading can be exploited for financial crimes by executing identical buy and sell transactions across different jurisdictions through two connected individuals. To brokers in separate countries, these individuals may appear unrelated. A criminal may deposit illicit funds into a brokerage account and simultaneously buy securities in one country while selling them in another (as only these two transactions match each other and are settled at the prices determined by these two connected parties). Since the trades cancel each other out, there is no market risk, but the money appears as a legitimate trade transaction. This technique effectively launders illicit funds across borders and disguises their origin.

Wash Trading:

In this typology, a trader buys and sells the same financial asset at nearly identical prices to give the trading activity an appearance of legitimacy. Despite the trading activity, no market risk is assumed, and the financial criminal’s market position remains unchanged.

Parking:

In this typology, a person transfers assets to another, often without any legitimate reason or economic rationale, with an understanding that the person will repurchase the same later.

Using Illiquid Securities:

Financial criminals often make use of illiquid securities to conduct financial crimes. Illiquid securities are those assets that do not have a real market, or are low volume, or are of obscure companies, etc. Illiquid securities are used because their prices can be easily manipulated. Trading in illiquid securities is conducted to move around illicitly gained funds.

The typologies discussed in the above section can be detected pre-emptively through red flags that indicate financial crime risks. Let us now discuss these red flags.

Red Flags Indicating Financial Crime Risks in Capital Markets

  • False or Misleading Information: The customer gives Financial Institutions false, misleading, or incorrect information
  • One Directional Transactions: The customer has some accounts mainly for deposits and other accounts primarily for outgoing payments in relation to securities trading activities
  • Customer Hesitant to Provide CDD Information: The customer is hesitant or declines to provide Financial Institutions with CDD information such as Source of Funds or Source of Wealth
  • Frequent and Small Deposits: The customer frequently deposits small amounts of cash, which are later used to buy a specific securities product that is quickly sold or redeemed
  • Third-Party Involvement: The customer’s account receives deposits from third parties, which corresponds to outgoing transfers to other third parties
  • Trading in Securities not in the Name of the Customer: The security, bonds, or any other capital market instrument that the customer seeks to trade, or deposit is not in the customer’s own name.
  • Parties to the Transaction are Interconnected: On each side of a trading transaction, the parties are interconnected, have the same UBOs, business transactions, personnel, etc.
  • No Economic Rationale: The trading strategies of the customer have no economic rationale or logical reason, and the transactions seem irrational. For example, the customer is making a loss, trading at a value below market price, redeeming long-term funds within a short span of time, etc.
  • Transactions in Quick Succession: Customers conduct transactions in quick succession in a short span of time
  • Circumventing De-Risking: Previous customers of the Financial Institutions seek to reapply and seek services of the entity through a different legal person in order to circumvent de-risking or client exit measures adopted by the Financial Institutions for those previous customers.
  • Misalignment with Known Customer Profile: The transaction does not match the customer’s profile, trading history, and trading position. Customer uses denominations or amounts of currencies that do not align with their profile
  • Rapid Change in Customer Details: There may be small but quick changes in CDD details of the customer such as address, directors, Ultimate Beneficial Owners (UBOs), etc.
  • Funding Patterns Are Abnormal: The customer’s account receives funds from third parties with no apparent connection to the customer, or the deposits are done through multiple payment methods, significant funds received in a short time, etc. For example, the customer deposits a significant sum of money in small-denomination currency to fund the account or purchase securities
  • Trading Account Linked to Many Devices: The customer’s trading account is accessed from multiple devices, such as PCs and different mobile handsets with distinct International Mobile Equipment Identity (IMEI) numbers.
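As an added example (not part of the original post), the following Python script screens a handful of constructed trade and cash records against the wash-trading typology and several of the red flags listed above (interconnected parties, one-directional accounts, frequent small deposits). The record fields and the thresholds are assumptions made for illustration, not figures from the guidance.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Trade:
    account: str           # trading account that placed the order
    ubo: str               # ultimate beneficial owner behind the account
    instrument: str
    side: str              # "BUY" or "SELL"
    qty: int
    price: float
    ts: datetime
    counterparty_ubo: str  # UBO on the other side of the trade, where known

@dataclass
class CashMove:
    account: str
    owner: str             # customer that holds the account
    direction: str         # "IN" (deposit) or "OUT" (outgoing payment)
    amount: float
    ts: datetime

# Assumed thresholds; a real programme would calibrate these through its EWRA.
WASH_WINDOW = timedelta(hours=24)
WASH_PRICE_TOL = 0.005   # 0.5 % counts as a "nearly identical" price
SMALL_DEPOSIT = 2_000.0
SMALL_DEPOSIT_COUNT = 3
SMALL_DEPOSIT_WINDOW = timedelta(days=7)

def wash_trades(trades):
    """Wash trading: one account buys and sells the same quantity of one
    instrument within WASH_WINDOW at nearly identical prices (no market risk)."""
    by_key = defaultdict(list)
    for t in trades:
        by_key[(t.account, t.instrument)].append(t)
    hits = set()
    for (acct, inst), legs in by_key.items():
        for b in (l for l in legs if l.side == "BUY"):
            for s in (l for l in legs if l.side == "SELL"):
                if (abs(s.ts - b.ts) <= WASH_WINDOW and b.qty == s.qty
                        and abs(s.price - b.price) / b.price <= WASH_PRICE_TOL):
                    hits.add((acct, inst))
    return sorted(hits)

def connected_counterparties(trades):
    """Interconnected parties: both sides of a trade share the same UBO."""
    return [(t.account, t.instrument, t.ubo)
            for t in trades if t.ubo == t.counterparty_ubo]

def one_directional_accounts(cash):
    """One owner keeps an account used only for deposits and another used
    only for outgoing payments."""
    dirs = defaultdict(lambda: defaultdict(set))
    for c in cash:
        dirs[c.owner][c.account].add(c.direction)
    hits = []
    for owner, accts in dirs.items():
        in_only = sorted(a for a, d in accts.items() if d == {"IN"})
        out_only = sorted(a for a, d in accts.items() if d == {"OUT"})
        if in_only and out_only:
            hits.append((owner, in_only, out_only))
    return hits

def frequent_small_deposits(cash):
    """At least SMALL_DEPOSIT_COUNT deposits of SMALL_DEPOSIT or less into one
    account inside SMALL_DEPOSIT_WINDOW (sliding window over sorted times)."""
    stamps = defaultdict(list)
    for c in cash:
        if c.direction == "IN" and c.amount <= SMALL_DEPOSIT:
            stamps[c.account].append(c.ts)
    hits = []
    for acct, ts in stamps.items():
        ts.sort()
        for i in range(len(ts) - SMALL_DEPOSIT_COUNT + 1):
            if ts[i + SMALL_DEPOSIT_COUNT - 1] - ts[i] <= SMALL_DEPOSIT_WINDOW:
                hits.append(acct)
                break
    return hits

def screen(trades, cash):
    """Run every rule and return the alerts keyed by red flag."""
    return {"wash_trades": wash_trades(trades),
            "connected_counterparties": connected_counterparties(trades),
            "one_directional_accounts": one_directional_accounts(cash),
            "frequent_small_deposits": frequent_small_deposits(cash)}

# Constructed sample records (not real data). ACC-3's round trip is a
# legitimate-looking negative case: six days apart and a 12 % price move.
TRADES = [
    Trade("ACC-1", "U-A", "XYZ", "BUY", 1000, 10.00, datetime(2025, 3, 3, 9, 0), "U-B"),
    Trade("ACC-1", "U-A", "XYZ", "SELL", 1000, 10.02, datetime(2025, 3, 3, 11, 30), "U-C"),
    Trade("ACC-2", "U-B", "ABC", "BUY", 500, 50.00, datetime(2025, 3, 4, 10, 0), "U-B"),
    Trade("ACC-3", "U-C", "ABC", "BUY", 200, 49.00, datetime(2025, 3, 4, 10, 5), "U-A"),
    Trade("ACC-3", "U-C", "ABC", "SELL", 200, 55.00, datetime(2025, 3, 10, 14, 0), "U-B"),
]
CASH = [
    CashMove("ACC-4", "U-D", "IN", 1500.0, datetime(2025, 3, 1)),
    CashMove("ACC-4", "U-D", "IN", 1800.0, datetime(2025, 3, 2)),
    CashMove("ACC-4", "U-D", "IN", 1200.0, datetime(2025, 3, 3)),
    CashMove("ACC-5", "U-D", "OUT", 4000.0, datetime(2025, 3, 5)),
]
```

Each alert is only an indicator for analyst review; in practice the thresholds would be tuned to the institution's own customer base so that ordinary round trips such as ACC-3's do not fire.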
Having understood how financial criminals exploit capital markets, and how financial crimes can be detected through the common typologies and red flags, let us now discuss the AML/CFT/CPF measures that Financial Institutions operating in the capital markets can take to strengthen their defence against financial crimes.

AML/CFT/CPF Measures for Financial Institutions Operating in Capital Markets: Challenges and Best Practices

Financial Institutions, DNFBPs, and VASPs are regulated under the AML/CFT/CPF regime of the UAE and need to adhere to certain compliance obligations. We have detailed these obligations in an easy-to-understand infographic on AML Compliance Requirements in the UAE.

Let us now discuss and focus on specific AML/CFT/CPF measures, challenges in their implementation, and best practices to conduct them effectively, specifically for financial institutions operating in the capital markets.

Enterprise-Wide Risk Assessment (EWRA)

Financial Institutions operating in the capital markets are exposed to financial crime risks, both directly through the transactions undertaken by their customers and indirectly through the ML/TF/PF risks emanating from the customers themselves. EWRA helps in assessing these risks at an institutional level, facilitating the adoption of a proportionate and effective ML/TF/PF risk management system and controls suited to the nature and size of the business.

Challenges Contributing to the Ineffective Implementation of EWRA:

  • Adopting Generic EWRA: Financial Institutions may use generic or template EWRA or fail to fully assess the specific financial crime risks they face due to their specific business model. As a result, there may be a lack of awareness across the entity about how criminals could exploit them, leaving a few vulnerabilities unidentified and unattended.
  • Not Defining EWRA Methodology: Failing to define an EWRA methodology weakens a Financial Institution’s ability to identify and mitigate ML/TF/PF risks. Without a structured approach, EWRA may become inconsistent, emerging threats may go unnoticed, and resources invested in AML/CFT/CPF compliance processes may be misallocated.
  • Not Updating EWRA when ML/TF/PF Risk Exposure Changes: ML/TF/PF risk exposure of the Financial Institutions may change due to many reasons, such as the introduction of new financial products, expansion of business to other countries, etc. When Financial Institutions do not update their EWRA to incorporate ML/TF/PF risk exposure arising from their changed circumstances, it may lead to the adoption of inadequate risk mitigation measures, which in turn may lead to failure in preventing financial crimes.
  • Not Considering How EWRA Feeds into ML/TF/PF Controls: The risks assessed through EWRA must translate into the risk controls adopted by the Financial Institution. When this is not done, the risk control measures adopted are neither relevant nor adequate to mitigate the specific ML/TF/PF risks to which the Financial Institution is exposed.

Best Practices for Effective Implementation of EWRA:

  • Adopting Tailored and Relevant EWRA: EWRA should be customised to assess the actual ML/TF/PF risks a regulated entity is exposed to. It must take into consideration the ML/TF/PF risks emanating from the customer base of the Financial Institution, the geographies it operates in, its own products and services, the delivery channels used, the transactions it is exposed to, etc. It must also assess the financial crime typologies it is vulnerable to and adopt necessary controls accordingly. EWRA must also incorporate a red flag analysis to ensure that ML/TF/PF typologies are detected and dealt with.
  • Clearly Documenting EWRA Methodology: A clear, documented methodology ensures consistency and enhances ML/TF/PF risk detection capabilities of the Financial Institution. The methodology must include both qualitative and quantitative assessment parameters.
  • Defining Triggers and Updating EWRA when They Occur: Financial Institutions should define scenarios that would trigger a need to update their EWRA. Whenever these triggers occur, the financial crime risk exposure of the Financial Institutions changes, and therefore, EWRA must be updated to incorporate the ML/TF/PF risks emanating from such incidents. These triggers include incidents such as the Financial Institutions introducing new products, the Financial Action Task Force (FATF) updating its Grey List, etc.
  • Ensuring that ML/TF/PF Risks Assessed through EWRA are Mitigated through Appropriate Controls: Adopting proportional and relevant risk controls based on the particular risk exposure of a Financial Institution is the very essence of a risk-based approach. The risks assessed through the EWRA must be mitigated through the Financial Institution’s AML/CFT/CPF Policies, Procedures, and Controls.

Customer Due Diligence (CDD)

Customer Due Diligence (CDD) is the process of understanding the identity of a customer, the ML/TF/PF risks emanating from them, and adopting risk-based ML/TF/PF controls to manage these risks.

Challenges Contributing to the Ineffective Implementation of CDD:

  • Not Documenting Information on Expected Account Activity and Client’s Expectations: One of the challenges in implementing effective Customer Due Diligence (CDD) is the failure to document expected account activity and client expectations. Without a clear record of how an account is expected to function, Financial Institutions may struggle to identify unusual transactions that may indicate financial crime risks.
  • De-Risking in a Wholesale Manner without Considering ML/TF/PF Risks: Some Financial Institutions restrict services to entire customer groups without properly conducting ML/TF/PF risk assessment for them. Effective risk management requires a targeted, risk-based approach rather than broad de-risking measures. Simply cutting off services without sufficient rationale can lead to unintended consequences such as financial exclusion and regulatory non-compliance.
  • Not Re-conducting CDD when Customer’s Circumstances Change: CDD is not a one-time process; it must be dynamic and responsive to changes in a customer’s profile. If a customer’s CDD information undergoes changes, such as a change in ownership, business structure, transaction patterns, etc., but the Financial Institution does not conduct a fresh CDD review, the Customer Risk Assessment (CRA) may be incomplete, resulting in the adoption of inadequate ML/TF/PF control measures for the customer.
  • CDD Review is Conducted in an Alphabetical Manner and not a Risk-Based Manner: Some Financial Institutions may conduct periodic CDD reviews in a systematic but ineffective manner, such as reviewing customers alphabetically rather than based on the degree of ML/TF/PF risks they pose. This method does not prioritise high-risk clients, leaving potential financial crime risks undetected for extended periods.

Best Practices for Effective Implementation of CDD:

  • Collecting Adequate Information on Expected Account Activity and Client’s Expectations: Financial Institutions operating in capital markets usually offer financial services geared toward investments and trading in securities. Their clients may have certain expectations as to their account activity and expected returns. Financial Institutions should understand the same to ensure that any mismatch is identified in the future.
  • Creating a Matrix of AML Requirements for Each Customer Type Based on Risk-Based Approach: A one-size-fits-all approach is ineffective in AML/CFT/CPF compliance. Financial Institutions should develop a structured matrix, questionnaire, or checklist outlining specific AML/CFT/CPF tasks that need to be completed for each customer based on different customer types and their associated ML/TF/PF risk levels. This risk-based approach allows for improved efficiency and ensures the optimum allocation of resources.
  • Conducting Periodic Review of CDD in a Risk-Based Manner: Regular CDD reviews are important for maintaining up-to-date customer risk profiles. Financial Institutions should establish triggers for periodic reviews, such as extended periods of non-trading, changes in account activity, updates in regulatory requirements, Financial Action Task Force’s Grey List or Blacklist updates, etc. Further, for periodic reviews, risk-based approach should drive the review schedule, ensuring that high-risk customers receive more frequent and thorough CDD reviews than low-risk ones.
  • Clearly Defining CRA Parameters, Methodology for Calculating Risk Scores and Overrides: A well-defined Customer Risk Assessment methodology is important for consistency and accuracy in the evaluation of the ML/TF/PF risks each customer poses to a Financial Institution. Therefore, Financial Institutions should establish clear parameters for assessing financial crime risk, document the methodology for calculating risk scores, and outline procedures for overriding default CRAs where justified. Further, Financial Institutions should tailor their CRA methodologies to include parameters specific to capital markets, such as trading behaviours and investment patterns. This enhances the effectiveness of ML/TF/PF risk management for Financial Institutions.

Transaction Monitoring and Reporting Suspicious Transactions

Financial Institutions operating in the capital markets need to report suspicious activities and transactions by filing Suspicious Activity Report (SAR) and Suspicious Transaction Report (STR) with UAE’s Financial Intelligence Unit (FIU).

Challenges Contributing to Ineffective Implementation of Transaction Monitoring and STR/SAR Reporting Mechanisms:

  • Conducting Transaction Monitoring Manually: Manual transaction monitoring poses challenges for Financial Institutions, including difficulty in assessing and applying relevant transaction monitoring rules and insufficient resources to review suspicious transactions effectively. These factors can lead to inefficiencies, increased operational costs, and potential compliance risks, which hinder the Financial Institution’s ability to manage large volumes of transactions.
  • Mismatch between Increase in Volume of Trade and Scalability of Transactions Monitoring Solution: A mismatch between transaction monitoring capacity and trade volumes undertaken by the Financial Institutions can create risks of AML non-compliance. Financial Institutions may fail to upgrade their transaction monitoring systems in line with their business expansion, leading to them being overloaded and causing delays in detecting suspicious transactions. This issue becomes aggravated when Financial Institutions rely on outdated technologies or systems that cannot handle large datasets efficiently.
  • Not Utilising Capital Market Specific Transaction Monitoring Rules: When Financial Institutions utilise generic transaction monitoring rules that do not give sufficient importance to capital market-specific risks, they reduce their suspicious transaction detection capabilities. Without industry-specific rules, Financial Institutions may fail to detect complex financial crime typologies that target capital markets.
  • Not Considering Contextual Information while Monitoring Transactions: Often, transactions may not appear suspicious when considered on their own, without assessing them in the context of the customer’s KYC information, CRA profile, screening results, changes in Ultimate Beneficial Owners (UBOs), etc. This results in suspicious transactions escaping notice.
  • Transaction Monitoring Systems are not Regularly Reviewed: Transaction monitoring systems require periodic reviews and vulnerability assessments to ensure they remain effective in detecting financial crime risks. Failure to assess the adequacy of transaction monitoring systems regularly may lead to outdated detection mechanisms that use ineffective rules and thresholds, produce excessive false positives, etc.
  • Knowledge Gained Through Transaction Monitoring Not Fed Back into EWRA, Controls, and Staff Training: A key challenge is the failure to integrate insights gained from transaction monitoring into EWRA, internal controls, and staff training. Transaction monitoring generates valuable intelligence on patterns of financial crime, their red flags, and typologies. If these insights are not used to refine the existing EWRA, financial crime controls, and staff training, the AML/CFT/CPF measures adopted by the Financial Institution will remain outdated, inefficient, and static, increasing the likelihood of financial crimes slipping through the cracks.
  • Not Documenting Transaction Monitoring Alerts in a Customer’s Profile: Whenever a suspicious transaction alert related to a customer is generated, it must be recorded in the customer’s profile. When alerts are not stored against customer profiles, Financial Institutions may find it difficult to track the history of red flags of suspicious behaviour over time.

Best Practices for Effective Implementation of Transaction Monitoring and STR/SAR Reporting Mechanisms:

  • Utilising Scalable and Customised Transaction Monitoring Software: Financial Institutions should invest in advanced transaction monitoring software that is scalable and tailored to the capital market sector. AI-driven and machine-learning enabled systems can help detect unusual patterns, even in complex transactions involving sophisticated financial instruments. These solutions should have the ability to scale with business growth and volume of transactions. Additionally, implementing real-time monitoring capabilities enables firms to detect suspicious transactions promptly and take immediate action on submitting STR or SAR.

  • Defining and Utilising Risk-Based Transaction Monitoring Triggers: To improve detection capabilities, transaction monitoring rules should be customised based on the specific risks associated with different clients, products, and services. For example, customers engaging in high-frequency trading may require different monitoring parameters than customers opting for long-term investment funds.
  • Monitoring Transactions in a Contextual Manner: Effective transaction monitoring goes beyond the simple analysis of transactions and investigation of alerts; it requires evaluating activities in the broader context of customer risk profiles, historical behaviour, KYC data, screening results, etc. By doing so, Financial Institutions can improve their capability to detect sophisticated financial crime typologies that may not be apparent from the transactions alone.
  • Regularly Reviewing Transaction Monitoring Software: Transaction monitoring systems should undergo periodic reviews and vulnerability assessments to assess the effectiveness of transaction monitoring rules and thresholds, and overall system performance. Updates should be made in response to new regulatory requirements, emerging financial crime typologies and red flags, changes in the Financial Institution’s financial crime risk exposure, etc.
  • Incorporating Knowledge Gained Through Transaction Monitoring Into EWRA, Controls, and Staff Training: Financial Institutions should establish a feedback loop that integrates insights and knowledge gained through transaction monitoring into their EWRA, internal controls, and staff training programs. By doing so, they can continuously improve the effectiveness of their AML/CFT/CPF Program. Transaction monitoring alerts and their resolution can also provide case studies for training staff members on the practical aspects of detecting financial crime risks.
  • Documenting Transaction Monitoring Alerts in Customer’s Profile: Transaction monitoring alerts related to a customer should be documented in that customer’s profile. Systematically storing alerts, and the investigation conducted to resolve them, ensures that Financial Institutions build valuable data on customer behaviour. This helps in tracking patterns of suspicious transactions over time.

AML/CFT/CPF Staff Training

AML/CFT/CPF Training for staff of the Financial Institutions operating in capital markets ensures that each employee understands their role in the AML/CFT/CPF Program of the Financial Institutions and performs their responsibility properly.

Challenges Contributing to Ineffective Implementation of AML/CFT/CPF Staff Training:

  • Conducting Generic AML/CFT/CPF Training: One of the most prevalent deficiencies in AML/CFT/CPF training is the use of generic, one-size-fits-all training programs. Many Financial Institutions rely on broad-based modules that fail to address the specific financial crime risks faced by the Financial Institution.
  • Not Conducting Role-Based Training: Financial Institutions often fail to tailor their AML/CFT/CPF training to different employee roles and responsibilities. Effective training programs must differentiate between front-line employees, compliance officers, risk managers, senior management, and other stakeholders.
  • Not Compiling and Incorporating Near-Miss Data: A major oversight in AML/CFT/CPF training programs is the failure to analyse and incorporate near-miss incidents, i.e., cases where financial crimes almost occurred but were ultimately prevented. Near-miss data is a valuable resource for refining training strategies and improving employees’ ability to detect and respond to suspicious activities.
  • Not Regularly Testing the Effectiveness of Training: Even when AML/CFT/CPF training is conducted, Financial Institutions often neglect to assess its effectiveness. Without regular testing and evaluation, it is difficult to determine whether employees have truly learned key concepts and can apply them while performing their roles.

Best Practices for Effective Implementation of AML/CFT/CPF Staff Training

  • Tailoring Training to the Financial Institution’s Needs: Each Financial Institution has a different business model, ML/TF/PF risk exposure, products and services, size, customer-base, etc. Training should be tailored, keeping in mind the specific characteristics and needs of the business.
  • Conducting Role-Specific Training: Role-specific training ensures that each employee understands their specific responsibilities in the AML/CFT/CPF program of the Financial Institutions properly and executes the same effectively.
  • Using Near-Miss Data to Improve Training: A near-miss is an incident that could have resulted in issues such as non-compliance, missing the attempted ML/TF/PF activity, etc., but did not result in the same. These incidents must be reported to ensure continuous improvement in the AML/CFT/CPF compliance function of the Financial Institutions. Financial Institutions should ensure that data regarding these near-misses are incorporated into training material so that the likelihood of them occurring reduces or the possibility of their timely prevention by the staff increases.
  • Testing the Effectiveness of Training: The effectiveness of staff training should be checked through measures such as tests, quizzes, spot checks, feedback, etc.

AML/CFT/CPF Governance and Oversight

The AML/CFT/CPF measures discussed are important components of AML/CFT/CPF Policies, Procedures, and Controls. These measures need proper governance and oversight to ensure their proper functioning.

Challenges Contributing to Ineffective Implementation of Governance and Oversight Mechanisms

  • Not Inculcating a Culture of AML/CFT/CPF Compliance: Financial Institutions may struggle to instill a culture of AML/CFT/CPF compliance due to a lack of commitment from senior management, insufficient training, and failure to integrate AML/CFT/CPF compliance into everyday operations. This may result in risks of non-compliance.
  • Not Documenting Senior Management Decisions and Discussions: Financial Institutions may fail to document management discussions and decisions related to AML/CFT/CPF compliance. Without proper documentation, it becomes difficult to track compliance discussions, ensure accountability for decision-making, or communicate the decisions to the employees of the Financial Institutions. This lack of documentation can also result in an inability to audit past compliance actions effectively.
  • Not Having Open Communication Channels in Place: The absence of open communication channels hinders the timely escalation of ML/TF/PF risks. Employees may be hesitant to report suspicious transactions due to fear of retaliation or unclear reporting structures.
  • Not Having Proper Mechanisms to Address Possible Conflicts of Interest: Conflicts of interest can undermine the integrity of AML/CFT/CPF measures. Financial Institutions that lack mechanisms to identify, report, and prevent conflicts of interest may find themselves vulnerable to ML/TF/PF risks. For example, if an employee of a Financial Institution is in any way related to a customer, such a conflict of interest may be exploited by financial criminals and must therefore be prevented.

Best Practices for Effective Implementation of Governance and Oversight Mechanisms

  • Setting an AML/CFT/CPF Compliance Culture: To establish a strong culture of AML/CFT/CPF compliance, the senior management of the Financial Institution should lead by example by emphasising the importance of compliance through consistent messaging and actions. Such a culture leads to an atmosphere where AML/CFT/CPF compliance is prioritised throughout the organisational structure of the Financial Institution. Other methods, such as AML/CFT/CPF training for employees, AML/CFT/CPF program evaluations through regular audits, etc., also facilitate establishing a strong compliance culture.
  • Properly Documenting Senior Management Decisions and Approvals: Comprehensive documentation of Senior Management discussions and decisions related to AML/CFT/CPF compliance ensures internal accountability. This documentation serves as an audit trail, ensuring that decisions related to AML/CFT/CPF compliance are communicated and implemented effectively and can be reviewed when necessary.
  • Setting a Transparent Channel of Communication: Financial Institutions should establish clear and accessible communication channels for any concerns related to AML/CFT/CPF compliance processes. Employees must have designated reporting structures and whistleblower protections to encourage the reporting of suspicious transactions without fear of retaliation.
  • Adopting Mechanisms to Address Conflict of Interests: Effective governance requires financial institutions to proactively identify and address conflicts of interest. Establishing clear policies on conflict disclosure, independent oversight committees, and regular audits can help minimise biased decision-making, reducing the risk of occurrence of ML/TF/PF. Employees should be required to declare potential conflicts of interest. For example, financial criminals may use their connections within the Financial Institutions to influence its AML/CFT/CPF compliance processes for that customer. Having conflict of interest disclosure requirements reduces this risk.

Customer Risk Assessment (CRA) Questionnaire: Sample Parameters That Financial Institutions Can Incorporate

Let us now discuss some Customer Risk Assessment (CRA) parameters that Financial Institutions operating in Capital Markets can incorporate. Giving due weightage to capital market sector-specific CRA parameters helps Financial Institutions operating in capital markets comprehensively and accurately analyse the ML/TF/PF risks emanating from their customers. These parameters can be used in conjunction with general CRA parameters.

Customer-Related CRA Parameters

| CRA Parameter | Yes/No | Observations |
|---|---|---|
| Are there indicators that suggest an unconfirmed suspicion with respect to the customer’s KYC/CDD data? | | |
| Is the customer’s ownership structure complex or unclear? | | |
| Is the customer a legal person that is primarily established to hold or manage personal assets? | | |
| Does the customer have bearer shares issued or involve a nominee shareholding structure? (Bearer shares make ownership structures anonymous or untraceable.) | | |
| Is the customer a cash-intensive company? | | |
| Is the customer’s organisational structure unusual or excessively complex relative to the nature of its business? | | |
| Is the customer a Politically Exposed Person (PEP) or related to a PEP? | | |
| Does the customer’s primary source of income originate from a high-risk country? | | |

Geography-Related CRA Parameters

| CRA Parameter | Yes/No | Observations |
|---|---|---|
| Is the country that the customer or transaction involves a FATF Grey-Listed country? | | |
| Is the country that the customer or transaction involves a FATF Blacklisted country? | | |
| Has the country that the customer or transaction involves been identified by reliable sources, such as the IMF, OECD, etc., as having an ineffective AML/CFT/CPF regime? | | |
| Has the country that the customer or transaction involves been identified by reliable sources as having high levels of corruption, financial crime, or drug trafficking? | | |
| Is the country that the customer or transaction involves subject to United Nations sanctions? | | |
| Is the customer a securities provider acting as an intermediary? | | |

Products/Services Related CRA Parameters

| CRA Parameter | Yes/No | Observations |
|---|---|---|
| Does the product/service have a feature that enables non-disclosure or anonymity of identity? | | |
| Are payments for products/services being received from unidentified individuals or third parties not associated with the customer? | | |
| Is the trading account, or the products/services, being operated or utilised for the benefit of a third person? | | |
| Is the client’s account coded or abbreviated? | | |
| Does the product/service have a geographical reach to high-risk jurisdictions? | | |
| Are the securities being purchased using cash? | | |

Delivery Channels Related CRA Parameters

| CRA Parameter | Yes/No | Observations |
|---|---|---|
| Has the customer been onboarded in a non-face-to-face manner? | | |
| Is the customer engaging with the business through an agent or intermediary? | | |
| If intermediaries are involved, does the intermediary have adequate AML/CFT/CPF systems? | | |
| Is the customer acting on behalf of a third party unrelated to the transaction? | | |

Transactions Related CRA Parameters

| CRA Parameter | Yes/No | Observations |
|---|---|---|
| Do the business relationships or transactions take place indirectly with the client through modern technologies such as electronic signatures? | | |
| Does the transaction involve anonymous or fictitious accounts? | | |
| Does the transaction involve penny/microcap stocks? | | |
| Does the transaction involve payment through new technologies not usually used by the Financial Institution? | | |
| Is the transaction unusually complex? | | |

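The questionnaire above, as an added worked example that is not part of the original blog: a Python risk-scoring routine that weights each Yes answer by category, maps the overall score to a rating, forces a High rating on certain mandatory triggers, and records any override together with its justification and approver, as the CDD best practice on documenting the CRA methodology and overrides calls for. The parameter names paraphrase the questionnaire items; the weights, bands, mandatory triggers and sample answers are constructed assumptions for this example, not prescribed by any regulator.

```python
from dataclasses import dataclass, field

# Weights per questionnaire item, grouped by the page's five CRA categories.
# The weights are constructed assumptions for this illustration only.
WEIGHTS = {
    "customer": {
        "unconfirmed_kyc_suspicion": 3, "complex_ownership": 3,
        "personal_asset_holding_vehicle": 2, "bearer_or_nominee_shares": 4,
        "cash_intensive": 2, "unusual_org_structure": 2,
        "pep_or_pep_related": 4, "income_from_high_risk_country": 3,
    },
    "geography": {
        "fatf_grey_list": 3, "fatf_black_list": 5, "weak_aml_regime": 3,
        "high_corruption_or_crime": 3, "un_sanctions": 5,
        "intermediary_securities_provider": 2,
    },
    "products": {
        "anonymity_feature": 4, "third_party_payments": 3,
        "operated_for_third_person": 3, "coded_account": 3,
        "reach_to_high_risk_jurisdictions": 2, "securities_bought_with_cash": 3,
    },
    "delivery": {
        "non_face_to_face": 2, "via_agent_or_intermediary": 2,
        "intermediary_lacks_aml_controls": 3, "acting_for_unrelated_third_party": 3,
    },
    "transactions": {
        "indirect_via_e_signature": 1, "anonymous_or_fictitious_accounts": 5,
        "penny_or_microcap_stocks": 3, "unfamiliar_payment_technology": 2,
        "unusually_complex": 3,
    },
}
# A Yes on any of these forces a High rating regardless of score (assumed policy).
MANDATORY_HIGH = {"fatf_black_list", "un_sanctions",
                  "anonymous_or_fictitious_accounts", "pep_or_pep_related"}
# (upper bound as % of the maximum score, rating); assumed bands.
BANDS = [(15, "Low"), (35, "Medium"), (101, "High")]

@dataclass
class Assessment:
    customer_id: str
    score_pct: float
    category_pct: dict
    default_rating: str
    final_rating: str
    mandatory_triggers: list
    audit_log: list = field(default_factory=list)

def score_customer(customer_id, answers):
    """answers maps a parameter name to True (Yes) or False (No).
    Unknown parameters are rejected so the documented methodology stays consistent."""
    all_params = {p for cat in WEIGHTS.values() for p in cat}
    unknown = set(answers) - all_params
    if unknown:
        raise ValueError(f"unknown CRA parameters: {sorted(unknown)}")
    category_pct, total, max_total = {}, 0, 0
    for cat, params in WEIGHTS.items():
        got = sum(w for p, w in params.items() if answers.get(p, False))
        cap = sum(params.values())
        category_pct[cat] = round(100 * got / cap, 1)
        total += got
        max_total += cap
    score_pct = round(100 * total / max_total, 1)
    rating = next(r for limit, r in BANDS if score_pct < limit)
    triggers = sorted(p for p in MANDATORY_HIGH if answers.get(p, False))
    if triggers:
        rating = "High"
    return Assessment(customer_id, score_pct, category_pct, rating, rating, triggers)

def override_rating(assessment, new_rating, justification, approver):
    """Manual override of the default CRA: only with a written justification and
    a named approver, never below High when a mandatory trigger is present."""
    if new_rating not in {"Low", "Medium", "High"}:
        raise ValueError("invalid rating")
    if not justification.strip() or not approver.strip():
        raise ValueError("override requires a written justification and an approver")
    if assessment.mandatory_triggers and new_rating != "High":
        raise ValueError(f"cannot downgrade: mandatory triggers {assessment.mandatory_triggers}")
    assessment.audit_log.append({"from": assessment.final_rating, "to": new_rating,
                                 "justification": justification, "approver": approver})
    assessment.final_rating = new_rating
    return assessment

def sample_answers():
    """Constructed questionnaire answers for a hypothetical customer."""
    return {"complex_ownership": True, "fatf_grey_list": True,
            "operated_for_third_person": True, "non_face_to_face": True,
            "penny_or_microcap_stocks": True}

if __name__ == "__main__":
    a = score_customer("CUST-A", sample_answers())
    print(a.score_pct, a.category_pct, a.default_rating)
    override_rating(a, "High", "Adverse media on the UBO found during review", "MLRO")
    print(a.final_rating, a.audit_log)
```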
Securing Capital Markets against Financial Crime Risks: Concluding Remarks

Criminals exploit vulnerabilities in capital markets to engage in Money Laundering, Terrorism Financing, and Proliferation Financing, making it imperative for Financial Institutions to implement strong and effective AML/CFT/CPF compliance measures. By understanding financial crime typologies in capital markets, recognising red flags, and adopting best practices as discussed in the blog, Financial Institutions can strengthen their defences against financial crimes.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

AML/CFT Learning and Development Strategies for DNFBPs

In accordance with the AML/CFT laws of the UAE, Designated Non-Financial Businesses and Professions (DNFBPs) are required to have adequate policies, procedures, and controls in place to conduct and impart employee training to ensure AML/CFT Compliance. This goal can be achieved with the help of a well-formulated AML/CFT Learning & Development (L&D) Strategy. Some of its elements are discussed hereunder:
  1. Analysis of AML/CFT Training Needs
  2. Specification of AML/CFT Learning Objectives
  3. Formulation of AML/CFT Training Module Design
  4. AML/CFT L&D Monitoring & Evaluation
Let us discuss each of the elements in further detail:

Analysis of AML/CFT Training Needs

Identifying Organisational Needs based on:

  • Size of the DNFBP
  • Sector of the DNFBP
  • ML/FT Risk to which the Business is exposed
  • Degree, extent, and efficacy levels of AML/CFT Control Measures as defined in the Enterprise-Wide Risk Assessment (EWRA)

Mapping Skills at the Functional Level and Defining their AML/CFT L&D Needs:

These functions include, but are not limited to, the following:
  • Client-facing Front Office Staff, such as the Sales Team: identifying ML/FT red flags
  • Screening Analyst: in the context of their knowledge and experience regarding:
    • When and how to screen the DNFBP’s customers against relevant and applicable Sanctions Lists, such as the UAE Local Terrorist List, the UNSC Consolidated List, etc.
    • Proficiency with the use of Screening Tools or Software
    • Proficiency with Batch or Bulk Screening and Match Disambiguation
    • Distinction between individual and corporate screening requirements
  • KYC Analyst: in the context of their knowledge and experience regarding:
    • Customer Document Handling
    • Extracting and Interpreting Useful Information from KYC Documents
    • Questions to be included in the KYC Questionnaire and their implications
    • Entering KYC information into KYC Registers and maintaining them in alignment with the regulator-specific Record-Keeping requirements of UAE regulators such as DIFC, ADGM, VARA, and SCA
  • AML/CFT Risk Analyst: in the context of their knowledge and experience regarding:
    • Conducting Customer Risk Assessment (CRA)
    • Developing Customer Profiles and assigning appropriate Risk Ratings/Scores
    • Developing Risk Rating Matrices, meeting Record-Keeping Requirements, and maintaining Risk Registers
    • Knowledge of Inherent, Residual, and Gross/Net Risk in consonance with the DNFBP’s EWRA
  • Transaction Monitoring Analyst: in the context of their knowledge and experience regarding:
    • Assisting with Scenario Development, Ongoing Monitoring, and Transaction Monitoring
    • Handling Rule Management, Alert Prioritisation, Review & Investigation
    • Case Management and Record-Keeping
    • Implementation of and Compliance with Designated Transaction Reporting Requirements such as DPMSR and REAR
  • AML Compliance Officer (AML CO) or Money Laundering Reporting Officer (MLRO):
    • Preparation and Implementation of the DNFBP’s AML/CFT Policies, Procedures, & Controls
    • Proficiency in the preparation and filing of the AML/CFT Semi-Annual Report
    • Proficiency with In-house AML/CFT Compliance Department Management
    • Internal SAR/STR investigation and Regulatory Reporting to the UAE FIU through the goAML Portal, for filing reports such as SAR/STR, FFR, PNMR, HRC, HRCA, and Designated Transaction reports such as REAR (for the Real Estate sector) or DPMSR (for the Precious Metals and Stones sector)
    • Obtaining Senior Management Approval
  • Senior Management:
    • Proficiency in Reviewing AML/CFT Reports
    • Appointment of the AML CO or MLRO
    • Approving and Signing off AML/CFT Policies, Procedures, and Control Measures
    • Understanding High-Risk Customers in order to approve their onboarding
    • Updating and Remediating AML/CFT Policies, Procedures, and Controls

Identifying Individual Performance-Driven Needs:

  • Performance Reviews
  • Developing Performance Metrics to identify proficiency in handling AML/CFT Compliance tasks, by identifying KPIs for relevant functions such as:
    • Screening Analyst
    • KYC Analyst
    • AML/CFT Risk Analyst
    • Transaction Monitoring Analyst
    • AML CO or MLRO
    • Senior Management

Specification of AML/CFT Learning Objectives

This element aims to bridge the gap between the existing skill level of the relevant functions and the skill, proficiency, and performance output expected of them to meet the organisation’s goal of AML/CFT compliance excellence, by strengthening the relevant personnel through L&D. This can be achieved by considering factors such as:
  • Outcomes of topical risk assessment and UAE’s National Risk Assessment (NRA)
  • Making the right selection of screening and other automation tools and their compatibility with employee skills
  • Identifying internal and external sources for L&D strategy implementation and formulation of AML/CFT training module design

Formulation of AML/CFT Training Module Design:

Aimed to connect with and impart AML/CFT L&D to relevant functions through organizing and finding the right balance with the following elements to suit DNFBP’s organizational needs:
  • Guest Lectures/ Workshops
  • Experiential Activities such as Case Studies, Scenario Building, Role Playing in Situational Simulations
  • Job Shadowing for lateral as well as linear knowledge transfer for improved decision-making across different AML/CFT compliance roles
  • Mentoring by the second and third lines of defense to their subordinates

AML/CFT L&D Monitoring & Evaluation:

Aimed to evaluate and link AML/CFT L&D Program Learning Outcomes with Personnel Performance Outcomes to ensure that the L&D Program delivers the desired outcome for achieving AML Compliance excellence.

AML/CFT L&D Strategy acts as a tool to feed two birds with one scone!

  • The First Bird is the Regulator, requiring the DNFBP to adhere to AML/CFT Compliance requirements by ensuring adequate AML/CFT training of its employees to avoid noncompliance fines and penalties and
  • The Second Bird is the problem of filling the knowledge and skill gap of employees to meet organizational AML/CFT compliance goals.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

KYC Documentation Guide for KYC Analysts

This article serves as a guide for KYC Analysts when handling KYC documents by discussing the process of extracting useful information from KYC documents. Let us begin with understanding the meaning of KYC. Know Your Customer (KYC) is an important component of the Customer Due Diligence (CDD) process. Under the UAE’s Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) regulatory regime, regulated entities are obligated to conduct KYC to identify their customer and verify their identity. For this purpose, regulated entities collect KYC documents to establish the identity of their customers and validate the same from reliable, independent sources.

What is KYC?

KYC, which is Know Your Customer, is a systematic process used by business entities to verify the identity of their potential customers, and Re-KYC is the process of periodically updating and refreshing the KYC details of existing customers. Verifying customers’ identities ensures that they are who they claim to be and that the information contained in the identity document is valid, accurate, and relevant.

What is a KYC Analyst?

A KYC Analyst is the person responsible for carrying out the KYC process in a regulated entity. While performing the KYC process, the KYC Analyst has to ensure compliance with the AML regulations. The KYC Analyst helps regulated entities, such as Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Service Providers (VASPs), counter financial crime risk by verifying the identity of their potential customer. They weed out suspicious individuals or entities and assist the AML Compliance Officer with timely identification, escalation, and reporting of suspicious activities and transactions. The KYC Analyst is responsible for conducting the KYC process and ensuring compliance with the customer onboarding guidelines that are prescribed within the regulated entity’s AML/CFT/CPF Policies and Procedures.

Guiding KYC Analyst with KYC Documentation through the Customer Onboarding Process

KYC Analysts play a pivotal role in handling KYC documentation and extracting useful information from KYC documents. This can be done after collecting identity documents from the customer and verifying the validity and authenticity of the ID document, followed by verifying the extracted information across valid and reliable independent sources or validation gateways to verify the identity of the customer.
Conducting KYC is important for regulated entities as it protects the business from being misused as a vehicle for conducting illegal financial transactions by identifying customers with criminal intentions. It also helps in ensuring compliance with Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) laws and regulations.

Key Responsibilities of KYC Analyst

Here are some key responsibilities of KYC Analyst that help guide with KYC documentation management:

Customer Due Diligence (CDD):

CDD is the procedure by which the KYC Analyst satisfies himself that the information obtained from the customer is sufficient to establish a profile of the customer.

Let us discuss the key information that the KYC Analyst must collect as a part of his customer due diligence process:

  • Full name and aliases
  • Identification Document Number
  • Official Address Detail
  • Date of Birth or Place of Incorporation
  • Current Nationality
  • Details as to persons associated (UBOs in case of corporate entity)

In this process, he identifies and assesses risks associated with a customer and determines if additional documents are required to complete the due diligence. After collecting the basic information, the KYC Analyst provides that information to the screening analyst for sanctions screening. The screening analyst then provides findings and comments regarding the screening, adverse media, and Politically Exposed Persons (PEP) checks. The Risk Analyst gives the risk rating based on the findings and comments of the Screening Analyst. There are 3 types of CDD measures that are undertaken based on the risk-based approach adopted by the reporting entity. These are Simplified Due Diligence, Standard Due Diligence, and Enhanced Due Diligence.

Customer Onboarding:

The KYC Analyst helps in customer onboarding by becoming a link between the compliance team and the customer. He communicates with the customer if there are additional requirements, if any, and finally helps onboard the customer.

Regular Monitoring:

The other responsibility of KYC analysts is to monitor customers’ information regularly and keep it updated all the time. There can be changes at the customer end after the initial onboarding. Say, change in the structure of the company, expiry of trade licenses, etc. The KYC Analyst communicates with the customer and keeps this information updated.

Documentation and Reporting:

The KYC Analyst is responsible for maintaining and recording the documents related to the CDD process. These documents include customer verification processes, risk assessments, monitoring activities, etc.

Documents to be Collected for KYC of Individual Customers

KYC documents are required for identity verification and address verification. Here are the KYC documents required for individual customers.

For the Customer Identity verification: Emirates ID/Passport/Driving License/Any other government-issued document having a photograph

For the Customer’s address verification: Utility Bill (not older than 3 months)/Municipal Tax Record/Property Purchase or Rent Agreement/Bank Statement/Insurance Policy/Any other Government document capturing address.

Role of KYC Analyst in KYC Document Management by Extracting Useful Information from an Individual Customer's KYC Documents & its Validation

What should a KYC Analyst look for in Key KYC Documents?

When extracting and interpreting useful information from KYC documents, the KYC Analyst must consider the following:

Passports and Identity Documents:

  • Validate Authenticity and Expiry Dates: The passport and identity documents should be checked carefully to see whether they are authentic or not. It can be checked by comparing the attributes of the document as mentioned on the applicable government websites. Moreover, the expiration date of a document is important to check, as expired documents cannot be used in the normal course of business.
  • Cross-Check Personal Details Against Other Provided Documents: The personal details of clients, like name, date of birth, etc., should match the other provided documents. This information is not likely to change, so it should be matched with the details provided in some other documents.
  • Examine Security Features to Detect Forgeries: Forgery is an act of falsifying information or a document with the intention of defrauding the other person. The security feature of the KYC document must be checked to detect forgeries, which will help in curbing instances of fraud. For instance, security features in identity documents include holograms, specially made intricate designs, the embedding of electronic chips containing biometric information, and the use of Public Key Infrastructure (PKI) to prevent misuse or forgery of identification documents. The examination of security features can help detect false information, thereby making the KYC Analyst aware of forged documents or information.

Memorandum and Articles of Association (MOA and AOA):

  • Verify the Company’s Purpose and Business Activities: MOA and AOA provide the complete information about a company. With the help of MOA and AOA, the name, address, purpose, and work of any business can be understood. It even verifies that the business is legally registered. Before proceeding with a corporate customer, the KYC Analyst must verify the corporate customer’s MOA and AOA.
  • Confirm Authorised Share Capital and Shareholding Structure: It is also important to be aware of the company’s share capital and shareholding structure. It provides information regarding the distribution of power, decision-making authority, etc. This also throws light on the ultimate beneficial owner (UBO) of the corporate entity.
  • Assess Provisions Related to the Appointment of Directors and Decision-Making Processes: The provisions related to the appointment of directors and decision-making processes provide a brief understanding of the company. Knowing a company’s policy and procedures will help in making informed decisions as to whether the customer is authentic or not.

Trade License:

  • Ensure Validity and Authenticity: A Trade license is an important document as it provides information about the legal registration of a company. The document needs to be valid and authentic, as this will help determine whether a customer is genuine and whether an entity can proceed further with the customer. The validity and authenticity of a trade license reduce the chances of any fraud by the customer. The trade license helps identify the type of business activity the customer conducts and compares it with the actual purpose of the business relationship to identify if there is an inconsistency between the business’s intended purpose and actual business activity.
  • Confirm the Scope of Permitted Business Activities: The scope of permitted business activities should also be checked. It helps in identifying if the nature of the business relationship is in alignment with the scope of permitted business activities; if the subject matter of the business relationship is not aligned with the business’s approved scope, this should raise a red flag, as such deviation might indicate involvement in ML, FT, or PF activities.
    For instance, if the customer of a regulated entity is a company whose permitted scope of business is jewellery manufacturing and sales but the subject matter of business with the regulated entity is the purchase and sale of real estate property not for corporate but for private purpose, then this must alert the AML compliance officer to look into the business relationship closely for suspicious activity.
  • Check for Any Restrictions or Special Conditions: The entity should also check for any restrictions or special conditions imposed upon a company. Compliance with such conditions will help the regulated entity know more about the customer company and that it is complying with all the requirements. It will help safeguard the entity from potential ML, FT, or PF threats.

Questions that help KYC Analysts Determine Customer Risk from KYC Documents Collected

KYC Information Collection Considerations

Ensuring Accuracy and Completeness of Collected Data

While collecting the documents for verification, it is important to extract & interpret useful information from KYC documents to verify each and every piece of information accurately, such as the name, address, etc. Moreover, it should also be ensured that the data provided in the document is complete. All the relevant data should be collected carefully.

Implementing Secure Data Storage Solutions:

The data collected should be stored safely. For this, secure data storage solutions should be considered. Stored data can also be retrieved afterwards when needed. This is particularly helpful if the customer has already been in a business relationship with the entity: in that situation, verifying the information and assessing the customer’s risk becomes easy.

Regularly Updating Customer Information:

Along with collecting and storing the information, periodically updating customer information is also very important and mandated by UAE’s AML laws. KYC analysts can refer to AML UAE’s eBook: A Complete Guide on Re-KYC Process in AML Compliance to learn more about Re-KYC requirements in UAE.

The KYC Analyst should carry out the ongoing monitoring of business relationships to ensure that customer information is up-to-date. For example, if the customer’s address has changed, it should be updated accurately. Updating information will help in ensuring compliance with the requirements of UAE’s AML, CFT, and CPF provisions contained in the Federal Decree Law and the Cabinet Decision, which require regulated entities to ensure that customer details and records maintained with the regulated entity are updated and contain the latest customer information. Ongoing monitoring must be done in accordance with the established customer risk profile.

Obtaining Customer Consent for Data Processing:

The KYC Analyst must exercise caution while extracting & interpreting useful information from KYC documents in the context of upholding data privacy and data protection requirements. The Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data protects the personal data of natural persons in the UAE. It states that customer consent is necessary before processing any personal data. This requirement of consent can be exempted in cases where the processing of personal data is important in the public interest.

Complying with Data Protection Regulations:

The Federal Decree-Law No. 45 of 2021 governs data protection in the UAE. While collecting information for KYC, it is necessary to comply with the above-mentioned law. Under this law, before processing personal information, the person’s clear consent is required. The person even has the right to get the personal information corrected.

Detecting Fraudulent Documents During KYC

  • Common Indicators of Document Fraud: There are certain common indicators of document fraud, like inconsistencies in font sizes and issues in formatting. The expired document is also an indication of document fraud. Alterations in name, photo, and other details are also common indicators of document fraud. While checking a document, every minute detail should also be checked to prevent the chances of document fraud.
  • Techniques for Manual and Automated Document Verification: The manual technique for document verification includes checking all the details in the documents themselves. In manual document verification, each and every detail should be checked carefully, for example, by matching the photograph of the customer. If the entity has any doubt about a mismatch of information, then they can video call the person to check whether the person is the same or not. Apart from manual document verification techniques, there are automated document verification techniques in which the entity has software that checks the document. The use of software makes the verification task easy and fast. The chances of error are also very low in this case. AML UAE’s article What Is The Role of Technology In Anti-Money Laundering Compliance can be referred to by KYC Analysts.
  • Utilising Third-Party Verification Services: In third-party verification services, the entity can take the services of some third party for document verification. The third-party verification provides a double check on the document verification, thereby removing the chances of any fraud. However, KYC analysts must be mindful that utilising third-party services does not shift the KYC obligation of the regulated entity under UAE’s AML laws.
  • Establishing Protocols for Handling Suspected Fraud: There should be certain protocols in place by means of AML policies, governance structures and workflows for handling suspected ML, FT, or PF activities or transactions requiring the filing of SAR/STR and conducting the proper internal investigation in case of any suspicion. The appropriate steps, like offboarding the customer and informing the government regarding the fraudulent documents, should also be taken.

Signature Verification Methods: KYC Analyst's Toolkit

  • Comparing Signatures with Official Records: In the process of verifying the documents, signature verification is an important step. The first and foremost step is to compare the signature with the official records. The signature should match the signature in the official record. The writing style and spelling should be the same. A slight mismatch in the signature might be a sign of fraud, which might be disguising potential ML, FT, or PF activities. Though it will be difficult for the regulated entities to verify signatures, a comparison of the same with past KYC records will help ensure that they are not forged.
  • Employing Digital Signature Verification Tools: Digital signature verification tools provide a more secure way of verification. These tools use multi-factor authentication methods such as email, SMS verification, or biometric data. The signer needs to sign the document electronically. If anything in the signed document is changed afterwards, its hash value will change, which indicates tampering. Digital signature verification tools make the verification process more robust and secure for KYC Analysts.
  • Understanding Legal Implications of Electronic Signatures: It is important to understand the legal implications of electronic signatures before employing them. The electronic signatures are legally binding, provided they are reliable. It means that while creating the signature, it was under the control of the signer and should be uniquely linked to the signer.
  • Training Staff in Handwriting Analysis Techniques: Training the relevant staff in handwriting analysis techniques will help in building a strong system for handwriting analysis. If the relevant staff members are trained properly, the chances of missing out on identifying forged signatures are minimal. The training should include verifying the customer’s handwriting style and spelling, etc.

KYC in Remote Onboarding: Best Practices

  • Implementing Secure Digital Identity Verification Processes: Secure digital identity verification processes make remote onboarding seamless. AML UAE’s article AML measures for non-face-to-face customers: Combatting money laundering threats can be referred to for more on the AML measures to ensure during remote onboarding. Digital identity verification includes biometric authentication methods and PIN or password validation. By implementing a secure digital identity verification process, the chances of fraud are greatly reduced.
  • Utilising Biometric Authentication Methods: Biometric authentication is the most secure identification method. The biometric methods include face identification, iris recognition, and fingerprint recognition. These methods verify the face, iris, and fingerprint of the person and match them to see whether the customer is the same or not. It is an accurate method of proving the identity of the customer.
  • Ensuring Robust Cybersecurity Measures: In the case of remote onboarding, the chances of cybersecurity challenges are high, making it prone to cyber-attacks, phishing, etc. Robust cybersecurity measures can protect against data breaches. The measures can include providing training to staff regarding cybersecurity so that they can become aware of the ways to protect themselves from such cyber-attacks. The entity can also conduct regular risk assessments to identify potential threats.
  • Providing Clear Guidance to Customers on Remote Verification: Remote verification is a bit complicated, so clear guidance will be helpful to customers. The clear guidance will remove the possibility of any mistake, thereby reducing the chances of any ID fraud by the customers.
  • Monitoring Remote Transactions for Unusual Activities: Monitoring transactions is important for preventing any instances of fraud or money laundering. An unusual activity in the case of remote transactions can be monitored with the help of software. The software can trace doubtful transaction-related activity. It can be done using a geolocation discrepancy alert, multiple failed login attempts alert, unusual time to transact alert, etc.
    Monitoring the activities can help in detecting unusual activity before it can cause harm to an entity. Check out AML UAE’s infographic on Streamlining Video KYC: A Guide to Best Practices to understand the best practices when relying on Video KYC.
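The three alert types named above (geolocation discrepancy, multiple failed logins, unusual transaction time) as rule-based detection logic run over sample remote-session events. This is an added illustration, not code from AML UAE or any KYC product; the event format, thresholds, and sample events are constructed assumptions that a reporting entity would tune to its own risk profile.

```python
"""Rule-based monitoring of remote-channel events (added example, assumptions labelled)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime        # event time, assumed already in the customer's local time zone
    customer: str       # internal customer reference (constructed)
    kind: str           # "login_ok", "login_fail" or "txn"
    country: str        # country resolved from the source IP (assumed resolved upstream)
    amount: float = 0.0


@dataclass
class Alert:
    customer: str
    rule: str           # "geo_discrepancy", "multiple_failed_logins" or "unusual_hour"
    ts: datetime
    detail: str


# Assumed thresholds; a real deployment calibrates these against its own activity baseline.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=2)      # country change faster than this is flagged
UNUSUAL_HOURS = range(0, 5)          # 00:00-04:59 local time


def detect_alerts(events):
    """Run the three rules over the events in time order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(list)   # customer -> timestamps of recent failed logins
    last_location = {}                    # customer -> (ts, country) of last successful event

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login_fail":
            window = [t for t in recent_failures[e.customer] if e.ts - t <= FAILED_LOGIN_WINDOW]
            window.append(e.ts)
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(e.customer, "multiple_failed_logins", e.ts,
                                    f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
                window = []               # reset so one burst raises one alert
            recent_failures[e.customer] = window
            continue

        # Successful login or transaction: compare against the previous known location.
        prev = last_location.get(e.customer)
        if prev is not None:
            prev_ts, prev_country = prev
            if prev_country != e.country and e.ts - prev_ts <= GEO_WINDOW:
                alerts.append(Alert(e.customer, "geo_discrepancy", e.ts,
                                    f"{prev_country} -> {e.country} within {e.ts - prev_ts}"))
        last_location[e.customer] = (e.ts, e.country)

        if e.kind == "txn" and e.ts.hour in UNUSUAL_HOURS:
            alerts.append(Alert(e.customer, "unusual_hour", e.ts,
                                f"transaction of {e.amount:.2f} at {e.ts:%H:%M}"))
    return alerts


# Constructed sample events; customer references and locations are illustrative only.
SAMPLE_EVENTS = [
    Event(datetime(2025, 7, 14, 10, 0), "CUST-001", "login_fail", "AE"),
    Event(datetime(2025, 7, 14, 10, 2), "CUST-001", "login_fail", "AE"),
    Event(datetime(2025, 7, 14, 10, 4), "CUST-001", "login_fail", "AE"),   # 3rd failure -> alert
    Event(datetime(2025, 7, 14, 12, 0), "CUST-002", "login_ok", "AE"),
    Event(datetime(2025, 7, 14, 12, 45), "CUST-002", "txn", "GB", 15000.0),  # country change in 45 min
    Event(datetime(2025, 7, 14, 2, 30), "CUST-003", "txn", "AE", 800.0),     # 02:30 local -> alert
    Event(datetime(2025, 7, 11, 9, 0), "CUST-004", "login_ok", "AE"),
    Event(datetime(2025, 7, 14, 9, 0), "CUST-004", "txn", "IN", 200.0),      # 3 days apart -> no alert
]


if __name__ == "__main__":
    for a in detect_alerts(SAMPLE_EVENTS):
        print(f"{a.ts:%Y-%m-%d %H:%M}  {a.customer}  {a.rule}: {a.detail}")
```

Alerts produced here feed the review and escalation workflow rather than auto-blocking the customer, so that a false positive (a traveller, a mistyped password) does not disrupt a legitimate relationship.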

Challenges in KYC Processes

  • Dealing with Complex Corporate Structures: Complex corporate structures used by criminals to disguise beneficial ownership pose a challenge in KYC processes, making it difficult to trace ultimate beneficial owners. Moreover, complex corporate structures give criminals a route to move and disguise illegal funds. It is important to understand the complex corporate structure to avoid AML non-compliance.
  • Identifying Ultimate Beneficial Owners (UBOs): Identifying the ultimate Beneficial Owners is important to know about the authenticity of the people controlling the business. The legitimacy of UBOs provides the insight that the company is authentic.
  • Managing High Volumes of Data and Documentation: It is difficult to derive, analyse, verify, and maintain high volumes of customer information and documentation. The use of technology must be considered to streamline and meet record-keeping requirements in the UAE.
  • Keeping Up with Evolving Regulatory Requirements: The regulatory requirements are subject to change. To keep up with it is a difficult task. It is difficult to be aware of each and every new guideline and requirement which is introduced frequently. Non-compliance with these requirements might cost the regulated entity badly by way of fines and penalties.
  • Balancing Customer Experience with Compliance Needs: It becomes difficult to fulfil the customer’s expectations with the compliance procedure. The compliance procedure is long and tiresome, but the customer wants a seamless procedure. It becomes difficult to balance these two.

Leveraging Technology in KYC

  • Overview of KYC Software Solutions: Using technology in KYC makes the process easy, fast, and error-free. KYC software is used for identity verification, document verification, compliance checks, etc. As this method is more accurate, it helps in avoiding the risk of any fraud.
  • Criteria for Selecting Appropriate KYC Tools: There are certain criteria for selecting appropriate KYC tools. For example, the tool should be able to grasp a slight change in the customer’s situation and should be able to provide an alert regarding this. Moreover, it should be able to perform remote customer verification. The KYC tool should be able to facilitate easy communication with the customer.
  • Integration of Artificial Intelligence and Machine Learning: The integration of Artificial intelligence and Machine Learning makes the verification process seamless. It is time-efficient and cost-efficient, and it even limits the possibility of any error. With the help of AI, thousands of transactions can be verified quickly. It can even detect any unusual transaction, removing the possibility of fraudulent transactions.
  • Benefits of Automated Document Verification: Automated document verification helps verify lots of information within less time. It saves time and cost. It is more accurate, removing the chances of any discrepancy. As the process of verification has become seamless, it results in more customer satisfaction.
  • Ensuring System Security and Data Integrity: Using the technology in KYC ensures data integrity, which further ensures the accuracy and consistency of data. The technology even ensures system security, like the privacy of information. System security and data integrity build the confidence of the customers in the entity. Along with confidence, the chances of any error are minimal.

Best Practices in KYC Implementation

  • Adopting a Risk-Based Approach to Customer Verification: The risk-based approach includes identifying, assessing, mitigating, and monitoring risk. This approach helps the KYC analyst when making decisions while detecting and preventing instances of ML, FT, and PF. It helps the KYC Analyst segregate customers into three categories: low-risk, medium-risk, and high-risk customers, thereby making it easy to conduct thorough scrutiny of high-risk customers while continuing CDD of low-risk customers with lighter measures.
  • Utilising Advanced Technologies for Identity Verification: The use of technology makes identity verification seamless and error-free. Advanced technologies can be used to verify identification documents in less time. The chances of errors are very low, which ultimately reduces the chances of any financial crimes. Apart from this, the use of advanced technology is cost-effective.
  • Regular Training for Staff on KYC Procedures and Updates: For efficient work, regular staff training is important. Regular and focused training makes the staff aware of all the updates and procedures related to KYC. Regularly Training the staff will ultimately contribute to improved work quality and decreased chances of errors. In case of any unusual transaction, the staff can identify it easily and promptly escalate it to relevant personnel.
  • Maintaining Comprehensive Records of Customer Interactions: Maintaining records of customer interactions ensures adherence to KYC protocols and record-keeping requirements in the UAE. It shows that customers’ information is properly documented and stored, which can help in conducting an investigation, due diligence, and risk assessment.
  • Ensuring Data Privacy and Protection Compliance: In this digital world, data is a valuable asset. It is important to ensure that customer data is protected adequately. Data privacy and adherence to data protection requirements build the trust of customers and protect the entity from any legal repercussions.
  • Establishing Clear Escalation Protocols for Suspicious Activities: Establishing clear escalation protocols for reporting suspicious activities ensures that prompt action is taken in the event of ML, FT, or PF activities detected.

KYC Document Management by KYC Analyst through Extracting & Interpreting Useful Information from KYC Documents: A Summary

KYC is the process through which an entity can know about its customers, which helps the regulated entity identify, assess, and mitigate the risks associated with the customers. Certain specific information can be extracted from each document. The use of technology in extracting information from KYC documents makes the process of extraction and interpretation of documents easy, seamless, and reliable.

Financial Watchdogs: The Role of Gatekeepers in Combatting Financial Crimes

Gatekeepers are coveted professions, often considered as ‘entry points’ to the legitimate financial system. Due to this uniquely positioned role, Gatekeepers act as financial watchdogs by detecting, preventing, and mitigating financial crimes. In this blog, we will discuss the role of Gatekeepers in combating financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF).

Let us first discuss the professions that comprise Gatekeepers.

Who Are the Gatekeepers?

Gatekeepers are those professions that act as an entry point or a gateway to the legitimate financial system. Due to this placement, Gatekeepers are uniquely situated to prevent the infiltration of illicit funds into the formal financial system.

Gatekeepers include the following professions:

  • Lawyers, notaries, and other legal professionals and practitioners
  • Auditors and accountants
  • Trust and Company Service Providers (TCSPs)
  • Real estate agents and brokers.

These professions are at high risk of being unknowingly or unwittingly misused as conduits to commit financial crimes by criminal actors. Therefore, they are regulated under UAE’s Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF) regulatory regime, to protect them and the larger financial system from the menace of ML/TF and PF.

Let us now understand why financial criminals seek to exploit Gatekeepers to conduct ML/TF and PF.

Why Do Gatekeepers Appeal to Financial Criminals?

Financial criminals seek to misuse Gatekeepers due to several reasons highlighted below:
  • Access to Financial Systems: Gatekeepers are considered ‘entry points’ to the financial system due to the nature of their services. Financial criminals seek to use their services to gain access to the legitimate economy.
  • Skills and Expertise: Gatekeepers possess specialised knowledge in creating and managing corporate structures such as shell corporations, facilitating real estate transactions, managing funds, etc. Financial criminals seek this expertise to undertake ML/TF and PF, especially to obscure the origin of illicit funds.
  • Perception of Legitimacy: Engaging reputable professionals such as Gatekeepers lends an appearance or veneer of legitimacy to financial transactions. This perceived credibility is sought by financial criminals to deter scrutiny from regulatory bodies, allowing illicit activities to go unnoticed.
Therefore, due to the potential misuse by financial criminals, gatekeepers are regulated under UAE’s AML/CFT/CPF regulatory regime and required to comply with certain obligations. Let us understand these obligations.

AML/CFT/CPF Regulatory Obligations of Gatekeepers in UAE

Gatekeeper professionals in the UAE, namely lawyers, notaries and other legal professionals and practitioners, auditors and accountants, Trust and Company Service Providers (TCSPs) and real estate agents and brokers, are subject to the following AML/CFT/CPF obligations:

1. Appointing AML/CFT/CPF Compliance Officer:

An AML/CFT/CPF Compliance Officer oversees the gatekeeper's entire AML/CFT/CPF compliance process. The appointee must possess relevant qualifications and expertise and must be a fit and proper person.

2. Conducting Enterprise-Wide Risk Assessment

To identify and assess its ML/TF and PF risk exposure and adopt risk control measures accordingly. This helps the gatekeeper professional to identify the types of risks they are exposed to and tailor adequate and appropriate risk mitigation measures. Some of the examples of such risks include geographic risks, customer risks, transaction risks, etc. Gatekeeper professionals can make use of this checklist to assess or evaluate the efficacy of their risk management measures and take adequate measures to fortify them.

3. Establishing AML/CFT/CPF Policies, Procedures, and Controls:

To effectively comply with AML/CFT/CPF obligations.

4. Establishing Customer Due Diligence Procedures:

To understand the identity of customers and the degree of ML/TF and PF risks they pose to the gatekeeper professional, and adopt risk-based ML/TF and PF risk management measures.

5. Putting in Place Indicators to Detect ML/TF and PF Risks:

This facilitates swift identification of suspicious transactions and suspicious activities indicating ML/TF and PF risks. Literature that can help gatekeeper professionals identify ML/TF and PF indicators, commonly known as red flags, includes:
  • Red flags associated with high-risk jurisdictions
  • Red flags associated with smurfing
  • Red flags pertaining to tax evasion

6. Organising Awareness and Training Program for Staff

To ensure that the AML/CFT rules and regulations and the policies and procedures adopted by the company are consistently followed across the company and potential ML/TF/PF concerns are identified and suitably reported.

7. Establishing Systems for Regulatory Reporting:

To ensure internal reporting and investigation of suspicious activities and transactions, and their onward reporting through the goAML portal by filing a:
  • Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR)
  • High-Risk Country Transaction Report (HRC) or High-Risk Country Activity Report (HRCA)

8. Complying with Targeted Financial Sanctions (TFS) Requirements:

To comply with TFS obligations, conduct sanctions screening and promptly report any client matched against the UNSC Consolidated List or the UAE Local Terrorist List through the Fund Freeze Report, Partial Name Match Report, etc.

9. Ensuring Record-Keeping:

To maintain detailed records of information related to CDD measures, transaction records, AML/CFT/CPF compliance for at least 5 years in mainland UAE.

10. Following Specific Requirements:

For example, Real Estate Activity Report (REAR) for Real Estate Agents.

Let us now discuss the important role Gatekeepers play as financial watchdogs in combating ML/TF and PF.

Role of Gatekeepers in Combating Financial Crimes

Let us discuss the role of each Gatekeeper in combating financial crimes by understanding how Gatekeepers can detect and combat financial crimes through insightful examples.

Lawyers, Notaries, and Other Legal Professionals and Practitioners

Consider the case of a legal professional in the UAE. A client approaches the legal professional for the management of their funds. During such management, the legal professional notices that the funds originate from third parties who have no apparent connection with the client. Further, the funds are then transferred to a foreign jurisdiction that FATF lists as a High-Risk Jurisdiction subject to a Call for Action (commonly called the FATF "blacklist").

In this case the following ML/TF and PF red flags are detected:

  • The money being transacted has been funded by a third party with no apparent connection to the client and no legitimate explanation
  • The funds received by the client are transferred to a FATF-blacklisted, and therefore high-risk, country.
Actions that can be taken by the legal professional to prevent ML/TF and PF:
  • The legal professional should file the High-Risk Country Report because the transaction involves a high-risk country
  • The legal professional should re-run the Customer Risk Assessment (CRA) and categorise the client as high-risk due to the red flags detected
  • The legal professional should verify the Source of Funds and Source of Wealth of the client and ask for further details as part of the Enhanced Due Diligence (EDD) process. If ML/TF and PF risks are detected, they should be reported through an STR.

Auditors and Accountants

Consider the example of an auditor in the UAE. A client engages the auditor to audit their business but is reluctant to provide the information the audit requires, and presses the auditor to complete the engagement quickly. When the auditor requests further data, it becomes clear that the client cannot produce evidence of real business activity, such as actual operations, and the auditor is unable to obtain further relevant information because of the client's evasiveness.

In this case, the following ML/TF and PF red flags are detected:

  • The client is reluctant to provide the information the audit requires
  • The client presses for the engagement to be completed unusually quickly
  • The client cannot evidence real business activity behind the figures to be audited
Actions that can be taken by the auditor to prevent ML/TF and PF:
  • Since several red flags are detected and the auditor cannot investigate further for lack of information, the auditor can offboard the client to de-risk, which is one of the available risk treatment strategies
  • Since the red flags detected are common financial-crime typologies, the auditor should report them through a SAR if no funds have moved, or an STR if money has changed hands.

Trust and Company Service Provider

Consider the case of a TCSP in the UAE. It is approached by an agent of a client to establish a company in the UAE and to provide nominee services. The client prefers not to communicate with the TCSP directly. While conducting Know Your Customer (KYC) procedures, the TCSP finds that the client's Ultimate Beneficial Owner (UBO) holds several companies in many jurisdictions worldwide which appear to be shell companies, given their lack of business operations.


In this case, the following ML/TF and PF red flags can be detected:

  • The client refused to communicate with the TCSP directly
  • The client was a UBO of many shell companies around the world. Misusing shell companies is a common typology used by financial criminals.
Actions that can be taken by the TCSP to prevent ML/TF and PF:
  • Categorise client as ‘high-risk’ during the Customer Risk Assessment (CRA) process
  • Conduct Enhanced Due Diligence (EDD) for the client, and understand their nature and purpose of establishing the company
  • If the occurrence of financial crimes is detected, report the same through SAR or STR.

Real Estate Agents and Brokers

Consider the example of a Real Estate Agent in the UAE. A trustee of a trust established in an offshore jurisdiction approaches the agent to purchase a luxury property. The trust was established in a known tax haven, and the trustee insists on paying for the property upfront. On inquiry, the agent finds that the ownership structure of the trust is complex and difficult to ascertain.
In this situation, the following red flags can be detected:
  • The trust is registered in a known tax haven
  • The ownership structure of the trust is complex, and may be so to obscure the identities of Ultimate Beneficial Owners
  • The trustee is ready to pay for a luxury property upfront
Actions that can be taken by the Real Estate Agent to prevent ML/TF and PF:
  • Conduct Enhanced Due Diligence (EDD) for the trustee and the trust and ascertain the Source of Funds and Source of Wealth
  • Ask for additional information to ascertain the identity of the UBOs
  • Investigate suspicions of ML/TF and PF and report the same through STR or SAR.
Now, let us discuss the best practices that can be adopted by the Gatekeepers to enhance their efforts in combating financial crimes.

Best Practices for Gatekeepers to Combat Financial Crimes

Gatekeeper professionals such as lawyers, notaries, other legal professionals and practitioners, auditors and accountants, TCSPs and real estate agents and brokers can safeguard their business against ML/TF and PF by adopting the following best practices:

Developing and Implementing Effective AML/CFT/CPF Program

Gatekeeper professionals should make, establish, and implement a clear and concise AML/CFT/CPF Program. The AML/CFT/CPF Program includes policies, procedures, controls, governance structures, and other components that help Gatekeepers meet their AML/CFT/CPF compliance obligations and promptly detect, manage, and mitigate ML/TF and PF risks.

Ensuring Thorough Customer Due Diligence

Customer Due Diligence (CDD) is a Gatekeeper's main defence against illicit actors who seek to misuse it to commit financial crimes. Modern CDD processes can make use of Video-KYC and Perpetual KYC tools. CDD enables the Gatekeeper professional to understand the identity of their customers and the ML/TF and PF risks each customer poses.

It enables the Gatekeeper to adopt risk mitigation measures proportionate to the degree of ML/TF and PF risks posed by the customer.

Establishing Systems to Proactively Detect and Mitigate ML/TF and PF Risk

Gatekeepers should establish strong monitoring systems to proactively detect potential ML/TF and PF activities by installing transaction monitoring systems.

Gatekeepers can leverage technologies such as advanced data analytics, Artificial Intelligence, Machine Learning, etc. Gatekeepers should also ensure that they understand the red flags and common typologies of ML/TF and PF, and the same is part of the AML/CFT/CPF Training for their employees.

Establishing a Culture of AML/CFT/CPF Compliance, Integrity, Accountability and Transparency

Gatekeepers should inculcate a culture of AML/CFT/CPF compliance and values such as integrity, accountability, and transparency throughout their organisational structure. Such a culture plays a key role in shaping the actions of the various stakeholders, ensuring that they act ethically in all their functions. Senior management should take the initiative to set the tone of compliance and ethical values from the top, and make sure that the same permeates at every level of the organisational structure.

Regularly Conducting AML/CFT/CPF Training

Gatekeepers should conduct regular AML/CFT/CPF training for employees to enable them to perform their role in the Gatekeeper's AML/CFT/CPF compliance process effectively. Training should cover key topics such as recognising ML/TF and PF red flags and typologies, the Gatekeeper's AML/CFT/CPF compliance obligations, and reporting suspicious activities and transactions.

Encouraging Open and Transparent Communication

Gatekeepers should encourage open communication and promote a ‘speaking up’ culture. Doing so would ensure that any stakeholder who comes across a suspicious activity or transaction that indicates financial crime risks would promptly report the same internally.

Gatekeepers should also establish a clear process for internal reporting and implement whistleblower policies that protect reporters' anonymity and shield them from retaliation. The UAE government has been proactive in developing laws that require various reporting entities and professions to draw up whistleblower policies to ensure regulatory compliance.

Engaging in Cross-Industry and Cross-Sector Collaboration

Gatekeepers should proactively engage with a broad network of organisations across industries and sectors to share information, best practices, red flags, etc., that help detect and combat financial crimes.

Some organisations have immense experience in detecting ML/TF and PF typologies, while others may be experts at technological solutions to tackle financial crimes. Sharing information ensures that all participants learn from each other’s strengths while addressing their own vulnerabilities. Through this, gatekeepers can strengthen market integrity through collaborative efforts in mitigating ML/TF and PF.

The Role of Gatekeepers in Combatting Financial Crimes: Final Thoughts

Gatekeeper professions, therefore, are responsible for maintaining the financial system’s integrity by detecting and preventing financial crimes. By adhering to AML/CFT/CPF regulatory requirements and implementing the best practices discussed above, these Gatekeepers can effectively mitigate financial crime risks and contribute to a safer financial environment.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

A Complete Guide to ID Verification: Best Practices and Tools


What are ID documents?

Commonly known ID documents are government-issued identity documents such as passports, resident identity cards and driving licences; the terminology varies with the jurisdiction of the issuing authority.

For example, the national identity document is the Aadhaar card in India, the Emirates ID in the UAE and the Resident Identity Card in China; most European countries issue a national identity card, while the USA has no national ID card and driver's licences and passports are commonly used instead (the Social Security Number is an identifier, not an identity document).

What is ID verification?

Identity verification, or ID verification, is the process of confirming that a person is who they claim to be by checking that claim against a document, purportedly issued by a government or semi-government authority, that the individual presents in support of it.

In simple words, ID verification is a security measure deployed to confirm the authenticity of an individual’s identity and the validity of a document supporting the identity claimed by such an individual.

The ID verification process has become one of the routinely sought requirements for the Customer Due Diligence (CDD) process across various sectors such as Banking and Finance, Designated Non-Financial Businesses and Professions (DNFBPs), IT Services, healthcare, real estate, Virtual Assets activities and services, and many other sectors.

What is Digital Identity Verification?

Digital identity verification is aimed at confirming an identity online. It uses methods such as document checks, biometric verification and facial recognition to authenticate that the person is who they claim to be.

What Are the Common Methods of Identity Verification?

Commonly used methods of identity verification include:

Document Verification

Document verification is the most common method to verify a person’s identity. The ID document is verified by examining its security features and details.
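One concrete example of checking a document's "details" is the machine-readable zone (MRZ) printed on passports, whose check digits are defined by ICAO Doc 9303. The following Python example is added here and is not part of the original article: it parses a TD3 passport MRZ, verifies each check digit and the composite digit, and uses the public ICAO 9303 specimen (holder "ERIKSSON, ANNA MARIA", fictional issuing state "UTO") as input. Altering a single digit of the date of birth breaks both the field check digit and the composite one. The check only proves the MRZ is internally consistent; it does not prove the document is genuine, which still requires the physical and electronic security features (such as the chip) to be examined.

```python
import re

# Public ICAO Doc 9303 specimen passport MRZ (fictional holder and issuing state "UTO").
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA" + "<" * 19
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def char_value(ch: str) -> int:
    """Character values from ICAO 9303: digits are face value, A-Z are 10-35, filler '<' is 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: sum of char values times the repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    return sum(char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def _check(field: str, digit: str, optional: bool = False) -> bool:
    # An unused optional field (personal number) may carry '<' instead of a digit.
    if optional and digit == "<":
        return True
    return digit.isdigit() and check_digit(field) == int(digit)


def verify_td3(line1: str, line2: str) -> dict:
    """Parse a TD3 (passport) MRZ and verify every check digit.

    Returns the parsed fields, a per-field map of check results and 'valid',
    which is True only when all check digits, including the composite one, hold.
    """
    for line in (line1, line2):
        if not re.fullmatch(r"[A-Z0-9<]{44}", line):
            raise ValueError("each TD3 MRZ line must be 44 characters from A-Z, 0-9 and '<'")

    surname, _, given = line1[5:].partition("<<")
    fields = {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5].rstrip("<"),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "date_of_birth": line2[13:19],   # YYMMDD
        "sex": line2[20],
        "expiry_date": line2[21:27],     # YYMMDD
        "personal_number": line2[28:42].rstrip("<"),
    }
    checks = {
        "document_number": _check(line2[0:9], line2[9]),
        "date_of_birth": _check(line2[13:19], line2[19]),
        "expiry_date": _check(line2[21:27], line2[27]),
        "personal_number": _check(line2[28:42], line2[42], optional=True),
        # The composite digit spans document number, date of birth, expiry date
        # and personal number together with their own check digits.
        "composite": _check(line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    fields["checks"] = checks
    fields["valid"] = all(checks.values())
    return fields


if __name__ == "__main__":
    result = verify_td3(SPECIMEN_LINE1, SPECIMEN_LINE2)
    print(result["valid"], result["surname"], result["given_names"], result["checks"])
    tampered = SPECIMEN_LINE2[:13] + "740813" + SPECIMEN_LINE2[19:]
    print(verify_td3(SPECIMEN_LINE1, tampered)["checks"])
```

A failed check digit is a strong signal that the OCR misread a character or that the zone was altered; in either case the document should go to manual review rather than being rejected or accepted automatically.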

Biometric Verification

Using biometric information such as facial recognition, voice recognition, iris and retina scanning, and fingerprint matching with a database to confirm a match with the actual ID holder.

Credit Bureau-Based Authentication

This method relies on information from various credit bureaus, which hold vast credit information repositories on consumers, such as their names, addresses, and ID numbers.

Database Identification Methods

Database ID methods collect information from multiple sources to confirm a person's identity; these sources range from social media platforms to offline databases.


Knowledge-Based Authentication

Knowledge-based authentication (KBA) validates a person's identity by prompting them to answer, within a specified time, security questions specific to that individual which only they should be able to answer. Because such answers are increasingly discoverable through data breaches and social media, KBA is a weak control on its own and is best combined with another method.

Online Verification

The online verification process includes determining whether a government-issued ID belongs to the person claiming it. Further, it includes using biometrics, AI, and human review. This method usually performs validity checks by prompting the person to share a selfie to ensure that the person holding the ID (during ID Verification) is the same person shown in the ID photo.

Two-Factor Authentication [2FA]

2FA requires a second factor in addition to the password: the person must present a token that they possess, typically a one-time code or an approval prompt delivered to a registered device, email address or phone number, and enter or approve it when the login page prompts for it. Signing into a Google account by confirming a prompt on the registered device, or by entering the code sent to the registered phone number, after entering the password is a common example. Codes delivered by SMS or email are weaker than authenticator apps or hardware tokens, since they can be intercepted through SIM swapping or phished together with the password.

Device Verification

The device verification method checks for the device’s legitimacy used to conduct a transaction.

The Identity Verification Process

The ID verification process covers several stages aimed at confirming and validating a person's identity, and these stages differ from business to business depending on their requirements. The infographic provides the usual flow of the ID verification process.
To sum up, the ID verification process entails:
  • assessing ID verification needs;
  • determining, implementing, testing and revising the right ID verification method (offline or online, and whether an API is to be used);
  • informing customers and requesting documents;
  • receiving, verifying and validating ID documents.
Further steps include screening, risk assessment, ongoing monitoring and record keeping.

Why is digital identity verification necessary?

Compliance with Regulations

Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Laws worldwide and recommendations of the Financial Action Task Force (FATF) call for identity verification as a requisite to prevent money laundering and terror financing (ML/TF). Thus, implementing identity verification programs helps businesses comply with AML/CFT laws.

Digital ID verification ensures that checks are applied uniformly across the organization, that records can be retrieved whenever needed, and, where APIs integrate with government or regulator databases, that the data checked against is current.

Cost Efficiency

Digital ID verification is more cost-efficient than manual verification: most of the process is automated and the steps that require detailed scrutiny are digitized, which significantly reduces manual effort and operational cost.

Improved Customer Experience

Digital ID verification improves the customer experience through self-service login and questionnaires and quick verification by QR code scanning at kiosks or counters; customers avoid long queues and can complete formalities remotely and almost instantly, which improves satisfaction and retention and lowers abandonment rates.

Fraud Prevention

The very purpose of ID verification is to stop financial crime at the earliest stage by establishing whether the person whose identity is being verified is genuine. Fraud can enter the organization through identity theft, online scams, account takeover, identity cloning, etc. Verifying an individual's identity significantly reduces that risk.

Security Enhancement

Confirming and validating individuals’ identities before entering business relationships ensures that only authorized individuals can access services and sensitive information, thus reducing the risk of data breaches and cyber-attacks.

Recent Developments in Identity-Related Offences

There has been a rise in the use of "deepfakes", i.e., pictures, videos or audio that appear realistic but are in fact generated using artificial intelligence. Criminals use this technology to generate fake identification documents like driver's licences and passports and to create false pictures by modifying a stolen source picture or generating an entirely new image. The usual countermeasures are liveness detection and checks for injected or replayed camera feeds, since a deepfake still has to be presented to the verification system somehow.

Digital ID Verification Software Features

Identity Verification

Digital ID Verification Software helps verify government-issued IDs and performs biometric selfie matches.

Liveness Check

Liveness Check ensures the genuineness of the ID holder using a selfie video. One can also add various prompts to make this process more robust.

Sanctions Check

The underlying software performs sanctions checks against the UNSC and local sanctions lists as per the regulatory requirements and helps identify full, partial, or false matches.

PEP Check

The Screening Software comes with a global Politically Exposed Persons (PEPs) database and helps identify high-risk customers.

Adverse Media Check

The Digital ID Verification Software also comes with a feature where one can perform adverse media checks and identify risks associated with a customer.

Address Verification

The Digital ID Verification Software supports Optical Character Recognition (OCR) and saves valuable time. It validates proof of address documents like utility bills, bank statements, property lease agreements, etc.

Multi-Party Video Verification

Multi-Party Video Verification facilitates collective confirmation of the KYC information. It helps reduce the risk of impersonation or fraudulent activity.

Customer Due Diligence (CDD) Questionnaire

One can customize the KYC form and add customer due diligence questions as per the regulatory requirements and risks associated with an individual.

Biometric MFA

Biometric MFA adds an extra layer of protection, making it difficult for unauthorized individuals to forge authentication, and it mitigates the risk of impersonation.

Phone Verification

Phone Verification helps perform Two-Factor Authentication.

Email Verification

Email Verification helps perform Two-Factor Authentication.

eSignatures

eSignature helps perform seamless customer onboarding and ensures legal compliance.

What is an Online ID Verification Service?

Online ID verification services compare the identity a person claims with data that proves it. They are identity-proofing solutions that verify and validate government documents such as passports, driver's licences and resident identity cards, and confirm that the person presenting a document is its holder.

Online ID verification services use APIs (discussed below) to balance customer experience and security; they help enterprises conduct business in a fast, efficient, safe and compliant manner and avoid penalties for non-compliance with AML/CFT, KYC and sanctions regulations, all of which call for robust identity verification.

Traditional Identity Verification vs. Digital ID Verification API

The pitfalls of the traditional ID verification process include:
  • Customer abandonment: the traditional process is elaborate and time-consuming, and customers abandon onboarding in favour of companies that use API-based digital ID verification, which is easier, faster and gives a better onboarding experience.
  • High cost: collecting, scanning and verifying ID documents is relatively expensive, especially at volume.
Digital ID verification through an API has numerous benefits, such as:
  • no need to re-verify customers who are already registered;
  • no need to verify and cross-check documents physically;
  • lower operational costs, and hence a high return on investment;
  • improved end-customer experience and higher onboarding success.
Thus, shifting to a digital ID verification API is highly beneficial as it is secure, accurate and scalable for businesses with different needs.

How Can Technology Maximize the Effectiveness of Identity Verification?

Shifting from the traditional method of collecting ID verification documents to the utilization of technology is essential in this age as it’s necessary to keep up with the advancement of technology.

It is only logical that organizations optimize the use of their resources by implementing fast, efficient, reliable, highly accurate, and compliant methods that can be used remotely and in real-time.

Digital Identity verification processes consist of a combination of biometric, AI-driven end-to-end feature sets powering workflows from ID capture and verification to proof of address and AML screening.

In simple words, the use of technology increases the effectiveness of the ID verification process because it:

  • lowers operational costs;
  • reduces infrastructure costs when entering new markets, since no physical presence is needed;
  • increases the chances of detecting fraud, thereby lowering compliance costs;
  • increases customer satisfaction and lowers the abandonment rate by providing fully remote and almost instant access through mobile apps.

How to Choose the Right ID Verification API

Due to stringent regulatory requirements, such as customer due diligence, ID verification has become a mandatory process for businesses when onboarding individuals to prevent fraudulent activities and AML/CFT violations. The ID verification Application Programming Interfaces (API) are tools that enable efficient ID verification for the same.

What is an API and how it works?

An API is a software intermediary that allows two applications to communicate using a defined set of protocols. A simple everyday example is a weather service's system, which holds current weather data, and the weather app on our phones, which communicates with that system through an API to show real-time updates.
A similar example from the AML/CFT perspective is the sanctions lists, such as the United Nations Security Council (UNSC) Consolidated List and the lists published by the US Office of Foreign Assets Control (OFAC), that ID verification and sanctions screening APIs query to return results for the individual or business being screened.
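The "full, partial, or false" match distinction in the Sanctions Check feature above and the list-screening API described here come down to the same name-matching routine. The following Python example is added here and is not taken from any vendor's or regulator's software: it normalizes names (case, diacritics, punctuation, spacing), scores a query against a constructed sample list with Python's difflib, and classifies each hit as confirmed, partial or no match. The list entries, the 0.85 threshold and the rule that a confirmed match requires an exact name plus a matching date of birth where the record has one are assumptions for illustration; production screening would run against the actual UNSC and local lists, use a purpose-built fuzzy matcher and compare further identifiers such as nationality and document numbers.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed sample entries for illustration only; not real designations.
SANCTIONS_LIST = [
    {"id": "LIST-0001", "name": "Abdul Rahman Al-Saeed",
     "aliases": ["A. R. Alsaeed"], "dob": "1975-03-14"},
    {"id": "LIST-0002", "name": "Globex Trading FZE", "aliases": [], "dob": None},
]

# Assumed threshold: below this a hit is treated as a false positive and not reported.
PARTIAL_THRESHOLD = 0.85


def normalize(name: str) -> str:
    """Fold case and strip diacritics, punctuation and spacing so that
    'Al-Saeed', 'AL SAEED' and 'Alsaeed' compare as the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", stripped.casefold())


def best_name_score(query: str, record: dict) -> Tuple[float, bool]:
    """Highest similarity between the query and the record's name or any alias.
    Returns (score, exact); exact means the normalized strings are identical."""
    q = normalize(query)
    best = 0.0
    for candidate in [record["name"], *record["aliases"]]:
        c = normalize(candidate)
        if c == q:
            return 1.0, True
        best = max(best, SequenceMatcher(None, q, c).ratio())
    return best, False


def screen(query_name: str, query_dob: Optional[str], sanctions_list=SANCTIONS_LIST) -> dict:
    """Classify a name against the list.

    'confirmed': exact name and the record's date of birth matches (or the record,
                 e.g. an entity, carries no date of birth);
    'partial'  : similar name, or exact name with the date of birth missing or different;
    'no match' : nothing scores at or above PARTIAL_THRESHOLD.
    """
    rank = {"no match": 0, "partial": 1, "confirmed": 2}
    result = {"outcome": "no match", "score": 0.0, "record_id": None}
    for record in sanctions_list:
        score, exact = best_name_score(query_name, record)
        if score < PARTIAL_THRESHOLD:
            continue
        dob_ok = record["dob"] is None or record["dob"] == query_dob
        outcome = "confirmed" if exact and dob_ok else "partial"
        if (rank[outcome], score) > (rank[result["outcome"]], result["score"]):
            result = {"outcome": outcome, "score": round(score, 3), "record_id": record["id"]}
    return result


if __name__ == "__main__":
    for name, dob in [("ABDUL RAHMAN AL SAEED", "1975-03-14"),
                      ("Abdul Rahmann Al Saeed", "1975-03-14"),
                      ("John Smith", None)]:
        print(name, "->", screen(name, dob))
```

Whatever the matching engine, the disposition of every hit (confirmed, partial, discounted as false positive) and the reason for it should be recorded, because the regulator will expect to see why a partial match was not reported.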

Selecting the suitable ID Verification API

Picking the suitable API that meets your business needs is a crucial step, which first includes surveying the market for the kinds of APIs that could suit your unique and specific requirements. From an AML/CFT compliance viewpoint, the right API should tick the following boxes:
  1. It should be easy to embed into the onboarding workflow, enabling quick and efficient ID verification that is compliant with local and international AML/CFT laws.
  2. It should be able to carry out age verification for age-restricted products and services such as online gaming, online dating and online gambling.
  3. It should capture IDs through OCR and extract the ID information.
  4. It should verify the authenticity of the information captured from the ID documents the customer provides.
  5. It should validate ID document numbers, such as passport numbers, driver's licence numbers, Social Security Numbers (SSNs) and Emirates ID (EID) numbers, against the document provided.
  6. It should verify the phone numbers provided by customers.
  7. It should ideally be ISO certified (for example ISO/IEC 27001) and GDPR compliant, and offer integration options such as:
    • direct integration
    • integration via core providers
    • integration via third parties
  8. It should provide a unified solution for AML/CFT compliance, client onboarding and client self-service for the customer due diligence process.
  9. The API provider should ideally offer sufficient development support, tutorials, cloud SaaS, usage-tier-based pricing and on-premise integration.
  10. The API should be white-labelable to suit the business's branding and privacy requirements.
  11. Ultimately, the API should
    • lower operational costs
    • lower infrastructure costs
    • lower compliance costs
    • lower the fraud rate
    • lower the abandonment rate
    and thus deliver a sizeable return on investment.

How Does Identity Verification Weave Its Magic Across Different Sectors?

The need for digital ID verification is no longer limited to the banking or finance sector. Its scope has widened to curb illegal activities and ensure compliance with regulations imposed by authorities. Sectors that require ID verification to conduct their business in a safe and compliant manner are:

Banking and Finance

Due to the inherently risky nature of business, the banking and finance sector is most prone to fraud. It requires digital ID verification to comply with regulations such as AML/CFT laws and KYC requirements.

Digital ID verification helps automate compliance with citizenship and sanction regulations. KYC needs are fulfilled through AI data extraction and validation from the provided Proof of Address documents.

Regulatory compliance then follows from validating customer IDs, addresses and related information against the applicable AML/CFT and KYC requirements.

Designated Non-Financial Businesses and Professions (DNFBPs)

DNFBPs comprise a wide range of entities and individuals involved with activities outside the scope of the traditional financial sector. Still, they can be exploited for ML/FT purposes or other illicit financial activities.

The FATF Recommendations extend AML/CFT obligations to DNFBPs because they are vulnerable to misuse and are therefore responsible for identifying and mitigating the financial crime risks they face. Broad categories of DNFBPs include:

Lawyers, Notaries, Conveyancers, and Other Independent Legal Professional
Legal professionals such as lawyers and notaries provide legal services, including property conveyancing, trust creation, and company formation.

Accountants, Auditors, and Tax Advisors

Accountants, auditors, and tax advisors are responsible for maintaining financial records, conducting audits, and guiding individuals and businesses on tax matters.

Real Estate Agents, Developers, and Brokers
Professionals in the real estate industry, including agents, developers, and brokers, facilitate property transactions, such as buying, selling, and leasing real estate properties.

Dealers in Precious Metals, Jewels, and Stones
This category encompasses businesses engaged in buying, selling, or trading precious metals like gold and silver and dealing with jewellery and valuable gemstones.

Trusts and Company Service Providers
These entities specialize in creating, managing, and administering trusts, companies, or other legal structures for clients.

Casinos, Online Gaming, and Gambling Establishments
Casinos, online gaming platforms, and gambling establishments fall into this category, as they handle financial transactions related to gambling activities.

Insurance Firms, Agents, and Brokers

Insurance companies, agents, and brokers are involved in selling and providing insurance products and services.

Virtual Asset Service Providers (VASPs)

Entities involved in cryptocurrency trading, exchange platforms, and virtual currency wallet services.

The above-mentioned sectors have to implement an ID verification process and record keeping as part of their AML/CFT compliance framework to maintain the integrity of the economic system.

ID verification is the first step for the mandatory customer due diligence (CDD) process, following which risk assessment, enhanced due diligence and ongoing monitoring of business relationships are conducted.

Age Restrictive Sectors

Alcohol, Dating Services, Online Gambling, Online Gaming
They fall under the restricted goods category globally and require compliance with age-restriction law provisions. Age Verification APIs can provide quick and efficient age validation tools.

What Are the Legal and Regulatory Requirements for Identity Verification?

Compliance with global ID verification regulations is essential for businesses while collecting, handling, and using personal information.

Non-compliance with regulations could lead to the imposition of fines and penalties and to loss of reputation. Awareness of and compliance with ID verification regulations help businesses detect and prevent breaches of those regulations and prevent events such as identity theft, account hacking and other fraud.

A few general ID verification regulations include:

AML/CFT Regulations

AML/CFT laws across the globe include but are not limited to:
  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations applicable in the UAE.
  • Guidance for Licensed Financial Institutions on Digital Identification for Customer Due Diligence issued by the Central Bank of the UAE.
  • Anti-Money Laundering Directives (AMLD) and Sixth Anti-Money Laundering Directive (6AMLD) by the European Union
  • Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, the Proceeds of Crime Act 2002, and the Terrorism Act 2000 are applicable in the UK.
  • Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1997, also referred to as the Anti-Money Laundering Act (AMLA), is applicable in Switzerland.
  • The Bank Secrecy Act (BSA), the Patriot Act, and the Anti-Money Laundering Act 2020 (AMLA) are applicable in the USA.
  • The Monetary Authority of Singapore (MAS) provides AML/CFT supervision in Singapore.
  • Financial Transaction Reports Act 1988, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Australian Transaction Reports and Analysis Centre (AUSTRAC) provide AML/CFT supervision in Australia.
  • Prevention of Money-Laundering Act, 2002, applicable in India.

United Nations Security Council Resolutions

United Nations Security Council Resolutions (UNSCRs) mandate member states to implement measures to prevent terrorism, including identity verification, sanctions screening, and business relationship monitoring requirements for regulated businesses.

Financial Action Task Force (FATF) Recommendations

The FATF's 40 Recommendations apply globally and provide guidance on AML/CFT measures, including customer due diligence and identity verification requirements, to be implemented under a Risk-Based Approach (RBA) that mitigates the risk a business is exposed to from its potential customers. The risk is then prioritised according to the attributes of the customer base, such as demographics, age distribution, homogeneity and market size.

These regulations prevent criminals from using established financial systems and businesses for ML/FT and require regulated institutions to verify the identities of their customers.

Data Protection and Data Privacy Laws

Businesses must comply with global regulations governing an individual's rights over the use of their data by data controllers and data processors. Data protection regimes across the globe include but are not limited to:
  • The Personal Data Protection Law, UAE, Federal Decree-Law No. 45 of 2021, regarding the Protection of Personal Data
  • General Data Protection Regulation (EU GDPR)
  • California Consumer Privacy Act (CCPA)
  • The California Privacy Rights Act of 2020
  • Digital Personal Data Protection (DPDP) Act, 2023, India
  • The Personal Data Protection Act (PDPA), Singapore

Know Your Customer (KYC) Regulations/Requirements

KYC regulations usually originate from AML/CFT and FATF recommendations and require regulated businesses to identify and verify the identity of their customers to prevent money laundering, fraud, and terrorist financing.

Electronic Identification, Authentication and Trust Services (eIDAS) regulation

This EU-based regulation provides a legal framework for electronic identification and trust services, including digital signatures, seals, and timestamps.

Payment Card Industry Data Security Standard (PCI DSS)

This global standard applies to businesses that accept credit card payments and includes requirements for identity verification to prevent fraud.

Electronic Signatures in Global and National Commerce Act (ESIGN)

ESIGN is a US law that provides a legal framework for electronic signatures and their verification, and it is recognised globally.

Red Flags Associated with Digital Identity Verification

Regulated businesses must verify their prospective clients’ ID to ensure regulatory compliance. Red flags indicate potential issues that could arise during the ID verification process, including but not limited to an unwillingness to provide identification information:
  • Concealment of true identity or lack of valid identity proof.
  • The customer's address is a PO box or the phone number is associated with an answering service, or the customer is a foreign national with no significant dealings in the country and no apparent economic or other rationale for doing business with the organisation conducting the verification.
  • Concealment of beneficial ownership (for corporate clients), or of:
    • Sources of funds.
    • Reasons for transactions.
  • Inconsistent or altered documents:
    • Documents that appear fake, altered, or otherwise inauthentic.
    • Inconsistent identity document numbers.
    • Suspicious or inconsistent personal information (such as a wrong address on a document).
  • Personal information is inconsistent across multiple sources.
  • Personal information is associated with known fraud activity and cases.
  • An existing customer is unable to answer challenge questions correctly.

What Are the Challenges and Risks Associated with Identity Verification?

Challenges faced with the ID verification process include:

Fraud and Impersonation

After establishing a business relationship, it is natural for businesses to exchange sensitive information with their counterparties. Fraudsters and Identity thieves create fake accounts and impersonate legitimate users to gain access to confidential information. It leads to violation of the Data Protection and Privacy rights of individuals.

Customer Experience

Manual ID verification processes are paper-based and time-consuming. Businesses need to strike a balance between customer experience and compliance requirements. Digital ID Verification solutions provide a world-class experience and security while handling the customer onboarding processes.

Malicious Acts - Identity Theft and Fraud

Using stolen private data or creating fake identities to gain unauthorized access harms the business reputation, leads to loss of customers, and brings down customer trust.

Authenticity of Documents

Authenticating the validity of identity documents is a necessary step in the verification process. Fake identity documents, whether modified or forged, can be hard to distinguish from genuine ones, and manual document cross-verification may produce false positives in ID verification checks. This makes it essential for businesses to install advanced document verification techniques.

Installation of Authentication Software

Incorporating identity verification tools such as APIs into existing applications can be complicated, especially for large-scale businesses with diverse systems and platforms. Ensuring a smooth integration process without disrupting existing systems is essential.

What Are the Best Practices for Identity Verification?

By implementing best practices, businesses can ensure compliance with identity verification requirements prescribed in AML/CFT regulations across the globe and protect their customers’ personal information from identity fraud and other illicit activities.

Some of the suggestive best practices include:

Adoption of Risk Based Approach (RBA)

Implementing and formulating ID verification measures commensurate with the risk the business is exposed to is important as not all ID verification APIs or programs are the same and constantly evolve to meet business needs. By using RBA, businesses can customize the ID verification process to the level of risk it is exposed to for a particular client or transaction.

AML/CFT Compliance Framework

A formally drafted and approved Compliance Framework can help businesses ensure that they adhere to all relevant identity verification, AML/CFT, data protection and data privacy regulations.

The compliance framework should include policies and procedures for collecting, retaining, and using personal information for future use, as well as processes for monitoring and reporting any violations of regulations, such as suspicious activity reports.

Data Encryption and Security

Implement data encryption protocols and cybersecurity measures through a reliable ID verification API solution that safeguards sensitive user information from breaches.

Obtaining Explicit Consent

Obtaining explicit consent from customers is a legal requirement prescribed by various global data protection and data privacy regulations for collecting and using their personal information. Businesses should ensure that customers know what information is being collected and how it will be used and obtain their consent before verifying.

Customer Behaviour Observation

Use APIs that can assess unusual user behaviour in real time and respond quickly to any security threat.

Global Compliance Regulatory Standards

Ensure that the business is equipped with the latest fraud-detecting techniques. Also, ensure that the ID verification and authentication methods align with regional compliance standards to minimize legal risks.

Multi-Factor Authentication (MFA) Implementation

Implementing MFA provides customers with an extra layer of security. The factors can include something the customer knows (a password), something they have (access to a registered mobile device, laptop or PC), and something they are (biometric data).

The Importance of ID Verification Apps in Ensuring World-Class Customer Experience

An ideal ID verification app ensures a world-class customer experience by providing the end customer with:
  1. Global coverage supporting ID types from all over the world, ensuring seamless accessibility.
  2. Accurate verification of genuine customers that keeps fraud attempts negligible, thus reducing inherent risk.
  3. Multi-factor authentication, adding biometric authentication that enhances security, data protection and customer experience.
  4. Password reset and account recovery through self-service solutions.
  5. Real-time, multi-party transactions through remotely accessible live video verification.
  6. An eSignature feature wherever required to ensure the legality of electronic contracts and agreements.
  7. Automated verification of customer identity to avoid duplication of effort.
  8. The ability to detect NFC chip damage and incorporate it into an adaptive process flow, reducing the need to ask for fresh IDs when an ID is damaged.
  9. Self-verification through self-service on the customer's own device, via QR codes or kiosks, by completing Customer Due Diligence questions and activating the account for the service.

What Future Trends and Innovations Illuminate Identity Verification's Path?

As the saying goes, “Necessity is the mother of all inventions.” The same holds true for any innovation that comes into being; the very need to innovate or improvise arises from a lack of accessible and practical solutions to problems encountered by the public at large. Such issues and their future ‘fixes’ – which are innovations and future trends, include:

Liveness Check and Proof of Humanity:

When it comes to ensuring the genuine presence of an individual whilst conducting online/remote Identity verification using a video call, ‘Liveness check’ detects if the subject is a real live human or a bot. It provides an additional layer of security to ensure that the user is a real and unique person, thus enhancing the value of online platforms.

Digital Avatars:

Digital IDs (DIDs) or Digital Avatars are created on open-source, public blockchains, are unique, and can be independently controlled by the individual, thus eliminating the need to depend on third parties for identity verification.

The Digital Avatar will complete the KYC/ID verification procedures, such as verifying the identity of any person seeking to create an account, maintaining records of the information used to verify the person’s identity and ultimately determining whether the person appears on any government-provided lists of known or suspected terrorists or terrorist organizations.

Centralized ID:

The need for centralized ID is the most pressing one. Think of the current situation; most of us have at least one bank account, but the minute we decide to open a second one, we must go through all formalities, such as the elaborate and time-consuming ID verification process. Having a centralized framework will eliminate the need for repeated ID verification processes.

Fraud reduction:

Future IDs will undoubtedly have features or attributes that would be near impossible to forge, steal or mimic, which shall play a significant role in cancelling out the events of identity theft.

Checking for Deepfakes during ID Verification

Although it is not easy to identify deepfakes through plain visual inspection, there are tested techniques that can be used during ID verification. Some of these techniques include:

Reverse Image Search

Reverse image search works much like text search, except that instead of typing text into the search box, a picture, an image URL or associated keywords are uploaded. These serve as the focal point for identifying similar pictures that match the identity photograph, together with their relevant details, such as the owner or administrator of the websites where the images appear.

Specific Manipulations Detectors

A vast majority of the deepfakes are created using a combination of visual landmarks. This can include emotions, facial expressions, the position of the head and its alignment, and even lip-syncing. Deep learning-based AI detectors can, therefore, identify image or video manipulation, such as manipulation of facial features, face swaps, and facial reenactment.

Digital Forensics Devices

Various software tools examine metadata, pixel inconsistencies and other kinds of image transformation, such as resizing, cropping, colour changes and edits, to identify the subtle artefacts that are left behind when deepfakes are created.

Conclusion

ID verification is essential to ensure compliance with AML/CFT laws. Digital ID verification is the need of the hour, and companies would experience smooth customer onboarding and significant time and cost savings by implementing it.

AML UAE provides end-to-end consulting services to help you identify the right Digital ID Verification software, assess and analyse the associated risks, and suggest solutions that ensure a world-class customer experience while balancing AML/CFT compliance requirements.

In AML/CFT compliance, customer identification and verification are crucial. The right AML software allows complying with the rules and regulations efficiently. It helps to build customer trust and promote business growth. AML UAE is a popular and reliable AML consultant that offers a comprehensive range of AML compliance services.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

The Role of Residual Risk in Financial Crime Compliance

Conducting a business comes with accompanying risks, including the risk of financial crime, which are inherent in nature. The key is to manage this gross risk, also known as inherent risk, as much as possible by implementing effective control measures, thereby minimising the net risk, also known as residual risk.

In this article, we will discuss residual risk, how it is different from inherent risk, and examples of residual risk. The article also explores the process of identifying residual risks, challenges in managing residual risk, best practices for managing residual risk, and future trends and developments in risk management.

What is Residual Risk in Financial Crime Compliance

Residual risk is the remaining or leftover risk after implementing the control measures adopted by the business. In terms of financial crime compliance, residual risk is the risk of a business being exposed to financial crime after implementing all measures and controls aligned with the financial crime compliance laws, such as the Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) laws and regulations in the UAE, to control or mitigate the risk.

Compliance with AML/CFT & CPF regulations involves recognising inherent risk and deploying adequate control measures, thus minimising the residual risk appropriately. Residual risk is not eliminated entirely; it reflects the uncertainty that remains even after controls are applied. Businesses must continuously assess and adjust their risk management strategies to address residual risks effectively.

What is Financial Crime Compliance

Compliance, in a general sense, means actions taken by individuals or organisations to follow laws, rules, policies, or guidelines that are expected to be followed. In case of non-compliance, they need to pay a price in the form of financial penalties, legal repercussions, and reputational damage. Financial Crime Compliance is a set of policies, procedures, and practices that the business needs to put in place in order to comply with and follow laws and regulations to prevent and detect financial crimes, such as money laundering (ML), Financing Terrorism (FT), fraud, corruption, proliferation financing (PF), etc.

Difference between Inherent Risk and Residual Risk

Inherent risk and residual risk are key concepts in AML, CFT and CPF risk management, and they represent different aspects of risk within the business. In order to keep residual risk in check, businesses need to implement control measures. To understand the role of residual risk, it is crucial for businesses to know what inherent risk is and how it is different from residual risk.

The following is an analysis of the inherent risk vs. the residual risk based on different factors

How to Identify Residual Risk in AML, CFT and CPF Compliance

Here’s a step-by-step approach to identifying residual risk to help businesses understand and manage their exposure to financial crime effectively.

Identify Inherent Risks

The foremost step is analysing the business’s activities, products, and services to identify areas vulnerable to financial crimes, including ML, FT, and PF. Inherent risk emerges from various factors such as:
  • Customers
  • Countries
  • Delivery Channels
  • Products, Services, Transactions
  • Staff, Third-parties.

Assess Inherent Risks

After identifying inherent risks, businesses need to assess and evaluate the likelihood and potential impact of each identified inherent risk, considering factors like regulatory environment, customer profiles, and geographic exposure.

Prioritise Risks

Based on the assessment, businesses should rank the inherent risks. Such ranking can be based on their severity and likelihood, which would help businesses to focus on those that pose the greatest threat to the business. Risk prioritisation is based on the fundamentals of a risk-based approach (RBA).

Identify Existing Controls

After prioritising the risks, businesses need to identify the control measures applied to fight the identified ML, FT, and PF risks. As part of this, they need to catalogue current AML and compliance measures, including policies, procedures, and technologies designed to mitigate the identified risks.

Evaluate Control Effectiveness

Based on the implementation and application of control measures, businesses must analyse the performance of existing controls through testing, audits, and reviews to determine how well they counter the inherent risks. Only then can businesses actually fill the gaps and analyse control effectiveness.

Determine Residual Risk

After evaluating the control effectiveness, all that is left is calculating the remaining risk, that is, the residual risk. It is determined by subtracting the effectiveness of existing controls from the assessed inherent risks, giving businesses a clear view of the remaining ML, FT, and PF vulnerabilities.

Example of Residual Risk: The Complete Lifecycle

Consider a situation where a Designated Non-Financial Business and Profession (DNFBP) named ABC Corp. needs to conduct an Enterprise-Wide Risk Assessment (EWRA).

Risk Identification

The DNFBP conducts a thorough EWRA by considering factors such as customers, countries, staff and third parties, and identifies risk scenarios to assess which ML, FT, or PF risks may materialise and what form they may take, assessing the impact on the business. The impact on the business was categorised as low, medium, or high based on the loss or damage such risks would cause. Each scenario was then analysed to determine its likelihood of occurrence and resulting impact.

Deploying Control Measures and Analysis of Controls

To mitigate risks identified, the DNFBP, ABC Corp. deployed various control measures such as:
  • AML/CFT & CPF Compliance Framework
  • AML/CFT & CPF Policies & Procedures
  • Systems & Controls.
An analysis of the control measures was then conducted for each scenario identified.

Determining Residual Risk, Assessing Risk Appetite

After implementing these measures, the residual risk for each scenario can be determined.

Evaluating Control Effectiveness and Deploying Additional Measures if Required

The DNFBP, ABC Corp., recognises that while it has taken significant steps to mitigate the identified risks, some risk still exists due to factors beyond its control. ABC Corp. is required to regularly monitor and evaluate control effectiveness.
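The six steps above and the ABC Corp. lifecycle, carried through in code. This is an added example, not the article's or AML UAE's own tooling: the three-point likelihood/impact scale, the rule that independent controls combine as 1 − Π(1 − e_i), the control effectiveness figures, the scenarios and the risk appetite of 2.0 are all constructed assumptions for illustration.

```python
"""Residual-risk worksheet for an AML/CFT & CPF enterprise-wide risk assessment.

Walks the six steps from the article: identify inherent risks, assess them,
prioritise, identify existing controls, evaluate their effectiveness, and
determine residual risk, then compares residual risk with a risk appetite.
All scales, effectiveness figures and scenarios are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed ordinal scale for likelihood and impact (the article uses low/medium/high).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    """A deployed control and its tested effectiveness, 0.0 (none) to 1.0 (complete)."""
    name: str
    effectiveness: float


@dataclass
class RiskScenario:
    factor: str        # customers, countries, delivery channels, products, staff/third parties
    description: str
    likelihood: str    # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Step 2: inherent risk = likelihood x impact on the ordinal scale (1..9)."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def control_effectiveness(self) -> float:
        """Step 5: combined effectiveness of the deployed controls.

        Assumption: each control independently stops its share of the risk, so the
        fraction that gets past all of them is the product of (1 - effectiveness).
        """
        passed_through = 1.0
        for control in self.controls:
            passed_through *= 1.0 - control.effectiveness
        return 1.0 - passed_through

    def residual_score(self) -> float:
        """Step 6: residual risk = inherent risk less the share the controls remove."""
        return round(self.inherent_score() * (1.0 - self.control_effectiveness()), 2)


def prioritise(register: list[RiskScenario]) -> list[RiskScenario]:
    """Step 3: rank scenarios by inherent score, highest first (RBA ordering)."""
    return sorted(register, key=lambda s: s.inherent_score(), reverse=True)


def exceeding_appetite(register: list[RiskScenario], appetite: float) -> list[RiskScenario]:
    """Scenarios whose residual risk is still above the defined appetite, worst first.

    These are the ones where existing controls must be enhanced or new ones introduced.
    """
    over = [s for s in register if s.residual_score() > appetite]
    return sorted(over, key=lambda s: s.residual_score(), reverse=True)


def build_abc_corp_register() -> list[RiskScenario]:
    """Constructed EWRA register for the article's hypothetical DNFBP, ABC Corp."""
    cdd = Control("CDD/EDD policies and procedures", 0.6)
    screening = Control("Sanctions and PEP screening system", 0.5)
    country_policy = Control("Country risk rating policy", 0.5)
    digital_idv = Control("Digital ID verification", 0.7)
    liveness = Control("Liveness check on video onboarding", 0.5)
    return [
        RiskScenario("customers", "Onboarding of non-resident PEP customers",
                     "high", "high", [cdd, screening]),
        RiskScenario("countries", "Counterparties in high-risk jurisdictions",
                     "medium", "high", [country_policy]),
        RiskScenario("delivery channels", "Non-face-to-face onboarding",
                     "high", "medium", [digital_idv, liveness]),
        RiskScenario("staff/third parties", "Reliance on third-party introducers",
                     "medium", "medium", []),   # no control deployed yet
    ]


if __name__ == "__main__":
    register = build_abc_corp_register()
    appetite = 2.0  # constructed: the maximum residual score the board accepts
    for s in prioritise(register):
        print(f"{s.factor:20} inherent={s.inherent_score()} "
              f"controls={s.control_effectiveness():.2f} residual={s.residual_score()}")
    for s in exceeding_appetite(register, appetite):
        print(f"ACTION: {s.description} (residual {s.residual_score()} > appetite {appetite})")
```

Running it shows the point of the lifecycle: the PEP scenario has the highest inherent score (9) but two layered controls bring its residual down to 1.8, whereas the introducer scenario, with a modest inherent score of 4 and no control at all, ends up as the largest residual risk and is the first place ABC Corp. should introduce a new control.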

How to Manage Residual Risk in AML, CFT & CPF Compliance

Managing residual risk in AML, CFT & CPF compliance is very important for businesses in mitigating potential ML, FT, or PF risks. Here’s an approach that lays down the basis for managing residual risk:

Define Risk Appetite

Defining the risk appetite gives clarity on the level of risk a business is willing to take and on its objectives related to financial crime compliance. For this purpose, businesses need to ensure that the risk appetite aligns with the overall business strategy and operational goals, as an appetite that is either too restrictive or too loose undermines the business.

Enhance the Design and Implementation of Existing Controls

It is crucial for businesses to regularly review and assess current controls to identify any gaps and weaknesses. Based on the assessment, businesses need to customise existing controls by aligning them with best practices. When doing so, businesses need to keep in mind the specific residual risk of their business and operations.

Introduce New Controls

As mentioned above, residual risk is the risk after employing effective measures; thus, for managing residual risk, it is essential for businesses to introduce new controls. Such new controls can include implementing new technologies and processes to address gaps identified.

Ongoing Residual Risk Assessment & Monitoring

Conducting ongoing assessments and monitoring of residual risk is essential for maintaining an effective compliance program. This involves continuously evaluating potential risks as new threats emerge and business operations evolve. Using key risk indicators and factors during ongoing monitoring, and employing effective measures for dealing with residual risks, allows for timely adjustments to the compliance strategy.

Continuous Transaction Monitoring

Implementing continuous real-time transaction monitoring systems is key for identifying suspicious activities promptly. Businesses should adopt advanced analytics that can detect anomalies and adapt to emerging patterns of financial crime, including ML, FT, and PF and provide a system to deal with the impact of residual risks.

Businesses need to incorporate insights from monitoring activities into the compliance framework, which allows businesses to continuously adapt and improve. By focusing on these strategies, they can effectively manage residual risks associated with financial crime compliance, enhancing their ability to detect, prevent, and respond to financial crime threats, including ML, FT, and PF.

Staff Training

Staff training is fundamental to an effective compliance program. Regular training sessions should cover compliance procedures, emerging threats, and the importance of individual roles in the compliance framework. Creating awareness through training fosters a culture of compliance, empowering employees to identify any suspicious activities.

Suspicion Reporting and SAR/STR Submission

Managing residual risk is important to keep the business in check. When assessing residual risk, if there is any suspicion, businesses need to promptly report it to their regulatory authorities. Businesses should also keep checking and streamlining the process of submitting Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) on the goAML portal. In doing so, they need to ensure that the submission process is efficient and compliant with regulatory requirements for timely reporting. As part of this, businesses need to look over and manage residual risk by monitoring submission trends that can provide insights for improving the compliance framework.

AML Software

Investing in comprehensive AML software is crucial for integrating various compliance functions. When choosing AML software for managing residual risk, businesses should select a robust and customisable solution, allowing them to tailor it to their specific risk profiles and operational needs. A well-integrated AML solution enhances the efficiency and effectiveness of the compliance program and also continuously helps to identify and manage ML, FT, and PF risks.

Data Analytics

Leveraging data analytics is essential for uncovering hidden patterns that may indicate financial crime, including ML, FT and PF-related crimes. Advanced analytics tools and technology can identify correlations and trends that manual processes might overlook. Regular reviews of these analytics methods will help businesses stay ahead of emerging risks, allowing for proactive adjustments to their compliance strategies.

Health-Checks

Conducting periodic health checks on the compliance program is key to ensuring its ongoing effectiveness. These assessments evaluate whether the current policies, controls, and procedures remain relevant and efficient or if there are any gaps in their effectiveness. As part of health checks, businesses should benchmark against industry standards to identify areas for improvement and enhance overall compliance performance.

Independent Audits

Engaging independent auditors to review the compliance program adds an extra layer of assurance to the AML/CFT framework’s effectiveness. These audits provide an objective assessment of the effectiveness of financial crime compliance measures. The findings from independent audits should be used to drive enhancements, ensuring that the compliance program evolves in response to new challenges.

AML/CFT & CPF Program Review and Enhancement

Regularly reviewing and enhancing the AML/CFT program is a must for adapting to the changing regulatory framework and evolving risks. This includes evaluating existing policies, procedures, and controls to ensure they are effective and up-to-date. Implementing necessary enhancements will strengthen the overall compliance framework.

Industry Collaboration

Collaborating with industry peers provides valuable insights and best practices in managing financial crime risks, including ML, FT, and PF. Sharing information on emerging threats and effective strategies enhances collective knowledge and strengthens the overall industry response to financial crime.

Regulatory Engagement

Active engagement with regulatory bodies is essential for staying informed about compliance requirements and expectations. Businesses should establish open lines of communication with regulators, ensuring that they are aware of any changes in regulations and can adapt their compliance programs accordingly.

Risk-Based Approach in Managing Residual Risk in AML, CFT, and CPF Compliance

The risk-based approach (RBA) requires entities such as DNFBPs to deploy ML, FT, and PF risk mitigation in proportion to the extent of their exposure to ML, FT, and PF risks. RBA can be used to effectively manage residual risk for the following reasons:

Efficient Resource Allocation

By identifying and prioritising residual risks, businesses can allocate resources to the areas that pose the greatest remaining threat, optimising their compliance efforts.

Proactive Risk Identification

Even after controls are in place, a risk-based approach facilitates the ongoing identification of new or evolving risks, ensuring that residual risks are continuously monitored and addressed.

Dynamic Adaptation

Businesses can adjust their compliance strategies in response to changes in the ML, FT, PF, and other financial crime risks, ensuring that residual risks are effectively managed as circumstances evolve.

Enhanced AML/CFT and CPF Compliance

By focusing on residual risks, businesses can enhance their compliance with AML/CFT regulations, ensuring that they remain vigilant even after initial controls are applied.

Greater Agility

The ability to quickly adapt to new information about residual risks allows businesses to respond more effectively to potential financial crime threats.

Informed Decision Making

Analysing residual risks using a risk-based approach provides critical insights that guide management decisions regarding additional controls or modifications to existing ones, enhancing overall risk management.

Regulatory Compliance

Understanding and managing residual risks is essential for demonstrating compliance with regulatory expectations, reducing the likelihood of violations even after implementing controls.

Brand Image Protection

A risk-based approach helps in effectively managing residual risk and helps safeguard the business’s reputation, as proactive measures convey a commitment to ethical standards and compliance.

Tailored Controls

The risk-based approach allows for the development of specific controls targeting identified residual risks, enhancing their effectiveness and relevance.

Focused Training

Training programs can be designed to address the specific residual risks faced by the business, ensuring that employees are prepared to handle these challenges effectively.

Risk-Based CDD

By implementing Risk-Based Customer Due Diligence (CDD) procedures, businesses can focus their efforts on high-risk clients, mitigating residual risks associated with less scrupulous actors.

Transparency

Maintaining a clear framework for understanding and managing residual risks fosters transparency within the business organisation and builds trust with regulators and clients.

Trust

Proactively addressing residual risks reinforces stakeholder trust, as it demonstrates a commitment to effective risk management and ethical business practices.

Challenges in Managing Residual Risk

Here is the list of challenges usually faced by businesses in managing residual risk:

Evolving ML/FT & PF Typologies

ML/FT & PF typologies are dynamic in nature, constantly changing as criminals adapt their methods. This evolution can be driven by advancements in technology or changes in the financial market. As a result, businesses face the challenge of keeping their risk assessments relevant and effective, as outdated information can lead to undetected risks.

Evolving Regulations

Because ML/FT typologies are dynamic, regulations must be amended to combat them, which makes the regulatory environment surrounding financial crimes equally dynamic, with frequent updates and new requirements. Businesses need to navigate a complex landscape of laws, which also vary by jurisdiction. This constant flux in the regulatory framework can lead to confusion and leaves businesses open to non-compliance if they fail to keep pace, which in turn exposes them to ML, FT, PF, and other financial crime risks.

Cross-Border Jurisdictional Differences

For any cross-border multinational organisation, following differing regulations across countries is necessary and can complicate compliance efforts. Each jurisdiction has its own AML rules, which can create a patchwork of requirements that are difficult to manage. This complexity can lead to gaps in compliance and increased vulnerability to ML, FT, and PF risks.

Resource Constraints

Businesses operate under budgetary and staffing limitations, which can hinder their ability to implement effective risk management practices. Limited resources may result in inadequate AML compliance functions and ineffective technology solutions. This scarcity can ultimately leave businesses exposed to ML, FT, and PF risks they cannot adequately address.

Data Silos

Data silos occur when information is isolated within specific systems, preventing a holistic view of risk. This fragmentation can obscure insights and hinder collaboration, making it challenging to identify trends or correlations that could indicate risk. The lack of comprehensive data integration can lead to blind spots in risk management efforts.

Data Quality

Data quality can severely impact risk assessments and compliance efforts. Poor, inaccurate, incomplete, or inconsistent data can lead to misguided conclusions and decisions. Reliance on large volumes of poor-quality data makes it difficult to maintain high standards of data integrity across the AML compliance programme and the measures that implement it.

Legacy Systems

Many businesses rely on outdated legacy systems that may not support current risk management needs. These systems can be inflexible, difficult to integrate with new technologies, and incapable of processing modern data requirements. The reliance on legacy systems can impede the business’s ability to respond to emerging risks effectively.

False Positives

Transaction monitoring systems are prone to high rates of false positives, which can overwhelm compliance teams, leading to inefficiencies and a significant drain on resources. When too many alerts are triggered, alert fatigue sets in, causing critical risks to be overlooked or deprioritised. This reduces the effectiveness of compliance efforts and undermines staff morale.

Staff Resistance

Managing residual risk often requires implementing new controls or procedures, which frequently meet with resistance from staff. This resistance can stem from a fear of change, a lack of understanding of new processes, or the perception that additional compliance requirements increase their workload. Such resistance can hinder the adoption of necessary changes, ultimately impacting the effectiveness of risk management efforts.

Best Practices for Managing Residual Risk

Regulated Entities such as DNFBPs can manage residual risk through the implementation of the following best practices:

Regular Enterprise-Wide Risk Assessments

Conduct comprehensive risk assessments on a regular basis to identify and evaluate potential risks across the business. This proactive approach helps adapt to evolving threats and ensures a consistent understanding of the risk landscape.

Strong Controls

Implement robust internal controls that are tailored to the business’s specific risk profile. These controls should address key vulnerabilities and ensure compliance with regulatory requirements.

Ensuring Control Effectiveness

Regularly test and review the effectiveness of controls to identify any weaknesses. Utilise key performance indicators to monitor control performance and make necessary adjustments.

Automation

Leverage technology to automate routine compliance and monitoring tasks. Automation can enhance efficiency, reduce human error, and allow staff to focus on higher-level analysis and decision-making when managing residual risks.

Ensuring Data Quality

Prioritise data quality through governance practices, validation processes, and regular audits. High-quality data is essential for accurate risk assessment and compliance efforts.

Ongoing Monitoring

Establish continuous monitoring systems to detect anomalies and assess risk in real time. This allows organisations to respond promptly to potential threats before they escalate.

Independent Audit

Conduct independent audits of risk management practices and compliance programs to provide an objective assessment of their effectiveness. Audits help identify areas for improvement and reinforce accountability.

Training and Awareness

Invest in regular training programs to ensure staff understand their roles in risk management and compliance. Foster a compliance culture that emphasises the importance of vigilance and ethical behaviour.

Top Management Oversight

Ensure that senior management is actively involved in risk management efforts. Their commitment and oversight are crucial for setting the tone at the top and ensuring alignment with strategic objectives.

Clearly Defined Policies and Procedures

Develop and communicate clear policies and procedures related to risk management and compliance. This provides staff with a framework for understanding their responsibilities and ensures consistency in execution.

Defined Risk Appetite

Clearly articulate the business’s risk appetite to guide decision-making and resource allocation. A well-defined risk appetite helps align risk management strategies with the business’s overall objectives and ensures a balanced approach to risk-taking.

Future Trends and Development in the Management of Residual Risks


Artificial Intelligence

AI will play a crucial role in enhancing fraud detection and compliance processes. By leveraging AI algorithms, businesses can automate the identification of suspicious activities, analyse patterns, and reduce false positives, ultimately streamlining compliance operations.

Machine Learning

Machine learning models will continuously improve risk assessments by learning from historical data. These models can adapt to evolving financial crime tactics, enhancing the accuracy of predictions and helping institutions stay ahead of emerging threats.

Blockchain

Blockchain technology offers a transparent and immutable ledger that can enhance traceability in financial transactions. Its application can help verify the authenticity of transactions and reduce the risk of fraud, thus strengthening compliance measures.

Robotic Process Automation

RPA can automate repetitive tasks such as data entry and reporting, allowing compliance teams to focus on more strategic activities. By improving efficiency, RPA helps manage residual risks more effectively and reduces the likelihood of human error.

Big Data Analytics

The integration of big data analytics enables businesses to analyse vast amounts of data from various sources. This holistic view helps identify potential risks and anomalies that may indicate financial crime, allowing for proactive measures to mitigate those risks.

Increased Regulatory Scrutiny

As financial crimes become more sophisticated, regulators are tightening compliance requirements. Businesses will need to adopt more robust residual risk management frameworks to meet these evolving standards and avoid hefty penalties.

Public-Private Partnership

Collaboration between public institutions and private businesses can enhance intelligence-sharing regarding financial crime trends. These partnerships can lead to more effective strategies for managing residual risks and improving overall compliance frameworks.

Dynamic Risk Assessment Models

Dynamic risk assessment models will be developed that can adjust in real time to reflect changes in risk profiles. This agility will enable businesses to respond promptly to emerging threats and manage residual risks more effectively.

Scenario Analysis and Stress Testing

Regular scenario analysis and stress testing will become integral in understanding potential impacts of financial crime. Businesses will simulate various scenarios to gauge their risk exposure and develop mitigation strategies accordingly.

Governance Frameworks

Strengthening governance frameworks will be essential for managing residual risks. This includes establishing clear roles, responsibilities, and accountability mechanisms within businesses to ensure effective compliance and risk management.

Conclusion

Regulated Entities must document their assessment of residual risk as part of their AML compliance frameworks, ensuring they remain vigilant and prepared to respond to potential threats. Residual risk is an inevitable aspect of AML, CFT and CPF compliance that businesses must navigate effectively.

Assessing residual risk is a challenging task and requires businesses to implement effective measures using a risk-based approach. Continuous assessment and adaptation of controls, along with a proactive approach to training and technology, are essential in mitigating residual risks.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.
