Comprehensive AML policies, procedures, and controls: Bolstering AML efforts

Do you have a sound and robust plan to comply with the UAE AML regulations?

Are you well-prepared to prevent, mitigate, or manage money laundering and terrorism financing risks?

If you answer ‘YES’ to both these questions, you are doing it right. As a reporting entity in UAE, the government mandates that you follow the AML requirements. To do this, you must create an appropriate AML compliance program. It must contain the policies, procedures, and controls you must implement to reduce the threats of financial crimes.

Moreover, it is also crucial to document it. Once you document it, you are sincere in your approach. Also, all the employees, management, and executives know about the AML measures. People are more dedicated to following rules in a written format. So, write it down for earnest preparation and practice.

You must be cautious of common errors while writing the AML policies, procedures, and controls. These blunders can impact your measures’ efficiency or lead to imperfect compliance. So, to ensure effective AML compliance, follow the best practices.

We list the missteps that you need to be aware of. The missteps, in this case, are generally forgetting to include the necessary points and including the redundant items. If you are careful about them, you can have an impact-creating AML compliance journey.

Let’s look at the necessary inclusions first, followed by the exclusions.

Essential inclusions in AML policies, procedures, and controls

You must follow UAE’s laws and FATF’s recommendations while writing your AML policies, procedures, and controls. This is how you can align with the global AML compliance best practices. The following are the inclusions you must have:

Mandatory regulations to follow

The first thing that needs your attention is the legislation you must follow. You must mention the UAE AML regulations and rules you must follow to achieve compliance.

Ensure that they are up-to-date and accurate for your industry vertical. Also, mention the same for all jurisdictions you operate your business from.

Moreover, you must include the primary provisions to be adhered to over the period – like your annual, semi-annual, quarterly, or monthly compliance requirements. It allows you to track your compliance status with the regulatory obligations.

Goals, objectives, and commitment to AML

Your AML policy must include the significant goals you aim to achieve. These can include achieving AML compliance and improving your business reputation, among others. Mentioning this helps you and your team stay aligned and focused. You can keep striving to achieve those goals.

Prove with words your commitment to this AML policy. Many companies create an AML policy. But not everyone can commit to following it. You must show the steps to follow it and achieve the objectives. Thus, you confirm your intent to detect money laundering risks and take corrective actions.

Risk assessment procedures and system

You must include the risk identification, assessment, and management procedures. This includes listing the potential risks emitting factors like customers, products/services you offer, the geographies to associate with, delivery channels used, etc.

Explain the procedure for identifying the risks under different scenarios. Enumerate the methods you’ll use to assess each risk and assign an appropriate score. Also, describe the possible measures to manage or mitigate these risks.

KYC and CDD measures – list and process

KYC (Know Your Customer) and CDD (Customer Due Diligence) are vital measures for protecting your firm from money laundering threats. It is a way to identify and verify your customers before engaging in business relationships. You must not onboard customers who do not fulfil these requirements.

So, for this, you must mention your business’s KYC and CDD program. You must include information on the following:

What are the documents you need from customers?
What are the criteria for customer acceptance?
When will you perform the necessary checks?
What is your process of due diligence?
How will you verify the information from existing and potential customers?
How the Customer Risk Assessment would be conducted?
What information and risk criteria would be considered for assessing customer risks?
When will you conduct Enhanced Due Diligence (EDD)?
What measures would be applied as part of the EDD process?
How onboarding of Politically Exposed Persons (PEP) would be handled?

All these information points are essential in KYC and CDD measures. You must answer these questions in the AML policy to clarify their execution.

Transaction monitoring process and technology

One factor that enhances your AML compliance is the constant monitoring of transactions. You need it to identify suspicious transactions and prevent their occurrence to reduce your risks.

It would be best if you defined the red flags in your industry to detect suspicious transactions. You must also mention the technology systems or software used for transaction monitoring. Also, define the monitoring rules and threshold for monitoring transactions and its review.

The AML policy must list the actions to take – alerting, reporting, and managing – upon identifying a suspicious transaction. It must also mention the time duration for each action as a rule. In a way, it must clarify the Dos and Don’ts for the team handling transaction monitoring.

Reporting requirements under the law

Submitting reports to the FIU is a significant part of your AML compliance in the UAE. According to the AML regulations, you are required to submit the following reports:

Suspicious Activity Report (SAR)
Suspicious Transaction Report (STR)
Funds Freeze Report (FFR)
Partial Name Match Report (PNMR)
Any other sector-specific report like Dealers in Precious Metals and Stones (DMPSR) and Real Estate Activity Report (REAR)
High-Risk Country Transaction Report (HRC)
High-Risk Country Activity Report (HRCA)

You must list these reports, the relevant formats for each, and whom to report to. You must also mention the deadlines for each to avoid missing them. Specifying the person responsible, expected information to be captured, and the procedure for making reports is also crucial.

Record keeping

The AML policy, procedures, and internal controls must include your record-keeping procedures. It must have:

List of the records you must maintain
Copies of documents submitted to FIU
Format and templates
Mandatory information and data
Duration for maintaining each record
Person/team responsible

All this information is essential to ensuring the teams’ diligence in performing their duties. You might use them anytime in the future to revise AML plans or monitor the business relationship. Also, you can submit them to FIU or any other AML Supervisory Authority to provide necessary information when needed.

Internal communication and reporting workflow

Communication workflow is an essential part of the AML policy but is often ignored. Companies forget to define this segment. But, it is crucial to enable smooth and on-time occurrence of AML activities and tasks.

So, you must define the following:

The reporting structure, specifically for the AML compliance team
The reports and actions that need approvals and from whom
The cycles of feedback and reviews a report will go through
Communication between AML compliance and customer-facing teams
Communication mediums used within the business

A clear definition of these aspects will help streamline the operations.

Details on the Compliance officer and dedicated team

One of your AML policy’s crucial points is the AML compliance team and the AML Compliance Officer. You must mention this in the policy. It must include information on the following:

Name of the Compliance Officer (CO) Rights of the CO and the team Responsibilities and duties of each team member and CO The reporting structure of the team

A clear definition of these points makes it easier for the responsible persons to do their duties. Also, the top management is aware of what is happening in AML compliance in the company. It ensures the company as a whole that practical actions are being undertaken for AML compliance.

A list of the performance metrics

A plan without key performance indicators is incomplete. Since it mentions what you aim to achieve, you must have the metrics to measure its achievement. So, include the performance metrics for your AML policy, procedures, and controls.

It can be something along the lines of:

On-time submission of relevant reports
Accurate identification of suspicious transactions
Adequate completion of risk profiling of customers
Proper creation and maintenance of all records

Training needs of employees and execution plan

A crucial requirement for AML compliance is your employees’ alignment with it. AML can be a new concept for your employees, so their knowledge is vital. Also, AML compliance procedures will change internal operations, so employees must accept the changes.

Your AML policy must include information on all these points. You must list the following:

Different types of AML training programs
Methods of conducting them
Possible syllabus for each program
Duration and frequency of conducting such programs
Change management plans in the business

By mentioning these points, every new and existing employee is aware of the expectations from them. They will know what employee training programs they have to undertake. Also, you get an idea of the relevant execution plan and budget for such programs.

Audit and review strategy for AML policy

Another crucial ingredient of the AML policy is the audit and review strategy. It evaluates your existing AML policies, procedures, and internal controls.

You must have an audit strategy to determine your policy’s accuracy, quality, and completeness. It helps you to know whether the AML policy is sufficient to comply with the AML laws in UAE. This audit and review strategy assesses the following:

Risk assessment procedures
Transaction monitoring systems
KYC and CDD measures you have implemented
Training programs for your employees
Effectiveness and accuracy of reports generated and filed with FIU

Thus, you can know how efficiently your AML policy responds to money laundering threats.

Exclusions in AML policies, procedures, and controls

Impractical expectations

You have your AML goals and objectives to achieve. The AML regulations are in place in the UAE. You know you have to follow them. But that does not mean you will set unrealistic prospects for your business. So, be careful while setting processes, procedures, measures, controls, responsibilities, and commitments.

Duplicate information

Ensure there is no duplicate information while writing AML policies, procedures, and controls. Already, it is a detailed document. If you repeat the same thing, your employees may lose interest. Specifically, don’t mention the detailed laws and regulations in your policy statements. Use them as a reference to explain your point.

Ambiguous and complicated words

Using big, complicated words or jargon won’t help. Your employees will get confused. Ambiguous language might lead to errors, as your stakeholders might misinterpret it.

It’s better to keep it short and straightforward. Using clear language makes it easy for your employees to understand what the AML policy says.

Outdated data and information

Keeping yourself up-to-date with changes is the path to success. It is also the way you can enhance your AML compliance. So, review your policy frequently. Make changes and update it as and when needed to stay aligned with emerging risk typologies and recent regulatory amendments. Keeping outdated information will lead to gaps in your AML compliance.

Negative language

Using too many negative statements will demotivate your employees. Use more positive words. So, talk less about the penalties or legal actions in case of non-compliance. Focus more on how compliance with AML laws benefits you, your country, and the world. This is how you motivate your employees for ethical behaviour and AML compliance.

Your one-stop destination for AML compliance – Niyeahma

So, now you know the significant inclusions and exclusions of your AML policy. Include these in your policies, procedures, and controls for effective AML compliance.

If you are unsure of your AML policy, let us do it for you.

Niyeahma is a reliable AML compliance services provider to businesses operating in the UAE. We help you follow the relevant AML procedures on time. We also help you create a firm AML policy and control system to prevent the effects of money laundering threats. Our services strengthen your fight against the dynamic financial crime scenario. So, if you need any kind of support for complying with AML laws, you can trust us.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

Why is address verification important under AML Customer Due Diligence

Customer Due Diligence is a critical aspect of the Anti-Money Laundering (AML) Program, aiming to identify the customer and the beneficial owners. One essential component of the Customer Due Diligence (CDD) process is obtaining the customer’s address details and verifying the same using reliable, independent sources.

Through this article, we shall explore why address verification is considered an important AML measure to detect red flags and discuss the right approach to adequately complete the address verification measures.

Understanding the importance of Address Verification

The UAE AML laws mandate regulated entities to design and deploy robust measures to combat financial crime. CDD is a crucial AML measure aimed at examining the genuineness of the customer and uncovering money laundering or terrorism financing instances attempts. During CDD, regulated entities must enquire about the customer’s place of domicile, business, etc. It is vital to examine the accuracy of the address details furnished by the customer. Here comes the implementation of the “address verification” process.

