AML Governance for VASPs in the UAE: Building trust and strengthening compliance

Virtual assets are gaining acceptance and significance in the UAE’s financial system. However, this brings an increased risk of money laundering and terrorist financing, given the inherent anonymity and speed of virtual asset transactions. The UAE authorities have brought the Virtual Assets Service Providers (VASPs) under the Anti-Money Laundering (AML) regulatory landscape to mitigate these financial crime risks. It is therefore critical for VASPs in the UAE to establish an effective AML governance and oversight function to manage financial crime vulnerabilities.

Why is AML Governance important for VASP in UAE?

The VASPs expose themselves to huge ML/FT risks while onboarding customers across the world without any boundaries. Further, as all the transactions are done virtually, the risk of unidentified originators and virtual asset beneficiaries is involved, which can be exploited for laundering illegal funds or financing terrorist activities.
The authorities have established specific regulatory guidelines, mandating the VASPs to adhere to them and safeguard themselves against financial crime risks. VASPs operating in UAE must register with the relevant authorities and comply with the AML/CFT regulations. Failure to comply with these compliance obligations can result in hefty administrative fines and reputation damage.
The AML regulations in the UAE require VASPs to conduct an Enterprise-Wide Risk Assessment to identify the ML/FT risks, adopt a risk-based approach to design and implement internal AML/CFT policies, procedures, and controls, and report any identified suspicion to the Financial Intelligence Unit (FIU).
To mitigate the ML/FT risks and avoid regulatory non-compliance penalties, the VASPs must establish and maintain a robust AML governance and oversight function.

How to establish a robust AML Governance Function in VASP?

As a first step to AML governance, the VASPs must understand the AML regulations and compliance obligations imposed upon the organization. With a basic understanding of AML compliance requirements, let us look at the critical components of an effective AML governance framework.

Appointment of AML Compliance Officer or Money Laundering Reporting Officer

VASPs must appoint a competent person with adequate knowledge and experience in AML compliance to act as the AML Compliance Officer or the MLRO.
The compliance officer shall be responsible for overall AML/CFT program management.

Identifying the business risks

VASP must perform an Enterprise-Wide Risk Assessment (EWRA) to identify and assess the ML/FT risks that the organization faces. The risk assessment must be based on qualitative and quantitative analysis of the relevant risk factors such as customer base, geographies of operations, nature of transactions, products or services offered by VASP, etc.
As the business activities and ML/FT risk typologies keep evolving, the business risk assessment must be dynamic. VASPs must regularly assess the risk to factor in the changes in business activities, regulatory amendments, and emerging financial crime trends. The risk assessment results should be used to develop the internal AML/CFT policies, procedures, and controls to manage the identified ML/FT risks.

Developing the comprehensive AML/CFT framework

VASPs must have in place a well-defined internal AML/CFT program, including policies, procedures, systems, and controls that can adequately identify and manage the ML/FT risks of the organization’s virtual assets operations.
The AML policies and procedures must reflect the VASP’s overall risk and be practical to mitigate the risks.
Having an AML policy is not enough. The VASP must periodically review the policies and procedures to ensure their adequacy, effectiveness, and relevance in combating financial crimes. The AML/CFT framework must, at all times, be effective in addressing the identified business risks and be compliant with AML regulatory requirements.
The policy should document the VASP’s AML obligations, the controls adopted by the VASP to manage the risks, and the roles and responsibilities of the AML Compliance Officer, employees, and senior management towards the AML program.

Robust Customer Onboarding Process

Millions of transactions related to the transfer of virtual assets are conducted amongst multiple originators and beneficiaries worldwide. For an effective AML/CFT compliance framework, an effective customer onboarding process is one of the key elements.
It is pertinent for VASPs to identify these originators and beneficiaries of the transactions and verify their identity. The VASP must screen these customers to understand their connection with the Sanctions List, or Politically Exposed Person (PEP), and the presence of adverse media suggesting criminal history.
As part of the Customer Due Diligence (CDD) process, the VASP should also perform a customer risk assessment to identify the risk each customer poses to the business. Based on the outcome of the customer risk profiling, the VASP must adopt a risk-based approach and perform Enhanced Due Diligence (EDD) measures to manage the increased risk posed by high-risk customers.
CDD does not end here. The VASP must implement systems to monitor the transactions and business relationships on an ongoing and real-time basis to identify unusual or suspicious activities.

Suspicious activities identification and reporting procedures

AML framework is incomplete without adequate internal systems and procedures to identify the ML/FT risk indicators or red flags, suggesting involvement in money laundering activities, criminal proceeds, or terrorism financing. A clear mechanism must be in place to guide the employees to actions to be taken once any suspicious activities are observed and how the reporting shall be done to the AML Compliance Officer.
Further, the guidelines about external reporting to the FIU must also be well defined to ensure the timely filing of a Suspicious Activity Report (SAR) or Suspicious Transactions Report (STR) with the FIU.

Support from the senior management

No business function can be successful without the support from senior management. Similar is the case of the AML function. The senior management plays a critical role in ensuring the effectiveness of the AML governance framework by setting the right compliance tone at the top and providing strategic oversight of the implemented AML/CFT policies and procedures.
The management must establish the VASP’s ML/FT risks appetite and review and approve the VASP’s business risk assessment and the developed AML/CFT compliance program. Management should ensure that the risk assessment and AML policies, procedures, and controls are periodically reviewed and updated to manage the risks effectively.
Further, one important role of senior management is ensuring that the compliance department is well-staffed, with the resources necessary to manage the ML/FT risks and stay AML compliant.
As part of the AML governance and oversight function, the senior management and board of directors must seek periodic reports from the AML compliance officer capturing the VASP’s ML/FT exposure, suspicions identified, actions taken by the compliance officer, any AML gaps observed, etc.

Effective oversight function with periodic AML review and independent AML audit

To ensure the effectiveness of the AML/CFT measures adopted by the VASPs, it is important to establish an independent AML audit and also an internal periodic AML review function. The policies, procedures, systems, and controls implemented by the VASPs must be periodically reviewed to test the quality, adequacy, and effectiveness of the AML/CFT program.
A periodic AML review and interviews with the AML compliance team must be conducted to check whether the AML policies are effectively followed across the organization and to identify any gaps in policies or procedures, or flaws in implementation. This periodic review shall assist the VASPs in remediating AML non-compliance or vulnerabilities before they have a multifold impact on operations. The internal reviews can be considered frequent routine checks on the effectiveness of AML/CFT systems and controls, necessary to ensure that the AML measures are up-to-date and capable of identifying the financial crime risks.
Further, the VASP must appoint an independent person, having adequate AML understanding and experience to conduct the AML review. An independent AML audit shall be a more focused and unbiased review by a third party (possibly an external person) to ensure that VASP has an appropriate framework to manage the risks and stay AML compliant.

AML training program

AML governance function is incomplete without the involvement of the entire staff and their contribution towards the AML/CFT program. AML Compliance Officer of the VASP must develop a robust and comprehensive AML training program for the staff, including senior management, to ensure that all the employees of the organization understand the ML/FT risks, compliance obligations, and their roles and responsibilities towards VASP’s AML/CFT efforts.
AML training shall ensure that staff is well aware of internal AML/CFT policies and procedures and can exercise sound judgement when any suspicion is observed.

AML governance using technology and data analytics

AML governance and oversight would be challenging without deploying adequate technology and data analytics tools in this virtual asset world where everything is online. With technology, VASPs can automate the ML/FT risk assessment and deploy adequate measures to mitigate the same. With the humungous volume of virtual asset transactions, technologies like Artificial Intelligence and Machine Learning make transaction monitoring easy and real-time, generating alerts for unusual activities and reducing false positives.
Further, data analytics algorithms can be trained to identify unusual customer behaviour, detect suspicious transactions, and identify patterns that may indicate money laundering or terrorist financing.
VASPs can effectively detect and prevent money laundering and terrorist financing involving virtual assets by integrating technology and data analytics in their AML governance and oversight functions.

Collaborating with regulatory authorities and industry partners

As an element of effective AML governance, VASPs are recommended to stay connected with AML regulatory and supervisory authorities to seek guidance on various AML/CFT compliance obligations. Further, seeking the authorities’ feedback on implementing AML measures is also critical to enhance and improve the AML/CFT function.
Webinars and awareness sessions conducted by the authorities can also be helpful for VASPs to manage their ML/FT risks and detect emerging ML/FT typologies.
Collaboration with other VASPs can also help understand the industry’s best practices to identify and manage the ever-evolving ML/FT risks arising from virtual asset transfers.

Measuring the effectiveness of your AML governance and oversight function

VASPs need to review and enhance their AML governance and oversight function. This can be done using key performance indicators (KPIs) such as –
  • Periodicity of AML/CFT report furnished by AML Compliance Officer to senior management
  • Identified gaps and time and actions taken to remediate the same
  • Feedback received from the authorities
  • Number of suspicions observed
  • Quality and frequency of the AML training program
  • Finding of internal AML review and independent AML audit
Though not exhaustive, assessing certain factors can give insights into the effectiveness of the VASP’s AML governance and oversight function.

How can Niyeahma assist VASPs in UAE in establishing effective AML Governance Function?

Effective AML Governance and Oversight functions are critical for VASPs to stay AML compliant and manage the financial crime risks.
A robust AML/CFT program, commitment, and support from senior management, deployment of emerging technologies, comprehensive AML training, periodic AML review, audit, etc., can enhance the quality and relevance of the VASP’s AML/CFT framework.
Niyeahma is one of the leading AML firms in UAE, supporting regulated entities, including VASP, to establish and maintain a strong internal AML/CFT compliance program aligned with its overall ML/FT risks and regulatory requirements. We also help the VASPs set up solid AML governance and Oversight functions, constantly contributing towards enhancing the effectiveness of the VASP’s AML/CFT measures.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

AML Compliance Requirements for Law Firms in UAE

With the increase in financial crimes, the introduction and implementation of anti-money laundering and combating the financing of terrorism (AML/CFT) regulations is increasing. In the UAE, lawyers and independent legal firms are covered under the purview of AML regulations. Given the vulnerability of lawyers, notaries, and legal service providers to financial crime, law firms and legal professionals have been brought under the AML regulatory regime to identify and prevent money laundering and terrorism financing.
This article navigates the AML requirements for law firms operating in or from the UAE.

What AML regulations apply to Law Firms in the UAE?

The primary legislation governing AML compliance is the Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and its implementing guidelines under Cabinet Decision No. 10 of 2019. The federal AML regulations identify the regulated entities and establish a comprehensive framework for such entities to be followed to identify, report, and mitigate the money laundering and terrorist financing risks.
The regulated entities defined under the UAE AML regulations as Designated Non-Financial Businesses and Professions (DNFBPs) include:
Lawyers, notaries, and other independent legal professionals, when preparing, conducting, or executing financial transactions in relation to the following activities on behalf of the customers:
  • Purchase and sale of real estate
  • Management of customer’s funds
  • Managing customer’s bank accounts, saving, or securities accounts
  • Organizing contributions for the establishment, operation, or management of the company
  • Creating, operating, or managing legal persons
  • Selling and buying commercial entities
For the law firms licensed in UAE, other than Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), the Ministry of Justice is the AML supervisory authority.
With reference to the Federal AML regulations, the Ministry of Justice (MoJ) has also issued Ministerial Decision No. (533) of 2019 on Anti-Money Laundering and Combating Terrorism Financing related to Lawyers, Notaries, and Legal Independent Professionals and a detailed guide to help the law firms effectively implement the AML/CFT measures and prevent financial crimes.
Accordingly, law firms must comply with Federal AML legislation and the decision and guide issued by the Ministry of Justice.

What are the AML Compliance requirements of a Law Firm in UAE?

As a regulated entity, law firms and legal professionals are responsible for identifying and reporting ML/FT-related suspicious transactions to the Financial Intelligence Unit. In this context, law firms must comply with Federal AML legislations and the decision and guide issued by the Ministry of Justice.
The following are the AML compliance obligations for a law firm in UAE:

goAML Registration

Every law firm in UAE must be registered with the Financial Intelligence Unit’s (FIU) goAML Portal.

Appointing an AML Compliance Officer

To ensure the effective implementation of the AML Compliance program, law firms must appoint a competent AML Compliance Officer. The appointment of the compliance officer must be approved by the supervisory authority, which is sought during the pre-registration stage of the goAML registration.

Conducting Enterprise-Wide Risk Assessment

The law firms must assess the overall money laundering and financing of terrorism (ML/FT) risk their firm is exposed to. The AML Enterprise-Wide Risk Assessment must be conducted based on the nature of the customers, associated geographies, nature of services offered, volume and complexities of the transactions, etc.

Establishing AML/CFT Policies, Procedures, and Controls

Based on the overall business risk assessment outcome, law firms and legal professionals must design and implement internal AML/CFT policies, procedures, and controls to manage ML/FT risks.
The internal AML/CFT framework must be aligned with applicable AML regulations and the nature and size of the business.

Client Due Diligence Measures

One of the key AML requirements for law firms in the UAE is to identify the customers and the beneficial owners and verify their identity.
The companies must adopt “Know Your Customer” (KYC) procedures to identify the customer, their activities, the purpose of the business relationship, etc.
The law firms must also conduct screening to determine whether any of the customers, their beneficial owners, or the senior management is mentioned on the Sanctions Lists. Screening must be conducted to identify the customer’s status as a Politically Exposed Person (PEP) or a relative or close associate of the PEP.
Adverse media checks must also be conducted to see whether the customer has been linked or alleged to any financial crime-related matters in the past.
Based on the customer identification details and screening results, law firms and legal professionals must identify each customer’s risk to the business and classify the customers as high, medium, or low based on the assessed ML/FT risks.
In cases where the customers are identified as high-risk, the law firms in UAE must seek additional information and adopt enhanced due diligence measures. The lawyers must take necessary actions to understand the customer’s source of wealth and funds and determine its legitimacy.

Ongoing Monitoring of transactions and business relationships

Law firms are required to maintain customer information up-to-date. The CDD information must be closely monitored to ensure that the legal professionals have complete and accurate data about their customers and beneficial owners and that any changes therein are promptly identified.
Further, ongoing monitoring of the transactions is also very important to identify any unusual or suspicious customer activities related to money laundering and terrorist financing. For high-risk customers, enhanced and more stringent monitoring measures must be applied.

Compliance with Targeted Financial Sanctions

Law firms are required to implement the Targeted Financial Sanctions (TFS) measures. Accordingly, the law firms must subscribe to the Executive Officer for Control and Non-Proliferation (EOCN) Notification System to receive regular updates about changes in the sanctions lists – United Nations Consolidated List and the UAE Local Terrorist List.
All the customers, beneficial owners, and the customer’s senior management must be screened against these sanctions lists. If any confirmed match is found, the law firm must immediately terminate the business relationship (existing customer) or reject the customer (prospective customer) and submit a Fund Freeze Report (FFR) on the FIU’s goAML portal. In case of a partial name match where the law firm cannot conclude the match type, the business relationship must be suspended, and a Partial Name Match Report (PNMR) must immediately be filed on the goAML Portal.

Identifying and reporting suspicious activities or transactions

Law firms must establish adequate procedures and controls to identify any potential ML/FT risk indicator and report suspicious activities to the FIU. The suspicions related to ML/FT must be reported to the FIU by filing the Suspicious Activity Report or Suspicious Transaction Report (STR), as the case may be.
The list of red flags and the internal procedures to be followed for reporting must be well documented as part of the AML/CFT framework.

AML Training

AML training for the staff is one of the critical compliance obligations for law firms. Regular training must be provided to the staff and senior management to create awareness about AML compliance obligations and their roles and responsibilities.

AML Governance

To ensure a robust AML Compliance culture, the senior management must support and contribute towards the law firm’s AML/CFT efforts.
The Compliance Officer must furnish a periodic AML report to the senior management, updating them on the firm’s AML measures, the requirement for any additional AML resources, any AML non-compliance identified, and the action taken by the compliance officer, along with routine AML matters. Senior management must review and provide feedback to the Compliance Officer.
The law firms must implement an independent AML Audit function to periodically test the quality and adequacy of the AML/CFT measures to identify and mitigate the financial crime risks effectively.

Filing Real Estate Activity Report (REAR)

Lawyers and legal professionals are required to file a Real Estate Activity Report (REAR) on the goAML portal to report transactions pertaining to the purchase or sale of Freehold Real Estate that involve cash (equal to or exceeding AED 55,000), virtual assets, or funds converted from virtual assets.

AML Record Keeping

All AML-related records and documents, including CDD files and transactions with customers, must be maintained by law firms for at least five (5) years.

How can Niyeahma assist Law Firms in UAE to stay AML Compliant?

AML compliance is critical for law firms operating in the UAE to safeguard their practice from being exploited by financial criminals and avoid non-compliance penalties.
To understand the AML regulatory landscape and effectively meet the compliance obligations, reach out to AML experts – like Niyeahma, your partner in making AML journey a smooth experience.
Niyeahma is a leading AML consultancy service provider in UAE, assisting DNFBPs, including law firms, to identify overall ML/FT risks and implement best AML practices to prevent money laundering and terrorism financing crimes.

What is smurfing in money laundering? Smurfing Technique, Risks, and Protective Measures

Smurfing, one of the most widely used money laundering techniques, poses a high risk to financial institutions worldwide. Smurfing is the practice of breaking down large amounts of cash into smaller amounts that are deposited with financial institutions so as to stay under detection and reporting thresholds. Because it works by manipulating transaction values, the technique is also known as “Structuring.”
Laundering of illegal money using the smurfing method can be carried out by individuals or organized crime groups, which leaves devastating consequences on the financial institution and society.
This article will provide insights into identifying smurfing instances and how financial institutions can safeguard themselves against them and prevent the same.
Before discussing how to prevent smurfing, it is important to understand what it is and how it affects financial institutions.

What is smurfing in financial institutions?

Smurfing involves splitting a large sum of cash into smaller amounts of multiple transactions below the AML reporting threshold to avoid the applicability of AML measures and detection by financial institutions and regulatory authorities.
Smurfing is often used to facilitate the placement of illegal funds into the valid financial system of the economy.

How does smurfing affect financial institutions?

As smurfing is used to launder funds by facilitating the entry of proceeds of criminal activities into financial institutions, it is a significant risk to the security and integrity of the financial institution. When financial institutions allow criminals to use the smurfing technique, knowingly or unknowingly, the financial institutions face legal consequences for aiding in money laundering activities and the breach of regulatory obligation of reporting the money laundering-related suspicious activities. Further, smurfing damages the reputation of financial institutions and adversely impacts public trust.
Thus, to avoid the loss of public trust and heavy fines for AML non-compliance, it is pertinent that the financial institutions design and implement robust procedures and controls to identify, report and prevent exploitation by smurfing.

What are the commonly used smurfing techniques in Money laundering?

Smurfing or the structuring of transactions can be conducted in many forms, and thus, awareness about the most common smurfing techniques is essential. The most frequently used smurfing technique is to divide the large cash amount into multiple smaller value transactions to deposit or withdraw cash from different financial institution locations or branches.
Other methods include using multiple accounts in the name of multiple individuals to conduct transactions and making payments using wire transfers or other electronic means of fund transfer to avoid AML scrutiny.
Financial institutions must monitor transactions and look for suspicious patterns or customer behaviour suggesting using smurfing. E.g., multiple withdrawals of the same amount through different accounts simultaneously but with the same beneficiary.

What are the regulatory measures against smurfing in money laundering?

The AML regulatory framework is important to detect and prevent money laundering through smurfing. Financial institutions must understand the risk associated with smurfing and, accordingly, implement the guidelines in the regulations to prevent financial crimes and stay compliant.

Anti-Money Laundering Regulations against smurfing

Since smurfing is associated with money laundering typologies, the AML regulations in UAE provide for adopting strong and comprehensive AML procedures, controls, and systems to identify and prevent money laundering activities, including laundering through the smurfing method.
The AML regulations in UAE mandate that financial institutions assess the money laundering risk, including the risk posed by smurfing. Further, the financial institutions must develop and implement a robust AML framework, including policies for performing customer due diligence and regularly monitoring transactions to identify suspicious activities and transactions contrary to the customer profile.
Financial institutions may implement solid transaction monitoring programs to identify smurfing instances, using advanced algorithms or Artificial Intelligence to identify unusual patterns or suspicious activity. These systems should be able to flag transactions inconsistent with a customer’s known financial behaviour. Further, the financial institutions should also conduct periodic reviews of customer due diligence files to identify any update to the customer information or risk assessment of the customers that may be considered suspicious.

Know Your Customer (KYC) and Customer Due Diligence (CDD) Policies against Smurfing

KYC policies include identifying the customer and verifying their identity to ensure that the customer the financial institution is dealing with is legitimate and has no criminal history or active connection. Financial institutions can reduce the risk of enabling smurfing by implementing an effective KYC process. Note that KYC is one of the first measures to identify and prevent smurfing, but it is not sufficient on its own.
Financial institutions should implement additional Customer Due Diligence measures in case of high-risk customers or where any suspicion has been observed. These additional checks to verify the legitimacy of customer transactions may include understanding the purpose of the transaction, the customer’s source of funds and wealth, etc.

Reporting suspicious activities to UAE’s Financial Intelligence Unit (FIU)

UAE AML regulations mandate that financial institutions identify and report any suspicious activity to FIU by filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR).
Financial institutions must comply with the regulatory framework and implement the necessary controls and systems to detect and prevent smurfing.

What are the risk indicators related to the smurfing in money laundering?

Here is a list of potential red flags that the financial institutions must be cautious of, suggesting possible involvement of smurfing:
  • Multiple small cash deposits a person or group makes into the same account but through different branches.
  • Regular deposits or withdrawals in amounts exactly matching the AML Compliance cut-off.
  • Transactions not matching the customer’s usual patterns, such as sudden large cash deposits or frequent transfers to offshore accounts unrelated to the customer or its business.
  • A customer opening multiple accounts with little to no activity to distribute the funds.
  • Frequent funds transfers between multiple accounts, specifically to high-risk jurisdictions.
  • Unnecessary involvement of intermediaries to facilitate transactions without any business sense.
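
One way to turn the first two red flags above into a transaction monitoring rule, shown as an added example that is not part of the original article. The threshold, look-back window and "near the cut-off" margin are assumed values (the article states none for cash deposits), and the accounts, branches and deposits are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed parameters for illustration; set them from the institution's own policy.
REPORTING_THRESHOLD = 50_000   # hypothetical reporting cut-off
WINDOW = timedelta(days=3)     # hypothetical look-back window
NEAR_MARGIN = 0.10             # "just below" = within 10% under the cut-off


@dataclass(frozen=True)
class CashDeposit:
    account: str
    branch: str
    when: datetime
    amount: int


def find_structuring(deposits, threshold=REPORTING_THRESHOLD,
                     window=WINDOW, near_margin=NEAR_MARGIN):
    """Flag accounts where deposits that are each below the threshold
    add up to the threshold or more inside one look-back window."""
    by_account = defaultdict(list)
    for d in deposits:
        # Deposits at or above the cut-off are caught by normal reporting.
        if d.amount < threshold:
            by_account[d.account].append(d)

    alerts = []
    for account in sorted(by_account):
        items = sorted(by_account[account], key=lambda d: d.when)
        start, total = 0, 0
        for end, dep in enumerate(items):
            total += dep.amount
            # Slide the window start forward until it spans at most `window`.
            while dep.when - items[start].when > window:
                total -= items[start].amount
                start += 1
            if total >= threshold:
                group = items[start:end + 1]
                indicators = ["aggregate_over_threshold"]
                if len({g.branch for g in group}) > 1:
                    indicators.append("multiple_branches")
                if any(g.amount >= threshold * (1 - near_margin) for g in group):
                    indicators.append("near_threshold_amounts")
                alerts.append({
                    "account": account,
                    "total": total,
                    "deposits": len(group),
                    "indicators": indicators,
                })
                # Start a fresh window so one cluster yields one alert.
                start, total = end + 1, 0
    return alerts


# Constructed sample data, not real transactions.
SAMPLE = [
    # A1: three sub-threshold deposits across three branches in two days.
    CashDeposit("A1", "Deira", datetime(2024, 3, 1, 10), 18_000),
    CashDeposit("A1", "Marina", datetime(2024, 3, 1, 15), 17_500),
    CashDeposit("A1", "Al Ain", datetime(2024, 3, 2, 11), 16_000),
    # A2: two deposits just under the cut-off at one branch.
    CashDeposit("A2", "Deira", datetime(2024, 3, 5, 9), 48_000),
    CashDeposit("A2", "Deira", datetime(2024, 3, 5, 16), 47_500),
    # A3: small deposits a week apart, consistent with ordinary activity.
    CashDeposit("A3", "Marina", datetime(2024, 3, 1, 12), 5_000),
    CashDeposit("A3", "Marina", datetime(2024, 3, 8, 12), 6_000),
    # A4: same amounts as a structuring pattern but spread over weeks.
    CashDeposit("A4", "Deira", datetime(2024, 3, 1, 10), 20_000),
    CashDeposit("A4", "Deira", datetime(2024, 3, 10, 10), 20_000),
    CashDeposit("A4", "Deira", datetime(2024, 3, 20, 10), 20_000),
]

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE):
        print(alert)
```

An alert from a rule like this is a prompt for review against the customer's profile, not a conclusion; grouping by customer or beneficiary rather than by account extends it to the multi-account patterns in the list.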

What measures should a Financial Institution adopt to prevent smurfing in money laundering?

Implementing effective internal controls

Financial institutions must develop and implement solid internal AML policies, procedures, and controls to detect and prevent smurfing in a timely manner. The key AML measures to prevent smurfing are:

Employee training and awareness

Awareness among financial institutions’ employees is crucial to identifying smurfing-related red flags. Employees must be trained to understand the risks associated with smurfing, identify smurfing activities attempted through the financial institution, and report suspicious activities.
Employees must be trained in-house by the Compliance Officer, or some third-party expert can be hired to impart the training. The training program should include discussion around risk indicators and case studies based on actual real-life scenarios. Case studies can help employees better understand the technique and related red flags. This helps the employees correlate the training with on-job activities and, thus, helps employees understand their roles and responsibilities in preventing smurfing.
Another important aspect of employee training is ensuring employees stay updated with regulatory amendments and evolving ML typologies, including smurfing methods. Thus, ongoing training of the employees must be ensured through periodic sessions (refresher courses), internal circulars, etc.

Ongoing Monitoring Systems

Real-time or Ongoing Monitoring systems help financial institutions detect unusual transactions or suspicious activities. These systems should be based on robust logic and monitoring rules and should preferably be fully automated, and intelligent data analytics should be used to ensure their relevance and effectiveness.
Using Artificial Intelligence (AI) can help financial institutions identify inconsistent patterns or trends in large datasets considering the past records, overall business risk, and the customer risk profile, suggesting potential risk indicators. AI can also help financial institutions detect new techniques that criminals may use for laundering illegal money.
Another important aspect of monitoring transactions to identify suspicious activities is to use reliable and independent data sources, such as watchlists and adverse media, to support the internal alerts generated during ongoing monitoring.

Risk assessment and management

To effectively manage the risk, financial institutions must first identify the risk exposure, specifically the vulnerabilities to smurfing. A periodic Enterprise-Wide Risk Assessment must be conducted, and based on the risk assessed, the necessary risk mitigation measures must be deployed.
Moving one step ahead, the financial institutions must also assess the risk each customer poses to the business: customer risk profiling must be conducted using risk scoring models. Considering each customer’s risk profile, the monitoring program can be designed and applied, i.e., high-risk customers should be subject to frequent and increased monitoring.
Designing and implementing effective internal controls is very important for a financial institution to safeguard itself against smurfing. Financial institutions can help reduce risk exposure and avoid reputational damage with adequate employee training, a strong and comprehensive monitoring program, and timely risk assessment of the business and customers.

Enhancing customer due diligence

Financial institutions are critical in preventing money laundering activities, especially smurfing. Financial institutions must adopt additional checks and measures while performing customer due diligence to prevent smurfing.
Customer due diligence involves identifying the customer and verifying the customer’s identity, customer risk classification, and ongoing monitoring of the customer’s information and transactions. Financial institutions can timely identify money laundering activities by implementing effective customer due diligence processes and avoid non-compliance regulatory fines and reputational damage.

Verifying customer identity

Verifying customer identity is the first and most crucial step of the CDD process. Financial institutions must ensure that their customers are genuine and not associated with criminal activities. Customer identity verification includes obtaining customer identification documents such as passports, driver’s licenses, and national identity cards. Financial institutions must also conduct screening against the Sanctions List and perform background verification to ensure the legitimacy of the person and the identity documents.
Verifying customer identity is essential for preventing money laundering activities and for avoiding exposing the business to financial criminals.

Monitoring customer transactions

Monitoring customer transactions is another vital aspect of CDD. Financial institutions must regularly monitor customer transactions to detect and report suspicious activities such as depositing or withdrawing vast sums of cash divided into multiple small-value transactions.
Financial institutions can use various tools and technologies to monitor customer transactions, such as transaction monitoring systems built upon AI or machine learning. These tools can analyze customer transactions in real-time and identify inconsistent customer activities.

Identifying high-risk customers

Identifying customers who pose a higher risk to the business is important to prevent smurfing. High-risk customers include persons whose transactions are inconsistent with the customer’s business activities, persons reluctant to share identity documents, individuals or businesses with active connections with high-risk countries, or politically exposed persons (PEP).
Financial institutions must develop and implement increased checks and verification measures for high-risk customers. Enhanced Due Diligence (EDD) shall be performed, which includes obtaining information about the customer and beneficial owners’ source of funds and wealth, understanding the purpose of the transaction and business relationship, and seeking senior management approval before establishing a business relationship or conducting transactions with high-risk customers.
EDD is one of the important measures to identify and prevent smurfing activities, relying on adequate customer verification processes, continuous transaction monitoring, and the identification of high-risk customers who increase the financial institution’s overall risk.

Collaborating with regulatory authorities and other financial institutions

Collaboration with other financial institutions and regulatory authorities is essential to prevent smurfing. This involves smooth sharing of information and best AML practices, conducting joint investigations, and developing industry-wide control standards.

Sharing relevant information and best practices to prevent smurfing

Financial institutions must share information and best practices to identify and prevent smurfing activities. This includes sharing information about known smurfing syndicates, account numbers, and techniques and collaborating on research and development of effective solutions to identify and reduce the impact of smurfing activities.
Financial institutions can also share the best practices for identifying and reporting suspicious activity related to smurfing to the FIU.

Joint investigations and operations

Joint investigations can help to identify and prosecute the individuals and groups involved in smurfing activities. Financial institutions should collaborate with regulatory authorities and other financial institutions to facilitate these investigations, such as providing corroborative evidence to support investigations.

Developing the best industry-wide standards

Collaboration and cooperation between financial institutions are necessary to implement industry-wide best measures and standards to identify and prevent smurfing. This includes developing standard operating procedures, AML framework, and aligning AML regulatory requirements.
Collaboration between financial institutions and regulatory authorities aids in combating smurfing activities. Financial institutions can reduce the impact of smurfing and safeguard the financial system by sharing information on already proven smurfing elements, supporting investigations, and developing the best industry-wide standards.

Leveraging technology to fight smurfing

Smurfing is a common technique used to launder illegal money, given its simple nature of breaking large values into smaller amounts to bypass the AML threshold. Here, financial institutions can deploy technology to detect and prevent smurfing activities.
Advanced technologies like Artificial Intelligence (AI) and Machine Learning (ML) can help understand the trends and track customer behaviour to identify smurfing activities. AI and ML algorithms can analyze the massive volume of transactions and customer information to identify unusual or inconsistent activities.
Emerging technologies such as Blockchain and Distributed Ledger Technology (DLT) can also provide a secure transactional trail, reducing the risk of manipulating or structuring the transactions, thus reducing the risk of smurfing activities. By leveraging blockchain and DLT, financial institutions can create a transparent and immutable transactional record, making it difficult for criminals to disguise or conceal their activities or conduct financial crime.
The other technologies that can significantly assist financial institutions in combating smurfing are advanced analytics and data mining that can identify unusual patterns of transactions indicating the possibility of smurfing or other money laundering activities.
Financial institutions can prevent smurfing activities with the right technology and AML solution. With AI and ML, blockchain and DLT, and advanced analytics and data mining, financial institutions can up their AML compliance and safeguard their operations from the risk of smurfing.

How can Niyeahma assist financial institutions in developing a robust AML framework to prevent smurfing?

Niyeahma is an AML consultancy service provider offering end-to-end AML support to financial institutions, Virtual Asset Service Providers (VASPs), and Designated Non-Financial Businesses and Professions (DNFBPs). Niyeahma can assist financial institutions in designing robust AML/CFT policies and procedures, implementing adequate internal controls, enhancing the Customer Due Diligence framework, and training employees to stay vigilant in detecting smurfing instances.
Financial institutions must identify, report, and timely prevent smurfing activities. Niyeahma assists financial institutions in identifying the right technology and AML tool to identify the unusual activities suggesting smurfing.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


Reliance on Third Parties for Customer Due Diligence


The regulated entities operating in the International Financial Services Centres (IFSC) in India are required to comply with the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, including the requirement to identify and assess the money laundering (ML) and terrorist financing (TF) risk the customer poses to the business and apply adequate Customer Due Diligence (CDD) measures to mitigate the same. To comply with this AML requirement, the regulated entity can place reliance on third parties for Customer Due Diligence measures.
In the context of reliance on third parties for CDD, let us understand what Customer Due Diligence is, what the third parties can be relied upon for CDD, and the regulatory conditions prescribed under IFSCA (AML, CFT & KYC) Guidelines.

What Is Customer Due Diligence?

Customer Due Diligence is the process where the regulated entity:
  • Collects information and identification documents of the customers
  • Verifies their identity documents and authenticates whether the customers are actually who they claim to be
  • Enquires about the nature and purpose of the intended business relationship
  • Identifies the beneficial owners of the corporate customer and verifies their identity
  • Assesses the potential ML/FT risk such customers may pose to the business
CDD is one of the AML/CFT measures deployed when establishing a business relationship with the customer and on an ongoing basis to manage the risk.

What Are The Third Parties The Regulated Entities Can Rely Upon For CDD?

When the proposed customer of the regulated entity has an existing business relationship with the following third parties, then the regulated entity can use the data available with such third parties for CDD and customer verification of the particular customer:
  • a financial institution that is subject to and is supervised by a financial regulator; or
  • the regulated entity’s branches, subsidiaries, parent entity, the branches and subsidiaries of the parent entity, or any other related corporations.
Thus, a ‘third party’ on which the regulated entity can place reliance for Customer Due Diligence would be a regulated financial institution or the regulated entity’s associated entities (part of the same Financial Group) having an existing relationship with the person subject to CDD measures.

What Does It Mean By “Reliance On Third Parties For Customer Due Diligence”?

Reliance on third parties for CDD means that a regulated entity relies upon and uses the CDD information pertaining to a particular person with whom the third party already has an existing client relationship, and such third party has performed necessary CDD processes, including customer identification and identity verification. This is not restricted to just obtaining the name and address of the customer; rather, it would include all the CDD information and documents.
The third party’s relationship with the person is distinct or separate from the business relationship proposed by the customer, with the regulated entity relying on the third party for CDD.
Thus, reliance on a third party for CDD indicates the regulated entity’s reference to the CDD measures applied to the customer the regulated entity is proposing to onboard instead of conducting the checks and verification measures on its own afresh.

What Conditions Must Be Considered Before Relying On A Third Party For CDD?

A regulated entity can rely on third parties for CDD measures subject to the fulfilment of the following conditions:
  • The regulated entity should be able to obtain records or information pertaining to the CDD measures carried out by the third party on an immediate basis,
  • The regulated entity should take adequate steps to ensure that the third party shall provide copies of the identification documents relating to CDD to the regulated entity upon request, without delay,
  • The third party (not part of the same Financial Group) is adequately regulated, supervised and monitored and has implemented measures for complying with CDD and AML record-keeping requirements as per FATF Recommendations and meeting the provisions of IFSCA (AML, CFT & KYC) Guidelines.
  • When relying on a third party who is part of the same Financial Group, the following conditions must be satisfied:
    • the Financial Group applies and implements group-wide programmes on CDD that meet the standards set out in FATF Recommendations and
    • implementation of CDD and recordkeeping at the group level are supervised by that country’s financial services regulator or some competent authority.
    Here, the regulated entity should document the methodology followed for assessing the third party’s compliance with FATF Recommendations and the outcome of such assessment.
  • The third party is not located or based in a country or jurisdiction assessed as high-risk.
  • Reliance on a third party cannot be placed for ongoing monitoring of the business relationship with the customer.
  • Reliance cannot be placed on third parties that the IFSCA has explicitly prohibited from being relied upon.
It is important to note that the regulated entity shall ultimately be responsible for CDD measures, including Enhanced Customer Due Diligence measures for high-risk customers.

Other Key Considerations Before Relying On A Third Party For CDD

  1. The regulated entity is not automatically required to obtain certified documents from a third party to carry out CDD. However, the regulated entity should ensure that certified documents are readily available from a third party upon request.
  2. The regulated entity must assess the jurisdictional or geographical ML/FT risk associated with the third party, considering the outcome of the FATF publications, mutual evaluation reports, political stability, etc.
  3. The regulated entity should not rely upon a third party located in a country that prevents access to CDD data due to the secrecy or data protection laws of such country.
  4. When regulated entities are not satisfied with the CDD measures applied by the third party or the CDD measures are found deficient, the regulated entity shall immediately apply the CDD measures necessary to remediate the deficiencies.
  5. The regulated entity’s AML/CFT Policy and overall framework must provide for placing reliance on third parties, the extent to which the entity shall rely on such CDD data and the measures the regulated entity shall perform on its own.
  6. For smooth compliance, the regulated entity must enter into an agreement with the third party when placing reliance on such a party for CDD.

What Are The Benefits Of Relying On A Third Party For CDD?

| Sr. No. | Parameter | Benefits |
|---|---|---|
| 1 | Experience | A third party’s experience can be used to enhance the adequacy and quality of CDD measures applied. |
| 2 | Time & Cost | Relying on a third party helps the regulated entity save time and thus increase cost-effectiveness. |
| 3 | Independent Perspective | CDD measures applied by the third party offer an unbiased view (bias related to onboarding the customer for financial benefit could be avoided). |

Conclusion

The process of conducting CDD to identify the customer and verify their identity is a major legal obligation of a regulated entity. In this context, the IFSCA (AML, CFT, & KYC) Guidelines, 2022, permits the regulated entity to place reliance on specified third parties for CDD, subject to certain conditions.
Let Niyeahma assist you with defining your code or policy around reliance on third parties for CDD and ensure compliance with the conditions mentioned in the IFSCA (AML, CFT, and KYC) Guidelines.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


How to ensure effective Suspicious Activity Reporting?


In UAE, Anti-Money Laundering and Combating of Financing of Terrorism (AML/CFT) measures and regulations are critical to identifying potential risks and timely reporting these suspicious activities to ensure the financial stability and security of the economy.
When regulated organizations – whether Financial Institutions, Virtual Asset Service Providers (VASPs), or Designated Non-Financial Businesses and Professions (DNFBPs) – fail to implement the policies and procedures around suspicious activity reporting, the consequences are severe for the organization and the country. The employees must be trained on ML/FT risk indicators, identifying suspicious activities, and appropriately reporting to the Financial Intelligence Unit (FIU).

How to identify Suspicious Activity under AML regulations?

Employees engaging with customers and managing the business relationship are vital in identifying suspicious activity. For effective suspicious activity reporting, the employees must understand the red flags and the actions to be taken when such risk indicators are observed.
Once any ML/FT red flags are observed, the employees must collate adequate information about the suspicion and immediately report such suspicious activity to the AML Compliance Officer.

What are the common risk indicators suggesting Suspicious Activity?

Some common indicators of suspicious activity that the employees of the regulated organization must be aware of are:
  • Customer suddenly starts making large value transactions, contrary to the transaction history or not matching with the customer’s financial position
  • Customer comes from or is closely connected with high-risk jurisdictions
  • Customer has adverse media or criminal records for being involved in financial crime in the past
  • Customer refusing to share the identity documents or reluctant to disclose the identity of the beneficial owners
  • Customer has no active connection with UAE, or the purpose of the transaction is not clear
  • Customer’s legal structure is excessively complex, without any business rationale
  • Customer hesitates in sharing information about the beneficial ownership
  • Customer engaging in multiple transactions with values exactly below the AML threshold
  • Identity document furnished by the customer is found to be fake or forged
  • Payment towards the transaction is being initiated from a third-party account not related to the business transaction
  • Unnecessary involvement of third-party agents or intermediaries, without any business sense, to conceal the identity of the customer.
The employees must be informed of the red flags suggesting a potential association with money laundering or terrorism financing. Further, employees should be aware of the list of high-risk countries.
Employees must be well-trained to look for unusual patterns of transactions, recognize these risk indicators, and immediately report such suspicious observations to the AML Compliance Officer.

What is the Role of Employees in detecting ML/FT-related Suspicious Activity?

Under the AML Compliance program, employees are considered the first line of defense against money laundering and terrorism financing. Employees play a pivotal role in identifying suspicious activity related to financial crime. Therefore, creating awareness around AML measures and identifying suspicious activities amongst employees is essential.
In addition to identifying suspicious activity, employees should be trained on adequate reporting procedures to ensure accuracy and completeness in internal reporting. This includes knowing when reporting will be done, to whom, and what details will be captured in the report.
Employees should be encouraged to ask relevant questions to determine the nature of the suspicion, including escalating the observed red flags to the departmental head.
Training shall be conducted for the employees covering real-life scenarios and case studies around money laundering or terrorism financing indicators observed by the internal staff and what actions were taken by that employee.

How to establish a robust Suspicious Activity Reporting system?

A strong system must be implemented within the regulated organization for internal reporting of suspicious activities to ensure that suspicions are reported on time and adequately addressed.

Documenting the red flags and risk indicators

For timely reporting of suspicious activity, timely identification of the potential risk indicators is essential. To assist the employees with immediate detection of the ML/FT red flags and evaluate the possibility of suspicion, the organization must include a business-specific list of risk indicators in its policy. These red flags must be well communicated amongst the team, including imparting specific training to create better awareness.

Establishing Clear Reporting Procedures

Clear reporting procedures should be designed and communicated to the relevant employees. This includes policies around who is responsible for reporting, to whom the internal reporting shall be made, how the reporting would be done (through email, physical internal Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) format, etc.), who should be included in the communication trail, etc.
The details of the AML Compliance Officer, including their contact information, must be available to every employee of the regulated organization.

Ensuring Confidentiality and Employee Protection

Employees must feel comfortable reporting suspicious activity without any fear of retaliation. The information of the employee reporting the suspicious activity must be kept confidential. The regulated organization must develop adequate policies to protect employees from retaliation.

No “Tipping off”

The employees must be aware of the requirement not to disclose any information about the identified suspicion to the subject party or any third party, directly or indirectly. The employees should understand that “tipping off” is a criminal offense under UAE AML regulations and attracts hefty penalties, including imprisonment, for such contravention.

Imparting training to the employees

The employees – whether serving clients or managing client relationships – are the first to observe the potential suspicion in transactions or customer behaviour. Also, the back-office teams play a significant role in detecting the red flags while clearing the payments or generating account statements. Thus, all employees of the organization must be imparted adequate training and equipped with the necessary resources to identify the ML/FT suspicion and exercise sound judgment around the necessity to report the same to the Compliance Officer.
Imparting adequate employee training on identifying and reporting suspicious activity is very important to promote a compliance culture in the organization and receive the required contribution from the employee to prevent financial crime.

Periodically Reviewing and Updating the Suspicious Activity Reporting System

The regulated organization should regularly review the internal suspicious activity reporting procedures and system to check their effectiveness and update them, if necessary, to stay compliant with UAE AML regulations.

What are suspicious activity reporting requirements under UAE AML Regulations?

The AML regulations mandate the regulated organizations to identify and report suspicious activities related to money laundering, terrorist financing, or financing of the proliferation of weapons of mass destruction.
The entire AML compliance framework revolves around effective suspicious activity reporting, including designing the AML policies and training the employees to identify and undertake timely reporting.
A regulated organization that fails to identify and report suspicious activities in accordance with UAE AML regulations faces severe consequences, including damage to its reputation and non-compliance penalties.

How can Niyeahma assist you in implementing a robust Suspicious Activity Reporting System?

To stay AML compliant and safeguard the business against the exploitation of financial crimes, adequate systems and procedures to identify and report suspicious activities effectively are a must.
Niyeahma is a leading AML consultancy service provider, assisting clients in developing a robust AML compliance framework, including establishing internal and external suspicious activity reporting policies. With a team of experienced professionals, AML UAE imparts comprehensive AML training to the employees, covering basic concepts of ML/FT, AML measures, the organization’s internal policies and procedures, and best practices for suspicious activity reporting.
Timely identify and report suspicious activities to complete your AML Compliance circle!

About the Author

Jyoti Maheshwari

CAMS, ACA


Shining the business conduct with LBMA’s Global Precious Metals Code, 2022


London Bullion Market Association (LBMA) has issued LBMA’s Global Precious Metals Code, 2022, laying down the highest standards for business conduct expected from market participants engaged in the global Over-The-Counter (OTC) wholesale trade of precious metals.

Who is subject to LBMA’s Global Precious Metals Code?

Various participants are engaged in the Precious Metals Market, with different activities around precious metals: extraction, refining, storage, financing, transportation, trading, and marketing. The LBMA’s Global Precious Metals Code applies to all Precious Metals Market participants involved in global OTC wholesale trade, which include:
  • LBMA Members
  • Precious metals Refineries & Mining entities
  • Precious metals Logistics firms
  • Precious metals Fabricators
  • Jewellery entities
  • Financial institutions like Banks, Asset management companies, Exchange Traded Funds, Firms engaged in high-frequency trading strategies, Brokers, investment advisers, aggregators, etc.
  • Trading houses and Affirmation & settlement platforms
  • Sovereign wealth funds
  • Benchmark Administrators
All these market participants are required to implement this Code commensurate with the size and nature of the business activities.

What precious metals are governed under LBMA’s Global Precious Metals Code?

The Code sets out the standards for ensuring the highest quality conduct of the market participant engaged in activities related to the following precious metals:
  • Gold
  • Silver
  • Platinum
  • Palladium

What are the four (4) principles discussed in the LBMA's Global Precious Metals Code?

The following four principles are emphasized in the Code to ensure the global best practices in the Precious Metals Market:

A. Ethics:

All the precious metals organizations subject to this Code are expected to act professionally and ethically to maintain the integrity of the global precious metals market. They must deal with all their customers, suppliers, employees, and all other business associates with the utmost fairness.
The companies are expected to implement appropriate internal policies to identify and address conflicts of interest that may compromise their code of ethics or professional standards.
The companies are expected to promote equality and avoid discrimination amongst customers, employees, etc.
The market participants are expected to impart adequate training to their employees to ensure that market obligations are discharged ethically and professionally.

B. Governance, Compliance, and Risk Management:

Market Participants are expected to identify the risks associated with their precious metals activities and implement appropriate governance and risk management frameworks to manage these risks, including a comprehensive compliance management program.
The companies are expected to evaluate the risk arising out of the following factors concerning their precious metals operations:
  • Market and credit-related risks
  • Operational and Settlement-related risk
  • Risks related to Technology & Cyber Security
  • Compliance and Legal risk
  • Business Continuity risk
  • Conduct and Reputational risk
  • Economic and Trade risk
As part of an adequate governance structure, the senior management is responsible for designing the business strategies and overseeing the business operations to ensure the company’s financial security.
Precious metals companies must comply with all the applicable rules and regulations, including the anti-money laundering framework. The internal policies must be well documented, highlighting the regulatory obligations, procedures & controls to ensure adequate compliance.
Further, the companies are expected to have well-defined lines of reporting, with clear roles and responsibilities for managing the precious metals operations. There shall be smart systems for the accurate and timely generation of MIS reports, which is necessary as part of the governance and risk management framework.
Through a well-designed whistle-blowing policy, employees must be encouraged to escalate any observed instances of inappropriate business practices or unethical behaviour of any market participants – internally and externally.
The Code suggests a periodic review of the governance, compliance, and risk management framework to ensure that the companies’ operating mechanisms are aligned with the highest professional standards and the applicable laws, including this LBMA’s Code. Any gaps identified by the independent reviewer must be highlighted to the senior management for immediate action to rectify them.

C. Information Sharing:

Precious metals market participants must communicate effectively and transparently within the business community. Market participants are also expected to maintain the confidentiality of critical market information.
The companies shall not divulge confidential information that hampers standard market practices.
The communication must be fair and open, with clear language and with no or minimal use of technical jargon. Further, appropriate communication channels must be used to ensure the market’s integrity and maintain the required audit trails.
Companies are strictly prohibited from initiating or spreading rumours or circulating any misleading information which affects the best business practices of the precious metals market.

D. Business Conduct:

Precious metals companies are expected to effectively manage their pre-trade and post-trade business activities fairly and transparently.
As part of pre-trade business conduct, the market participants are expected to sign an agreement or similar document with the customers, suppliers, etc., with a clear scope of a business deal, terms of trade, and price points. Appropriate Know Your Customer and Customer Due Diligence measures must be applied before establishing any business relationship with other market participants. The companies must identify any risk associated with the customers and suppliers, including the supply-chain risk.
The precious metals trades must be executed fairly, with clear disclosure of the markups and the methods used for arriving at the markup. The markups must be determined professionally without misrepresenting any cost factors. The companies are prohibited from executing any trade against the LBMA’s precious metals benchmark (i.e., the prices determined by LBMA).
For post-trade business conduct, the company must initiate confirmation communication with the customer about the executed trade or deals that are amended or cancelled. Further, the market participants are expected to perform ongoing reviews and monitoring of the transactions, including periodic reconciliation of the customer’s accounts to identify gaps or delinquent payments.
The market participants are expected to design internal policies to ensure that no trade payments are accepted from unrelated third parties and that no cash payments exceed a certain threshold.

How can Niyeahma assist you with developing your Code of Business Practices aligned with the LBMA’s requirements?

The Dealers in Precious Metals in UAE, engaged in the wholesale trade of gold, silver, platinum, and palladium, are expected to adopt this Global Precious Metals Code, 2022, to promote transparency and integrity of the global precious metals market.
Niyeahma is an AML consultancy firm supporting Dealers in Precious Metals and Stones (DPMS) to implement the AML framework and stay AML compliant. We help the DPMS develop tailor-made AML/CFT policies, procedures, and controls to identify and mitigate financial crime risks.
With our experience of dealing closely with dealers in precious metals, we understand the business operations and compliance requirements of the precious metals sector, such as the Responsible Gold Sourcing Code and the LBMA’s Global Precious Metals Code. With this, you can design a comprehensive compliance framework to manage your business operations with the highest ethical practices and professional standards while staying compliant with local and international regulatory frameworks (FATF, OECD, LBMA, etc.).

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She has extensive experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

How to Detect High-risk Customers and Safeguard Your Business

Money laundering and terrorism financing are significant threats to the integrity of the global economy. Various countries have implemented regulatory frameworks for anti-money laundering and combating the financing of terrorism (AML/CFT), laying down detailed guidelines on how to detect high-risk customers and safeguard the business.
Similarly, UAE authorities have implemented the AML/CFT regulations covering Financial Institutions, Virtual Assets Service Providers (VASPs), and Designated Non-Financial Businesses and Professions (DNFBPs). The UAE AML regulations mandate the regulated entities to conduct customer risk assessments to detect high-risk customers and apply Enhanced Due Diligence measures.
This article discusses the aspects to be considered for identifying high-risk customers and potentially suspicious activities and developing robust customer risk assessment frameworks.

Understanding AML compliance and high-risk customers

Before discussing the identification of high-risk customers, it is essential to understand why AML/CFT compliance is necessary and what customer characteristics would be considered high-risk from a money laundering perspective.

What is AML compliance?

Money laundering is a global problem adversely impacting the security and stability of society as a whole. In money laundering, financial criminals attempt to hide the source of illegally obtained proceeds and disguise them so that they appear to have been generated from legitimate economic activities. In terrorism financing, the criminal provides financial assistance to propagate terrorist activities.
To fight these vices, there is a need for AML/CFT compliance. AML/CFT compliance is a set of measures implemented to identify and prevent money laundering and terrorism financing activities. The AML/CFT compliance includes developing robust internal policies and procedures to identify and verify the customers and monitor their activities to detect any unusual or suspicious behaviour.
AML compliance is mandatory for regulated organizations to safeguard their businesses against exploitation by financial criminals, avoid administrative penalties for regulatory non-compliance and ensure the integrity of the business. The failure to comply with AML regulations results in huge fines, legal actions against the business and irreversible damage to the reputation of the organization.

Who are considered high-risk customers under UAE AML regulations?

Customers posing increased ML/FT risk to the business are construed as high-risk customers under the AML framework. The following would be construed as high-risk customers from an ML/FT perspective:
  • Individuals who are Politically Exposed Persons (PEPs) and the individuals or legal persons associated with PEPs. PEPs are persons entrusted with prominent public functions, domestically or in foreign countries, and the heads of international organizations. Given a PEP’s access to government funds and power to influence government decisions, they are more susceptible to criminal activities such as corruption and, in turn, money laundering to hide these illegal funds. Close family members and business associates are also considered PEPs for the customer’s risk classification under AML compliance.
  • Individuals or entities hailing from, or closely connected with, high-risk countries. These countries are vulnerable to a high risk of money laundering due to factors like a high rate of corruption, less transparency around business activities and beneficial ownership, and weaker AML/CFT measures, or are known to have been assisting countries or organizations supporting terrorist activities.
  • Individuals or entities whose behaviour or transactions suggest the presence of ML/FT suspicion. This covers cases where the customer’s behaviour while establishing a business relationship or undergoing customer due diligence suggests a connection with proceeds of crime, or where the transactions executed by the customer are contrary to the customer’s profile.
  • Customers engaged in businesses considered high-risk, or whose business activities are associated with ML/FT typologies, such as Virtual Assets Service Providers, where large amounts of fiat currency can be easily converted into cryptocurrencies and transferred across borders without disclosing the identity or drawing the attention of the authorities.
The AML laws of UAE require Financial Institutions, VASPs and DNFBPs to apply Enhanced Due Diligence (EDD) measures to these customers to manage the higher risk and determine that they are not connected with any illegal activities, money laundering or financing of terrorism.

Importance of identifying high-risk customers

Identifying high-risk customers and applying the required due diligence measures to mitigate the increased risk are critical aspects of an effective AML program. It helps the regulated organization maintain integrity among the stakeholders and customers, safeguard the business from being involved in money laundering or terrorism funding activities, and stay 100% AML compliant.

Protecting your business from financial crimes

Not only is directly engaging in money laundering or terrorism financing activities a federal crime; indirectly assisting anybody in them, knowingly or unknowingly, is also a crime punishable under UAE AML regulations. Regulated organizations, whether Financial Institutions, DNFBPs or VASPs, would be subject to heavy monetary fines and sanctions from the Supervisory Authority if any financial crime is executed through their business.
Hence, regulated organizations need to identify high-risk customers and apply additional verification measures to prevent the misuse of the business by financial criminals and money launderers.
The regulated organization must use rigorous identity verification checks to detect the customers connected with high-risk parameters like high-risk countries and robust transaction monitoring systems to identify unusual patterns or suspicious customer behaviour.
Once identified, high-risk customers should be subject to EDD measures, which include obtaining additional information and documents about customer identity, financial position (source of funds and source of wealth), frequent, ongoing monitoring, etc.

Meeting regulatory requirements and staying compliant

AML regulations in UAE mandate the regulated organization to apply adequate AML measures and stay 100% AML compliant. Non-compliance with AML regulatory requirements by any regulated organization calls for severe actions from the authorities, including imposing hefty administrative fines, imprisonment, restriction on the business activities or even termination of the business license.
As part of the AML Compliance program, the regulated organization must identify high-risk customers, take adequate mitigation measures, and report to the Financial Intelligence Unit (FIU) to remain AML compliant and avoid non-compliance penalties.
The regulated organizations must adhere to the UAE’s AML Federal Law, the implementing Cabinet Decision and the supplementary guidelines issued by the relevant Supervisory Authority. These regulations require Financial Institutions, DNFBPs and VASPs to implement AML compliance programs to identify and report suspicious activity. One of the critical aspects of the AML compliance framework is identifying high-risk customers.

Maintaining a solid reputation and business integrity

The regulated organizations need to protect their reputation and integrity to survive in the economy and maintain customer trust. The involvement of a regulated organization in a money laundering scheme or any other financial crime irreversibly damages its reputation amongst its stakeholders and customers. Identifying high-risk customers can help detect and prevent such potential involvement in financial crime.
Conversely, implementing a strong AML culture in the organization and demonstrating a commitment towards AML compliance enhances the organization’s reputation in the market. These AML measures could include comprehensive AML policies and procedures, an adequate customer due diligence process, imparting AML training to employees, etc. Customers and other stakeholders are more inclined towards working with businesses compliant with the regulatory framework.
Identifying high-risk customers is critical for regulated organizations to protect themselves from getting inadvertently involved in financial crimes, stay compliant with regulatory requirements, and avoid any reputational damage. By implementing effective AML compliance programs, regulated organizations can detect suspicious elements posing higher ML/FT risks and prevent money laundering activities from occurring through their businesses.

Customer Risk Assessment and adequate Customer Due Diligence

It is pertinent to design and implement a robust customer risk assessment procedure and apply adequate Customer Due Diligence (CDD) measures to identify high-risk customers who expose the business to increased ML/FT risks. This part of AML compliance involves identifying the customers and their Ultimate Beneficial Owners (UBOs) and verifying the customer identity and other information to create the customer’s risk profile and identify any suspicion.

Developing a risk assessment framework

It is essential to assess the risk of each customer the organization is dealing with. The customer risk assessment procedure is about obtaining customers’ identification information, like name, nationality, business activities, etc., to determine the ML/FT risk they bring. The factors to be considered while determining the customer risk are the nature of the customer, its business activities, the geography of the customers, the nature and purpose of the business relationship, transactional parameters – value, mode of payment, etc.
By developing a comprehensive customer risk assessment framework, regulated organizations can adopt a risk-based approach and prioritize the customer due diligence measures depending on the risk associated with the customers. The regulated organisation can design and implement adequate risk mitigation measures by evaluating the specific ML/FT risks associated with the customers.

Performing appropriate Customer Due Diligence

Customer Due Diligence (CDD) measures involve:
  • Identifying the customer and verifying the customer’s identity using reliable, independent sources, including the customer’s valid identification documents
  • Conducting screening against the sanctions and adverse media to check customer’s background and reputation
  • Performing customer risk assessment, based on the customer’s profile and the transactional parameters, to identify the ML/FT risk the customer is posing to the business.
The regulated organizations must design a strong CDD program, including policies, procedures, and controls. The organizations may also deploy AML software to perform CDD, such as using Artificial Intelligence or Machine Learning to screen the customers or create customer risk profiles, evaluating the customer’s identification data and documents.
The AML software can help regulated organizations identify suspicious activities in a timely manner and immediately report them to the authorities, while reducing false positive matches.
The Customer Due Diligence process is incomplete without ongoing monitoring of the customer’s profile to identify changes in customer identification information, and ongoing transaction monitoring to determine whether the customer’s behaviour is in sync with the originally assessed risk or whether the customer’s risk level needs to be re-evaluated.

Enhanced Due Diligence for high-risk customers

Application of Enhanced Due Diligence (EDD) is mandatory for customers identified as high-risk. The EDD is an extension of the CDD process, requiring the regulated organizations to apply additional checks and verification measures to evaluate the customer’s identity (including the beneficial owners and the controlling parties), their financial position, the purpose of the transaction, etc.
EDD involves obtaining information about the customer’s and Ultimate Beneficial Owners’ source of funds and wealth and determining its legitimacy. Further, UAE AML regulations mandate the regulated organizations to ensure that the first payment towards their product or services is received from the customer’s bank account in a bank subject to similar CDD measures. High-risk customers and their transactions are to be subjected to increased ongoing monitoring to assess and detect any unusual patterns or suspicious activities.
No business relationship can be established or a transaction be executed with a high-risk customer without the approval of the regulated organization’s senior management.
For example, suppose a customer is associated with a high-risk country. In that case, the regulated organization must apply rigorous verification measures and implement EDD to manage the increased ML/FT risk associated with a customer hailing from a high-risk country.

Red Flags and potential risk indicators of high-risk customers

Detecting the ML/FT red flags and risk indicators is essential to determining the risk associated with a customer and classifying them as high-risk customers. Here are a few examples of ML/FT red flags that can suggest the involvement of proceeds of crime, money laundering or terrorism financing activities:

Unusual transaction patterns

Transactions inconsistent with a customer’s profile or nature of business activities, unusually large, or series of transactions over a short period can indicate money laundering activities. Additionally, transactions involving unnecessary intermediaries or multiple jurisdictions can raise red flags.
For example, if a customer with a fixed monthly income starts frequently making large-value transactions that are out of line with their annual income, it raises suspicion around the source of funds.

Incomplete, fake or inconsistent information

Customers who provide incomplete, incorrect or inconsistent information are a red flag, suggesting that the customer is attempting to hide their identity or disguise the purpose of the transaction. The regulated organizations should be cautious while verifying the customer’s identity and establishing its risk profile to determine the legitimacy of the identification information and the validity of the identity documents.
If a customer provides a different address every time they interact, or multiple customers use the same contact number/email ID, it suggests a potential money laundering activity involving multiple parties across different jurisdictions. Similarly, if the customer’s identification documents prove to be forged upon verification, it is a red flag indicating potential involvement in financial crime activities and hence the need to conceal their identity.

High-risk occupations or connection with high-risk business segments

Customers with high-risk business activities, such as gambling, real estate, and precious metals, which are prone to higher exploitation by money launderers, require enhanced verification measures.
E.g., if a customer engaged in a real estate brokerage business insists on cash payment, it could be considered a potential risk indicator suggesting money laundering activities.

Geographical risk factors

Customers located in or closely connected with high-risk countries, such as those with no or weaker AML regulations, terrorist activity, or a high rate of corruption, should also be considered high-risk for the purpose of applying AML/CFT measures.
E.g., a customer from a country mentioned in the FATF’s grey list of countries subject to increased monitoring is to be considered for enhanced customer due diligence measures.
Identifying the potential risk indicators helps the regulated organization proactively detect high-risk customers and apply adequate measures to manage the increased ML/FT risk, stay compliant, and avoid non-compliance penalties.

With Niyeahma’s expertise, manage your increased ML/FT risk posed by high-risk customers

Identifying high-risk customers and deploying mitigative measures is crucial for regulated organizations to manage regulatory compliance, safeguard the business from ML/FT vulnerabilities and avoid reputational damage.
Niyeahma is an AML Consultancy service provider that offers end-to-end support in your AML compliance journey. We help clients conduct the overall Enterprise-Wide Risk Assessment and design a tailor-made AML compliance framework, including controls and procedures to identify high-risk customers and a list of the potential risk indicators and red flags relevant to the business activities. We assist clients in effectively implementing the AML framework by imparting comprehensive AML training to the client’s AML/CFT Compliance Officer and the compliance team.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

The Vital Role of an AML Compliance Officer in Safeguarding VASPs in the UAE

With the increasing acceptance of virtual assets, Virtual Asset Service Providers (VASPs) also continue to grow around the globe, including in the UAE. However, given the nature of virtual assets – the anonymity involved and their easy transferability – criminals misuse them for money laundering and terrorism financing activities.
To manage the exploitation of virtual assets, countries have implemented stringent regulations and have entrusted VASPs with compliance obligations to identify and prevent the ML/FT risk. To effectively implement the AML compliance program and adhere to the regulatory requirements, the role of the anti-money laundering (AML) Compliance Officer is important for VASPs.
In this article, we will discuss the role of AML Compliance Officers in ensuring AML Compliance for VASPs in the UAE.

Introduction to AML Compliance in the UAE

The UAE government intends to develop the country as an international virtual assets centre. To promote this, robust AML compliance regulations around mitigating the risk of money laundering and terrorism financing have been introduced.
To manage virtual asset activities in Dubai, the government has formed a supervisory authority – the Virtual Assets Regulatory Authority (VARA) of Dubai. At the same time, other authorities are designated to supervise virtual asset activities across the UAE, such as the Financial Services Regulatory Authority for VASPs registered in Abu Dhabi Global Market (ADGM), the Dubai Financial Services Authority for VASPs operating from Dubai International Financial Centre (DIFC) and the Securities and Commodities Authority of UAE for the rest of the 6 Emirates and free zones.
These authorities have developed and implemented comprehensive AML regulatory guidelines and rulebooks for VASPs, mandating VASPs to design solid AML frameworks and ensure compliance with international best practices and FATF recommendations around managing ML/FT risks associated with virtual assets.

The Importance of AML Compliance

Compliance with AML regulations is mandatory for various regulated organizations, including Virtual Assets Services Providers in the UAE. A robust AML compliance program will safeguard virtual asset activities against being exploited for money laundering or terrorism financing activities. Further, non-compliance with any AML obligation will lead to severe adverse consequences for the VASP, such as substantial administrative fines, reputational damage and even termination of the license to conduct virtual asset activities.
Adequate AML compliance will help VASP create customer loyalty and seek respect from various stakeholders and market players worldwide, looking at its efforts towards combating money laundering and financing terrorism.

UAE's Regulatory Framework for AML Compliance

The UAE has established a comprehensive AML regulatory framework for financial institutions, VASPs and other Designated Non-Financial Businesses and Professions (DNFBPs). The legislative framework includes the Federal Decree-Law and the implementing Cabinet Decision, specific guidance issued by the relevant supervisory authorities like the Central Bank of UAE, Securities and Commodities Authority of UAE, Ministry of Economy, Ministry of Law, etc.
These AML regulations lay down comprehensive AML requirements for regulated entities operating in the UAE, including customer due diligence measures that must be adopted before establishing a business relationship, ongoing transaction monitoring requirements, procedures for identifying and reporting suspicious transactions, etc.
The UAE government is committed to fighting financial crimes and developing UAE as a safe and secure international financial centre. Violating the UAE’s AML regulations attracts heavy penalties and has a long-term impact on reputation.

Defining Virtual Asset Service Providers (VASPs) in UAE

In simple language, a business organization providing virtual assets-related services to its customers is a Virtual Asset Service Provider. Examples include a company operating a cryptocurrency exchange or one providing services for converting fiat currency into virtual assets or vice versa.
Virtual assets are digital representations of value that can be transferred or traded using distributed ledger technology. The virtual assets include cryptocurrencies like Bitcoin and Ethereum, Non-Fungible Tokens (NFTs) and other digital assets like stablecoins. VASPs are essential in facilitating virtual asset trade, transfer and use.

Types of VASP in UAE

The different types of virtual assets-related services that qualify as VASP include:
  • An exchange between virtual assets and fiat currencies or between one or more forms of virtual assets
  • Transfer of virtual assets between wallets by way of virtual asset transactions on behalf of another person
  • Safekeeping and administration of virtual assets owned by other persons or instruments enabling control over virtual assets
  • Facilitating and providing financial services related to a virtual assets issuer’s offer or sale of a virtual asset into the primary or secondary market

VASP Regulation in the UAE

To safeguard virtual assets from financial crime, the UAE has developed a robust AML regulatory framework for VASPs, including stringent licensing requirements and ongoing regulatory oversight of virtual asset activities. Along with Federal Decree-Law and the implementing guidelines, the regulatory authorities have also issued guidance and AML rulebooks for monitoring the VASP in their respective jurisdictions, such as ADGM’s FSRA, VARA, DIFC’s Dubai Financial Services Authority, etc.
The UAE’s AML regulations for VASPs are based on international best practices and the FATF recommendations around virtual assets and VASPs. The regulatory framework mandates that VASPs in the UAE comply with customer due diligence processes and sanctions screening requirements, implement transaction monitoring systems and procedures, ensure timely reporting of suspicious transactions to the Financial Intelligence Unit (FIU) and the regulatory authority, etc.

The Role of an AML Compliance Officer in VASP

To ensure effective compliance with AML obligations, the VASP must appoint a competent AML Compliance Officer or a Money Laundering Reporting Officer (MLRO). The AML compliance officer’s role is pivotal in ensuring 100% AML compliance by VASPs, including safeguarding the VASP against the evil of money laundering and terrorism financing and preventing these financial crimes.
The overall responsibility of implementing and overseeing the effectiveness of the AML compliance framework lies with the AML Compliance Officer.

Key Responsibilities of an AML Compliance Officer

The AML compliance officer in VASP is entrusted with several key responsibilities around AML compliance, such as:
  • Conducting overall business risk assessments or enterprise-wide risk assessments of the VASP, considering all the relevant risk factors posing a risk to the business
  • Designing and implementing a robust AML compliance framework aligned with the overall business risks and regulatory requirements, including policies, procedures, and controls.
  • Developing and implementing a comprehensive customer onboarding process, including Know Your Customer, Know Your Transactions, and sanctions screening.
  • Implementing the systems and procedures for assessing customer risk and applying adequate customer due diligence measures, including enhanced due diligence.
  • Defining the rules for ongoing monitoring of transactions to identify unusual patterns or suspicious activity, and ensuring those rules remain relevant and effective.
  • Identifying the potential red flags and making them part of the AML policies. A few red flags related to virtual assets activities are:
    • Structuring virtual asset transactions in small amounts,
    • Making multiple high-value transactions within 24 hours,
    • Transferring virtual assets immediately to multiple VASPs in another country where there are no AML/CFT regulations,
    • Depositing virtual assets at an exchange and then immediately withdrawing the same without any further activity,
    • Conducting a large deposit to open a new wallet with a VASP, which is inconsistent with the customer’s economic profile,
    • Conducting VA-fiat currency exchange at a potential loss,
    • The use of decentralized/un-hosted wallets.
  • Receiving internal reports on observed suspicion, investigating the same and filing the Suspicious Transaction Reports (STR) or Suspicious Activity Reports (SARs) with FIU and regulatory authorities.
  • Designing and conducting AML training programs for the employees, including senior management.
  • Conducting a periodic review of the AML program and submitting a report to the senior management.
  • Ensuring AML-related records are adequately maintained and secured from unauthorized access.

Required Skills and Qualifications

Given the importance of the AML compliance officer’s role in VASP, the designated person must have a strong understanding of AML regulations and industry knowledge and experience.
Moreover, the AML compliance officer must possess excellent communication skills supported by problem-solving approaches. Officers must be competent and independent enough to effectively manage the AML compliance requirements and prevent misuse of virtual assets for money laundering or terrorism financing activities.

Key Challenges Faced by AML Compliance Officers

AML compliance officers in VASP face various challenges in ensuring compliance with AML regulatory requirements. One of the significant challenges is keeping pace with the evolving ML/FT typologies related to virtual assets and amending AML regulations. The Compliance Officer must stay up-to-date with AML compliance obligations to avoid non-compliance penalties and safeguard the business from being exploited by criminals using new money laundering techniques.
Another challenge AML compliance officers face is managing the large volume of data about customers and transactions. Such a colossal database makes monitoring and identifying suspicious activity difficult without sophisticated AML software.
The role of the AML Compliance Officer in VASP must be independent of regular business operations and client relationship management. The Compliance Officer must balance the business and AML Compliance without compromising the AML regulatory obligations.

Implementing AML Compliance Programs in VASP

The AML compliance program in VASP must be comprehensive, aligned with the VASP’s overall ML/FT risk and capable of identifying and mitigating the money laundering and terrorist financing risks effectively. The AML compliance framework should include the methodology of conducting enterprise-wide risk assessment, customer due diligence process, ongoing transaction monitoring, compliance with FATF travel rule, AML record keeping, and procedures for identifying and reporting suspicious transactions.

Business Risk Assessment

The risk assessment process involves identifying and evaluating the money laundering and terrorist financing risks the VASP is exposed to. The Compliance Officer should consider various risk factors such as customer base, geographies, products and services, etc.

Risk Mitigation Policies, Procedures and Controls (AML Framework)

Once the overall risk has been identified, it is the role of the AML Compliance Officer to design and implement adequate risk mitigation policies, procedures, and controls. The AML framework must be aligned with the size, nature and complexity of the business activities and must be approved by the management of the VASP.

Customer Due Diligence (CDD), Know Your Customer (KYC) and Know Your Transaction (KYT) Procedures

KYC and KYT procedures are essential to identify and verify the customer’s identity and understand the transactional elements associated with the virtual asset transfer. Further, the framework should include adequate customer risk profiling procedures and implementing the Targeted Financial Sanctions (TFS) and screening requirements.
Effective customer due diligence will ensure that VASPs deal with genuine customers and do not unintentionally aid in money laundering activities by onboarding financial criminals as their customers.

Identifying and Reporting of Suspicious Activities

Adequate procedures and systems must be implemented to monitor the transactions and customer profiles to detect and report suspicion. The Compliance Officer shall ensure that potential suspicious transactions are investigated internally and only reported to the FIU and the supervisory authority if the internal examination confirms the ML/FT suspicion warranting the external reporting.
One of the important roles of the AML Compliance Officer is to ensure the timely filing of the Suspicious Transaction Report (STR) or Suspicious Activity Report on the goAML Portal.

AML Governance

The Compliance Officer must assess the AML training needs of the employees and design a comprehensive AML training program. The AML training program must be included in the AML framework, highlighting the timing, course, and employees involved in this training.
Further, the AML Compliance Officer must conduct periodic reviews of the implemented AML program and submit a report to the senior management of the VASP, highlighting the AML compliance gaps and the additional mitigation measures required.

Record Keeping

AML-related records must be maintained adequately for the specified period and in an organised manner.

Collaboration with Regulatory Authorities

AML Compliance Officer, or Money Laundering Reporting Officer (MLRO), is the key contact between the VASP and the regulatory authorities. One of the key roles of the AML Compliance Officer in VASP is to ensure effective correspondence with the authorities, including the following:

Reporting of Suspicious Transactions and Activities

Identifying and reporting suspicious transactions is a crucial responsibility of AML Compliance Officers in VASP. If suspicious activities are observed, the front-line team must immediately notify the Compliance Officer, who would investigate the matter and, if reporting is required, should immediately file a SAR or STR with the FIU.

Ongoing Training and Education

The AML Compliance Officer must attend AML training sessions and workshops conducted by the authorities to be updated with evolving AML regulations and practices.

Ensuring Compliance with Evolving AML Regulations

The AML Compliance Officer must ensure that the VASP’s AML/CFT framework, including policies, procedures, and controls, is up-to-date with the amended regulatory requirements.

How can Niyeahma assist AML Compliance Officers in fulfilling their roles in VASPs?

AML Compliance Officer must ensure that its Virtual Asset Service Provider (VASP) complies with UAE local AML regulations and the FATF recommendations around virtual assets transactions. The role of the AML Compliance Officer in VASP is critical to identify and mitigate the financial crimes risks by developing a robust AML compliance framework.
Niyeahma is a leading AML consultancy firm, assisting VASPs in assessing the overall risk, designing and implementing an AML compliance program, establishing a competent AML compliance department and imparting adequate AML training to ensure regulatory compliance and avoid administrative fines for AML violations.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Explaining the Concept of Designated Transactions Under the PSPM Act 2019


Individuals and entities engaged in money laundering (ML), terror financing (TF), and proliferation financing (PF) activities frequently use precious stones and precious metals to move their illicit money and disguise it as generated from legitimate sources. To curb ML/FT and PF risk, the Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Act, 2019 (PSPM Act 2019) created a category of Precious Stones and Precious Metals (PSPM) transactions known as “Designated Transactions”, for which Precious Stones and Precious Metals Dealers (PSMD) must take care to identify and report ML/FT/PF suspicion.
The PSPM Act 2019 provides in-depth clarity around designated transactions, considering the following aspects, with respect to which the PSMD must undertake the necessary AML compliance:
  • Purpose of the transaction
  • Payment mode and threshold
  • Parties to the transaction
  • Location of transaction
  • Count of the transactions executed

What is a Designated Transaction under the PSPM Act 2019?

A “designated transaction” under the PSPM Act 2019 is any of the following transactions, when conducted wholly or partly in Singapore:
  • A transaction whose purpose is the sale of precious stones, precious metals, precious products, or asset-backed tokens by a regulated dealer to the customer against payment in cash or cash equivalent or digital payment tokens exceeding SGD 20,000.
  • Two or more PSPM sales transactions by a regulated dealer in a single day to the same customer or a person acting on behalf of the same customer against cash or cash equivalent or digital payment tokens exceeding SGD 20,000.
  • Transaction relating to the purchase of PSPM by the secondhand goods dealer from a customer (other than the regulated dealer) against cash or cash equivalent exceeding SGD 20,000.
Here, it is essential to understand who would be treated as a “regulated dealer”. A regulated dealer is a person engaged in the following regulated dealings or acting as an intermediary in such dealings:
  • manufacturing or selling PSPM
  • importing or possessing PSPM for sale
  • selling or redeeming asset-backed tokens (backed by PSPM)
  • purchasing any PSPM for resale

Why is it Important to Identify Designated Transactions?

Designated transactions involve cash and possess a higher degree of ML/FT/PF risk. Hence, it is essential to understand the nature of the transactions and apply appropriate risk mitigation measures.
The primary importance of identifying designated transactions is to detect and prevent the exploitation of the PSPM sector by financial criminals. Further, it is also essential to fulfil AML compliance obligations concerning designated transactions by a PSMD, including applying customer due diligence measures, reporting designated transactions to the STRO, etc.

Legal Obligations of a PSMD Engaged in Designated Transactions

To ensure compliance with Singapore’s AML regulatory regime and check the ML/FT/PF threats, a regulated dealer must adhere to the following obligations:

Risk Assessment and Internal Policies, Procedures, and Controls (IPPC)

A regulated dealer must conduct an internal business risk assessment to identify the exposure to ML/FT/PF arising from the nature of customers, the geographies it is associated with, the type of PSPM offered, the complexities of the transactions, etc.
Based on the outcome of such Enterprise-Wide Risk Assessment and adopting the risk-based approach, a regulated dealer must design, implement and maintain its internal policies, procedures and controls (IPPC) to mitigate ML, FT and PF risks.
The IPPC must provide detailed guidelines around performing the Customer Due Diligence measures, AML governance structure, identification and reporting of suspicious transactions, requirement for AML training, complying with Targeted Financial Sanctions, AML record-keeping requirements, etc.

Customer Due Diligence (CDD)

The regulated dealer must perform Customer Due Diligence (CDD) before entering any designated transaction. It must include measures to identify the customer and the beneficial owners, verify the identity, determine whether the customer is the owner of the cash, and screen the customer or beneficial owners to identify any connection with Sanctions Lists or Politically Exposed Persons (PEP), etc.
Depending upon the nature of the designated transaction and the risk associated with a particular business relationship, the PSMD must apply different CDD measures. For example, for a customer identified as high-risk, enhanced customer due diligence measures must be applied, covering the inquiries around the customer’s income level, source of funds and wealth.
Further, the regulated dealer must terminate the transaction or reject a customer if the CDD measures cannot be applied adequately or the PSMD suspects that the designated transaction may be connected to any ML, FT or PF activity.
The PSMD must carry out CDD measures to identify the third party acting on behalf of the customer to execute a designated transaction. Here, the PSMD must also obtain and verify the third party’s authority or specific rights to act on behalf of the customer.

Suspicious Transaction Report (STR)

When a regulated dealer cannot satisfactorily conclude the appropriate customer due diligence process or any red flags are observed concerning the designated transaction, the regulated dealer must file a Suspicious Transaction Report (STR) on SONAR.
The PSMD must submit the STR to the Suspicious Transaction Reporting Office (STRO) as soon as the customer is suspected of involvement with proceeds of crime or activities related to ML/FT or PF.
While filing STR, the regulated dealer must provide complete details of the suspected transaction, red flags observed, and details of the parties to such suspicious transaction.

Cash Transaction Report (CTR)

A regulated dealer carrying out business related to PSPM must file a Cash Transaction Report (CTR) with the STRO when it enters a designated transaction.
The CTR must be filed using Form NP 784 on SONAR within 15 business days from the date of executing a designated transaction.
The CTR must capture accurate and complete information on the designated transactions and the identification details of the customer, the beneficial owners, or the person acting on behalf of the customer.

Record-keeping

A regulated dealer is under the obligation to maintain records about every designated transaction (irrespective of the completion status) for a minimum period of five (5) years, capturing the following details or documents:
  • All customers’ and beneficial owners’ identification details collected as part of the CDD process, including supporting documents relied upon
  • ID information of the person acting on behalf of the customer and proof of such authority given
  • Date, addresses, and amount of transaction entered into
  • Reasons recorded for inability to complete CDD or any other risk indicators observed
  • Copy of all STRs filed with the STRO
  • Copy of all CTRs and supporting documents relied upon for filing CTR

Independent Audit Function

PSMDs carrying out designated transactions are mandated to have their IPPC tested by an independent audit function to obtain an unbiased opinion regarding the health of the AML/CFT controls and measures implemented, including:
  • Assessing and analysing the relevance and adequacy of IPPC
  • Assessing the effectiveness of IPPC by analysing AML compliance and engagement by the employee
  • Checking the quality and timeliness of the regulatory reporting

Other key regulatory obligations

In addition to the above, a regulated dealer is also required to comply with the following requirements:
  • appoint a competent Compliance Officer to manage and oversee the entity’s AML compliance, including performing a periodic review of the IPPC and its effectiveness
  • monitor the transactions and business relationships to identify any suspicious activity or transaction
  • furnish a semi-annual return (SAR) to the Ministry of Law, capturing information about the dealer’s business profile, copy of IPPC, details of designated transactions executed, etc.
  • develop a robust AML training program for the staff, including senior management

Conclusion

Through the article, we have discussed the meaning, importance and obligations surrounding “designated transactions” for the PSPM sector in Singapore.
If you struggle to manage AML compliance, we have your back. Niyeahma is a leading AML consultancy service provider, offering top-notch quality AML support customised to your business needs. We offer consultancy around:
  • Assessing the risk and performing Enterprise-Wide Risk Assessment,
  • Developing internal Policies, Procedures, and Controls (IPPC),
  • Imparting comprehensive AML training to the team,
  • Performing an independent review of the IPPC and overall AML program,
  • Managing the KYC and Customer Due Diligence requirements.
Stay compliant, stay safe!


Customer Lifecycle Management and AML Compliance in the Digital World


Customer lifecycle management (CLM) has become automated, quick, and efficient in the digital world. This risk assessment environment differs from traditional scenarios, which were characterised by tedious manual processes working in isolation, targeting specific functions and limited to particular businesses.
However, with the acceleration of the digital world and the adoption of the digital KYC mechanism, regulated entities had to forgo this approach and adopt an aggressive risk management approach.
The customer lifecycle in the digital age has witnessed a rapid transformation. As mentioned earlier, customer lifecycle processes were siloed, labour-intensive, time-consuming, and prone to errors. The focus is now on digital lifecycle management, which connects disparate systems and provides a unified solution to verify customer identity efficiently. Customer Due Diligence (CDD) is the primary function that needs to be performed by financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Assets Service Providers (VASPs).
The traditional customer verification method involved an actual visit to the branch, where employees would verify the hard copies of the documents. This process is becoming redundant as mobile transactions have increased drastically. Processes such as opening bank accounts, getting a loan, creating a fixed deposit, and transferring money are all completed online. The customer verification process has also shifted online, where branch visits are not necessarily required. In a changing business landscape with evolving preferences, customers expect instant gratification, and branch visits are becoming a thing of the past. It has been estimated that branch visits will be drastically reduced by 36%, and there will be more than a 120% increase in mobile transactions.
Digital KYC and CDD processes will take center stage. It is estimated that by 2022, 60% of the world economy will be digitised. Such unprecedented growth requires robust measures for customer identification and verification. New digital ID systems are being extensively used to mitigate the risks arising in the evolving digitised world. It is necessary to understand how digital ID systems work and help businesses identify any fraudulent financial activity in the garb of legitimate transactions.

Digital ID systems have a few basic components:

Digital KYC information collection

The deduplication process, which is part of identity proofing, is carried out. It involves collecting the attributes of a single unique identity and the evidence for them. The applicants’ details, such as name, age, and gender, are checked, along with biometrics, including fingerprints, iris scans, and facial recognition images. These, along with the government-issued IDs, are verified against the information in the database. With digital verification on the rise, the documents are stored in electronic form in databases, which can be referred to as and when required. This enables identity evidence to be obtained and verified remotely.

Validation

This step verifies if the digital KYC evidence submitted is genuine and accurate. The evidence is validated by checking the information submitted against reliable sources and matching the information in the independent databases/ sources. 

Verification

This step involves confirmation that the validated identity is real and the person is the same who has been identity proofed. 

Authentication

Authentication ensures that the person seeking online/ offline account access is the same person who has been identified and verified earlier. The digital identification process is done when people need access to online activities such as accessing net banking, transferring money online via app, and seeking authorisation to complete the process. Authentication is also required when someone asks for in-person interaction to access the account or conduct other financial activity.
The best part about digital identity verification is that banks and financial institutions do not rely solely on the authenticators/credentials issued at the time of onboarding in such scenarios. At the time of onboarding, after all the KYC, CDD, and EDD processes are completed, the person will possess the credentials issued to them. Still, digital verification also depends on continuous authentication, which relies on data points collected during the online session, such as the IP address, geolocation, etc.

What is CDD?

The CDD process helps reporting entities to combat money laundering and other financial frauds and prevent the financing of terrorism. The process includes collecting customer information and monitoring it throughout the business relationship.  
  • Individual Customer Information: It collects customer information and verifies that the information submitted is accurate and that no false information has been submitted. The customer’s name, address, contact details, photo, occupation, unique ID number, and tax identification number are verified.
  • Business information: It includes the name of the business, the type and nature of the company, ultimate beneficial owners, source of funds, etc.
  • Risk Assessment: After the verification process is completed, the customers are categorised as low, medium, or high-risk customers. This categorisation is done after considering different factors such as the customer’s identity, location, nature of the business, and identifying PEPs and UBOs. High-risk customers require enhanced due diligence compared to the low or medium-risk profiles. The risk assessment process provides clarity on the due diligence process that needs to be followed to follow the AML compliance process correctly.  
  • Continuous Monitoring: The ongoing monitoring keeps a tab on the customers’ transaction patterns and changes in customer profiles and identifies unusual transactions.  
The CDD process becomes automated and more reliable in a digital landscape with emerging technologies such as Artificial Intelligence and Machine Learning. The introduction of biometrics has also made a massive difference in accuracy levels in identifying customers and has streamlined the process. 

How is the customer lifecycle managed with greater efficiency with tech?

Regulatory compliance and serving customers with excellence have kept businesses on their toes as they need to fulfill both purposes with equal efficiency. They need to follow the AML rules and regulations and meet the evolving customers’ expectations. So, they choose to rely on AML software to instantly identify suspicious activities, which provides timely notifications that alert them in case of any fraudulent/ unusual transaction.
New and emerging technologies are being used in the customer lifecycle management landscape, often referred to as RegTech. They have been in use for a while and focus on solving only a part of the more significant compliance problem rather than serving as a complete solution that can take over the compliance issues and risk assessment scenario and reduce the false positives. However, with better technology and the emergence of advanced AML software, financial institutions have solved compliance issues and safeguarded their reputation from being maligned by unknown risks. It is vital to adopt a risk-based approach as money launderers find innovative ways to launder their illicit money.

AML Compliance in the Digital world

Digital acceleration has changed the course of AML compliance for businesses as they need to brace themselves up to fight financial fraud and provide customers with the best experiences. Digital payments have witnessed exponential growth. So there is increased pressure on the regulated entities to overhaul their client Lifecycle management process. 
Financial and other regulated entities must follow the AML compliance requirements. They have to diligently follow the Know Your Customer (KYC), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD) processes to collect, verify and continuously monitor customer identity, evaluate risk profiles and keep themselves AML compliant. Apart from following the AML rules and regulations, financial institutions must focus on enhancing customer experience.

FATF guidelines on Digital ID

The FATF regularly provides guidelines for AML compliance. It is advisable to follow the procedures, as doing so helps reporting entities brace themselves against challenges in a digitally enhanced landscape. Remote client verification has become a prominent trend in the recent past, especially during pandemic times.
  • Verify the customer’s identity
  • Understand and verify the type and nature of the business relationship
  • Continuous monitoring.
Where deemed necessary, the reporting entities should perform background checks for criminal records and politically exposed persons and determine the customers’ citizenship. These verification processes depend on the risk profile of the customers or the risk posed by the business transaction. 

Digital KYC- The Way Forward

Digital KYC is an online process that involves video-based KYC. It is a must to have an audio-video-enabled device.  
The reporting entity will remind the person of the online appointment for the KYC process. The customer must ensure that all the required documents are furnished for the KYC process. The institution will send a video link via message or email. The customer, with the help of an interactive online application, completes his Digital KYC. In this process, the application will capture the live video/photo and the documents to complete the verification process. It will ask for age, address, occupation, nature, type of business, political association, etc. That will be verified with the documents submitted for verification.  

Why is AML Training Important?

Employees need to be acquainted with updated knowledge on the software and methods with which they can identify fraudulent transactions and prevent financial frauds such as money laundering. It is not easy to spot fraudulent transactions such as layering, and so the employees need to be provided with technology that can aid them in strict transaction monitoring. 
Digitalization has urged financial organisations to improve their customer identification programs and sync with the evolved customer identification requirements. The digital AML process is automated at every step of customer verification, from customer onboarding, customer due diligence, and risk assessment to the identification of UBOs and PEPs and the enhanced due diligence process: the entire spectrum of the customer verification process.
When digital channels have become a passage for money laundering and financial fraud, it is better to be equipped with advanced, emerging technologies such as AI and ML. AML software has built-in technologies that help identify financial scams and reduce false positives. The software helps combat money laundering and empowers financial institutions and other regulated entities to improve AML detection and thwart risks in a digitally accelerated world.

Benefits of the AML Software

The AML software is a crucial element in the AML compliance strategy. It efficiently collects the customer information- KYC, CDD, and EDD which are the foundation of an efficient AML compliance program. The software stores the data with customer identity verification processes such as KYC- Know Your Customer, CDD- Customer Due Diligence, and EDD- Enhanced Due Diligence. It efficiently verifies the customers’ identity and makes the financial institutions and other regulated entities aware of any fraudulent identity or transaction.
It evaluates the risk of being associated with a customer/ entity. So, the institution can follow appropriate measures while establishing a business relationship and continuously monitor the customer lifecycle. Moreover, the software scans the customers against a sanction list and identifies potential risks. Financial Institutions can extract more information about PEPs- Politically Exposed Persons and the UBOs- Ultimate Beneficial Owners and correctly evaluate the risk of establishing and maintaining customer relationships. 