Address verification is a check performed to determine the realism of the customer’s address (business or residential). It is important to confirm that the customer can be traced to this address for any transactional correspondence or other requirement.

Address Verification - Necessary to complete the CDD process

The customer identification process is incomplete unless sufficient details about the customer’s location are sought. And merely collecting the customer’s address is not enough. The regulated entities have to ensure that this address exists for real.

The following encounters in the course of the address verification process boost the regulated entity’s confidence in the customer’s identity:

That the customer is cooperative and shared the required details and documents
The documents and information related to the provided address are correct and genuine
Information available to communicate with the customer

With the satisfactory conclusion of the address verification process, the regulated entity can make an informed decision about the customer’s onboarding.

With adequate information about the customer’s location, the entity can spot any potential unusual customer activities, indicating attempts to launder the money or carry out any other financial crime. The risk indicators associated with address can be:

The location of the customer and the regulated entity does not make sense (e.g., too far from the customer’s origin)
Customer’s connection with high-risk jurisdictions
Same address disclosed as correspondence address by multiple customers
Frequency change in the customer’s address (e.g., customer declaring different addresses at the time of each transaction)
Mismatch in the customer’s profile and the address provided (e.g., the customer holds nationality of country A, is working in country B, and the correspondence address offered is of country C)
Discrepancies between geolocation and the IP address associated with the transaction

Further, the address verification process also helps gauge the customer’s possible association with any suspicious activity or terrorist and, thus, enables the regulated entity to carry out customer risk profiling sufficiently.

Consequences of inadequate Address Verification process

When the address verification process is not carried out thoroughly, the regulated entities may unknowingly and unwillingly onboard the fraudsters and financial criminals, trying to penetrate the systems under cover of fake identities. This may open up a platform for criminals to exploit legitimate businesses.

Further, without adequate address verification, the customer risk assessment could have been done with incorrect details (imaginary address provided by the customer), the outcome of which may not be reliable. This may lead to classifying the high-risk customer as low, leading to short due diligence measures being applied to the high-risk posing customer. The incorrect risk profiling also adversely impacts the regulated entity’s ongoing monitoring program, causing unwarranted hiccups in detecting and reporting suspicious transactions.

It does not end here. The address verification is also a regulatory mandate imposed upon the entities as part of AML measures. The regulated entities failing to develop and implement an intense address verification process would be subject to regulatory non-compliance fines. Further, failure to comply with the legal obligations may severely affect the entity’s reputation, leading to a loss of customers’ trust and authorities’ confidence in the business.

It is important to understand that inadequacies in even one of the AML measures can jeopardize the entire efforts made towards compliance. With a flawed address verification process, the customer identification measures would be ineffective, and the risk assessed inaccurate, paving the way for criminals to slip in and hamper the integrity and security of the financial system.

Navigating the right approach to the Address Verification process

Adopting a systematic approach to address verification empowers the entities to develop a holistic customer profile, which is necessary to spot anomalies.

An address verification exercise must involve the following steps to ensure the accuracy of the process and yield the desired results of thoroughly concluding the CDD process:

– Firstly, the regulated entities must obtain the customer’s address details. This includes information about the customer’s residence and business place. In case the customer’s present and permanent address differs, the regulated entity must obtain information about both, as this may impact the invalid assessment of the geographic risk arising from the business relationship.

To ensure the collection of complete details, the entity may have predefined fields in the “Know Your Customer” form, requesting the customer to provide the complete address, including PIN or Postal Code, P. O. Box No., etc., as applicable.

– Having collected the details, the regulated entity must verify the legitimacy of these details using reliable data to confirm that the place exists for real. This may include obtaining a recent utility bill, valid tenancy contract or other documents bearing the customer’s address like the bank statement or the municipal tax records. It is important to note that if reliance is placed on the utility bill or similar documents for checking the authenticity of the provided address, such documents must not be older than three months from the date of carrying out the address verification task.

Additionally, regulated entities like financial institutions may also resort to an alternative approach to verify the customer’s declared address, that is, through using postal services. This can be done by sending some customer’s account-related documents to the given address. If the given documents get delivered, the verification process may be deemed to have been concluded satisfactorily.

In the case of online or virtual transactions, the customer’s IP address must be mapped with the customer’s declared geolocation to rule out any possibility of suspicious activity.

– Maintaining the customer’s address details up-to-date is an essential aspect of AML measures. The regulated entity must ensure the customer database captures the relevant and current address. If there is any change in the address, the revised information and the corresponding documents to corroborate the same must be sought.

– Moreover, to bring effectiveness in the overall Customer Due Diligence process, the address must be mapped with the other identification details of the customer to draw a reasonable nexus between the two and identify if any irregularities exist.

When the address verification process is followed systematically, it complements the entity’s overall AML measures. It enables the regulated entities to adequately assess the customer risk and identify suspicious transactions while adhering to the AML regulations.

Niyeahma – Your partner in combating the financial crime

The regulated entities must develop a customized AML program covering an effective and robust Customer Due Diligence process. And to help you with this, here is your one-stop AML solution provider – Niyeahma. We help the regulated entities assess the business risk and design the CDD framework, highlighting the fundamental elements necessary to complete the customer identification and verification process.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

FATF Travel Rule and Know Your Corresponding VASPs: Key Compliance Requirements for VASP in UAE

The acceptance of virtual assets is rapidly increasing worldwide, including in the UAE. This has resulted in the establishment of a number of businesses – Virtual Asset Service Providers (VASPs), to facilitate virtual asset transactions from one person or wallet to another.

The pace at which the virtual asset transactions are executed and the degree of anonymity involved pose significant financial crime risks for the VASPs. To combat this risk, the UAE AML regulations mandate the VASPs to develop AML programs following the local regulations and FATF Recommendations.

Accordingly, as one of the anti-financial crime measures, the VASPs in UAE must comply with the FATF (Financial Action Task Force) Travel Rule, setting up a mechanism for the smooth exchange of information about the originator and beneficiary amongst the VASPs. The FATF Travel Rule compliance is incomplete without the Know Your Corresponding VASP (KYV) process.

In this article, we shall discuss what the FATF Travel Rule and “Know Your Corresponding VASP” are and how to go about complying with them same.

Understanding FATF Travel Rule

As one of the Recommendations to combat money laundering and terrorism financing risk, the FATF issued international guidelines for VASPs to obtain information about the parties (originator and the beneficiary) involved in the virtual asset (VA) transaction and exchange the same with the counterparty at the receiving end.

FATF Travel Rule aims to create transparency around the customers involved in VA transactions to detect and prevent the exploitation of the virtual asset ecosystem for money laundering and terrorism financing.

What is the FATF Travel Rule?

As one of the Recommendations to combat money laundering and terrorism financing risk, the FATF issued international guidelines for VASPs to obtain information about the parties (originator and the beneficiary) involved in the virtual asset (VA) transaction and exchange the same with the counterparty at the receiving end.

FATF Travel Rule aims to create transparency around the customers involved in VA transactions to detect and prevent the exploitation of the virtual asset ecosystem for money laundering and terrorism financing

What are the core components of FATF Travel Rule compliance?

The VASP must adhere to the following fundamental elements of the FATF Travel Rule:

Collecting the information:

The ordering or the originating VASP (from whom the originator initiates the virtual asset transaction) is required to collect the necessary information about the parties to the transactions.

In addition to the information collected as part of the Know Your Customer process, the VASP must obtain the name and address of the originator and beneficiary of the virtual asset transaction and the identification number of the VA wallets used in the transaction.

In cases where the VASP cannot identify or verify the information about the originator or beneficiary, the transaction must not be executed, and the necessity for reporting the proposed transfer as a suspicious activity must be deliberated.

Sharing the information:

The originating VASP must share the collected information with the receiving or beneficiary VASP when the VA transfer is initiated. Thus, every virtual asset transfer must be accompanied by the originator and beneficiary’s information.

Verifying the customer’s information:

Verifying the collected information is critical. The ordering or originating VASP must use reliable sources to verify the originator’s information. The responsibility of verifying the beneficiary details lies with the beneficiary or receiving VASP before concluding the VA transfer. In the course of verification, the VASPs must check the parties and wallets for association with the sanctions lists or any blacklist or for involvement with any financial crime.

Maintaining adequate records:

The VASPs – sender and recipient – must maintain adequate records of the information collected and exchanged between them. The same must be made available to the authorities upon request.

As part of implementing the FATF Travel Rule, before exchanging information about the customers – originator and beneficiary- the VASPs must first identify the counterparty VASP.

Understanding Know Your Corresponding VASP (KYV)

When the transactions involving virtual assets (digital tokens, cryptocurrencies, Non-Fungible Tokens, etc.) are executed, there could be the involvement of more than one VASP facilitating the transaction (such as virtual asset exchange, wallet provider, VA administrator or custodian service provider, etc.). In such cases, for one VASP, conducting KYV is equally important as the performance of the Know Your Customer (KYC) process.

KYV is also known as Counterparty VASP Due Diligence, focusing on identifying the counterparty VASP and evaluating the potential risk of being exploited in the particular VA transaction involving a given counterparty.

KYV is similar to KYC, with the difference in the party being identified – customer in the case of KYC, while it is corresponding VASP in the case of KYV.

How to implement the KYV process?

As part of KYV, the VASP must identify the counterparty VASP involved in the transactions, including its legal status and ownership and control structure. It is crucial to ensure that the transaction involves an adequately licensed counterparty. To verify the same, necessary documents such as business licenses and corporate documents must be sought.

Further, assessing the level of regulatory supervision, the degree of applicability and compliance with AML regulations by the counterparty VASP is essential. For this, the VASP may request the counterparty’s AML/CFT policies and procedures.

Details about the VASP’s place of operations and the domains managed must be obtained, including information on the volume of high-risk transactions handled by the VASP. Further, wherever possible, the name must be verified with the jurisdictional list of regulated VASPs.

The counterparty VASP and the Ultimate Beneficial Owners (UBOs) must also be screened against the sanctions list and identify any adverse media associated with financial crime.

With the counterparty’s information, a risk assessment must be conducted to identify and evaluate the risk it poses to the business.

The KYV process must be completed before initiating the first VA transfer or sharing customer information.

Best practices to effectively ensure compliance with FATF Travel Rule

The VASP in UAE must consider the following aspects to ensure no originator or beneficiary of the virtual asset transfer is unidentified and collected information is exchanged smoothly, complying with FATF Travel Rule requirements.

Technological support

The VASPs must deploy advanced tools and solutions that enable compliance with Travel Rule requirements. Such technology must be based on some common universal language, which also empowers the smooth exchange of information between foreign counterparties.

Further, the software that supports real-time identification and verification of the customer, originator and beneficiary details must be deployed to overcome the vulnerabilities posed by the speed of VA transfer.

Mandating originator and beneficiary details:

As part of the Customer Due Diligence process, the collection of information about the originator and beneficiary must be mandated. The system must be configured to restrict the VA transfer processing must the originator and beneficiary be identified and reasonably verified.

No VA transfer with the required information:

The VASP must configure necessary rules and logic in the systems itself, ensuring that no virtual asset transfer is initiated without attaching the originator and beneficiary identification details.

Making KYV part of the AML Program:

To ensure adequate compliance with the FATF Travel Rule and identify the counterparty, a robust KYV Program must be designed and part of the AML compliance framework – policies, procedures and controls. This includes defining a comprehensive “Know Your VASP” Form, capturing the relevant fields and completing the same before the information is exchanged with the counterparty for the first time.

Niyeahma - Your professional aid to comply with FATF Travel Rule and KYV requirements!

With years of experience, knowledge of AML regulations and an understanding of the virtual asset segment, Niyeahma is your go-to-partner for your AML/CFT compliance needs. We can assist you in assessing the risk and personalising the AML program, covering policies and procedures around the FATF Travel Rule and Know Your Corresponding VASP compliance.

Together, let’s strengthen the virtual asset network to avoid its exploitation by financial criminals.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

Managing the AML Inspections under UAE AML Laws

The authorities are making various efforts to combat financial crimes – money laundering and terrorism financing and safeguard the stability and integrity of the national and international economy. To create awareness and enforce strict implementation of the AML measures by the regulated entities, the AML supervisory authorities in UAE (e.g., Ministry of Economy, Ministry of Justice, ADGM’s Financial Service Regulatory Authority, etc.) have started inspecting the quality and level of entities’ AML efforts and regulatory compliance status.

This article will discuss the significance of AML inspection and how to effectively respond to the AML inspection notices issued under the UAE AML regulations.

All About AML Inspections

As mentioned above, AML inspection is one of the AML measures adopted by the regulatory authorities to assess the regulated entities’ compliance with the regulations. Not limited to this, the inspection is a powerful tool that assists the authorities in detecting any AML deficiencies in the government’s legislative framework to take immediate remediation measures and to identify any emerging ML/FT vulnerabilities rising in the country.

AML inspection demonstrates the government’s commitment to combating financial crimes. The same attitude towards AML compliance is expected from the regulated entities, and thus, these inspections serve as a signal to the entities that authorities are proactively keeping a watch on the business and their AML efforts.

As part of the AML inspection, the UAE authorities focus on the review of the following:

entity’s assessment of the exposure to the ML/FT risks
completeness and effectiveness of the AML policies, procedures, controls, and systems implemented, including Customer Due Diligence measures
AML awareness amongst the team
Senior management’s support to AML structure

AML Inspections help regulatory authorities check the AML health of the businesses, guide them in improving the AML measures to protect the business and ensure the financial integrity of the entity as well as the country’s financial system.

Being AML Inspection Ready

The AML compliance is not a bridge-gap arrangement, where the Compliance Officer put stretched efforts to develop the AML program and create the documents and information on a post-facto basis, merely to manage the AML inspection.

Instead, the regulated entity must always be inspection-ready. This is possible when there is a well-crafted AML framework for the business, which is seamlessly followed every day by every employee during regular business operations to ensure that the business is protected against potential money laundering and terrorism financing threats and is adhering to the required legal obligations.

The regulated entities must consider the following points to stay compliant and without worrying about the AML inspection:

Maintaining the AML/CFT policies, procedures and controls

The entities must develop customized AML/CFT policies and controls to manage the assessed business exposure to financial crime. This framework must be aligned with the applicable laws and regulations.

This AML program must be periodically reviewed to check its effectiveness in identifying and mitigating the risks. This shall assist the entity in identifying the policies or procedures that need immediate attention.

Periodic review of the AML compliance

The AML Compliance Officer regularly checks the comprehensiveness and quality of the entity’s AML measures and controls deployed. This review should examine the Customer Due Diligence process, ongoing monitoring program, identifying and reporting suspicious transactions, etc.

This review shall allow the AML Compliance Officer to detect any compliance instances or AML loopholes, offering required guidance in enhancing the necessary measures, implementing new controls, or modifying/upgrading the systems.

Adequate AML Record Keeping

The time and resources put into AML compliance can be substantiated only when these documents are presented to the authorities in a legitimate and easy-to-understand way. Only when the information and records are maintained in an organized manner can the same be made available to the inspecting authorities as and when requested.

Immediate submission of the requested documents demonstrates the entity’s ongoing AML activities and dedication to combating financial crime.

Support from employees and senior management

The contribution and support from the employees and the senior management is a must for the successful implementation of the AML Program. The employees, including management, must be trained on the AML policies of the business and made aware of their duties and AML responsibilities. This will ensure that the AML measures are diligently adopted in day-to-day business operations, help the Compliance Officer to strengthen the AML regime and be inspection ready.

Responding to an AML Inspection Notice

It has been observed that the UAE AML supervisory authorities issue an inspection notice over a registered email, generally addressed to the AML Compliance Officer of the regulated entity.

The notice captures the critical information about the inspection officer, the expected inspection date, the records and documents to be submitted for the authority’s desk review, the documents and information that must be made readily available when the inspecting officer visits the premise, etc. The team must respect and adhere to the timelines and data requests mentioned in the inspection notice.

The quality of the inspection notice and the level of clear and transparent communication with the authorities indicates the entity’s commitment to AML compliance.

The following steps must be followed to respond to the AML inspection notice effectively:

1. Nominating the team to handle the inspection

The regulated entity must identify the responsible person who shall manage this inspection – ideally an AML Compliance Officer and, if needed, any team member having adequate AML knowledge to assist the Compliance Officer. The senior management must be intimated about the proposed AML inspection.

If required, assistance from third-party AML professionals and consultants must be sought to avoid misinterpretation of the notice and respond to the notice to the authorities’ satisfaction.

2. Understanding the scope and requested information

The AML Compliance Officer must peruse the inspection notice thoroughly and map the same with the entity’s records. The inspection scope shall assist the Compliance Officer in understanding the areas authorities propose to review and the information to be furnished.

3. Collating the information and drafting the response

The AML Compliance Officer must begin collecting and organizing the requested information in one place. The documents and information must be arranged systemically, which assists the authorities’ review process.

The response to the questions in the inspection notice must be adequately captured, with explicit reference to any attachments.

Here are some of the best practices that must be followed to ensure a smooth AML inspection journey:

The documents to be made available to the authorities must be restricted to the ones requested. Dumping unnecessary files or information may confuse the authorities, creating hardships in concluding the inspection effectively.
There shall be cross-referenced with the serial numbers mentioned in the data request in the notice and the files submitted for review.
The naming of the files, folders and other records must be done appropriately, which enables the authorities to identify the required data set.
Unnecessary delays in submitting the reply or waiting for the deadline must be avoided. Once the requested details are all arranged, they must be promptly shared with the inspecting officers.

4. On-premise inspection

The authorities may choose to physically visit the regulated entity’s office and have first-hand experience with AML measures implemented by the entity. If requested, the Compliance Officer must demonstrate the systems and controls implemented in such cases.

The entity must also ensure that its employees are available and prepared to answer the AML questions posed by the inspecting officers during the interview.

Post-Inspection To-Do

Once the AML inspection is concluded, the authorities identify and document the findings and corresponding recommendations in a report submitted to the regulated entity. The regulated entities must comply with this inspection report to foster the AML program, maintain the reputation and authorities’ trust and avoid regulatory penalties.

The AML Compliance Officer must review the inspection report prepared by the inspecting authorities, understand the authorities’ observations and implement the remedial measures, considering the recommendations, if any, suggested by the officers. This can be related to updating the policy or deploying new AML tools and systems. The AML Compliance Officer must assess the need for AML training in specific areas and design a robust training program.

The senior management must also be involved in this finding resolution exercise. The management must set a deadline by which the gaps must be addressed. A periodic follow-up must be made with the AML Compliance Officer, and a progress report must be sought. If necessary, AML experts must be appointed to enhance the AML program and help implement the authorities’ feedback.

The regulated entity must not leave any stone unturned in ensuring that its AML compliance is absolutely in sync with the law, its business risk and there is no further AML non-compliance.

How can Niyeahma be your legal guide to smoothly respond to the AML inspection notices?

With our years of experience and subject knowledge, we at Niyeahma can offer valuable end-to-end support around AML regulatory compliance, starting from assessing the business, designing and hand-holding the implementation of the AML framework, periodically reviewing the status of the AML program implementation, imparting AML training to the team.

We help you identify gaps immediately, rectify compliance flaws, and assist in managing the required AML records in an organised manner. With this, we ensure that you stay 100% compliant, smoothly handling the AML inspection notices, building authorities’ trust and confidence in your AML efforts.

Let’s make our AML compliance ever-ready for inspection!

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

Sanctions Screening Requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022

Sanctions Screening Requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022

Sanctions Screening Requirements Under IFSCA (AML, CFT And KYC) Guidelines, 2022

The International Financial Services Centres Authority (Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, provides detailed guidance on the Sanctions Screening Requirements for the entities operating within the IFSCA. The IFSCA (AML, CFT and KYC) Guidelines, 2022, apply to every regulated entity recognised, licensed, or registered by the IFSCA and to the regulated entities authorised by it to the extent specified. Further, these guidelines’ provisions also apply to the regulated entity’s financial group to the extent specified in Chapter XII of the guidelines. This article provides essential insights into the sanctions screening requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022.

Apart from the IFSCA (AML, CFT and KYC) Guidelines, 2022, the regulated entities need to pay due consideration to the following laws, rules and regulations:

The Prevention of Money-Laundering Act, 2002
Prevention of Money Laundering (Maintenance of Records) Rules, 2005
The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005
Unlawful Activities (Prevention) Act, 1967 (UAPA)

What Are Sanctions?

Sanctions are restrictive measures countries and international organisations employ to restrict specific geographies, entities, and individuals from carrying out certain activities. The primary aim behind imposing such sanctions is to mitigate various risks related to national security, peace, human rights violations, and illicit activities.

Who Imposes Sanctions?

At the international level, there are various bodies which impose sanctions. Countries sometimes impose sanctions on individuals, entities, and other geographies. The major international bodies imposing sanctions are:

Major International Bodies Imposing Sanctions

The UNSC
The Ministry of Home Affairs (MHA), India – Unlawful associations, terrorist organisations, individual terrorists
Office of Foreign Assets Control (OFAC)
His Majesty’s Treasury (HMT)
The European Union (EU)

What Are The Risks Mitigated By Imposing Sanctions?

Countries resort to the imposition of Sanctions to target and mitigate risks like:

Terrorist Activities
Weapons of Mass Destruction (WMD) Proliferation Activities
Human Rights Violations
The Annexation of Foreign Territory
Destabilisation of a Sovereign Country
Cyber-Attacks

What Are The Various Forms Of Sanctions?

Sanctions take multiple forms, including financial restrictions, trade embargos, and travel bans.

What Are The Various Types Of Sanctions?

Today, sanctions are of various types. The UNSC and various countries have enforced various sanctions to enforce specific restrictive measures to protect their interests. Here is the list of types of sanctions to counter money laundering, terrorist financing, proliferation of weapons of mass destruction and proliferation financing:

Economic Sanctions

The primary purpose behind enforcing Economic Sanctions is to cause an economic impact on the sanctioned individual, entity, or country. Economic sanctions cause ongoing damage to the sanctioned person/entity/country as they increase costs and hardships around trade. Such economic sanctions are enforced in a variety of ways:

Diplomatic Sanctions

Diplomatic Sanctions are political measures a country takes to stop having diplomatic relationships with another country. Such actions include calling off ties with a country, limiting the presence of ambassadors, etc.

Military Sanctions

These trade penalties target a country to discourage its military procurement and financing. Arms embargoes, and military-related trade restrictions are the common examples of such military sanctions.

How Do Sanctions Work?

When the Government of India imposes a sanction, the regulated entities in India must abide by it. Further, the regulated entities have to abide by the UNSC sanctions. They must ensure proper systems and procedures to meet t Sanctions compliance.

Suppose positive matches are found during sanctions screening. In that case, the regulated entities must not proceed with the related transaction and report it to the relevant authorities.

The relevant authorities will then take necessary actions like freezing assets and preventing entry into or transit through India.

Who Must Comply With Sanctions?

As per the IFSCA (AML, CFT and KYC) Guidelines, regulated entities which are licensed, recognised, registered, or authorised by the IFSCA and financial group of the regulated entity to such extent as specified in Chapter XII of the guidelines shall comply with the sanctions screening requirements.

What Is Sanctions Screening?

Sanctions Screening is an important control to counter money laundering and terrorist financing risks. Sanctions screening is a vital element of the Know Your Customer and Customer Due Diligence Process, which helps mitigate ML/TF risks.

Why Is Sanctions Screening Required?

Sanctions screening is required to ensure that the regulated entity does not end up dealing with a sanctioned individual or entity. Further, it is also required to ensure that the risks associated with the high-risk jurisdictions and sanctioned countries are adequately identified, assessed, and mitigated before onboarding a customer or entering into a fresh transaction with such customers.

Money laundering and Terrorist Financing are global menace. They affect countries, companies, and individuals in a variety of ways. By conducting a Sanctions List check before onboarding a customer or entering into a transaction with the customer, the regulated entity could fight and mitigate ML/TF risks. Further, the relevant authorities can be notified, and actions can be taken against the criminals.

It’s a regulatory requirement for IFSC-based entities to perform sanctions list checks as a part of their customer due diligence process.

Who Should Be Screened As A Part Of Sanctions Compliance?

Customers, suppliers, third parties, employees, ships, aircraft, and UBOs must be screened to comply with sanctions screening requirements.

The Importance Of Sanctions Compliance Policy

The reporting entities must have a defined Sanctions Compliance Policy. The sanctions compliance policy helps meet regulatory requirements and identify sanctions-related risks. A formal Sanctions compliance policy helps maintain a uniform way to counter ML/TF/ and PF risk.

A sanctions screening program is a set of written policies and procedures that help you comply with IFSCA (AML, CFT, and KYC) Guidelines concerning sanctions compliance. Further, the sanctions screening program is drafted keeping in view the nature and size of your business, available resources, risk-based approach adopted by your company, regulatory requirements, and international best practices. It provides you with a detailed guideline as to sanctions screening concerning:

KYC and CDD checks
Transaction Monitoring
Ongoing Sanctions Screening
Adhoc Name Screening

Key Components Of A Sanctions Screening Program

1. Governance

The sanctions screening program should lay down a sound governance framework wherein the responsibilities of the principal officer and the top management need to be defined, the program’s overall management needs to be described, and the procedures around it need to be laid down.

2. Risk-Based Approach

The sanctions screening program should revolve around the risk-based approach taken by the firm. The sanctions lists, procedures, and resources deployed should be commensurate with the associated risks and help keep the overall risk within the company’s risk appetite limit.

3. Regulatory Framework

The sanctions screening program should refer to the underlying laws, rules, and regulations. The legal requirements should be clearly mentioned to avoid misinterpretation.

4. Name Screening Procedures

The name screening procedures, whether manual or automated, need to be described, the sanctions lists to be referred to, the procedures related to high-risk customers, and the escalation matrix should be clearly outlined.

5. KPI Based Periodic Review

The sanctions screening program should be reviewed periodically, and a KPI-based review will help understand its efficiency.

6. Technology

The name screening software parameters configuration, access rights, workflow, sanctions database update frequency, etc., need to be identified and outlined.

7. Case Management Methodology

Most Sanctions screening software provides case management functionality where the partial and full hits trigger a notification for the principal officer to intervene, evaluate risks, and decide on onboarding a customer or maintaining a business relationship.

8. Regulatory Reporting

The regulatory reporting requirements around sanctions screening must be clearly defined, along with the deadlines and responsibilities around it.

How Is Sanctions Screening Performed?

The compliance department checks customers, suppliers, employees, and third parties a business deals with against the relevant Sanctions Lists. For IFSCA-based entities, the primary requirement is to screen against the UNSC and MHA lists. However, depending on the regulated entity’s risk-based approach, other relevant sanction lists like OFAC and HMT may also be considered.

When To Conduct Sanctions Screening To Comply With IFSCA (AML, CFT And KYC) Guidelines

The regulated entities must perform sanctions screening before onboarding a customer or entering into a business relationship, and on a periodic basis.

Best Practices Around Timing Of Sanctions Screening

Before onboarding a customer
Before entering into a business relationship
Before making a transaction
During ongoing CDD reviews
Upon change in customer’s information
Upon a change in the sanctions list
On a daily basis

Sanctions Screening Process

Sanctions screening is vital to ensuring that the regulated entity is not dealing with the organisations and individuals sanctioned under MHA, UNSC, and the other relevant sanction lists per the firm’s risk-based approach. The regulated entities follow the following sanctions screening process to counter their ML/TF risks and comply with the IFSCA (AML, CFT and KYC) Guidelines, 2022.

KYC

Here, the regulated entity collects KYC information from the customers. This information, in the case of natural persons, typically includes:

Full name, including any aliases
Unique Identification Number (such as an Identity card number, passport number, etc.)
Date of birth
Nationality
Legal Domicile
Current residential address (other than a post office box address)
Contact details such as personal, office or work telephone numbers.

If a customer is a legal person or legal arrangement, a Regulated Entity shall obtain at least the following information:

The full name and any trading name
Unique Identification Number (i.e., Tax identification number or equivalent where this exists)
incorporation number or business registration number
Registered or business address, and if different, its principal place of business
Date of establishment, incorporation or registration
Place of incorporation or registration

Further, in cases where the customer is a legal person or legal arrangement, a Regulated Entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement. In addition, the Regulated Entity shall also identify and screen the related parties or connected parties of such customers and should remain apprised of any changes to connected parties. For identification of the connected parties, a Regulated Entity shall obtain at least the following information about each related or connected party:

full name, including any aliases; and
Unique Identification Number (such as an Identity card number, passport number, etc.).

The KYC analyst then verifies this information against the original documents and communicates with the customer to fulfil requirements for any missing information or documents.

Screening

Now, the Screening Analyst performs screening of the customer details against the UNSC list and MHA list at a minimum and identifies matches, if any. He also includes other sanction lists like OFAC and HMT as per the risk-based approach taken by the entity. Such screening can be conducted using sanctions screening software, which maintains the latest database of sanctions individuals and entities from various sanctions lists. The screening must be performed when onboarding a customer, entering a business relationship, and periodically.

Investigation

If there are matches while screening a customer, the screening analyst has to investigate such matches and decide if they are true matches. He can refer the case to the risk analyst for false matches for necessary risk assessment purposes. For true matches, the case is forwarded to the principal officer for necessary reporting purposes.

Reporting

The Principal Officer needs to verify the information, and he needs to identify if the positive match concerns Section 12A of “The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005” or Section 51A of the “Unlawful Activities (Prevention) Act, 1967”.

The regulated entity must not carry out a transaction with such designated individual or entity and submit the full particulars of the transaction, funds, financial assets, or economic resources by email, FAX, and Post to the applicable authorities, without delay, i.e. preferably on the same business day but not later than 24 hours in any case. For detailed information on reporting requirements, check Sanctions Screening reporting requirements.

Ongoing Monitoring

Sanctions check is not a one-time exercise. It’s an everyday effort as the sanctions lists are dynamic. Various Name Screening Software available in the market helps regulated entities run scheduled automated screenings. The principal officer is alerted for further due diligence if matches are found.

Duties Of Principal Officer In Complying With Sanctions Screening Requirements

The principal officer, along with the designated director, must ensure that the regulated entity remains compliant with the IFSCA (AML, CFT, and KYC) requirements and that the entity takes the required sanctions screening measures to counter Money Laundering, Terrorist Financing, and Proliferation Financing risks.

Consequences Of A Sanctions Breach

Failure to comply with IFSCA (AML, CFT, and KYC) guidelines severely affects regulated entities. Apart from regulatory fines and penalties, if the entity breaches an international sanction, it will have a far-reaching impact on its ability to do international business.

Manual Screening Vs Automated Screening

The regulated entities can conduct sanctions screening manually or use the software. The manual screening processes are error-prone, as one could erroneously refer to the old sanctions list or overlook a true match. Further, keeping track of ever-changing sanctions lists and conducting screening against them is too difficult.

Automated screening software helps one carry out screenings against the updated sanctions database and perform ongoing monitoring by scheduling a screening.

No matter what screening method is employed, the regulated entities have to maintain proper records around screening to meet regulatory requirements.

Choosing A Sanctions Screening Software

Choosing a sanctions screening software requires due consideration of various factors as it goes a long way in ensuring regulatory compliance with the IFSCA (AML, CFT and KYC) Guidelines, 2022. The right screening software will help reduce false positives, handle high volumes, and provide transliteration functionality.

Sanctions Lists And Obligations

The regulated entity must assess its legal obligations to finalise the name screening software. For IFSCA (AML, CFT and KYC) Guidelines, 2022 compliance, it is necessary that the AML software supports MHA and UNSC lists. Further, it should also support PEP screening and Adverse Media searches.

Integration Capabilities

The sanctions screening software should provide APIs to integrate it with the CRM or KYC software to provide a seamless user experience.

Training

The screening software vendor must provide adequate training around the use of the software and refresher training periodically to keep up with the version upgrades.

Database Refresh

Knowing how often the screening software vendor refreshes his database is essential. The smaller the duration, the higher the quality of the data.

Screening Software Features

The screening software should have a user-friendly interface, reporting capabilities, batch screening functionality, ongoing monitoring capabilities, case management and workflow functionalities.

Vendor Reliability

It is essential to know the vendor’s reliability, which can be judged from various parameters like the number of years in business, reference customers, testimonials, customer support, and the frequency of version upgrades.

Customisation Capabilities

The screening software should be customisable to meet the reporting entity’s unique requirements.

What Are The Challenges In Sanctions Screening?

There are various challenges associated with sanctions screening. Most of them stem from the fact that sanctions are dynamic in nature, and multiple bodies are issuing them.

1. Sanction Lists Are Dynamic

Sanction Lists are dynamic in nature. They keep changing in line with the geo-political tensions, criminal activities, and national and international security concerns. It makes it very difficult for SMEs to keep up with these changes and the regulatory requirements around them.

2. Complicated Sanctions Regime

Sanction regimes are complicated in nature. Sanctions could be imposed on countries, entities, individuals, ships, and aircraft.

3. Technological Issues

Technological solutions helping sanctions screening need to be validated. Most come with a proprietary database aggregating sanctions data from multiple sources. Since no single data source exists, reliability concerns exist around the implemented technological solutions.

4. Difficult To Identify UBOs

It is just too difficult to identify the Ultimate Beneficial Owners and screen them against the sanction lists due to the absence of a corporate registry and foul play by criminals.

5. Multiple Bodies Issuing The Sanctions

There are multiple national and international bodies issuing sanctions. There is no single way to keep track of all of them, and sometimes, it becomes too difficult to implement the same despite one’s willingness to comply with regulatory requirements.

6. Under/Over Screening

Due to a wide variety of sanction regimes, international trade, local laws, and complexity around identifying UBOs, there is always a risk of under-screening or over-screening.

7. Customer Friction

Sanctions screening requires the collection of data before onboarding or concluding a transaction. It results in delays in the execution of a transaction, causing customer dissatisfaction and loss of revenue for businesses.

8. Lack Of Resources

Small and medium-sized businesses often struggle with resources, and sanctions compliance becomes an extra cost for them.

Conclusion

The IFSCA (AML, CFT and KYC) Guidelines require regulated entities to perform sanctions screening to counter money laundering, terrorist financing, and proliferation financing risks. The entries must implement a proper sanctions screening program and screening software to meet the legal obligations

The regulated entities must adopt a risk-based approach and screen their customers, suppliers, employees, and third parties. If any positive matches are found, reporting must be made to the relevant authorities, and records must be maintained for at least 5 years

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

Article India

Common mistakes to avoid while submitting a Real Estate Activity Report

The UAE AML regulations mandate that real estate agents/brokers and lawyers/law firms furnish a Real Estate Activity Report (REAR) on the goAML Portal. REAR is to be filed for reporting the transactions involving the purchase and sale of freehold real estate, where the payment towards property is settled either in cash equal to or exceeding AED 55,000 or using virtual assets or funds converted from virtual assets.

This reporting requirement is the UAE AML authority’s step to track and prevent the exploitation of the real estate sector for money laundering activities – to route the illicit money and make it appear clean. Thus, to contribute towards these AML efforts, it is essential that the regulated entities timely and accurately furnish the required details in the Real Estate Activity Report.

The AML Compliance Officer is the person made responsible for adequate reporting of the specified transaction related to Freehold properties.

In this article, we shall discuss some of the common mistakes made by the entities while submitting REAR on the goAML Portal and best practices that may help avoid these errors, which can assist the AML Compliance Officer in discharging the REAR reporting duties satisfactorily.

What are common mistakes observed while filing a Real Estate Activity Report (REAR)?

Real Estate Activity Report assist the authorities in preventing the misuse of the real estate sector for conducting financial crimes. However, for optimal utilization of the REAR as an AML measure, it is necessary to furnish the details carefully, avoiding mistakes. Let’s understand what common mistakes are observed when submitting REAR on the goAML Portal and the best practices to address the same.

Incomplete or inaccurate details

Furnishing correct and complete details is very crucial to serve the purpose of submitting REAR. The regulated entities must include accurate details about the parties involved in the transaction, details of the transaction (date and time), the location of the property involved, transaction value (property value), mode of payment, etc. must be captured.

Capturing incomplete details and errors in the information furnished are the standard and most frequent mistakes observed in REAR.

Solution

The regulated entity may establish an internal reporting mechanism, developing the standard REAR form for internal reporting. The entity may design and implement a REAR template (as available on the goAML portal), wherein the client-serving team can create a draft REAR ready capturing the required details and submit the same to the AML Compliance Officer for review and final filing of the REAR on the goAML Portal. This will enable adequate workflow, bringing in a maker-checker role to ensure the details’ accuracy while ensuring no required details are missed.

Incorrect or insufficient documents are attached

While filing REAR, the regulated entities should attach the relevant documents like the identity document of the parties, the sale/purchase agreement, UBOs’ identification documents in case of a corporate buyer/seller, etc.

These documents can be helpful to the authorities to understand the transaction better, and if required, these can be used in the course of inquiry or be presented as evidence.

However, the mistake around documentation involves –

not uploading the necessary documents
uploading the incorrect or expired documents
the uploaded documents are not legible or clear

Solution

The regulated entity must have an internal checklist listing the documents to be uploaded as part of REAR filing. These documents must be obtained from the customer (buyer/seller) if the entity is not privy to the same. The checklist can be used to ensure the completeness of the information and documents to be filed with REAR.

Further, before uploading the documents, the legibility of the documents must be verified.

As required on the goAML Portal, the entity should merge the documents into a single PDF file, meeting the size criteria defined on the portal, without impacting the document’s clarity or resolution.

Delayed filing

Currently, the AML regulations in UAE do not provide any timeline within which such REAR filing is to be concluded. In the absence of any specific deadline, the regulated entities generally are seen to delay the filing beyond a reasonable period of time. This may sometimes result in absolutely missing on reporting the specific transaction in REAR.

Only when the transaction is timely intimated to the authorities will the purpose of detecting suspicious activities and preventing attempted money laundering activities be served.

Solution

The regulated entity must understand the criticality of timely reporting of REAR and set an internal timeframe within which the reporting of the designated transactions would be completed on the goAML. For this, the entity may determine a certain reasonable timeframe – such as within two weeks from the trigger event (as prescribed for filing of Dealers in Precious Metals and Stones Report on the goAML report for submitting details of designated transactions involving precious metals and stones).

Additionally, the entity may explore the possibility of deploying necessary technology or tools to review the transactions that require REAR filing and trigger a reminder to the relevant personnel.

Other best practices for effective REAR filing

In addition to the above, the following practices may assist the regulated entity in boosting the AML compliance measures and authorities’ trust in the entity’s AML program when quality REAR are furnished:

Periodic Review of REAR-related processes

It is recommended that the regulated entity conduct a periodic review of the transactions and internal processes to determine whether all the transactions warranting REAR have been furnished. Further, a sample REAR filed during the past period must be verified independently to check the quality and adequacy of the information reported on the goAML Portal.

If any weakness or gaps have been identified in the REAR reporting process, the AML Compliance Officer must immediately address them.

Training on Real Estate Activity Report

The relevant team, engaging with a client or managing the business relationship, must be trained to REAR submission requirements and identify the activities where REAR filing is mandatory. The discussion on internal reporting mechanisms and best practices must be included in the session. The team must also be trained on the details obtained from the customer and maintain the same in an organized manner that assists the Compliance Officer in timely and accurate reporting of REAR.

REAR Documentation

The regulated entities must obtain and retain a copy of the REAR furnished on the goAML Portal and copies of the documents shared with the authorities.

How can Niyeahma assist you in ensuring compliance with REAR filing?

The real estate agents and the law firms must ensure proper REAR submission, as it demonstrates the entity’s commitment towards AML compliance. Let Niyeahma be your partner in REAR submission.

We can assist you in developing an AML framework for the business, including the guidelines for identifying and reporting the transactions triggering REAR filing. These policies and procedures are customized to the entity’s ML/FT risk exposure and business activities, ensuring compliance with regulatory regimes and contribution to protecting the real estate sector against financial crime.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

Common Mistakes by Chartered Accountants in AML Compliance

Chartered Accountants (CAs) manage accounting, auditing, and financial reporting services for clients, set up a company, assist in operating and managing the operations and client’s funds, etc. These services make them vulnerable to the risks of money laundering. In response, you must apply AML measures to manage and prevent risks. However, Chartered Accountants must avoid the most common mistakes during the AML compliance journey.

To avoid these mistakes, you must be aware of them. Our blog helps you with a list of common AML compliance mistakes by Chartered Accountants. The blog explores the applicable AML regulations for practicing Chartered Accountants. It also discovers the red flags the CAs may observe, indicating the potential involvement of money laundering (ML), terrorism financing (TF), and other financial crime risks such as proliferation financing (PF).

AML Regulations Applicable To Chartered Accountants In India

The primary AML laws applicable to Chartered Accountants in India are:

a. The Prevention of Money Laundering Act, 2002 (PMLA)

In this context, it is essential to note that the notification issued under the PMLA provides that the practising Chartered Accountants would be construed as “Designated Non-Financial Businesses and Professions” when conducting financial transactions in relation to the following activities in the course of their profession and on behalf of the client:

buying and selling of any immovable property
managing of client’s money, securities, or other assets
management of bank, savings, or securities accounts
organisation or arranging for any contributions to the creation, operation or management of client’s companies
creation, operation or management of companies, LLP or trusts
buying and selling of business entities

b. The Unlawful Activities (Prevention) Act, 1967

c. The Weapons of Mass Destruction and Delivery Systems (Prohibition of Unlawful Activities) Act, 2005

d. FIU-India’s AML & CFT guidelines for professionals with certificates of practice from ICAI, ICSI, and ICMAI

e. International Financial Service Centre Authority (AML, CFT, and KYC) Guidelines, 2022 (for the CAs registered with IFSCA and practising from IFSC)

f. Several rules and circulars of FIU-India govern their operations in alignment with PMLA

The above regulations and rules require the Chartered Accountants to adopt the following measures for mitigating the ML/FT risks:

Understand your business’s risk exposure by performing risk assessments
Develop appropriate AML/CFT policies, procedures, and controls
Conduct adequate KYC and Customer Due Diligence processes for identifying the customer before onboarding
Screen your customers and employees against sanctions, PEPs, and watchlists
Conduct enhanced customer due diligence of high-risk customers
Perform ongoing monitoring of the transactions and business relationships (customers’ re-KYC during the business relationship and consistency between transactions and overall risk profile)
Appoint a designated director and a principal officer to handle the AML activities
Conduct AML training for employees
File the reports on suspicious transactions to FIU-India
Do not tip off the clients on any suspicious transaction reported to authorities
Maintain records for at least five years (six years for IFSCA-regulated CAs)

You must follow each of these requirements to prevent financial crimes. You can only manage them by avoiding the most common mistakes in AML compliance. Let’s look into these mistakes individually so you can sidestep them.

Mistakes By Chartered Accountants In AML Compliance

The common AML compliance mistakes by Chartered Accountants include the following:

Lack Of Awareness Of AML Requirements

As a practising Chartered Accountant in India, you must fulfil the AML obligations. But how will you follow these requirements if you don’t know them? So, you must have complete knowledge of AML requirements you need to adhere to. Lack of awareness of AML laws is a mistake by CAs in AML compliance.

When you are aware of them, you know what obligations you need to follow. You must understand the activities notified as subject to AML compliance and be in a position to adequately separate the same from the general services which are not included in PMLA.

You must know the deadlines, formats, and procedures of submissions. Also, information on the best practices of each AML procedure – KYC, CDD, transaction monitoring, and others will make your compliance smoother.

So, have a complete awareness of these crucial points of AML.

Forgetting To Take A Risk-Based Approach To AML Compliance

The Indian AML regulations need you to conduct business risk assessments. Herein, you identify the risks to your business from:

Customers
Transactions
Geographies/jurisdictions
Nature of services (specifically the ones included in the definition of the “Designated Non-Financial Businesses and Professions” of the PMLA)
Delivery channels

Take a risk-based approach to determine appropriate AML measures based on these risks. These AML measures must align with your AML requirements. These measures help you prevent, manage, or mitigate the identified risks.

If you forget to take a risk-based approach, you treat all risks equally. That means you are making the same efforts in fighting them. It does not make sense if you conduct the same procedures for high-risk and low-risk customers. So, forgetting to take a risk-based approach to AML compliance is a critical mistake by Chartered Accountants in AML compliance.

Not Aligning The AML Policies With The Regulatory Expectations

You create your AML policies per your requirements under the AML laws. This is what alignment with regulatory expectations means. If you don’t align, it might lead to non-compliance. Maybe more money laundering risks, a drop in your reputation, and financial instability.

So, the lack of alignment of AML policies with regulatory expectations is a mistake by Chartered Accountants in AML compliance.

When you align them, you achieve the following:

Compliance with regulations saves you from fines, legal sanctions, and reputational damages.
Commitment to ethical business practices, integrity, and transparency, improving credibility.
Global AML compliance, leading to international cooperation and business expansion possibilities.
Prevention of risk exposure to money laundering, proliferation financing, and terrorism financing.
Reduction in illicit money flow, resulting in financial stability and integrity.
Better management and mitigation of risks affecting your business.
Enhanced collaboration and cooperation between entities, regulators, and stakeholders against financial crimes.

So, alignment with regulations is necessary for all these benefits to your business, country, and the world.

Disregarding Client Acceptance Principles

What’s the purpose behind conducting KYC and CDD? It’s about knowing your customers better. Know their identities, addresses, sources of funds, beneficial owners, and other details. All these details help you spot suspects.

But before this, you must define your customer acceptance. You must know what levels of information on each criterion make a customer acceptable. And what indicators in customer data points make them unacceptable. For example, customers from sanctioned countries are not okay. Customers from jurisdictions with weak AML measures are okay but subject to specific stringent AML measures.

So, you must define the criteria for accepting and rejecting a client, adopting a well-defined customer risk profiling methodology. You must take a risk-based approach to it. Consider their business’s nature, complexity, volume and frequency of transactions, reputation, and other factors. Also, regular tracking of these factors helps you consider the changes.

Missing it means you take a judgment call on a case-to-case basis. You might turn out to be wrong in some of the cases. So, disregarding a clear definition of client acceptance principles is a mistake by Chartered Accountants in AML compliance.

Neglecting Proper Procedures Of KYC, CDD, Screening, And Transaction Monitoring

One essential way of achieving AML compliance is the seamless performance of KYC, CDD, and transaction monitoring. If you commit to these processes, you can generate desired outcomes pertaining to uncovering the identity of the customer and the risk they pose to the business. So, make it a practice to execute proper KYC, CDD, and screening procedures. Neglecting these processes is a common mistake in AML compliance by CAs.

With KYC and CDD, you can know your customers better. So, ensure that you perform these processes diligently. Collect all the possible details. Verify them with customer-submitted documents and other third-party sources. For customer screening, consider the latest watchlists of sanctions, PEPs, and terrorists. Match them according to all criteria to get accurate results.

Similarly, define your method well for ongoing transaction and business relationship monitoring. Determine the transaction rules based on the red flags or warning signs of suspicious transactions. Only with proper, well-defined processes can you achieve the desired outcomes.

Absence Of Knowledge Of The Red Flags Of Suspicious Transactions In Your Business

The nature of accountancy and audit business makes it vulnerable to money laundering. Your association with clients for financial, advisory, and legal matters exposes you to financial crimes. There are specific factors that are warning signs of these risks. You must be aware of these warning signs of the danger of illicit activities.

Ignorance of this factor is a mistake in AML compliance by Chartered Accountants.

So, you must know the common and industry-specific red flags, like:

The unusual nature of the transaction, inconsistent with the client’s profile
Large-sized transactions with no apparent reasons
Unusual patterns in a transaction/s, varying from the usual ones
Complex business structure
Reluctance to answer your questions on transactions or identities
Clients from high-risk industries or geographies
Use of shell companies for several transactions
Inaccurate or fraudulent documentation
Client avoiding face-to-face meetings
The client is a PEP or related to a PEP
Client with unexplained sources of wealth

All these are crucial factors for you to know about. Knowing them lets you spot suspicious transactions and take further action.

Overseeing The Need For Timely And Format-Specific Submission Of STRs

The PMLA Act and the guidelines require CAs to file STR via their statutory regulatory bodies (SRBs), i.e., the Institute of Chartered Accountants of India.

You must submit these reports in the required format with all the necessary details. You must report these transactions immediately once suspicion is identified. It can be a suspicious transaction or only an attempt at it, irrespective of the value involved.

So, the rule requires you to submit accurate, complete, and on-time STRs. Failing to submit STRs on time or submitting inaccurate or incomplete STRs is a common AML compliance mistake by Chartered Accountants.

Tipping Off The Client On STR Filed To FIU-India

The PMLA Act, IFSCA Guidelines and other regulations do not want the clients to know about STRs filed against them. If you tip off the client before or after filing the STR, they will try to save themselves.

So, avoid informing the client about any STR filing against their transaction. If you think the client might get an inkling of the suspicion by collecting more details during due diligence, avoid doing that. Just collect all possible transaction details and file an STR to FIU-India. Tipping off the client would be a lapses by Chartered Accountants in AML compliance.

Ignoring The Periodic Review Of Policies, Due Diligence, And Risk Assessments

Your AML policies cannot stay stagnant. You must change them with respect to changes in regulations and other factors. So, ignoring the periodic review of AML policies is a common mistake by CAs in AML compliance.

Reviewing them keeps them up-to-date with the ever-changing regulatory requirements and growing business practices. You must keep them relevant to the changes in risks and threats to your business. Thus, reviews make you move in the right direction of compliance and risk management.

Moreover, by regular reviews, you can identify weaknesses and gaps in AML compliance. Thus, you can improve your AML policies to remove the gaps and improve their effects on financial crimes. You make them more productive, efficient, and robust.

Forgetting To Maintain Documentation And Records

Whatever you do for AML compliance – the activities – are also critical for future use in your AML compliance journey, like your KYC, CDD, transaction monitoring, risk assessments, and customer screening. These are the proof of your compliance with AML requirements. So, saving their records and documents is crucial.

You must maintain these records for five years after the business relationship or transaction ends (this minimum period for record-keeping is six years for entities registered with IFSCA). Also, maintain them in proper format and in a manner that enables easy access and retrieval. Generally, authorities refer to these records during audits and investigations. Also, you might need them to check a customer’s past risk profile or other details.

So, forgetting to maintain proper documentation of AML measures is a common AML compliance oversight by Chartered Accountants.

These are the common mistakes by Chartered Accountants in AML compliance. You must avoid committing these mistakes in your AML compliance framework. This is how you can improve your AML efforts and prevent financial crimes. If you need an AML consultant to help you in your journey or advice on the best AML measures for your business, AML India is right here.

AML India – Your Partner For Professional AML Consulting Services

AML India leads you on the path of AML compliance in India. We identify your AML requirements and provide our proven solutions and services for compliance. You can take your AML efforts to the next level by associating with us. This is possible through our services of:

Creating and implementing AML policies, procedures, and controls
Performing KYC, CDD, and screening of customers
Monitoring transactions
Imparting AML training to employees
Identifying suitable AML software solutions for your business

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

Article India

AML Case Management Software: Significant element of AML Compliance

With changing times where automation is impacting every aspect of business, anti-money laundering is no exception. The regulated entities in UAE – Financial Institutions, DNFBPs and Virtual Asset Service Providers (VASPs) must implement adequate financial crime risk mitigation framework to safeguard the business and comply with the applicable regulatory landscape. In this pursuit, the entities are moving towards AML Case Management solutions to bring efficiencies and effectiveness to their fight against money laundering and terrorist financing.

In this article, we will understand what AML Case Management software is and how it can revamp the face and quality of the entity’s AML efforts.

Understanding the AML Case Management Software

With emerging ML/FT trends and newer and more sophisticated methods, the timely identification of financial crime attempts is becoming challenging. In such situations, robust AML case management software can be a saviour for regulated entities to prevent financial crime vulnerabilities and avoid regulatory non-compliance consequences.

What is AML Case Management Software?

AML case management software is a platform offering automated capabilities to the regulated entities to efficiently manage the entire AML compliance cycle – from Customer Due Diligence to monitoring the transaction and identifying the potential suspicious transactions.

AML case management software is a comprehensive solution developed using advanced technologies, like artificial intelligence and machine learning, to facilitate regulated entities to navigate the AML compliance journey smoothly.

What are the Core Features of AML Case Management Software?

The following are the core features or functionalities of a robust AML case management software that fosters the AML compliance program of any regulated entity:

Customer Due Diligence:

Identification and identity verification of the customers and the beneficial owners, screening, and customer risk profiling to determine the nature and degree of the Customer Due Diligence (CDD) measures to be applied.

The CDD module of the AML case management solution is fundamental to identifying and preventing any potential financial criminals from sliding in and exploiting the business for laundering illicit funds. CDD functionality assists the regulated entities in determining the risk profile of each customer and business relationship and the CDD measures to be applied, considering the outcome of the customer identity verification and the screening against sanctions and other relevant databases. It will help in the optimal utilisation of resources, adopting the risk-based approach.

It is not a one-time activity. Instead, the AML case management solution comes in handy in KYC remediation and periodic review of the customer’s profile, including tracking the changes in the customer’s identification details.

Transaction Monitoring and Alert Management:

Real-time processing of a huge volume of financial transactional records and generating alerts for potential suspicious transactions or any unusual trend.

The AML case management software supports continuous monitoring of the transactions to detect anomalies and suspicious trends in customer activities and promptly flag the same basis the predefined rules and logic. The power of technologies like machine learning and blockchain reduces false positive alerts, allowing more time for the compliance team to focus on genuine suspicious warnings. This can be used to prioritise the alerts generated based on the nature or count of deficiencies or suspicions observed and help the entity address these alerts efficiently.

Managing the Alert Investigation Workflow:

Structured methodology and approach to investigate the flagged transactions, ensuring accuracy and consistency in the review process.

As the name suggests, the AML case management software enables the entity to manage the workflow of any alert as a “case”, starting from alert generation to its disposition, including thorough investigation capabilities. The software guides the compliance team to gather the flagged transaction-related data at one point and critically review the same. Case management software enables systematic analysis of the alerts, maintaining the audit trail and necessary records.

The standardization approach in investigation enables evaluation of all the critical information, ensuring that no ML/FT attempts go undetected and, simultaneously, no efforts are wasted on genuine transactions flagged as suspicious.

Collaboration amongst the team:

Facilitating smooth communication and coordination among various teams involved in AML compliance function.

For managing the AML compliance function effectively, collaboration and integration of various business functions are crucial – such as customer relationship manager, customer service executive, the finance and accounts team and, importantly, the AML compliance team. AML case management software enables a seamless exchange of information between the concerned teams, allowing the timely disposal of the case, be it a transaction monitoring alert or CDD process during customer onboarding.

Serves as Document Management System:

Maintenance of AML records in an organised manner, with utmost security and easy retrieval.

AML case management software is a document management system that retains the records and information in a tamper-proof system. The regulated entities can use this as an audit trail to check the progress and disposition of the alerts.

Further, it also acts as a single data repository of all AML-related documents and information, including CDD files and customer documents, transaction-related information, and records, including alerts generated and suspicions observed.

AML Reporting and Analytics:

Capabilities to generate AML reports required for submission with the AML authorities or for internal management to draw insights around AML compliance.

AML case management software empowers the regulated entities to generate AML reports required to be filed on the goAML portal – such as Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs), transactional reports like Dealers in Precious Metals and Stones Report (DPMSR) or Real Estate Activity Report (REAR), sanctions related reports like Fund Freeze Report (FFR) or Partial Name Match Report (PNMR).

Not limited to regulatory reporting, the AML case management solution can also offer capabilities to extract insights into an entity’s AML compliance. This may include information about the customers and their risk profile; the transaction flagged as suspicious and the outcome of the investigation; the number of reports filed with the Financial Intelligence Unit during the period; the ML/FT related trends and patterns, enabling Compliance Officer and the management to determine the actions to enhance the relevance and quality of AML efforts.

What factors should be considered while evaluating AML Case Management Software?

The selection of the right AML case management software is significant for advancing the AML compliance program of the entity. Thus, the entity must consider the various factors while identifying the right fit for the AML function, such as:

The solution must be feature-rich, aligned with the applicable AML regulations and offer necessary customization to work in tandem with the entity’s business operations. This requires the software to support the end-to-end AML compliance journey of the regulated entity, including AML reporting and analytics.
The module interface must be intuitive and user-friendly – easy to use and navigate. It is necessary to ensure that the software boosts compliance efficiency and productivity rather than attracting resistance from the users owning to its complex functioning mechanism.
Integration capabilities of the software, the integration between the existing system and the AML case management systems is essential for seamless transfer of data for ensuring completeness and accuracy of the data relied upon for AML compliance.
The software must be easy to scale as and when the volume and complexity of the customers and transactions increases. The solution must be capable of handling the evolving regulatory amendments and new AML compliance obligations.
The software must adhere to robust information security standards that can protect the entity’s sensitive and confidential information.

All the points mentioned above must be well considered while evaluating the AML case management software, including the pre- and post-implementation support for its successful deployment and implementation.

What are the benefits of AML Case Management Software?

The following points highlight the significance of AML case management software:

It streamlines the AML compliance activities and automates the manual tasks, improving compliance efficiency and reducing human errors.
Timely detection of the red flags enables the entity to implement necessary risk mitigation procedures.
Structure planning and deployment of resources to manage the risk, using risk-based algorithms and reduced false positive alerts.
Compliance with the UAE AML regulations, avoiding non-compliance consequences like imposition of fines, damage to the business reputation and loss of customer trust.
Provide actionable insights on AML compliance to the AML Compliance Officer and the senior management, highlighting the areas that need immediate efforts for strengthening the AML controls.

How can Niyeahma help you bring in the benefits of the AML Case Management Software?

AML case management software can be an excellent tool for regulated entities looking to upgrade their AML compliance structure. And Niyeahma is here to help you select the right AML case management solution. We understand your business operations, identify the AML compliance obligations and map them to the required AML capabilities to ensure compliance and protection against ML/FT vulnerabilities.

Let’s leverage the power of AML case management solution to detect the ML/FT attempts and timely prevent them before they influence the economy.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

Suspicious Transactions around Precious Metals and Stones: Timely Identification and Reporting

To prevent the misuse of the precious metals and stones sector, the UAE authorities have brought the sector under anti-money laundering regulations. These AML regulations mandate the Dealers in Precious Metals and Stones (DPMS) implement necessary measures and controls to detect unusual transactions and activities appearing as an attempt to launder funds through the sector and immediately report the same to the Financial Intelligence Unit (FIU).

Precious metals like gold, platinum and precious stones such as diamonds and pearls have been common typologies exploited by money launderers to circulate illicit funds through the layers and make it look like they were generated from legitimate sources. Awareness of the anomalies and uncommon activities is critical for the DPMS to spot the red flags promptly and take necessary actions to prevent the laundering of funds through precious metals and stones.

In this article, let us discuss some unusual transactions that trigger an alert, internal and external reporting mechanism, and some of the best practices the dealers in precious metals and stones must adopt.

Identifying the Unusual Transactions involving precious metals and stones

Identifying suspicious transaction patterns is essential for the DPMS to protect their business from being misused for routing illicit money through the precious metals and stones mode. The UAE AML regulations mandate that dealers in precious metals and stones develop and implement a robust monitoring system to detect unusual transaction patterns and customer behaviour inconsistent with their risk profile.

One important aspect of detecting unusual transactions is knowledge of the common methods through which the launderers can exploit the industry. Only when the DPMS is aware of such trends and techniques can they be cautious towards the customer’s buying and selling activities to recognize the financial crime signals. Some of the commonly observed methods to be used by criminals to launder the funds are:

Structuring of transactions

The customer undertakes multiple weekly cash transactions, each valued between AED 50,000 and AED 53,000. This red flag indicates the customer’s intention to avoid the reporting threshold.

Involvement of high-risk jurisdictions

Frequent transactions where payment is released through a bank account located in high-risk jurisdictions.

Inconsistency with the nature of business activities

A corporate customer is making high-value purchases of precious metals with no logical connection with the business activities it is engaged in. For example, a non-profit organization buying diamonds.

Sudden change in the volume and value of transactions

A regular customer (in the case of a B2B business relationship) suddenly purchases double the value it has typically been undertaking without any economic rationale.

Abnormal customer requests for precious metal conversion

The customer makes an unusual request to convert precious metals like gold into ordinary objects to disguise the identification of gold.

Series of transactions in different names

The same person carrying out multiple transactions involving the purchase of precious metals furnishing different identity documents claimed to be close relatives. Though appearing genuine initially, it is a red flag suggesting an attempt to launder huge cash with forged IDs and fake names.

Mismatch in the transaction value and the customer’s financial profile

A customer makes transactions worth value beyond the ordinary means of the customer, as identified by a review of the customer’s financial document.

With awareness of the gaps comes the approach to staying vigilant to detect unusual transactions and prevent money laundering and terrorist financing.

Reporting of Suspicious Transactions involving precious metals and stones

The AML regulations in UAE provide that the regulated entities, including the dealer in precious metals and stones, must report the identified red flags to the Financial Intelligence Unit without any delay. To comply with this regulatory reporting requirement, the DPMS must adopt a thorough and systemic approach, following the below steps:

1. Preliminary inquiry to determine the nature of suspicion

Once the frontline employee, upon detection of any unusual activity or risk indicator, must make further inquiry into the matter. This inquiry may involve reviewing the customer’s profile, past transaction history, etc. If required, the employee may seek clarification or further details from the customer, but subject to compliance with the “non-tipping off” requirement.

The employees must evaluate the matter diligently to avoid sending unnecessary reports to the AML Compliance Officer, which, upon preliminary investigation, turns out to be genuine and legitimate activity.

2. Intimation to the AML Compliance Officer

If the employee has reasonable grounds to believe that the suspicion still prevails even after investigation and requires escalation to the AML Compliance Officer for further investigation, it must intimate the matter to the AML Compliance Officer. Such reporting or intimation to the Compliance Officer must be in writing, capturing the necessary details about the transaction, why the employee considers the subject activity or transaction suspicious, parties involved, and other details and documents necessary for the Compliance Officer to investigate the suspicion further.

3. Independent investigation by the AML Compliance Officer

Upon receipt of the internal report on observed suspicion from the employees, the AML Compliance Officer must attend to the matter immediately and independently review the facts to determine the legitimacy of the suspicion and the suspected transaction/activity. The investigation’s basis and the review’s outcome must be well documented. If the Compliance Officer believes that the transaction or activity is suspected of involving money laundering or terrorism financing, the reporting shall be done with the FIU by filing the Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR), as the case may be.

However, if the Compliance Officer is of the view that the transaction is genuine and does not involve any proceeds of crime, then such a decision must be recorded along with the rationale for the same.

4. Reporting the suspicion to the Financial Intelligence Unit (FIU)

Having determined the suspicion, the AML Compliance Officer, also known as the Money Laundering Reporting Officer, must immediately file the relevant report to the FIU, furnishing information about the parties suspected, the nature and value of the transaction, red flags observed, action taken by the authorities, etc.

Following a robust and systematic reporting mechanism, the DPMS can ensure timely and quality reporting of suspicious situations to the FIU.

Best Practices to avoid exploitation of precious metals and stones for financial crime

For effectively handling the identification and reporting of unusual transactions, here are a few best practices the dealers in precious metals and stones must adopt:

Adequately documenting the red flags

To assist the employees in understanding the unusual transaction patterns and detect the risk indicators, it is recommended that the DPMS have a list of red flags relevant to the business and circular amongst the team. With a list of potential risk indicators handy, identifying unusual transactions and evaluating the same to confirm the suspicion becomes quick and efficient.

Implementing tools and technology

When the number of customers visiting the jewellery showroom and the volume of transactions is too huge, deploying the right tools and software always proves to be the backbone of AML compliance. The emerging technologies, having data analytics capabilities, can review the transactions in real time, detect the patterns and trends that appear uncommon for the business, and generate alerts for the team to review further.

This will filter out the false positive alerts, allowing the team to focus more on the disposition of the genuine red flags.

Staying updated on the emerging trends and ML/FT typologies

The AML Compliance Officer of the DPMS must stay up-to-date on the evolving ways criminals could exploit the precious metals and stones industry. This knowledge would be crucial to proactively implement the necessary controls to detect such attempts and prevent business exploitation through innovative laundering methods.

Designing internal SAR/STR forms

To ensure accurate and comprehensive reporting, the DPMS must design internal STR/SAR forms. This shall ensure consistency in the details furnished by the frontline employees to the Compliance Officer without missing any critical information.

Furnishing complete and accurate details to the FIU

The AML Compliance Officer must ensure that the report filed with FIU has relevant, complete, and accurate information, which helps the FIU to analyze the possibility of money laundering or terrorism financing and make sure that necessary actions are initiated against the culprit.

Moreover, the Compliance Officer should avoid unnecessarily flooding the FIU with false alerts, reported just for the sake of reporting without diving into the actual nature of suspicion.

Conducting necessary training

Training is pivotal to imbibing a sense of awareness in the team toward identifying and handling unusual transactions. Adequate training on suspicion transactions promotes employee accountability, enabling them to detect and respond to the observed red flags effectively. Education around the internal reporting mechanism must be ensured to empower the team to manage the internal suspicious reporting requirement skillfully.

The above-mentioned best practices around identifying red flags and reporting thereof would offer a competitive edge to the DPMS to detect the red flag before it significantly impacts the business and stay AML compliant.

Let Niyeahma assist the DPMS sector in timely detecting and reporting suspicious activities!

A thorough understanding of the red flags and awareness of its reporting process is fundamental in detecting and reporting suspicious transactions. With our team of professionals at Niyeahma, we assist the dealers in precious metals and stones in UAE in designing the AML framework, including the list of sector and business-specific ML/FT typologies, and developing the standard reporting system to help the team in timely and accurately reporting the observed red flags to the AML Compliance Officer. We also impart training to the team on identifying and reporting suspicious transactions discussing case studies to bring a practical aspect to the learning.

Let’s unite to maintain the integrity of the precious metals and stones segment!

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE

AML Risk Assessment before launch of a new product or service

The regulated entities in the UAE are required to assess the overall exposure of the business to financial crimes. For this, the Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) must conduct the Enterprise-Wide Risk Assessment (EWRA) considering the relevant risk factors. One critical scenario that impacts the business’s ML/FT risk is the potential of the new products or new practice areas being exploited by the criminals for laundering illicit money or financing terrorist activities.

When the regulated entities evaluate the risk associated with the new products or services, it would be possible for the entities to develop and deploy the necessary risk mitigation measures.

Through this article, let’s explore what business risk assessment is, the significance of assessing the ML/FT risk before introducing any new business practices, products, or services, and the best practices to assess this risk thoroughly.

Understanding the AML Risk Assessment

An AML Business Risk Assessment is an exercise conducted to evaluate the potential threats to the entity’s business operations, considering the overall profile in terms of customer base, business model, geographies in which the entity operates, the nature of products or services offered, the size, volume, and complexity of the transactions, the delivery channels and distribution methods used by the entity.

The EWRA includes the following sub-processes:

Identifying the risk factors and the relevant risk scenarios that impact the business
Determining the likelihood of the risk scenario materializing, its frequency, and the extent of the impact it can have on the business (this is an inherent financial crime risk the business may face)
Mapping the controls needed against these risk parameters (whether already in place or any additional controls or systems are required)
Analysing the strength and effectiveness of these controls
Assessing the residual risk and comparing the same against the entity’s management-approved risk appetite

The assessed risk gives insight to the regulated entity on the potential vulnerabilities and the risk mitigation measures required to overcome these risks or at least minimize the impact.

This understanding helps the entity to determine the resources required and its optimal allocation based on the severity of the risks. Moreover, EWAR forms a base for the entity for designing the internal AML/CFT policies, procedures, and controls to stay safe and compliant with AML regulations.

AML Risk Assessment before launch of a new product or service

Development and launch of a new product or service bring a good business opportunity but may expose the business to newer types of financial crime risks. Thus, the regulated entities must evaluate the potential ML/FT vulnerabilities that may surface exploitation of the new products or services. With timely assessment of the associated risk, the regulated entities can proactively determine the mitigation measures required before the financial criminals misuse the newly introduced offerings.

The regulated entities must have systems and procedures to track these regulatory changes impacting the entity’s compliance obligations. This can be achieved with the AML Compliance Officer’s active participation in the authorities’ conducted webinars, subscribing to any professional network to receive update notifications timely, and attending AML-specific industry study groups or conferences.

Best practices to be followed for assessing the potential ML/FT vulnerabilities associated with new product or service

Involving AML Compliance Team in product/service design

The product or service development team must involve the AML Compliance Officer while discussing the design and development aspects. The AML Compliance Officer’s feedback can prove valuable in managing the product design in a way that reduces the risk possibilities.

The Compliance Officer’s understanding of the AML regulations would help the entity develop a product or practice that meets the compliance requirements without specifically providing options to the criminals to place the illegal funds into the economy.

Identify the risk scenarios

The regulated entity must evaluate the possible circumstances of how the criminals can exploit the new product or services for money laundering or terrorism financing. The entity may refer to ML/FT typologies associated with similar products/services. Reference should also be made to reliable data sources publishing the information and statistics about the financial crime vulnerabilities faced by peers offering the same or similar products.

Further, the regulated entity may also rely on emerging technologies like Machine learning or Big Data to study the existing data, draw patterns, and highlight the expected risks from recently established products or services.

For example, if a dealer in precious metals and stones plans to start an eCommerce portal for selling the jewellery online. Before making this portal live, the dealer must consider the ML/FT threats, such as the possibility of criminals making multiple transactions of smaller values using different IDs or fake IDs, to what extent the online portal would favour anonymity or provide an opportunity to criminals to conceal the actual beneficiaries, etc.

Assessing the nature and degree of controls required

Once the risk associated with new products and services is identified, the regulated entity must determine the risk mitigation measures required for such risks. The nature of controls and systems needed to be well documented against the identified risk parameter and how effectively these controls can tackle the risks.

Continuing the above example, if the dealer in precious metals and stones is planning to accept the payment in virtual assets, then the entity should have controls around screening the virtual assets wallets or identifying the geolocation of the party to avoid exploitation by criminals from high-risk jurisdictions.

Creating awareness and training the team

It is essential to onboard the senior management and the staff on this new products/services AML journey. The regulated entity must impart required AML training to the team around potential risk situations that may arise with these products/services, the modified systems and controls implemented, and the expected role of the employees in managing the risks.

When the systematic approach is adopted for assessing the risk arising from new products and services, mitigating this risk and its impact on the business can be managed efficiently.

Implementing additional controls of modifying the existing ones

Once the controls have been identified, the regulated entities must check whether existing controls can be used or enhanced to manage the new product/service’s risk. If not, the additional controls must be incorporated into the existing systems, making them capable of handling the newer risk scenarios.

In the current example, the dealer in precious metals and stones would be required to enhance the existing KYC forms and the Customer Due Diligence measures to cover the identification of the customer (as non-face-to-face transactions pose a different level of risk) and inquiry around the mode of payment.

Further, the jeweller might not have the systems that allow the screening of crypto wallets. Here, the existing systems must be upgraded or replaced with an advanced tool that supports the identification of red flags related to virtual assets, monitors the crypto transactions, and triggers an alert when any suspicious activities are observed.

Significance of the AML Risk Assessment before launch of a new product or service

This beforehand assessment of the financial crime risk and implementation of the necessary controls will enable the regulated entities to check the exploitation of new products or services by the financial criminals.

The proactive approach of the entity demonstrates the entity’s commitment to combat financial crimes. It instils the trust and confidence of the customers and other stakeholders in the entity’s business practices.

Further, identifying the risk before introducing new products or services is also mandated under the UAE AML regulations. Thus, with this risk assessment, the entities avoid non-compliance fines and penalties, safeguarding the business against reputational damage and unnecessary legal hassle.

When the business and compliance goals are aligned for a newly developed product or service, the future hassle or complexities associated with the products can be eliminated, bringing the desired outcome of fresh offerings.

Let AML UAE assist in identifying and managing the ML/FT risk associated with new products or services

The ML/FT risk assessment is crucial for the regulated entities before introducing or developing any new product or services to understand the new risk vulnerabilities and deploy the timely mitigation measures without allowing the launderers to exploit these new launches. In this journey, let AML UAE help you assess the risk arising from such a new product/service while you focus on business development. With a thorough understanding of the AML regulatory framework and the industry experience, we can assist you in assessing the overall business risk, implementing the required controls, and creating awareness amongst the team to stay AML compliant.

Let’s partner in your efforts to protect the economy’s integrity and security against financial criminals.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Article UAE