The role of Re-KYC process in AML Compliance

KYC is a critical AML compliance requirement for regulated entities in the UAE. It lets you know your customers better and gauge the risks associated with their transactions. Nowadays, authorities are also stressing the need for re-KYC of customers to keep track of updated information. Let us learn the role of the Re-KYC process in AML compliance and strengthen our defences against money laundering and terrorist financing.

What is Re-KYC?

KYC must not be a one-time event. As customers’ details and regulations change, you must also update these data points in your database. That is why re-KYC of customers is essential. Re-KYC means periodic updates of the customers’ KYC details.
To conduct the re-KYC process smoothly, you must invest your time, effort, and money in it. Re-collect the information on customers, verify it, and add it to your database. This must lead to accurate and up-to-date details on all your customers. You also need to carry out sanctions screening and customer risk assessment to classify customers into low-risk, medium-risk, and high-risk customers and apply suitable countermeasures to fight against the risks they pose.

Why is re-KYC of customers essential?

Re-KYC of customers is essential for every regulated entity for the following reasons:

AML/CFT policy and procedures

AML/CFT policy and procedures mandate the KYC refresh. Depending upon the local rules and regulations and the risk-based approach adopted by the regulated entity, the schedule for periodic review is predecided and triggered. For example, the organisation may have a policy to conduct re-KYC every year for high-risk customers, once every two years for medium-risk customers, and once every three years for low-risk customers.

Industry transformations

Post-COVID, business models have significantly changed. Some of the old industries do not exist anymore or have undergone significant changes. The associated ML/TF risks have changed. Re-KYC helps understand customer profiles in the changed context, align risks, and take appropriate countermeasures to fight ML/TF.

Change in customer profile

Like fluctuations in your business, your client’s business or profile also witnesses changes. For example, they expand to a new territory, add a new product or service line in their offerings, have new owners, change the source of funds, or something else. These types of deviations in your clients change their risk profiles. To incorporate the amendments in their risk profiles, you must conduct a re-KYC of customers.

Internal shifts

Your business is unique, with its own set of requirements, business models, objectives, capabilities, and procedures. Based on these factors, you also define your risk appetite to tolerate money laundering risks. Any internal shifts in these factors lead to a change in your risk appetite. This leads to changes in your AML measures and compliance policies. In such situations, re-KYC of customers is essential.

Regulatory amendments

To keep up with the regulatory changes, you may be required to gather additional information about customers. Re-KYC helps gather that information and comply with legal requirements.

FATF Greylisting of a country

If a country is greylisted, you need to take a risk-based approach and require your customers to furnish additional information as to the source of funds and source of wealth. Re-KYC helps you do that.

FATF Blacklisting of a country

If a country is blacklisted, you need more information about your customers in high-risk jurisdictions, and hence Re-KYC or KYC refresh is required.
Due to all these reasons, it becomes essential for regulated entities to conduct the re-KYC process. Whether you conduct it twice a year or once every two years, the aim is to have updated information. Such up-to-date and accurate data facilitates the correct risk profiling of the customer. Based on this, you can take a risk-based approach for further AML compliance initiatives. Thus, you can prevent money laundering and terrorism financing activities.
Another benefit of the KYC process is a better understanding of your customers. You can tailor your services to their needs to improve customer satisfaction. Thus, you can also enhance your customer relationships with the re-KYC of customers.

Steps of the re-KYC process

You have the reasons and benefits of the re-KYC process. But what are the steps of conducting this process?
The re-KYC process involves the following steps:

Step 1: Client communication

The first step of the re-KYC process is letting your customers know you will conduct KYC again. Communicate to them the reasons for this exercise and its importance. Inform them about the documents you will need for re-KYC.

Step 2: Information collection

Once you have identified the customers for whom you want to repeat the KYC process, list the necessary details. You might need some past information as well as to dig up some new details. Collect all those data points from customers.

Step 3: Information verification

In the next step, verify all the customer details with the necessary documents received from them. You must ask them for proof of identity and address, beneficial ownership, sources of funds, payment methods used, and other necessary documents. Match the details submitted by clients with these documents.

Step 4: Screening

Screen your customers against lists of sanctions, terrorists, watchlists, PEPs, or any other local and international list of criminals. Moreover, check for adverse media or social media mentions of crime-related activities.

Step 5: Risk Assessment

Assess each bit of information on your customers. Examine every slight suspicion you have about them based on their behaviour, transactions, and profile changes. Based on the results of this analysis, update their risk profile. Keep an eye on those customers whose risks have increased.

Best practices in re-KYC of customers

For the smooth and accurate performance of the re-KYC process, avoid making the most common errors. You can imbibe the following best practices for a successful re-KYC process and quality outcomes:

Establish Re-KYC procedures

AML compliance is not an easy journey. You have to manage quite a few procedures to ensure you comply with all the requirements. KYC is one such procedure. It helps you better know your customers to prevent or mitigate their risks. So, give it the importance it deserves.
Define a strategy for conducting re-KYC of customers. Mention the steps. List the timelines, resources required, and budget for the re-KYC process. Also, define the potential challenges you might face in this process, like customers’ disagreement, and the steps to deal with them. Such a strategy enables a seamless process.

Implement KYC software

KYC is a lengthy process. If you do it manually, it takes a lot of time. Also, it requires special skills to manage this exercise without errors and hassles. So, you need to spend money on hiring skilled staff as well. Also, the manual process carries a higher chance of errors. All these can affect your re-KYC process.
So, the best solution to all these problems is automating the re-KYC process. Such a solution will lead to accurate results, faster processes, and customer ease. Also, these KYC solutions raise an alert when they detect an anomaly, suspicion, or shift from the usual behaviour. Thus, you are better equipped to fight money laundering risks.

Take a risk-based approach

AML compliance is all about a risk-based approach. You have to decide the next action based on your customers’ risk levels. The same is the case with re-KYC. For high-risk customers, the frequency of re-KYC is higher. So, you must know whether your customer is high or low risk and when you last conducted their KYC.
So, if the customer is high risk, conduct a re-KYC frequently. If the risk is low, postpone it for later. Thus, you can decide the frequency and depth of your KYC procedures.

Customer communication is key

Inform your customers about the re-KYC process. They must be aware of the purpose of such data collection and document verification. It is also a good practice to obtain their consent to this exercise. Inform them about the documents needed, the time taken, and other necessary details. Constant communication from your side facilitates better relationships with customers. Since it will be a disturbing and problematic exercise for your customers, explain its significance to them.

Allocate proper resources

Re-KYC is not an administrative process. It is not a scheduled thing that you do away with by just following the steps. It needs your complete dedication and sincerity. It will help you stay away from risky customers and transactions. Thus, it is a part of your business’s risk prevention and mitigation plan.
So, you must give it much importance. Don’t forget to allocate skilful resources, a reasonable budget, and specific timelines to this exercise. Also, ensure that you do not destroy customer relationships while managing this procedure.

Ensure proper record-keeping

You must document every result and finding of the re-KYC process. Since you are analysing the client again and rebuilding the risk profile, the rationale behind it must be saved and secured. So, maintain proper records of each data point on the customer. Save the documents. These records help you during audits or investigations by regulatory authorities.
These six effective approaches can help you with a successful re-KYC process. Ensure that you imbibe them and follow the step-by-step journey. Do not forget to conduct a re-KYC of customers to be doubly sure of their risks to your business. Only with such re-KYC and due diligence can you strengthen your AML measures.

AMLUAE – your partner for conducting re-KYC of customers

AMLUAE is a prominent provider of AML compliance services in the UAE. We help you follow AML regulations in the UAE at every step. You needn’t worry about deadlines or regulatory updates; we handle everything on time and in compliance.
We also handhold you through the entire KYC and re-KYC process. Our consultants and AML experts conduct customer due diligence on your clients for accurate results. Ultimately, you will have each customer’s detailed risk profile to enable you to take a risk-based approach to your AML compliance.
Besides KYC and due diligence, we also help monitor transactions to detect suspicious ones. Our team can impart personalised training to your employees, create and implement AML policies, and manage all communication with regulatory authorities. The aim is to let you focus on your core business while we manage the AML compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

The risk-based approach in Anti-Money Laundering Compliance

Money Laundering and Terrorist Financing are global threats. Governments across the globe have framed laws and regulations to counter Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF). The regulated entities are obligated to employ their resources to fight financial crimes. For any business, resources are always scarce, and hence they would want them to be employed efficiently. That is where the Risk Based Approach to AML compliance comes into play and helps businesses deal with financial crimes efficiently.

Definition of Risk Based Approach (RBA):

The Risk-Based Approach (RBA) is basically the effective deployment of controls to counter the most significant ML/TF/PF risks a business is exposed to. It takes into account various risk factors, their likelihood of occurrence, impact, controls in place, and the risk appetite of the management to keep ML/TF risks at an acceptable level. Every business has its own risk-bearing capacity, and in AML compliance, it becomes essential to adopt a Risk-Based Approach in order to tackle ML, TF, and PF. Further, under an RBA, there is no such thing as ZERO risk, but it offers the most effective way to counter the risks. EDD for high-risk customers, determination of sample size by AML auditors, cash transaction thresholds, customer acceptance and customer exit policies are some of the common examples of having taken a risk-based approach.

Before going into detail about compliance requirements for a Risk-Based Approach under the UAE’s AML/CFT regulations, let us understand what a Risk-Based Approach in the AML realm means.

What is a Risk-Based Approach in Anti-Money Laundering (AML)?

Risk Based Approach: Meaning

The UAE Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations required FIs, DNFBPs, and VASPs to take a Risk-Based Approach to counter money laundering and terrorist financing risks.
The Risk-Based Approach (RBA) helps reporting entities effectively identify, assess and tackle ML/TF/PF risks. Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) should apply appropriate measures and procedures commensurate with the risks of money laundering, terrorist financing, and proliferation financing. The Risk-Based Approach enables the reporting entities to apply their efforts optimally to mitigate ML/TF/PF and sanctions risks. The RBA provides the risk-sensitive application of AML/CFT measures. Accordingly, companies are able to apply the principle of “higher the risks, higher the controls”.
The application of the Risk-Based Approach helps firms decide on the degree, frequency, or intensity of the ML/TF/PF controls.
Enforcement of cash thresholds by entities to mitigate ML/TF risks is one example of a risk-based approach. Other examples of RBA include EDD for high-risk customers, ML/TF independent audits, etc.

Step-by-step implementation of Risk-Based Approach in AML

RBA requires proper implementation of controls for an AML program to be successful. For an effective RBA process, all steps must be looked into and implemented correctly. The following is the step-wise process that DNFBPs should undertake for taking a Risk-Based Approach to compliance:

1. Risk Identification:

In identifying the ML/FT and PF risks to which DNFBPs are exposed, they should consider various internal and external factors such as the nature of business, product, services, risks associated with each customer, geography, especially high-risk jurisdictions and distribution channels. This step becomes a base for risk assessment, as DNFBPs are supposed to conduct risk assessments based on the factors identified to evaluate the emerging and relevant ML/FT and PF threats.

2. Risk Assessment:

It forms the basis of the DNFBP’s RBA for the development of policies and procedures to mitigate ML/TF risk, reflecting the risk appetite of the institution and stating the risk level deemed acceptable.
This step enables DNFBPs to understand the possibilities of risk materialising and the impact thereof.

4. Residual Risk:

It is necessary for DNFBPs to compare the risk profile to risk controls to measure the effectiveness of control measures against risk. This step requires identifying risk that remains after efforts have been made to reduce the inherent risk. The residual risk is also known as net risk.

Residual Risk = Inherent Risk – Controls

5. Risk Appetite:

After residual risk is identified, it is vital to compare it with the risk acceptance level set out in the risk appetite to determine whether it falls within that level. Risk appetite is set at an early stage and defines the amount and type of risk that is accepted. As a forward-looking concept, it helps in assessing the residual risk an organisation can accept.

6. Take Additional Measures:

Principles of The Risk Based Approach to AML Compliance

Acceptance of the existence of risk is the first thing that actually matters when it comes to the principles of the RBA to AML compliance. A risk assessment should be carried out according to the intensity of risk, the risk assessment process should be examined, and the compliance process should be applied.

Inherent Risk:

The gross risk is the risk an entity is exposed to before putting any AML/CFT controls in place.

Residual Risk:

The residual risk is the risk the reporting entity assesses once AML/CFT controls and measures are put in place.
According to the principles of a Risk-Based Approach, controls need to be aligned with the risks involved. The risk-based approach requires an entity to focus more on the risks that can have a higher impact.

For instance, the Customer Due Diligence (CDD) Process for Politically Exposed People (PEPs), which undoubtedly belongs to a high-risk profile, will remain insufficient if Enhanced Due Diligence isn’t carried out for them.

In addition, business enterprises must continuously monitor, analyse, and interpret their pool of data that falls within the scope of anti-money laundering compliance.
The manual monitoring of a business relationship is impractical when the transaction volume is high. Therefore, the regulated entities may resort to transaction monitoring software which can help them identify suspicious patterns in customer’s transactions and help them investigate the cases further and submit SAR/STR depending on the facts of the case.

Importance of Risk-Based Approach in Anti-Money Laundering Compliance

The risk appetite and risk-bearing capacity differ from one company to another. Therefore, following the same AML process for each enterprise or individual will not fetch healthy results.
Besides that, the risk-bearing appetite of the companies from the same industry also differs because the management style isn’t uniform everywhere.
Here is when the need for and importance of a Risk-Based Approach come into the picture. With the help of a Risk-Based Approach, companies from various business sectors can create an anti-money laundering framework that helps them fight ML/TF effectively.

The Traditional Tick-Box Approach vs. Risk-Based-Approach

Prior to the evolution of RBA, financial institutions (FIs) and DNFBPs were employing a tick-box approach to manage their AML compliance requirements. Under the traditional tick-box approach, compliance was assessed and treated as satisfied merely by going through a set of uniform AML standards. However, with the changing financial landscape and advancement of technology, the Financial Action Task Force (FATF) presented the concept of RBA.
The following is an analysis of the traditional tick-box approach vs. the Risk-Based Approach on different factors:

Criteria: Flexibility
Tick-Box Approach: It is an inflexible approach, as it applies a set of compliance requirements without considering the underlying unique aspects of risk.
Risk-Based Approach: It is a flexible approach, as it leaves the possibility to consider the unique risk profile and make it more adaptive.

Criteria: Efficiency
Tick-Box Approach: In terms of efficiency, there is no scope to change and make it adaptive to new changes and risks, thus making it an inefficient approach.
Risk-Based Approach: It is dynamic and adaptable, which allows efficient use of resources in combating ML/FT and PF risks, thus increasing the efficiency of AML measures.

Criteria: Resource
Tick-Box Approach: This measure follows a resource-intensive approach for applying AML measures. It requires extensive manual effort and time to complete. Thus, for efficient measures, this approach can take up a lot of resources, leading to an increase in financial burden as well.
Risk-Based Approach: This allows for smarter allocation of resources by focusing efforts on areas of higher risk, optimising efficiency, and enhancing effectiveness in identifying and mitigating risks. It also fosters a more dynamic and targeted approach to AML compliance.

Criteria: Effectiveness
Tick-Box Approach: It is a superficial approach that only addresses surface-level aspects of AML compliance and disregards associated risks.
Risk-Based Approach: It is an effective approach that focuses on in-depth learning, understanding new risks, and implementing measures accordingly.

Criteria: Prioritising
Tick-Box Approach: This works by taking a one-size-fits-all approach to every risk, leaving little room for risk prioritisation.
Risk-Based Approach: This approach prioritises risk by incorporating a tailored method for each risk according to its impact and probability.

Criteria: Proactiveness
Tick-Box Approach: It is an active approach for AML measures by working in a manner that follows standard policies without being open to the risk that requires a proactive approach.
Risk-Based Approach: It is a proactive approach to compliance by entailing measures for identifying, assessing, and controlling risks.

UAE AML/CFT Laws and FATF Recommendations Around Risk-Based Approach

What is the reasoning behind implementing a risk-based anti-money laundering approach?

The UAE has adopted effective AML laws to combat financial crimes, including ML, FT, and PF. The regulatory framework in the UAE includes federal laws that are aligned with international standards set out by the Financial Action Task Force (FATF).
Within its legal regime, the UAE has implicitly adopted RBA to AML compliance to understand ML/FT and PF risks and implement appropriate measures. Furthermore, the Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to implement RBA to identify, assess and understand ML/FT and PF risks and further take the most appropriate mitigating measures.
The RBA framework is also based on FATF recommendation no. 1, which lays down the principle of applying RBA to assess and adopt measures for ML/FT and PF risks.

Primary Elements of a Risk-Based Approach in AML Compliance for DNFBPs and VASPs

The following is the list of primary elements of a Risk-Based Approach in AML compliance for DNFBPs and VASPs:

ML/FT Enterprise-Wide Risk Assessment

ML/FT Enterprise-Wide Risk Assessment (EWRA), also known as Business Risk Assessment, is a key pillar of the RBA. It is an enterprise-level risk assessment that plays a pivotal role in combating ML/FT and PF risks.
EWRA is a process of identifying all external and internal risk factors such as products, services, transactions, delivery channels, customers, geographies, technology, etc, and further assessing their impact, exploring ways to mitigate, and controlling and monitoring associated risks.
Assessing the risk at the enterprise level helps in formulating a comprehensive and better AML framework.

AML/CFT Policy and Procedures

AML/CFT policies and procedures are the foundational documents that outline an entity’s approach to preventing, detecting, and mitigating ML/FT and PF activities.
These documents provide guiding principles to compliance officers and employees regarding their responsibilities to ensure compliance with AML/CFT regulations and the actions required.
These policy documents cover a wide range of areas under the AML framework that include CDD, transaction monitoring, reporting activities, and risk management.
The policies and procedures detail the actual implementation of RBA within an organisation: what it perceives as an ML/TF/PF risk and the commensurate controls to counter it.
With effective AML/CFT policies and procedures, DNFBPs can establish an effective AML/CFT framework within their organisation to counter financial crimes, including ML/FT and PF.

KYC and Customer Due Diligence (CDD)

The Know Your Customer and customer due diligence processes are carried out in order to identify who the customers really are and to further verify their identity and the nature of the businesses they engage with.
These procedures are one of the most fundamental building blocks of efficient and effective anti-money laundering compliance management. Within the scope of these procedures, you can assess and determine the level of risks associated with the customer and then take necessary actions to mitigate those risks.
Assessing the risk level of your customers accurately is an undeniable prerequisite for the Risk-Based Approach. However, without accurate customer due diligence, it is difficult to analyse risks posed by a customer.

Sanctions Screening

Sanctions screening aims to restrict dealings with persons involved in illicit activities. For this purpose, an entity is required to screen names against sanction lists maintained by governments, international organisations, and regulatory authorities.
DNFBPs, by conducting sanctions screening, can efficiently identify and prevent dealings that are against the regulatory framework and can also demonstrate adherence to the compliance requirements.
As per UAE AML Regulations, DNFBPs and VASPs are required to conduct screening against the UNSC Consolidated List and the UAE Local Terrorist List.
If the regulated entity deals with foreign countries, it can adopt a Risk-Based Approach and consider other relevant sanction lists for screening purposes.

PEP Screening

PEP screening means screening customers to identify if they are politically exposed persons (PEPs) or are related to a person identified as PEP. PEPs pose a high risk to DNFBPs because of their prominent position, which can be misused for illicit activities like corruption and financial crimes.
This measure involves screening customers against a PEP database to assess the nature and extent of their political exposure.
PEP screening helps to implement RBA and a better risk assessment process, which enhances the ability to take appropriate risk mitigation measures like Enhanced Due Diligence.

Adverse Media Screening

Any negative news about an individual customer or a business enterprise can broadly impact the decision to enter into a business relationship with them.
Plus, keeping an eye on such news is the best way to protect your organisation from any potential risks that might come when dealing with clients with high-risk profiles.
Adverse Media Screening helps a reporting entity adopt a Risk-Based Approach effectively and fight ML/TF risks.

Anti-money Laundering Transaction Monitoring

The regulated entities conduct CDD and risk assessments while onboarding the customer. This helps them understand the customer profile and the expected nature, volume, and frequency of transactions.
If the actual transactions with customers are not monitored, the risk-based approach adopted by the entity fails. What if the customer is transacting beyond his means?
Regulated entities implement transaction monitoring software, which helps them segment their customers based on various attributes like age, gender, nationality, turnover, size of business, etc. and frame rules to identify and investigate exceptions.
The system then monitors transactions and generates alerts when it finds a suspicious transaction.
Risk based transaction monitoring helps in suitably changing customer profiles and the risks associated with them, and it helps implement RBA in its true sense.

AML Compliance Officer

The DNFBPs and VASPs in UAE are required to designate a competent person as the company’s compliance officer. The compliance officer is responsible for AML/CFT program management, imparting AML/CFT training, and submitting regulatory reports on the goAML portal.
The AML Compliance Officer is the human arm of the Risk-Based Approach. The compliance officer adds the human element to RBA and changes the approach to fighting ML/TF according to the risks involved.
Thus, an AML compliance officer is an integral part of the implementation of the Risk-Based Approach.

Independent Audit

An AML independent audit is a comprehensive review of the AML program by an external party who is not involved in the operations of the business. The purpose of conducting an AML independent audit is to outline the effectiveness of the AML program, identify gaps for non-compliance and provide recommendations for improvement.
This measure helps maintain the transparency, integrity, and credibility of DNFBPs in the AML efforts. An external AML audit is an integral part of the RBA adopted by the regulated entity.

Monitoring and Review

When an entity establishes business relationships with persons, it is required to conduct ongoing monitoring to address any evolving risks and changes in the compliance framework. Monitoring and review are ongoing processes of RBA in AML that continuously assess the effectiveness of the AML compliance program.
Monitoring measures involve regular surveillance of customers, their transactions, and activities to detect any suspicious activity or unusual behaviour that may indicate potential ML/FT and PF activities.
The review measures include periodic evaluation of the AML framework to identify changes in risk patterns, determine the capacity of control measures in combating financial crimes, and observe areas for improvement.
By undertaking these measures, DNFBPs can proactively address compliance gaps and areas for improvement and, based on such evaluation, enhance their risk management capabilities.

Challenges in Implementing a Risk-Based Approach

Difficulty in Identifying Risk Factors

The complexity of identifying and categorising risk factors makes it difficult to implement RBA within the AML framework. Additionally, the realm of the financial landscape keeps changing due to new trends in criminal activities, making it more difficult to identify risk.

Difficulty in Assessing ML/TF and PF Risks

RBA requires an accurate assessment of ML/FT and PF risks. However, the assessment of ML/FT and PF risks requires knowledge about the financial landscape, known ML/TF/PF typologies, FATF recommendations, National Risk Assessment (NRA), transactions and patterns, which makes it difficult to assess.

Difficulty in Assessing the Effectiveness of Controls

The application of AML measures requires continuous updates and monitoring due to the dynamic nature of the business. This requires continuous changes in control measures, thus making it difficult to assess the effectiveness of control measures. Further, the effectiveness of the control measures is measured by the quality of their implementation rather than the quantity. This adds a layer of subjectivity to the overall assessment.

Difficulty in Identifying Risk Appetite

It is a crucial step of RBA to establish an accurate Risk Appetite Statement that lays down the level of risk an entity is willing to accept. However, it becomes difficult to identify risk appetite due to the changing landscape and the involvement of multiple parameters.

Lack of Expertise

The application of RBA is technical, and it requires knowledge of the business and existing and emerging ML/TF/PF risks and their patterns. DNFBPs face challenges here due to their small size and the unavailability of competent persons internally.

Top Management Support

RBA requires taking proactive action to combat ML/FT and PF risks, and top management’s support is vital because various actions require approval from senior management, which can at times be difficult to obtain. Unavailability of, and resistance to change from, top management make it difficult for businesses to take proactive measures.

Consistency in Risk Assessment Methodologies

Consistency is of the utmost importance when adopting RBA for risk management. It helps staff stick to a uniform procedure. However, for a growing organization, changes in products, services, and technology are constant variables. This leads to inconsistency in applying RBA.

Handling Customer Experience

RBA requires taking stringent measures to implement an effective AML framework within the organisation. These measures include undertaking enhanced due diligence and monitoring, which may cause inconvenience to customers who are not involved in any illicit activities. It is thus difficult to find a balance between mitigating AML risks and positive customer experience.

Lack of Budget

RBA is a detailed process that requires expert knowledge and resources for effective implementation. However, such measures need budgetary support, which could be difficult for small organisations.

Building a Robust AML Compliance Framework using RBA

Crafting an effective AML compliance framework using RBA is important to detect and deter financial crimes, including ML/FT and PF.
Here is the list of elements required for building a robust AML compliance framework using RBA:

Establishing a Strong AML Culture

The AML compliance culture means shared values, practices, and behaviours within a business workplace that prioritise adherence to the AML regulatory framework.
With a strong compliance culture, businesses can efficiently and consistently employ a risk-based approach.

Training and Awareness Programs for Staff

Compliance officers and staff need to carry out responsibilities in the AML/CFT framework for successful compliance with the AML regulatory requirements. An AML compliance framework incorporates a training program tailored to staff based on their role and responsibilities. Further, in order to have effective AML governance, DNFBPs must undertake periodic and up-to-date training program activities and maintain training records.
With such AML training programs, employees can easily understand ML/FT and PF risks and, therefore, employ measures required to fight such risks. This goes a long way in implementing the RBA in the regulated entity.

Customer Identification and Verification

To ensure compliance with KYC and CDD requirements, customer identification and verification systems are necessary. Customer identification and verification systems come with liveness checks, two-factor authentication, and checks for the authenticity of ID documents. Such systems help adopt a Risk-Based Approach and determine if the customer is acceptable, considering the company’s customer acceptance policy.

Transaction Monitoring

Transaction monitoring helps identify transactions that do not align with the customer’s profile or expected business activities. There are transaction monitoring tools available to identify suspicious patterns and put transactions on hold until the compliance team investigates them and decides if there is a requirement to submit SAR/STR.
By employing transaction monitoring tools, DNFBPs can take a Risk-Based Approach and decide if EDD is required, customer offboarding is necessary, or the system generates a false alert.

Record-Keeping

Under the UAE AML/CFT Laws, regulated entities are required to keep all AML/CFT records for a minimum of 5 years. The ADGM and DIFC-based entities are required to retain records for 6 years.
The record-keeping serves as evidence of having taken a Risk-Based Approach.

Reporting Structure

An effective reporting structure is required for better implementation of the AML framework to combat ML/FT and PF risks. DNFBPs must maintain records and develop a reporting system in their AML governance program.
This measure must include systems for maintaining data on the number of customers rejected, terminated relationships, transactions monitored, and alerts generated, as well as systems for submitting suspicious transaction reports and suspicious activity reports (STRs/SARs) via the goAML system.
Periodic AML/CFT compliance reporting to top management helps management take a Risk-Based Approach and determine if they need to put in more resources to counter ML/TF risks or tweak AML/CFT policies and procedures to align them with their risk appetite.

Internal Controls and Risk Management

Internal Controls and Risk Management processes help fight ML/TF. The nature and extent of such internal control mechanisms differ from business to business, depending on the entity’s risk appetite and risk-based approach.

Technological Support

Technology has made life easy for DNFBPs and criminals as well. To counter technologically driven criminal activities, the AML compliance framework should leave space to employ technologically driven tools.
It also helps enhance AML compliance by quickly analysing vast quantities of data to detect suspicious patterns and anomalies that might indicate the occurrence of ML, FT, or PF activity.

How Does the Risk-Based Approach Work in AML?

The Risk-Based Approach works differently for every business because no two businesses are the same, and neither are their risks. It essentially boils down to the risk appetite of the regulated entity and what it considers an acceptable risk.
There is no concept like ZERO risk in business. Risk management is resource-intensive, and businesses have to control their costs. However, they also need to ensure that the ML/TF and PF are countered and legal requirements are met.
Regulated entities, therefore, prioritise their risks and enforce controls judiciously to maintain risks at an acceptable level.

Benefits of a Risk-Based Approach to AML

Resource Optimization

A risk-based approach to compliance focuses on allocating resources based on risk assessment and its impact on the regulated entity. It’s a need-based resource allocation which optimises resource utilisation and saves costs.

Effective in Countering ML/TF

With elaborate steps and a defined approach, RBA effectively counters ML/FT and PF risks. Furthermore, RBA targets the risk in a structured manner based on its impact. This increases the effectiveness of DNFBPs’ AML efforts.

Enhances Customer Onboarding Experience

RBA enhances the customer onboarding experience. It treats each customer in isolation depending on the risks they pose to the business. Low-risk customers undergo simplified due diligence, medium-risk customers undergo standard due diligence, and high-risk customers undergo enhanced due diligence.
In the case of high-risk customers, the business can also decide to exit the business relationship if the risks are not acceptable as per the risk appetite.
This enhances the customer onboarding experience as not everyone goes through the stringent KYC and CDD requirements.

Improved Risk Management

RBA follows a proactive approach to prevent and mitigate financial risks, including ML/FT and PF. Such proactive measures of identifying and managing risks reduce DNFBPs’ exposure to financial crimes and illicit activities.

Ensures Regulatory Compliance

It is essential for all DNFBPs in the UAE to adhere to the AML/CFT regulatory framework. RBA increases their attention to regulatory outcomes and activities throughout the business lifecycle. Thus, adopting RBA in their AML framework helps DNFBPs meet their regulatory requirements effectively.

Strategic Business Insights

RBA is a continuous process that involves risk assessment, policy framework, and the systematic application of mitigation measures. With RBA to AML, DNFBPs gain valuable insights for informed decision-making and improving performance. Therefore, RBA enhances flexibility in AML compliance and boosts competitiveness in the market.

Improved Regulatory Reporting

RBA applies controls based on risk level and focuses on prioritising resources on identified risks. With such a targeted approach, it is easier for DNFBPs to focus on high-risk areas and report suspicious activities with more efficiency and accuracy. RBA, therefore, improves the reporting system, which helps DNFBPs, as well as regulatory authorities, to fight ML/TF risks effectively.

Employee Engagement

Adopting RBA requires the proactive application of measures that require quick decision-making for AML policies, implementation, and performance assessment. This fosters employee engagement, which enhances the overall effectiveness of AML measures and promotes responsibility among employees and a compliance culture.

Final words on Risk Based Approach

The UAE AML CFT Law requires FIs, DNFBPs, and VASPs to employ a Risk-Based Approach that is tailored to their business. The controls employed by a reporting entity should be in sync with the risks to which it is exposed. Money Laundering and Terrorist Financing risks differ from organisation to organisation and industry to industry. Therefore, DNFBPs need to assess and understand ML/TF risks associated with each customer, supplier, and third party.
The adoption of a Risk-Based Approach does not mean that the organisation will be able to eliminate all risks related to financial crime. It only means that ML/TF risks are managed, but the organisation is still vulnerable to various risks that it couldn’t identify and assess. Risks, by their very nature, are dynamic.
Niyeahma provides extensive help and guidance on implementing a Risk-Based Approach. Contact us if you are looking to optimise your ML/TF countermeasures.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Mitigating ML/TF risks associated with high-net-worth individuals


The ML/TF risks associated with high-net-worth individuals are high. Their relation to money laundering (ML) and terrorist financing (TF) is two-fold:
  • Fraudsters and criminals target them because of the presence of many opportunities to commit fraud.
  • High-net-worth individuals can themselves engage in illicit business activities; their wealth might be from illicit sources or dirty money.
If you have a high-net-worth individual as a customer, you are prone to money laundering in both cases. So, you must have appropriate AML measures to deal with the risks of high-net-worth individuals. But first, let’s understand what a high-net-worth individual is in AML and the ML/TF risks posed by them.

Risks associated with high-net-worth individuals (HNIs)

Generally, the definition of HNIs varies from industry to industry and within the same industry. However, an individual with a net worth between US$1 and US$5 million is considered a high-net-worth individual. Net worth means a person’s liquid financial assets. If the individual has a net worth of US$5-30 million, they are very high-net-worth individuals (VHNIs). Then there are ultra high-net-worth individuals (UHNIs) with a net worth exceeding US$30 million.
High-net-worth individuals are more vulnerable to money laundering and other financial crimes. The potential threats include:
  • With the digitalisation of transactions, high-net-worth individuals’ transactions are at a higher risk. Cybercriminals access these transactions to change the destination of funds transfers.
  • HNIs might be keeping funds in offshore bank accounts to enjoy the tax savings in that jurisdiction. Also, it helps them transfer funds anonymously or protect illicitly gained assets.
  • As they are HNIs, they have connections with PEPs, other HNIs, and other influential persons. Such connections might force them to take part in or assist with fraudulent transactions or money laundering activities.
In all these cases, you are at risk as a product or service provider to such HNI. So, when you onboard a high-net-worth individual, consider the risks they pose to your business. Your exposure to such risks will increase your vulnerability to money laundering and terrorist financing threats.
Considering the risks, if you do not onboard such HNIs, you will lose big sales and revenues. It will also affect your credibility in the market. It will not have much impact in the short term, but the long-term effects are unavoidable. So, you need to be cautious while dealing with the AML risks of high-net-worth individuals.

Best practices to deal with ML/TF risks posed by high-net-worth individuals

You must implement the following best practices and AML measures to deal with the risks of high-net-worth individuals:

Maintain a list of ML/TF red flags

The first action you can take is to be aware of the fact that high-net-worth individuals are risky for your business. It does not mean they will indeed cause money laundering or terrorist financing. However, the ML/TF risks are high. So, you must know the potential red flags or warning signs of HNIs’ money laundering activities. Some of these red flags are:
  • Not cooperating in the KYC and due diligence process
  • Providing wrong documents or missing out some information in the KYC process
  • Engaging in financial transfers with unusual patterns, different from their usual transactions
  • Unexplained or erratic customer behaviour while conducting financial transactions
  • Using unrelated or unknown third parties in a transaction
  • Financial activities that don’t align with the HNI’s business
  • Sudden or unexplained large transactions to or from high-risk jurisdictions
  • Providing incorrect information on identity, business, or transactions
  • Too many transactions of buying and selling properties despite financial losses
  • Linkages to business in sectors like gambling, weapons of mass destruction, or arms trade
  • Frequent cross-border transactions in jurisdictions with no relation to HNIs’ business interests
  • A high volume of cash transactions
If you are aware of these, you can take the right action. You can investigate the transaction further to confirm the particulars. If found suspicious, you can report it to the UAE FIU.

Perform Enhanced Due Diligence

HNIs are high-risk customers. Since you know this, you must be ready to implement strict KYC and due diligence on your HNI customers. So, deep research should be conducted on these clients.
Conducting in-depth research on HNI customers’ identities is essential. You must know the following details:
  • Full names with family details
  • All the previous residential addresses
  • Past and present passports held
  • Nationalities and citizenships of different countries
  • Professional background
  • Shareholdings in different entities
  • Utility bills
Focus on finding all possible information on their wealth, funds, assets, and structuring. So, you must collect and verify the following information on HNIs:
  • Origin and legitimacy of their funds
  • Overall wealth (holdings and assets) and their sources
  • Types of assets like properties, salaries, investments, inheritances, dividends, bonuses, and shareholdings
  • Financial statements
  • Identifying their structures’ complexity
  • Presence in opaque and risky jurisdictions
All these data points help you spot suspicious activities or transactions.

Perform name screening

HNIs are high-profile individuals known to the public. But you must be careful before dealing with them. In addition to due diligence, try every possible method to learn more about them. Conduct a deeper examination of their identities and financial behaviour. Screen them against lists of:
  • National, regional, and international sanctions released by authorities
  • Terrorists or terrorist-funding organisations
  • Politically Exposed Persons (PEPs)
  • High-profile people with links to financial crimes like money laundering, corruption, bribery, etc.
It’s not enough to check only if HNIs’ names are on the list. HNIs might have linkages to people featured in these lists. So, you must also verify those points. Use databases and intelligence tools for any linkages to illicit activities.
Another check that is essential for you is adverse media sources. Check if their names appear in any adverse news related to crimes. Any negative mention of their names in media must be investigated in depth. The issue is that some criminals own such media channels or pay them good money to hide their negative news. They plant more positive news about themselves to paint an optimistic picture. That is why you must have experts working on investigating HNIs.

Examine tax compliance status

Checking high-net-worth individuals’ sources of wealth, linkages to financial crimes, and assets is crucial. But another critical factor that is generally ignored is their tax compliance. You must know about their tax compliance status to decide on their connections with illicit activities.
Generally, criminals use many offshore bank accounts to transfer money from one tax jurisdiction to another. Also, they engage in multiple global money transfers, which is, again, a suspicious activity. They also use structures like trusts, shell companies, and charities to invest, move, and control assets.
Collect necessary data on their tax compliance to understand if they are compliant. Identify any tax evasive strategies they have used in their past or current operating years. Check if they have used shell structures or other opportunities to avoid paying taxes or mitigate tax liabilities illegally.

Ongoing monitoring

You have already conducted KYC and due diligence. However, there is a chance that you will miss some data points or fail to focus on a document. So, ongoing monitoring is essential to prevent any money laundering risks to your business from high-net-worth individuals.
Constant monitoring helps to factor in:
  • Changes in the data of HNIs
  • Emerging risks of money laundering and terrorism financing
  • Advanced technologies and techniques for collecting information
  • Variations in HNIs’ risk profiles
If you have HNIs as customers, conduct real-time monitoring of their transactions. You must look for some unusual patterns or suspicious activities. Set a threshold or limit to transactions and investigate them if you observe outliers. Manual reviews of such suspicious transactions enable you to draw more conclusions.

Scrutinise crypto investment or payment

Are your high-net-worth customers dealing in cryptocurrencies?
Do they make payments using cryptocurrencies?
If your answer is yes to any of these, you must be extra careful. Cryptocurrencies are more vulnerable to money laundering. Also, cryptocurrency transactions have a higher degree of confidentiality and privacy. This fact makes it easier to conceal the illegitimacy of a transaction.
That is why if your HNI customer uses cryptocurrencies, conduct more investigations. Check if they are trading crypto assets or have invested in such assets. All these data points help you confirm your high-net-worth customers’ legitimacy.

Partner with an expert AML consultant

All of the above measures are necessary to confirm the identities of your HNI customers. You need to know them in and out to check for any connections with financial crimes. Collecting and verifying all these data points is an arduous task. So, hiring a specialist AML consultant who performs identity verification is a better option.
Search for a service provider with expertise in KYC and customer due diligence, one who can collect all information on high-net-worth individuals and verify it against the respective documents. The vendor must have industry connections, access to databases, and skilful professionals to conduct these exercises. They will have complete knowledge of the UAE’s AML regulations to ensure compliance. Such expertise is essential to ensure data accuracy, relevance, and completeness for high-net-worth customers.
So, as a regulated entity in the UAE with high-net-worth individuals as customers, you must apply these seven AML measures to avoid falling prey to money laundering risks. For the last one, you have the best option in Niyeahma as your expert AML compliance partner.

Niyeahma – your partner for professional AML consulting services

Niyeahma is an expert provider of AML compliance consulting services in the UAE. You can always ask our experts for help in AML compliance. With immense knowledge and extensive experience in AML compliance, our professionals can help you through any AML procedure.
We help you with KYC, due diligence, and screening of all types of customers. If the customers are high-net-worth individuals or high-risk, you’ll have more digging to do. Our AML experts manage all data collection and verification with a unique investigative approach. We help you build customers’ risk profiles so that you know whom to onboard and, thus, take a risk-based approach to fight ML/TF.
Besides KYC and due diligence, our expertise lies in:
  • Monitoring transactions of your customers
  • Conducting risk assessments and building customers’ risk profiles
  • Creating and implementing customised AML policies and procedures
  • Selecting proper AML software for your compliance needs
  • Hiring and appointing an expert AML compliance officer
  • Forming a capable and skilful AML team for your business
So, for all these needs, you have one contact to call – Niyeahma.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Why is Record-Keeping of Customer Identity and Transactions necessary?


Illicit financial activities, such as money laundering, financing terrorism, and proliferation financing (ML/FT and PF), hamper the integrity of the economy as well as the operations of business entities. To combat these illicit activities, businesses adopt robust Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) measures, which are aligned with the regulatory framework.
As part of the UAE’s AML/CFT regulatory framework, all regulated entities, including Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs), are required to maintain records of KYC, CDD, EDD, transactions, audit logs, software audit trail, AML/CFT policy, procedures, etc.
In this article, we’ll discuss why record keeping of customer identity and transactions is important and what its best practices are.

What is Record-Keeping?

Whenever regulated entities undertake measures and activities to mitigate ML/FT and PF risks, such as customer due diligence, transaction monitoring and AML audit, they generate several documents in the process. Maintaining these documents is necessary as it makes it easier for them to access data as and when required, which is crucial for combating financial crimes, including ML/FT and PF.
This is the essence of AML record-keeping. Therefore, record-keeping in the AML framework means maintaining documents pertaining to AML measures that include customer identity records, transaction records, adverse media checks, etc. Record-keeping thus carries a significant purpose in ensuring AML compliance.

What type of records are required to be maintained?

The types of records that regulated entities need to maintain depend on the regulations they need to follow. In the UAE, regulated entities must maintain records related to various compliance measures undertaken by them.
Here is a comprehensive list of customer-related information and transactions which require record-keeping in the UAE:

1. EWRA, Internal policies, Procedures and Control Measures

The CDD process includes verifying the customer’s identity and keeping a copy of references and other related pieces of evidence. Other documents include a copy of identities and any other additional information that must be maintained to facilitate regular monitoring of the records. Companies must also keep customers’ scanning process records on various checks such as PEP and Sanction. They can present them as evidence to the investigation agencies as and when needed.
As part of policies and procedures, regulated entities need to establish a risk appetite statement that provides the entity’s stand on accepting risks and sets a base to analyse trade-off decisions. A risk appetite statement helps everyone understand the level of risks the entity is willing to take and accordingly apply suitable control measures.
Furthermore, based on risk appetite, the regulated entity must also identify and enforce AML control measures to combat ML/FT and PF risks associated with the entity.

2. Customer Due Diligence

It is essential for regulated entities to conduct the CDD process to measure ML/FT and PF risks associated with customers. There are various elements for an effective CDD. The CDD process includes conducting know-your-customer (KYC) measures to verify the customer’s identity. It is required to maintain KYC records along with supporting documents like Emirates ID, Passport, Utility Bill, etc.
Customer risk assessment is a key component of the CDD process that helps detect and prevent ML/FT and PF risks by evaluating the risk associated with each customer. Regulated entities must maintain customer risk assessment documents as evidence of their risk profiling.
Based on customer risk assessment, regulated entities are required to undertake Enhanced Due Diligence (EDD) for higher-risk customers that pose ML/FT and PF risks and thus present increased exposure to them. They need to maintain any additional information related to customers within CDD records concerning EDD.

3. Transactional Records

Regulated entities have to keep records of the transactions involved in a business relationship for five years from the completion of the transaction. The various transaction records include purchase orders, sales orders, invoices, receipts, payments, credit and debit notes and correspondence with the business. Regulated entities must maintain all the documents to establish a proper audit trail.

4. Regulatory Reports

To meet the internal and external reporting requirements, regulated entities must maintain all submissions made to the regulatory authorities.
As a part of his responsibility, the compliance officer prepares a semi-annual AML compliance report, which he submits to the senior management. These reports must be preserved. Further, semi-annual reports submitted to the regulatory authorities must be preserved for a period of 5 years.
The AML regulations in the UAE mandate the regulated entities to identify suspicions related to ML/FT and PF and report such suspicions by filing a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). As part of record-keeping compliance, they must keep records of STR/SAR.
In addition to MLRO and STR/SAR, the regulated entity needs to submit additional reports based on the nature of the customer’s business, circumstances and place of the customer’s business or transactions. These reports include the High-Risk Country Report, High-Risk Country Activity Report, Real Estate Activity Report, Fund Freeze Report, Partial Name Match Report and Dealers in Precious Metals and Stones Report. Regulated entities in the UAE are mandated to maintain such reports.
An Independent AML Audit report issued by the external auditor must be preserved for at least 5 years.

5. Correspondence and Directives Issued by Regulatory Authorities

Regulated entities should also keep records related to communication and directives issued by regulatory bodies, ensuring compliance with applicable laws and regulations. With such records, regulated entities in the UAE can effectively manage risks associated with their customers and transactions and help supervisory authorities keep checks and balances.

6. Training Logs

Training logs are key tools within the AML/CFT framework. They ensure that staff and employees within businesses are adequately trained to fulfill their responsibilities effectively. By maintaining comprehensive training logs, regulated entities demonstrate their commitment to AML/CFT compliance, fostering a culture of compliance within the organization and empowering staff to detect and prevent financial crimes effectively.

Why is record-keeping of customer-related information necessary?

Record-keeping is an integral part of the AML/CFT framework. It supports various compliance activities like customer due diligence, transaction monitoring, reporting, compliance documentation, regulatory examinations, and investigations. Properly maintained customer records are essential for compliance with AML regulations.
Here is the list of reasons that make record-keeping of customer information and transactions necessary:

Legal and Regulatory Compliance

The AML/CFT regulatory framework requires regulated entities to maintain customer-related AML records. If a regulated entity fails to maintain records, it can result in legal consequences, fines, or penalties. Therefore, having a system for record-keeping helps in avoiding legal implications.

Customer Due Diligence

AML regulations require regulated entities to conduct due diligence on their customers to assess their risk levels and verify their identities. Record keeping helps regulated entities maintain proper documentation of customer information, identity verification, and risk assessments. Furthermore, it helps them avoid any financial and reputational loss in case a customer is engaged in illicit activities.

Proactive Monitoring

Regulated entities are required to monitor customer transactions for suspicious activities that may indicate money laundering or other illicit activities. Record-keeping plays a vital role in enabling proactive monitoring from an AML/CFT standpoint.

Regulatory Reporting

When suspicious activities are detected, financial institutions must file SAR/STR with the appropriate regulatory authorities. Proper record-keeping ensures that all necessary information related to the customer’s suspicious activity is documented and can be provided to regulatory authorities.

Performance Evaluation

Record-keeping helps regulated entities assess the performance of AML measures across the entire organisation, including those measures incorporated for customers. By tracking KPIs over time, regulated entities can easily identify AML measures’ strengths, weaknesses, and gaps for improvement.

Decision Making

Records provide valuable data and insights that aid in making informed decisions. Whether it’s about customer-business relationships, control measures, or strategic direction, having access to historical records enables better decision-making. A well-structured record-keeping system allows for better tracking of suspicions, which in turn helps in making informed decisions.

Independent AML Audit

Regulated entities need to appoint an independent AML auditor to carry out the audit of their AML/CFT compliance. Record-keeping facilitates such audits.

Inspections and Investigations

Often, regulatory authorities come for inspections and ask for various compliance records. Record-keeping also helps investigators conduct investigations into cases related to money laundering and terrorist financing.

How do you maintain customer identity and transaction records?

The record-keeping procedure depends on local and global regulatory requirements. The number of records required to be maintained affects the manner in which such records are maintained. The records can be maintained physically or in an electronic form. Ideally, the following documents should be maintained:
  • Original documents
  • Photocopies of original documents
  • Documents stored in electronic form
It is noteworthy that the records maintained should be easily accessible. If the source documents are available in a foreign language, then translated copies must be made available to ensure AML/CFT compliance.

Challenges for maintaining customer records

Although it is necessary to keep records of customer information and transactions, regulated entities face various challenges in maintaining an efficient system.
The following are some major challenges:

Large and Complex Data

Customer records are comprehensive data that include information relating to customer due diligence, transactions, ongoing monitoring, suspicion reports and internal policies, procedures, and controls. Thus, handling the large volume and complexity of AML records becomes challenging for businesses.

Regulatory Variations

Global businesses have to adhere to multiple laws and regulations. Such variations in regulatory requirements pose a constant challenge as every jurisdiction requires different record-keeping obligations, making adherence to regulatory frameworks challenging for the entities.

Privacy and Consent

KYC information is personal in nature. Before keeping records, regulated entities must obtain consent from the person to whom such information belongs. However, customers are hesitant to provide information due to privacy concerns. Further, remote onboarding procedures require liveness checks, IP address logging, etc. If customers are not willing to part with such information, it becomes difficult to onboard them.

Data Security

Keeping a large amount of data requires effective security measures. Businesses face challenges in ensuring the security of sensitive data. Additionally, information pertaining to customers and their transactions is very sensitive and is targeted by criminals for facilitating their illicit activities. This obligates regulated entities to deploy enhanced data security measures.

Incomplete and Inaccurate Data

There is an abundance of information collected by the regulated entity from various sources while undertaking AML measures. However, not all information is relevant, complete, or accurate. It becomes a challenge to segregate qualitative and accurate data from the amount of information available.

Best practices for effective record-keeping of customer information

It is essential for regulated entities to implement effective record-keeping measures to maintain accurate documentation concerning customers and third parties.
Here are some best practices that regulated entities can establish for record-keeping of customer information:

Implement Document Management Software

Document management tools provide a harmonious and logical filing system that is easy to understand and use. Regulated entities can implement such tools to standardise AML record-keeping processes for maintaining customer information and transactions across their operations.

Use Cloud-based Storage

Regulated entities collect a large volume of customer data for which they can use cloud-based storage. The transition to cloud-based storage solutions can help them store records while providing scalability and accessibility.

Implement Security and Privacy Guidelines

Customers have privacy concerns about data usage and retention, which makes it difficult for regulated entities to obtain consent from them. Thus, to maintain their trust, they should establish clear data usage and retention policies which comply with relevant privacy regulations.

Deploy Data Security Tools

Keeping a large amount of data requires effective security measures. For this purpose, regulated entities should implement encryption technology, firewalls, etc., to limit unauthorised access and tackle data breaches.

Backup and recovery

Maintaining customer information is very important for regulated entities, and any loss of data can lead to major repercussions. Thus, regulated entities must implement backup procedures for records to prevent data loss by system failure or cyber-attacks. Further, they should also develop a recovery plan to ensure that records can be quickly restored in the event of loss.

Regular Updates and Review

Regulated entities must regularly update their systems and underlying procedures to remain compliant with the ever-changing regulatory environment. Internal health-check reviews must be conducted to find discrepancies in record-keeping and take immediate remedial measures.

Final Words on Maintaining Effective Customer-related Records

For regulated entities, record-keeping of the identities of their customers and transactions is crucial to ensure compliance with regulations, manage risks, and easily access data for submitting it to the authorities as and when required.
Niyeahma is a global AML/CFT consulting firm assisting regulated entities in deploying countermeasures to curb financial crimes.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


AML measures for non-face-to-face customers


Financial institutions and DNFBPs have moved to the next level of customer service. One such aspect that they cover is non-face-to-face customer onboarding or transactions. However, the ML/TF risks associated with such customers are high, and that is why you need well-defined and strict AML measures for non-face-to-face customers.
A customer’s physical absence during onboarding is a red flag of money laundering or other financial crimes. Also, such customers avoid meeting the officials of regulated entities. In some cases, customers are present at the time of onboarding but conduct all transactions remotely. Such non-face-to-face (NFTF) customers have a high risk of money laundering for these entities.
To negate the chances of money laundering, you need to be extra careful during identity verification. That is a task in itself, since you need more documents to verify identities and addresses.
Onboarding a remote customer is full of challenges, and this article provides insights on implementing appropriate AML measures for non-face-to-face (NFTF) customers.

How do non-face-to-face clients pose a threat to your business?

Technology has made rapid inroads into DNFBPs, VASPs, and FIs. Customers require on-demand, anytime, and anywhere services. They want to perform remote and digital transactions to avoid physical presence and visits. These are digital transactions conducted via mobiles or the internet.
ID verification and KYC software make all of these possible. Many regulated entities, especially banks and other financial institutions, have embraced such digital business methods.
Customers prefer digital transactions to avoid visiting the vendor’s offices.
The biggest demotivators are the hassle of visiting the office, providing hard copies for conducting transactions and standing in queues. Digitally, you can manage several transactions at your convenience with online documentary proof. So, less effort and faster service.
But, in such cases, money laundering risks for the regulated entity increase. Remote onboarding of non-face-to-face customers exposes DNFBPs and VASPs to the following risks:

Fake identities

Customers can use fake identities to open an account with your business and conduct transactions. Since you won’t be able to associate their wrongdoing with a face and identity, it becomes difficult to capture them. This anonymity of non-face-to-face customers increases the ML, TF, and PF risks for your business.

Limited visibility of customer behaviour

Physical interaction with customers enables an understanding of their behaviour. In the absence of such face-to-face meetings, you have no idea of their conduct and actions. So, it becomes difficult to identify suspicious behaviour, activity, or transaction.

Transaction speed

Digital transactions are faster than normal in-person transactions. So, money launderers prefer to engage in non-face-to-face transactions so that criminal activity occurs faster before anyone detects suspicious behaviour.

Hidden ownership structures

In the case of non-face-to-face customers, understanding the ownership structure is challenging. They might be using this anonymity feature to hide their beneficial ownership. There might be possibilities of the presence of shell companies to conduct transactions. This is a widespread way by which non-face-to-face clients launder money.
With in-person onboarding, the compliance team gets a chance to ask questions and counter-question the customer. Remote onboarding works in a pre-defined way and offers little flexibility. Further, the human element is missing, so judgement is on technology to identify suspicious customers and their activities.

Cross-border transactions

Engaging in cross-border transactions is the most effective way for non-face-to-face financial criminals to conduct crimes. Identifying the origin and destination of funds in transactions conducted across different jurisdictions is challenging. Also, it becomes easier for anonymous customers to hide these details or produce false documents. This is how money laundering occurs predominantly in such cases.

Third-party risks

DNFBPs and VASPs who rely on third parties to conduct KYC and CDD expose themselves to ML/TF risks if the third parties do not adopt adequate procedures for customer identification and verification. The criminals may exploit the vulnerabilities existing in third-party KYC and onboarding procedures and misuse the system.

Data security and privacy

Online onboarding exposes the firm to data security and privacy breaches. The genuine customers’ accounts may be taken over by criminals to perform their illegal activities, and this exposes the DNFBPs and VASPs to various types of ML/TF risks.
You must devise and apply effective AML measures to reduce the risks of such occurrences and fight the money laundering threats.

Common ML/TF Typologies employed through NFTF Channels

Smurfing and structuring are the most common ML/TF typologies employed by criminals onboarded through NFTF channels.

Structuring

Criminals who resort to structuring split large transactions into several small transactions to avoid detection. Normally, regulators across the globe have specified thresholds for reporting cash transactions. The criminals plan their transactions so that they do not cross these thresholds.

Smurfing

Smurfing is similar to structuring. Here, the criminals split transactions into small amounts and use multiple parties to deposit funds into the banking system.
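From the monitoring side, both typologies show up as sub-threshold deposits that add up to a reportable amount within a short period. The following detection sketch is an added example, not part of the original article; the threshold, the look-back window, and the deposit records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000      # hypothetical reporting threshold (assumption)
WINDOW = timedelta(days=3)        # hypothetical look-back window (assumption)

# Constructed sample data: (timestamp, beneficiary account, depositor, amount)
DEPOSITS = [
    ("2024-03-01T09:10", "ACC-1", "P1", 4_000),
    ("2024-03-01T15:40", "ACC-1", "P1", 3_500),
    ("2024-03-02T11:05", "ACC-1", "P1", 3_900),   # one depositor, 11,400 in two days
    ("2024-03-01T10:00", "ACC-2", "P2", 3_000),
    ("2024-03-01T10:30", "ACC-2", "P3", 3_200),
    ("2024-03-02T09:00", "ACC-2", "P4", 2_900),
    ("2024-03-02T16:20", "ACC-2", "P5", 3_100),   # four depositors, 12,200 in two days
    ("2024-03-01T12:00", "ACC-3", "P6", 6_000),
    ("2024-03-09T12:00", "ACC-3", "P6", 6_000),   # eight days apart: outside the window
    ("2024-03-05T12:00", "ACC-4", "P7", 25_000),  # above threshold: reported normally
]


def detect_split_deposits(deposits, threshold=REPORTING_THRESHOLD, window=WINDOW):
    """Flag accounts whose sub-threshold deposits reach the threshold
    inside a sliding time window. One depositor -> 'structuring',
    several depositors -> 'smurfing'."""
    by_account = defaultdict(list)
    for ts, account, depositor, amount in deposits:
        if amount < threshold:  # a single over-threshold deposit is not splitting
            by_account[account].append(
                (datetime.fromisoformat(ts), depositor, amount)
            )

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()                       # chronological order
        recent, total = deque(), 0        # deposits currently inside the window
        for ts, depositor, amount in rows:
            recent.append((ts, depositor, amount))
            total += amount
            # Drop deposits that have aged out of the look-back window.
            while ts - recent[0][0] > window:
                total -= recent.popleft()[2]
            if total >= threshold:
                depositors = {d for _, d, _ in recent}
                alerts[account] = {
                    "typology": "smurfing" if len(depositors) > 1 else "structuring",
                    "total": total,
                    "deposits": len(recent),
                }
                break                     # one alert per account is enough for review
    return alerts


if __name__ == "__main__":
    for account, alert in detect_split_deposits(DEPOSITS).items():
        print(account, alert)
```

An alert here is a prompt for analyst review, not a conclusion; legitimate customers such as cash-heavy retailers can produce the same pattern.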

Effective AML measures for non-face-to-face customers

Following are some of the effective AML measures that you can carry out to manage your ML/TF risks arising out of the digital onboarding of customers:

Develop a risk-based approach to respond to risks related to non-face-to-face clients

Understand that the risks from non-face-to-face clients are high. So, you must be better prepared for such customers. Your AML measures for non-face-to-face customers must be well-planned and defined. Give it due importance in your scheme of things so that you can prevent and avoid the risk.
Take a risk-based approach to such customers depending on the following factors:
  • Industry of your operations
  • Location of customers
  • Money laundering threats from customers
If customers’ risks are high, enhanced due diligence measures should also be implemented. If the risk is low, you can continue with the existing KYC and simple due diligence.

Create customised identification and verification procedures

Since the risk is high, you can have custom identity checks to protect your business. Define the minimum criteria for accepting non-face-to-face customers. This depends on the nature of your business operations. If your sector is more susceptible to money laundering threats, it’s better to avoid such remote online customers. You can define new verification procedures like submission of more documents, manual visits to the client’s office, or any other relevant action.

Conduct in-depth KYC to understand the risks of non-face-to-face customers

The first thing a regulated entity matches is the customer’s face against the identity document. You make a decision based on a match or no match. However, in the case of non-face-to-face clients, the customer’s face is not available to match. This is a big challenge for you.
You can face such situations when onboarding a new remote customer or while conducting a transaction. So, you must have a stringent KYC policy to know your customers better. The KYC and CDD measures are the same, plus some additional aspects. Since the risk is higher, you must ensure the following:
  • Check for certification and attestation of documents. Such certification must be from specific authorised individuals or organisations. Such attestation can facilitate higher credibility in the authenticity of documents.
  • You must also ask for additional proof to know the non-face-to-face clients better. These documents must be from reliable sources that can verify these customers’ identities.
  • Have a known third party to guarantee the authenticity of such customers. Check if your existing customers, suppliers, or associates have complete knowledge of these customers. Also, ensure that you have complete KYC and due diligence of these third parties.

Consider the non-face-to-face clients’ geographical location

One aspect that you can consider critically is the geographical location of your customers. Be very careful about who you onboard as a customer. Have second thoughts if the customer is from any of the following jurisdictions:
  • Economically sanctioned
  • Weak AML controls or financial systems
  • Politically unstable
  • High levels of corruption, drug trafficking, human trafficking, terrorism, or smuggling
If your non-face-to-face customer is from any of the above jurisdictions, the smarter decision would be not to onboard them. By onboarding them, you’ll increase your risk exposure. You’ll need to put more effort into KYC and CDD before transactions.

Apply enhanced due diligence measures for non-face-to-face clients

You don’t have the customer in front of you for conducting the transaction. It means identity verification is a challenge. Since the risk is high, you can’t let it go. So, you must apply enhanced due diligence measures to prevent the risks of financial crimes:
  • Exercise caution before engaging in transactions with these non-face-to-face clients. The first payment must be from a known bank account in the customer’s name. Even for the succeeding transactions, check the details thoroughly.
  • Use safe and secure electronic identification technologies to verify the identities of your non-face-to-face customers.
  • You can also check the national registers of trade, businesses, associations, and patents. Even the population and credit data registers can help you confirm the identities of your non-face-to-face customers.
A combination of these identification and verification techniques can ensure the authenticity of your customers’ documents and identities. But do check the dates of the latest updates to these registers for timely information.

Hire third parties for identity verifications of cross-border customers

Dealing with non-face-to-face clients becomes challenging when they reside in other countries. The identity documents are different from the local UAE documents. However, you must get all possible identity and address evidence from your customers. Now, match the details provided by the customers with these documents.
One solution in these cases is to hire third parties for such certifications to prove the authenticity of documents and identities. However, you must be careful before engaging with a third-party provider. Ensure that the provider is registered and licensed in the jurisdiction of its operations. Check the quality of its KYC and due diligence technology systems and procedures. Also, management understanding and technical acumen are required to ensure quality services.

Employ video conferencing AML measures for identifying and verifying non-face-to-face customers

You can conduct a video-based process to verify the identities of your customers. This will be a secure, live, and informed audio-visual interaction between the regulated entity and the customer. You must obtain the customer’s consent before conducting such a meeting.
Manage the KYC verification process through this video conferencing method. Have a live video call with the regulated entity’s KYC expert. You will interview them with identity questions and detect their liveness. Check their identity documents live by asking the customer to hold them in the video. Match the face with the photo to verify the identity in real time. Also, click live photos for facial recognition.
However, you also need to ensure a secure way of conducting this video interview. It must be end-to-end encrypted. The video must be clear enough to verify the identity of the customer. The live GPS coordinates and date-time of the customer interview must be available in the video recording.

Use advanced technologies to confirm non-face-to-face customer identity

Technologies like artificial intelligence, machine learning, and blockchain have improved many sectors. You can use the same technologies in AML measures for non-face-to-face customers. One way to do this is to use them for customer data storage and comparison with other documents.
You can use AI in facial recognition to verify customers’ identities based on the proof they submit. AI even helps confirm the authenticity of identity proof submitted by customers. AI makes it possible to check the passport chip of biometric passports and the authenticity of holograms. You can use blockchain technology for secure and confidential data storage. You can also implement AML software, which supports liveness checks. It will help you reduce deepfakes and strengthen your defenses against ML/TF.

Monitor transactions for unusual trends or patterns

Transaction monitoring is an effective AML measure for non-face-to-face customers. You should be careful about any unusual or out-of-pattern behaviour of customer transactions. So, when supervising their transactions, look out for the following:
  • Unusual pattern not matching with customers’ profiles or regular transactions
  • If more than one user is using the same account
  • If the user opens more than one account
  • If the customer information and IP address don’t match
  • If the customer uses different payment methods for different transactions
When you see such patterns or unusual behaviour, investigate further. You must report the issue to higher authorities and classify the transaction as suspicious.
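The five red flags listed above can be expressed as simple rules over account and session data. The following sketch is an added example, not part of the original article; the field names, thresholds, and sample records are constructed assumptions, and distinct devices are used as a proxy for "more than one user".

```python
from collections import defaultdict

# Hypothetical tuning values (assumptions, not from the article).
AMOUNT_FACTOR = 3     # amount > 3x the customer's typical maximum is out of profile
MAX_DEVICES = 2       # more distinct devices than this suggests a shared account
MAX_METHODS = 2       # more distinct payment methods than this is unusual

# Constructed customer profiles captured at KYC time.
PROFILES = {
    "C1": {"declared_country": "AE", "typical_max_amount": 5_000},
    "C2": {"declared_country": "AE", "typical_max_amount": 2_000},
    "C3": {"declared_country": "IN", "typical_max_amount": 10_000},
}

# Constructed account ownership: customer C2 has opened two accounts.
ACCOUNTS = {"A1": "C1", "A2": "C2", "A3": "C2", "A4": "C3"}

# Constructed transaction events.
EVENTS = [
    {"account": "A1", "device": "d-01", "ip_country": "AE", "method": "card", "amount": 1_200},
    {"account": "A1", "device": "d-01", "ip_country": "AE", "method": "card", "amount": 900},
    {"account": "A2", "device": "d-02", "ip_country": "AE", "method": "card", "amount": 1_500},
    {"account": "A2", "device": "d-07", "ip_country": "AE", "method": "wallet", "amount": 1_800},
    {"account": "A2", "device": "d-09", "ip_country": "AE", "method": "bank_transfer", "amount": 1_900},
    {"account": "A3", "device": "d-02", "ip_country": "AE", "method": "card", "amount": 1_000},
    {"account": "A4", "device": "d-11", "ip_country": "SG", "method": "card", "amount": 48_000},
]


def review_accounts(events, accounts, profiles):
    """Return {account: sorted list of red flags} for accounts needing review."""
    flags = defaultdict(set)
    devices = defaultdict(set)
    methods = defaultdict(set)

    for ev in events:
        acct = ev["account"]
        profile = profiles[accounts[acct]]
        devices[acct].add(ev["device"])
        methods[acct].add(ev["method"])
        # Pattern not matching the customer's profile or regular transactions.
        if ev["amount"] > AMOUNT_FACTOR * profile["typical_max_amount"]:
            flags[acct].add("PROFILE_MISMATCH")
        # Customer information and IP address do not match.
        if ev["ip_country"] != profile["declared_country"]:
            flags[acct].add("IP_MISMATCH")

    # More than one user appears to be using the same account.
    for acct, seen in devices.items():
        if len(seen) > MAX_DEVICES:
            flags[acct].add("SHARED_ACCOUNT")

    # Different payment methods used for different transactions.
    for acct, seen in methods.items():
        if len(seen) > MAX_METHODS:
            flags[acct].add("MIXED_PAYMENT_METHODS")

    # The same customer has opened more than one account.
    owned = defaultdict(list)
    for acct, customer in accounts.items():
        owned[customer].append(acct)
    for accts in owned.values():
        if len(accts) > 1:
            for acct in accts:
                flags[acct].add("MULTIPLE_ACCOUNTS")

    return {acct: sorted(found) for acct, found in flags.items()}


if __name__ == "__main__":
    for acct, found in sorted(review_accounts(EVENTS, ACCOUNTS, PROFILES).items()):
        print(acct, found)
```

Each flag is an input to further investigation; several of them, such as multiple accounts or a travelling customer's IP address, have routine legitimate explanations.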

Ongoing monitoring is a critical AML measure for non-face-to-face clients

Face-to-face customers visit you for transactions. So you can still verify their identities. It is also possible to monitor their activity and behaviour. However, in the case of non-face-to-face customers, ongoing monitoring is essential. You cannot skip it at all.
So, keep monitoring the customers’ risks. Keep an eye on their transactions to spot anything out of the usual. Maintain records of their transactions for a specific period for analysis whenever you wish. Keep repeating this exercise to prevent any potential money laundering risks.
If you have any suspicions about the customer’s activity, report it to the FIU using SAR/STR. In cases where the risks posed by customers are beyond your risk appetite, you can exit the business relationship. Carefully draft your customer acceptance and exit policies to effectively counter ML/TF.
These 10 AML measures for non-face-to-face customers can help you reduce the money laundering risks. You can confirm their identities and decide whether to proceed with the business relationship or transaction. If you still find the customer suspicious, do not engage in a transaction. Start a business relationship if any of these verification methods prove their authenticity.
If you need help dealing with such non-face-to-face customers, hire an expert AML consultant like Niyeahma.

Niyeahma – your partner for professional AML consulting services

Niyeahma is an expert in AML Consulting services. We have guided clients throughout the journey of becoming compliant with AML laws in the UAE. You will always find us with customised and appropriate solutions to your AML concerns. Our offerings include:
  • Customized AML policies, procedures, and internal controls
  • Risk assessments and analysis of your business
  • KYC and different levels of due diligence of your customers to build their risk profiles
  • Monitoring transactions and customers to detect suspicious ones and take respective actions
  • Personalized training solutions for your AML needs and industry requirements
  • Regular health checks and audits of your AML compliance
Likewise, we also help you deal with non-face-to-face customers with appropriate AML measures. We take all possible steps to prevent money laundering and terrorism financing threats from such customers. So, don’t worry about remote, digital customers; we have the right AML measures for you.

About the Author

Pathik Shah


AML compliance vs AML risk management: Closely aligned despite striking differences


Understanding AML compliance vs AML risk management is essential. In the realm of AML, businesses often use the terms compliance and risk management interchangeably. Both are crucial for any business entity. So, you must understand the differences between risk management and compliance in AML.
Anti-money laundering compliance is an ‘in-trend’ term for businesses nowadays. Another similar term that has been in use for quite a long time is risk management, specifically in the case of financial institutions. While the former talks about adherence to rules, the latter entails managing threats to a business.
In this blog, we will explore the distinctions between the two. First, we will understand what AML compliance and AML risk management mean. Then, we will discover the similarities and differences between AML risk management and compliance.

Compliance and risk management: Term differences

What is compliance?

Compliance means adhering to regulations, laws, and rules. It means you are ethical in your business practices. You do what the government and the law expect you to without deviating from the business morals. Thus, it is a reactive exercise to show your country and regulator that you follow the rules.
Suppose you are a business in the UAE. You must follow the local rules and regulations related to your operations, license, environment, labour, and many other aspects. The process of following these rules and how well you are able to do it means compliance.
By complying with laws, the regulator or relevant authority will not impose penalties or fines on you. Also, you will not face any legal cases for non-compliance. Thus, by complying, you save yourself from financial losses, legal ramifications, and reputational damages.

What is risk management?

Risk management means managing the risks to your business. How do you manage them? You identify these risks, categorise them, measure their probability and impact, and develop strategies to mitigate, control, or manage them.
You can try to avoid risks in the first place. Or, you can try to reduce their impact on your business activities. Whatever you do, you can plan it before the risks affect you. Thus, it is a proactive action from your side based on your expectations of potential risks.
When there is a change in the business environment, potential risks change. So, you must keep changing your risk management strategies. Thus, risk management requires you to be more strategic in your thinking while planning for it.
Thus, compliance and risk management differ in many aspects. But, when you consider these terms related to money laundering, some more differences crop up. Let’s explore these differences between AML risk management and compliance.

AML compliance vs AML risk management: Definitions

AML compliance

AML compliance means adhering to the regulations to protect your business from money laundering. It involves creating a framework that includes policies, procedures, practices, and internal controls to guide the fight against money laundering. Moreover, this framework or strategy is unique to each business’s needs and activities.
AML compliance requires businesses to comply with the local AML regulations. As per the UAE AML/CFT laws, you need to:
  • Create an AML compliance department and appoint an AML compliance officer
  • Assess the money laundering risks to your business from several factors so that you can fight them
  • Create a risk-based AML compliance program that enables adherence to each requirement of the law
  • Monitor transactions to identify suspicious ones
  • Conduct KYC, screening, and due diligence of customers to identify threats
  • Conduct training of your employees on AML-specific aspects
  • Implement technology solutions or manual systems to facilitate compliance
  • Create reports on suspicious transactions and customers and report them to authorities

AML risk management

If you check the aspects of AML compliance, risk management is an integral part of it. It requires you to identify the money laundering risks from your:
  • Customers
  • Transactions
  • Geographies
  • Delivery methods
  • Products and services
After risk identification, it entails analysis, rating, and categorising. Based on the levels of risks identified, you can take a risk-based approach for your AML compliance. It allows you to determine:
  • Stern AML measures for high-risk customers
  • Less strict AML actions for moderate-risk customers
  • Relaxed AML strategies for low-risk customers
These measures include:
  • KYC of customers, which is typical for every risk type
  • Customer due diligence, which is standard for every customer
  • Enhanced due diligence for high-risk customers
  • Monitoring of transactions of high-risk and medium-risk customers
  • Ending the relationship or cancelling the transaction is possible only in the case of high-risk customers

Differences between AML risk management and AML compliance

AML compliance vs AML risk management is crucial but challenging to understand. However, you must remember that to comply with AML regulations, you need to follow the rules. Risk management is a strategy to ensure that you adhere to these rules.

Superset vs subset

A crucial aspect of the AML compliance vs AML risk management contest is to identify which concept includes the other.
AML compliance is the set of activities you must undertake to adhere to the UAE regulations. AML risk management is a broader term that includes strategies, policies, and procedures an organisation implements to identify, assess, and counter ML/TF risks. Thus, AML compliance is a subset of AML risk management.
Compliance has always been a part of risk management. Further, there is something called compliance risk management, wherein the risks associated with non-compliance are identified, assessed, and managed.

Reactive vs proactive

AML compliance is a reactive exercise. As a business entity in the UAE, you must follow UAE’s AML regulations. To avoid penalties, you must adhere to each requirement. Thus, you react to a mandate by the government.
In contrast, AML risk management is a proactive exercise. You must protect your business from money laundering risks so you can take action to prevent or mitigate them. Thus, you act before these risks affect you.

Legal vs strategic aspect

Another factor that differentiates AML compliance from AML risk management is the business aspect covered.
AML compliance is a legal requirement in the UAE. Since you are one of the financial institutions, DNFBPs, or VASPs, you must follow the UAE’s AML regulations. So, the goal is the same for all of you, although your compliance journey might differ.
When you follow these rules accurately and on time, you are AML-compliant. These requirements include submitting:
  • Suspicious Transaction Report and Suspicious Activity Report
  • Funds Freeze Report and Partial Name Match Report
  • DPMSR and REAR reports
  • HRC and HRCA reports
  • PNMR and FFR reports
  • Surveys and Questionnaires
On the other hand, AML risk management is a strategy to enable AML compliance. You must identify, categorise, rate, and assess risks to manage and mitigate risks. During this process, you generate KYC, CDD, PNMR, FFR, DPMSR, REAR, STRs, and SAR records.
Your risk management differs from that of other organisations because the risks differ. Even in the same industry, the impact of these risks differs because your operations and business models vary. So, you need to create a unique strategy for AML risk management to help you with legal and regulatory compliance in AML.

Current vs futuristic

AML compliance is more of a current process. It defines your legal obligations for this year. So, this year, you have to follow these specific AML requirements. So, you know what you have to do. You are legally obligated to follow these rules, which makes you compliant for this year.
On the other hand, AML risk management ensures you are safe from money laundering risks now and in the future. You have to predict the risks your business will face from money launderers. You need to consider the emerging threats of predicate offences as well. Thus, it makes you more of a planner for the current and future risks.

Tangible vs intangible

The tangibility of the process is a crucial point in AML compliance vs AML risk management.
AML compliance is a tangible process. You have to follow specific rules to comply with industry standards. If you follow these particular requirements of the AML regulator, you become AML-compliant. If you do not follow them, you will have to face penalties. Thus, you will suffer financial losses, reputational damage, and legal proceedings.
In the case of AML risk management, there are no concrete rules. You have to analyse the business environment in which your firm operates. You need to predict and evaluate the possible ways criminals can launder money through your business processes. Thus, it is unique to every firm. If you cannot control or mitigate these risks, your business suffers. The money laundering risks will affect your business, causing losses in terms of customers, credibility, and money.
However, the FATF has recommended that regulated entities follow a risk-based approach, and similarly, the UAE Federal Decree Law No. (20) of 2018 and related cabinet decisions require reporting entities to do the same. By virtue of this, AML risk management is embedded in the AML compliance requirements.

Tickmark exercise vs continuous process

AML compliance is more of a checklist-based process. The AML compliance department ensures the business adheres to each requirement and tickmarks it. If you miss any of these, you have to pay a penalty. Once you adhere to the requirements, your work ends.
In contrast, AML risk management is not a tickmark exercise. It’s not like you have submitted a report, so you are done with it. It is a continuous process. You need to keep identifying the money laundering risks your business faces. Analyse them. Find ways to mitigate, prevent, or manage them. So, you must continue the AML risk management exercise to reap complete benefits.
Besides these differences between AML risk management and compliance, there are also some similarities. These include:
  • Risk management tactics and compliance strategies keep changing. As and when the regulations change, you need to make changes in your AML compliance program. Moreover, the money laundering risks, macroeconomic climate, and industry trends keep changing, leading to amendments in your AML risk management policies.
  • Both AML compliance and risk management become better with the help of technology. Innovative solutions and technologies make these procedures smoother. The technologies use data analytics, artificial intelligence, and other advanced concepts to ensure your process is faster, smoother, and more accurate.
  • Both AML compliance and risk management need decision-making at the top level. Since identifying and managing money laundering risks is critical, the top management must set the tone. Only when you ensure an AML compliance and risk management culture at the top can you maintain it across the firm.
  • One significant challenge in both these procedures is maintaining a good customer experience. Customers demand a seamless user experience. If you are unable to do that, you might lose customers. So, while managing AML compliance and risk management, you must ensure the processes are not time-consuming or intrusive for them. On the other hand, collecting all information is also essential for successful procedures.
Setting the similarities and differences aside, your primary focus must be to protect your business from money laundering threats. To do this, you need to create a robust AML compliance program. This program will include a well-defined AML risk management strategy. In combination, it will help you meet UAE’s AML regulations and prevent risks.
Exploring these differences and similarities enables you to fit both into your strategy. You can determine the efforts, resources, timelines, and overall alignment with business operations. This is how you can prevent potential threats and create value for your business. To help you achieve this objective, partnering with an expert AML consultant like Niyeahma will help.

How can Niyeahma help you?

Niyeahma has revolutionised the AML compliance landscape in the UAE. We help clients strategise risk management and compliance in AML. Be it just one part of AML compliance or the entire journey, you can rely on us for quality services.
Your business can enjoy our expertise in:
  • Monitoring transactions and identifying suspicious ones
  • Conducting KYC and due diligence of customers
  • Identifying money laundering risks to your business and assessing them
  • Developing a risk-based AML compliance framework personalised to your entity
  • Imparting AML training to your employees
  • Preparing and submitting STR, SAR, and other industry-specific reports to authorities
By partnering with us, you get a streamlined AML compliance process for the fight against money laundering risks.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


A guide To establishing an Effective AML/CFT Framework in your business


Financial Institutions and Designated Non-Financial Businesses and Professions that do not abide by the Money-Laundering laws or regulations have to pay heavy penalties and face severe reputational losses.
Therefore, every business has to establish an effective AML/CFT framework to operate as per the legal requirements of the country.
So, the question arises: what should you consider when managing AML/CFT compliance in your business? This article provides the best practices for establishing an effective AML/CFT framework in your business.

What is an Anti-Money Laundering Framework?

Implementing elements of the Anti-money laundering (AML) framework using a risk-based approach is crucial for preventing money laundering, financing terrorism, and proliferation financing (ML/FT and PF). The AML framework is a set of policies, procedures and controls that are formed to detect, deter, and report ML/FT and PF activities.
The AML framework lays down a structured strategy that aims to fulfil regulatory obligations and achieve mitigation of ML/FT and PF risks.

Importance of an Anti-Money Laundering Framework

The following is a list of factors stating why the AML framework is essential:

Ensure regulatory compliance:

DNFBPs are required to comply with different AML regulations, including regulations imposed by national and international regulators. If they fail to comply with such regulatory requirements, penalties and fees are imposed on them. Therefore, with the implementation of an effective AML framework, they can ensure compliance with these regulations and stay away from associated penalties and fines.

Risk mitigation:

The major threat to DNFBPs is the use of their platforms to facilitate financial risks. Criminals often use them to indulge in criminal activities because of inherent vulnerabilities. The AML framework employs measures that help DNFBPs in detecting ML/FT and PF activities and further aid in combating ML/FT and PF risks.

Protect business’s reputation:

As DNFBPs work in a highly competitive market, it is essential for them to maintain a good reputation to attract and retain clients and customers. Commitment to AML compliance can act as a deciding factor for clients to enter into a business relationship with the DNFBP. Any linkage to ML/FT and PF activities can damage its reputation, which results in client and business loss. The AML framework helps DNFBPs avoid risk and maintain their reputation by laying down the best strategy within its framework.

Maintain the integrity of the financial system:

By promoting stability, preventing illicit activities, risk management, and regulatory compliance, the AML framework helps maintain the integrity of the financial system. With such measures, the AML framework enables a safe, secure and strong global economy.

Regulatory requirements around AML/CFT framework

AML regulatory framework in the UAE includes national regulations, international regulatory framework and national AML strategy.

National Regulatory Framework

The national regulatory structure in the UAE contains federal civil, commercial and criminal regulations. Because criminal legislation comes under federal jurisdiction throughout the country, the ML/FT and PF criminal activities are covered under it. The following are such regulations within the country:
  • Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
  • Cabinet Decision No. 10 of 2019 Concerning the Implementing Regulation of Federal Law No. 20 of 2018.
  • Cabinet UBO Resolution No. 58 of 2020 on the Regulation of the Procedures of the Real Beneficiary (UBO Resolution)

International regulatory framework

The AML framework in the UAE is aligned with the international bodies network, which implements international treaties and conventions for combating illicit crimes. These integrated laws are supervised by the regional regulatory authorities.
For such an integrated framework, the government and competent authorities in the UAE collaborated with various international bodies such as:
  • United Nations
  • Financial Action Task Force (FATF)
  • Middle East and North Africa Financial Action Task Force (MENAFATF)
  • Egmont Group of Financial Intelligence Units

National AML Strategy

The UAE government has implemented strategic decisions in the form of the National Strategy on Anti-Money Laundering and Countering the Financing of Terrorism. The strategy shapes the key initiative of the country’s national action plan. This strategy is based on four pillars that include:
  • Legislative & Regulatory Measures
  • Transparent Analysis of Intelligence
  • Domestic and International Cooperation & Coordination
  • Compliance and Law Enforcement
Furthermore, the National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations looks into the implementation of strategy, emphasising effective coordination between different authorities, compliance with regulations and awareness of ML/FT risks among DNFBPs.

Regulatory Obligations and AML/CFT Framework

The AML framework needs to be aligned with the statutory obligations of DNFBPs as follows:

ML/FT Enterprise-Wide Risk Assessment

ML/FT Enterprise-Wide Risk Assessment, also known as Business Risk Assessment, is an assessment that lays down an extensive plan that needs to be carried out to manage ML/FT and PF risks at an enterprise level. EWRA is a key pillar of a risk-based approach that addresses business-specific AML risks, threats, and vulnerabilities and further takes action to mitigate them.
EWRA is a continuous process to identify and assess ML/FT and PF risks that DNFBPs face in business lines, their products, and services and associated with different customers. While conducting the assessment, it considers various internal and external factors such as geographical risks, customer behavior, distribution channels and adequacy of the current AML policies.
DNFBPs with EWRA can effectively detect money laundering risks, identify mitigating measures, point out gaps and take cautious decisions relating to risk appetite and allocation of resources.

Customer Due Diligence

Customer Due Diligence (CDD) is an extensive process to identify and verify customer identity with the help of verified documents. CDD process also includes assessing customer risk profile, understanding the nature of transactions and monitoring customer activities. Additionally, it also focuses on assessing risk associated with customer’s business relationships and transactions.
Further, the CDD process differs depending on the ML/FT and PF risks that customers are associated with. CDD comes in three types: Simplified Due Diligence, Standard Due Diligence and Enhanced Due Diligence. Different CDD types are employed for each customer to mitigate ML/FT and PF risks, depending on the circumstance.

Ongoing Monitoring

Only after CDD measures are employed for customers can DNFBPs establish business relationships with them. Once they enter into these relationships, DNFBPs must undertake ongoing monitoring measures. This measure is crucial as it continuously detects and reports suspicious activities.
Further, as part of ongoing monitoring, DNFBPs monitor business relationships with each customer on an ongoing basis to prevent any probable ML/FT and PF activities which an existing customer can pose.
DNFBPs also need to undertake ongoing monitoring of transactions. To do so, they need to implement a robust transaction monitoring system that can detect suspicious activity effectively by pointing out unusual patterns and frequent transactions and alerting on the involvement of high-risk jurisdictions.

Regulatory Reporting

It is a regulatory obligation under the UAE’s AML regulatory framework to swiftly report suspicious transactions or any reasonable situation where any suspicion relating to proceeds is in question. DNFBPs in the UAE must put in place and update indicators that could be used to identify possible suspicious transactions.
Regulatory reporting means submitting various reports provided under the AML/CFT regulatory framework to the relevant authorities. In the UAE, Suspicious Activity Report (SAR) or Suspicious Transactions Report (STR) are standard reports filed by DNFBPs to report any suspicious activity they come across.
Furthermore, in addition to SAR/STR, they must also file reports depending on the circumstances and nature of their business. These include filing of Partial Name Match Report (PNMR), Fund Freeze Report (FFR), Real Estate Activity Report (REAR), Dealers in Precious Metals and Stones Report (DPMSR), High-Risk Country (HRC), and High-Risk Customer Activity (HRCA) reports.

AML/CFT Governance

For an effective AML framework, DNFBPs must include AML/CFT governance within their AML framework. This governance measure acts as a foundational structure. DNFBPs must include the following measures within AML/CFT governance:
  • AML governance must include compliance staffing and training to ensure that compliance officers and employees understand their responsibilities surrounding AML and further effectively undertake them.
  • It is mandated by the UAE’s regulatory framework that senior management is involved in the institution of the AML framework. Further, the law imposes various responsibilities on it, such as implementing governance and operating systems, approval of internal policies, procedures, and controls, application of the directives of Competent Authorities, and oversight of the AML/CFT compliance programme.
  • The AML framework must include an AML/CFT health check mechanism within DNFBPs that evaluates the business’s performance against all applicable AML/CFT obligations. This measure establishes ways to oversee vulnerabilities across DNFBPs, thereby strengthening the effectiveness of AML policies.
  • AML governance must include AML Independent Audit measures to evaluate efficacy and adherence to AML measures. It is an essential factor of the AML framework to engage auditors for conducting thorough reviews of current policies, procedures, and controls.

Record Keeping

Having a record-keeping system is essential within the AML framework. Records are an important source of information not only for DNFBPs but also for regulators. With record keeping, it is easier to undertake investigations and ensure transparency. As per the UAE’s AML regulatory framework, it is mandated that DNFBPs keep comprehensive information related to transactions, CDD, and any SAR/STR for five years.
Maintaining such records helps in identifying potential ML/FT and PF activities and underscores regulatory oversight. By keeping such records, DNFBPs can effectively counter ML/FT crimes and further safeguard themselves. Furthermore, with robust record-keeping practices, DNFBPs can effectively respond to regulators and commit to having a transparent and answerable culture.

Targeted Financial Sanctions

Targeted Financial Sanctions (TFS) include measures that the regulatory authority imposes to restrict financial transactions with specific individuals, entities, or countries. DNFBPs must undertake such measures to prevent transactions with sanctioned individuals or entities and freeze their assets when identified.
To avoid exposure to ML/FT and PF risk, DNFBPs, as part of this measure, screen customers against relevant sanctions lists released by national and international bodies and report any matches to the appropriate authorities.

How to frame an effective AML Controls framework?

Here are a few ways in which you can effectively build an AML Controls Framework:

1. Having Qualified Compliance Professionals

The first and foremost step to building an effective AML and CFT framework is to have an effective and efficient AML expert who wouldn’t shy away from taking the help of creativity and innovation.
A practical AML/CFT framework requires a structure of corporate governance that incorporates compliance professionals or officers who are fluent in terms of legal regulations requirements.
Anti-money laundering professionals are responsible for making sure that reported issues are addressed within the organization and within a time frame that protects you from further damage.
In addition to that, it is your moral duty to make all the employees of your organization and not just AML professionals know about the legal and ethical responsibilities that need to be effectively managed at an individual level as well in order to comply with the legal AML regulations.
Furthermore, all the employees must understand the fundamental idea of AML/CFT. In order to effectively comply with AML or CFT regulations, all the employees must undergo interdisciplinary training or certification programs in order to identify potential risks.

2. Training of Anti-Money Laundering Experts

Anti-money laundering is a pretty dynamic subject. There are always updates, changes in regulations, proposals, or new laws. In addition to that, criminals continue to find new methods and channels with every passing day.
Improving the overall skill set of your employees is essential in order to ensure that AML/CFT measures are actually implemented in the best possible way.
Professionals from the finance department must clearly understand the AML and CFT legislation and regulations for identifying and reporting any suspicious transactions.
Likewise, management employees who have direct contact with customers or the ones who process documents and money must understand the requirements of the Anti-Money Laundering Laws in the UAE.
Your entire staff must be well aware of the AML/CFT Framework and various roles of the consultants, compliance officers, officers, senior management, and the board of directors.
In addition to that, all of your staff members must be aware of ways in which they are supposed to react if at all they encounter suspicious activity.

3. Risk Assessment And Risk-Based Approach

The foundation of a practical anti-money laundering (AML) and counter-terrorism financing (CTF) framework is a risk-based approach.
Business enterprises should determine the risk level of the clients by conducting an accurate risk assessment during the process of client recruitment.
After this, enterprises should aim to implement an efficient and effective AML compliance program in accordance with the AML/CFT Framework by developing a tailor-made control program in accordance with the risk levels of their respective clients.
  • Building policies and adequate controls to reduce the risk and even the potential of money laundering
  • Understanding the overall levels of risks associated with business transactions and relationships
  • Identifying various sources of risks and evaluating all the potential risk reduction controls
  • Effectively running the successful AML compliance programs
  • Making accurate risk-based decisions about the employees as well as customers
In addition to that, a risk-based approach is adopted in order to detect and prevent all sorts of money laundering activities.
However, risk-bearing capacity and the risk appetite of all the companies and customers are pretty different from one another. As a result, companies would be failing miserably if they try to implement the same AML controls for every customer.
There are two fundamental steps for organizations to move ahead with a risk-based approach. The first is assessing the risk, and the second is applying appropriate control processes to the various risk levels.

4. Advanced Anti-Money Laundering Policies

Highly dynamic anti-money laundering policies are needed to protect a business enterprise from criminal activities like money laundering and fully comply with relevant regulations and laws.
Enterprises need to implement robust risk-based governance to guide systems and processes. Providing a practical anti-money laundering policy framework is the topmost priority when it comes to meeting AML obligations.
Anti-money laundering policies should be easily verifiable by the authorized regulators, reflecting the overall risk appetite.
For instance, your AML policies should incorporate customer risk ranking during the recruitment process and due diligence.
Business enterprises should know their customers in order to comply with local and global legal anti-money laundering requirements and operate within the purview of the established AML/CFT Framework.

5. Know Your Customer (KYC)

Know your customer processes incorporate the process of accurately and completely defining the information of the respective customers. Generally, KYC is the most critical step in the entire anti-money laundering control process.
Once you are sure of who your customers really are, the risk levels of these customers can be evaluated without any hassle, and post which, you can apply customer due diligence (CDD) processes.
Determining the level of risks of your customers or even potential customers with the help of CDD makes the AML control process much faster and efficient for the company.
During the process of CDD, the potential customer must be screened against politically exposed persons (PEPs) and sanctions lists.
If a politically exposed person is found in this screening, then the need for enhanced due diligence (EDD) comes into the picture.
This is simply because politically exposed persons are usually considered as individuals who hail from a high-risk profile, and thus, merely CDD processes might not be sufficient. As a result, the risks and threats related to the customer’s account opening can be detected, allowing you to take more effective AML controls and establish a highly-effective AML/CFT Framework.

6. Ongoing Monitoring

Information or risks of institutions or customers may change over a period of time. For example, individuals who are not PEPs might become politically exposed persons by taking up a new task.
Hence, it is essential to be familiar with the information of the customer that may change over a period, also changing the risk levels of that particular customer.
Therefore, all of this information should be updated in your systems at regular intervals.
In addition to that, the accuracy of this information should also be confirmed so that it continues to serve its function in the risk-based approach.
If you are unable to keep up with the constantly changing customer information, you have to be prepared for some severe consequences.
The AML and CTF framework or policies make an effective risk management tool. Additionally, an effective AML and CTF regime also reduces the probability of damage to the organization due to fraudulent activities.

7. Detecting And Reporting Any Suspicious Transactions

The primary purpose of anti-money laundering checks is to detect financial crimes and suspicious transactions. Financial crimes must be detected, and necessary precautions must be taken in order to bring your AML processes to their actual purpose.
Although it is pretty challenging to check suspicious transactions almost instantly, they can be detected with the help of transaction monitoring solutions available to you. All of these transactions are stopped immediately and passed onto some other AML experts.

8. Upgrade The Anti-Money Laundering System With AI-Powered Solutions

With the constant technological change, crimes are also changing their pace and ways dramatically, resulting in the evolution and development of the regulations. With this given, manual anti-money laundering controls remain insufficient in organizations that are prone to the risk of money laundering activities.
AI-powered anti-money laundering software solutions help you track the unusual transactions for the known patterns, and they reduce the risk of ML to a greater extent and thereby help in implementing an effective AML/CFT Framework.

Conclusion on Effective AML/CFT Framework in Your Business

The anti-money laundering (AML) framework is vital for preventing ML/FT and PF risks. Policies, procedures, and controls established under the AML framework help to detect, mitigate, and report illicit activities, including ML/FT and PF.
Additionally, as a structured strategy, the AML framework aids in a better understanding of the UAE’s AML/CFT regulatory compliance, thus ensuring compliance and avoiding penalties and fines. Therefore, with the implementation of the AML framework, DNFBPs can protect themselves from ML/FT and PF activities.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Counting on Compliance: The Vital Role of Accounting in AML


With growing instances of money laundering and terrorist financing, the UAE AML laws are evolving, imposing more regulatory compliance and reporting obligations upon the regulated entities to combat these crimes. For regulated entities, be it a Financial Institution, Virtual Asset Service Provider (VASP), or Designated Non-Financial Business and Profession (DNFBP), to abide by the AML compliance and reporting requirements, the need for a transparent, accurate, and comprehensive accounting of the business activities cannot be overlooked.
In this article, we shall explore why accounting is so significant in implementing the AML program efficiently and the intersection of the accounting and AML framework.

Intersection and Significance of Accounting in the AML Program

Accurate and complete accounting is crucial to detecting and combating financial crime and staying compliant with regulatory reporting. Here are some of the critical points where the alignment of AML compliance and the accounting function must be ensured:

Business Risk Assessment

The UAE AML regulations mandate the regulated entities to periodically conduct the Enterprise-Wide Risk Assessment to identify and evaluate the financial crime risk the business is vulnerable to. For assessing the risk, the regulated entities must rely on the qualitative and quantitative parameters impacting their business. The “quantitative” aspect of the risk assessment reflects the entity’s historical information, such as instances where any high-risk indicators or red flags were observed.
For this, the regulated entities generally refer back to their business trends for the previous years. This is not possible unless the records and details are appropriately accounted for in the company’s books of accounts.
The quality and relevance of the business risk assessment are highly dependent upon the quality and accuracy of the data used for performing the risk assessment. Thus, the primary step of assessing the ML/FT risk cannot be concluded satisfactorily if the accounting function of the entity is flawed.

Transaction Monitoring

One more obligation imposed upon the regulated entities is to develop and maintain a robust ongoing transaction monitoring program, having adequate controls in place to detect unusual patterns suggesting a connection with money laundering or terrorism financing. The essential requirement of an effective Transaction monitoring program is to have an appropriate data source covering the complete and up-to-date details about the transactions executed by various customers of the regulated entity. The data must be comprehensive regarding purchase, sale, deposit, withdrawal, payments, receipts, time, party, location, value, etc.
This need to have the correct data source on which the monitoring rules and logic shall be applied depends on the entity’s accounting functions. Only if the business’s financial transactions are correctly recorded can such transactional data be made available to the Transaction Monitoring system to analyze and identify the red flags.

Regulatory compliance and reporting requirements

Periodic AML report from the Compliance Officer to the senior management

The AML Compliance Officer of the regulated entities is required to prepare and furnish a periodic AML report to the senior management, providing an update on the entity’s compliance status. This update must include the critical business statistics around the number of transactions with high-risk customers, transactions where payment is received in cash, transactions involving high-risk jurisdictions, etc. This is possible only when the AML Compliance Officer has access to the transactional records, properly accounted for with necessary details.

AML Audit

The regulated entities in the UAE must have an independent AML Audit function in place to test the status and adequacy of the entity’s compliance with regulatory requirements. Performing an AML audit is impossible without having proper records to check on which the auditor can provide its opinion. Thus, fulfilling the AML audit requirement would be faulty in the absence of proper accounting.

AML Surveys

The AML Supervisory Authorities in the UAE often issue surveys to the regulated entities, requesting details about the value and volumes of specified categories of transactions. It is pertinent to adhere to this survey request and furnish accurate and complete information to the authorities. Again, without adequate and timely accounting, retrieving the required data and ensuring its validity would always be a challenge.

AML Record Keeping requirement

Further, the AML laws require the regulated entities to maintain the AML records for a minimum period of 5 years from the transaction’s completion date or the end of the business relationship, whichever is later. The details and information to be maintained under AML must include the transaction details capturing the nature of the transaction, date, and value of the transaction, parties involved, mode of payment, reference to connected transactions, etc. The financial records must be maintained in a way that can be promptly furnished to the authorities when requested, allowing them to review the entity’s compliance efforts and its authenticity.
This AML Documentation requirement can only be achieved when the entities appropriately account for the transactions executed both ways – inward and outward supplies, including receipts, payments, withdrawals, etc.

Best practices for leveraging the benefits of accounting to AML compliance

The following practices help accelerate the AML compliance program with the assistance of the accounting function:

AML training to the accountants

Accountants are well-versed in the study and analysis of financial data, enabling them to detect unusual financial transactions, gaps around the cash flows, or inconsistencies in the working capital cycle of the business.
With ready access to the financial data, they can strongly support the entity’s transaction monitoring program. The accounting team must be trained around the AML framework, internal procedures and controls, and intricacies of the ongoing monitoring rules and logic. When accountants review the transactions, they can quickly evaluate for the possibility of any anomalies and promptly notify the red flags identified. When the accounting brains back the robust monitoring program, malicious transactions can be uncovered effectively.
They can scrutinize the transactions to detect any structuring arrangement to avoid the reporting threshold or unexpected change in the customer’s transactional pattern.
Further, accountants generally understand the business’s possible risk exposure and define the required controls. When accountants understand AML requirements and the financial crime vulnerabilities, the controls proposed by the accountants would be wholesome and capable of managing the overall business risk, including the money laundering and terrorism financing risk.

Integrating the AML systems with accounting systems

A regulated entity needs to have a seamless connection between the AML systems, such as customer screening and transaction monitoring, with the accounting tools used by the business. This integration will ensure that the complete data maintained from the financial records perspective is made available to the AML systems in real-time, permitting timely review of the transactions and business relationships and curbing potential financial crime attempts.
Further, the integrated systems should handle the generation of intelligent MIS reports and business-AML analytics that serve as a base for the AML Compliance Officer to check the overall quality of the AML controls and procedures and prepare necessary reports required to be furnished to the internal reporting authorities or external AML authorities.

Collaboration between the accounting team and the AML Compliance Officer

The AML Compliance Officer must proactively communicate and collaborate with the accountants to design and develop comprehensive and integrated controls and processes for AML compliance.

Allow Niyeahma to uphold the potential of your accounting function for the benefit of AML compliance

Financial accountability and transparency are of utmost significance in all aspects of business, including AML compliance. Niyeahma has a team of professionals from accountancy backgrounds with vast experience in AML compliance who can assist you in combining the accounting and AML functions to optimally utilize accounting to foster AML compliance and prevention of money laundering and terrorism financing. We can help you design standard controls and risk mitigation measures, adequately meeting your compliance and accounting needs and training the team of accountants, empowering them to contribute to the entity’s AML efforts.
Let’s make the most of the accounting team in the course of AML compliance.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


Identity Verification for Partnership Firms


UAE has introduced stringent regulations to combat financial crimes such as money laundering and terrorist financing. These laws mandate that Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) implement adequate frameworks within the organization to identify and prevent money laundering and terrorism financing instances.
Identifying the customers and verifying their identity is essential to the AML compliance program. The regulated entities must apply thorough identity verification measures when dealing with a partnership firm, not just individual customers.
In this article, we will discuss the critical elements of the identity verification process under UAE AML regulations when establishing a business relationship with a partnership firm.

Why are partnership firms vulnerable to financial crime?

A partnership firm is a legal structure owned and managed by individual persons. Sometimes, the legal identity of the partnership firm is exploited by criminals to conduct money laundering or terrorism financing, concealing their identity under cover of the partnership firm.
Further, setting up a partnership firm is relatively simple and quick, making it more vulnerable to financial crime risks and used as a money laundering technique to disguise the actual ownership of illegally obtained proceeds.
Given this, the UAE AML regulations mandate that when conducting a business transaction with a partnership firm, the firm’s identity, including the identity of the Ultimate Beneficial Owners (UBO) and the controlling parties, must be obtained and verified using reliable, independent documents, or sources. This measure shall help uncover the bogus firms established to execute financial crimes.

What is Customer Due Diligence under AML regulations?

Customer Due Diligence (CDD) is a process of identifying the customer or supplier or any third party with whom the business transactions are to be conducted and verifying their identity to determine the legitimacy, including assessing the ML/FT risk the customer poses to the business.

How to ensure adequate identity verification for Partnership Firms?

When establishing a business relationship with a partnership firm, it is very pertinent to understand the firm and its true owners or controllers managing the firm’s business. It is necessary to ensure that the regulated organization is not unknowingly exploited by the partners of the firm for money laundering or other illegal activities.
To ensure adequate identity verification of a partnership firm, the following measures must be followed:

Obtain identification details, including other necessary information and documents

To begin with, the regulated entities must seek the identification details of the partnership firm. For this, it is recommended that the regulated entities get the “Know Your Customer” form filed by the firm, capturing legal name, legal structure, partners, their holding, contact details, license number, nature of the business activities, the purpose of the business relationship, etc.
Adequate documents supporting the identification details, such as a trade license or certificate of incorporation, must also be obtained. Further, documents presenting the organization structure must be obtained, which includes the Memorandum of Association and Articles of Association.
Ensuring the identity documents obtained from the partnership firm are valid and up-to-date is vital.
All the information obtained about the firm shall assist in identifying and evaluating the ML/FT risks the firm poses to the business and accordingly determine the level and degree of the AML/CFT measures to be applied to manage the risk.

Identifying the partners and beneficial owners

Identification of a partnership firm is incomplete without identifying the actual mind behind the legal structure – the partners, UBOs, and the controlling parties. The regulated entities must seek adequate identification details about the UBOs and partners, such as full name, nationality, date and place of birth, address, identification number, etc.
Further, the necessary documents supporting the identification information must be obtained, for example, the passport, Emirates ID, Driver’s License, or any other government-issued document bearing the person’s photograph.
The regulated entities must ensure that the information obtained about partners and beneficial owners is complete and accurate. The partnership structure, as presented in the KYC form, must match the firm’s legal documents.

Verify identity using documents obtained and other reliable, independent sources

Once all necessary documents and information have been collected, the next step is to verify the identity details’ authenticity and the documents’ legitimacy. For verification purposes, the regulated entities may rely on government-issued identity documents or resort to independent databases like the corporate registry or third-party paid resources to ensure that the partnership firm and its partners are legit persons to conduct business with.
The regulated entities should seek the original document for verification purposes and obtain a photocopy of such document, with a remark from the person verifying the documents as “original sighted and verified.” If the firm cannot produce the original documents for verification, the regulated entity must insist on getting a certified copy of the identity document, certified as a “true copy” by a chartered accountant, bank manager, notary, police officer, etc.
The regulated entities must ensure that the identity documents are not forged or tampered with. Further, necessary steps must be taken to match the photo presented on the identification document with the person actually presenting it.

Screening the partnership firm and the partners, UBOs, and controlling parties

The regulated entities must screen the firm and its UBOs, partners, etc., to check whether any person is designated under any sanctions list, specifically under UAE Local Terrorist List or UNSC Consolidated List.
It is also essential to determine whether any of the partners of the firm or the UBOs are Politically Exposed Persons (PEPs), close relatives or associates of a PEP, or any other high-risk individuals.
Further, the regulated entity must also check if there is any negative news or adverse media available against the firm or any of the partners of the firm, indicating criminal history or involvement in financial crime.

Ongoing monitoring

The regulated entities must ensure that the identification information obtained about the partnership firm and the partners is accurate, complete, and valid at all times. For this, the entities must implement adequate ongoing monitoring measures and systems, including regular reviews of identification documents and maintaining adequate documentation related to the identity verification process and changes therein.

Record-keeping

Record-keeping is an important aspect of the identity verification process. Regulated entities must maintain accurate records of all the documents collected and the verification process, including records related to ongoing monitoring and changes in the initial information or documents. The identification verification-related records must be maintained in an organized manner and must be made available to the relevant authorities upon request.
A robust identity verification process, including identifying the partners and UBOs, is mandatory to manage the ML/FT risks while establishing a business relationship with the partnership firm.

How can technology come in handy in the identity verification process of the partnership firm?

Identity verification is essential to manage the risk and stay AML compliant. Given the legal structure of the partnership firm and the requirement to identify and verify the identity of the partners, the regulated entities are recommended to leverage the technology for efficient identity verification.
Regulated entities may use emerging technologies like Artificial Intelligence or Machine Learning to streamline the identity verification process while onboarding a partnership firm as a customer. For example, biometric verification (facial recognition) or automated identity document verification solutions can help reduce the time and resources required to carry out identity verification of the partnership firm and present more accurate results, reducing the risk of manual errors or manipulation.
Identity verification is a crucial component of complying with AML regulations while establishing business relationships, specifically in the case of a legal person, including a partnership firm. A comprehensive identity verification process is essential to identify the ML/FT risks and determine the adequate measures to be implemented to manage the risk arising from the partnership firms onboarded as customers or suppliers.
Any gaps in customer identification may expose the business to unwanted financial crime risk and administrative fines for regulatory non-compliance.

How can Niyeahma assist you in the identity verification process?

Niyeahma is a leading AML consultancy service provider in UAE, assisting regulated entities in identifying business risks and tailoring the AML/CFT policies, procedures, and controls to mitigate the assessed risk effectively. It includes designing a robust customer onboarding framework, including the identity verification processes customized for partnership firms, corporate entities, individuals, trusts, etc., to assess customer risk and apply appropriate AML/CFT controls.
We also impart AML training to the Compliance Officer and the team to effectively implement the designed processes and controls and ensure that identity verification of partnership firms is adequately performed to prevent ML/FT vulnerabilities.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Choosing an apt AML Software for DPMS


Dealers in precious metals and stones are one of the Designated Non-Financial Businesses and Professions (DNFBPs) required to comply with anti-money laundering and combating financing of terrorism (AML/CFT) regulations in the UAE. Non-compliance with AML requirements has severe consequences, including monetary fines, administrative penalties, and reputational damage. The importance of choosing an apt AML software for the DPMS sector cannot be overstated. Adopting an appropriate AML compliance software for Dealers in Precious Metals and Stones is very important to ensure compliance with the AML requirements and safeguard your precious metals and stones business against exploitation by financial criminals.
This article discusses the critical consideration for selecting the right AML software for your AML compliance needs.

Understanding the AML Compliance requirements for Dealers in Precious Metals and Stones in the UAE

Before selecting an AML screening solution, we must understand the AML compliance requirements in the UAE and why a dealer in precious metals and stones must comply with these AML requirements.
Money laundering is concealing the source of the illegally obtained funds and disguising the same as proceeds from legitimate business activities. Financial criminals often use precious metals and stones to launder their dirty and illicit money without attracting the attention of the regulatory authorities. Precious metals and stones are commonly used for laundering funds, given their inherent characteristics – high in value, compact in size and easy to transport across borders.

What are “Precious Metals and Stones” in UAE under the AML regulations?

Under UAE AML regulations, the following are considered “Precious Metals and Stones”:
Precious Metals
  • Gold (minimum purity of 500 parts per 1,000)
  • Silver (minimum purity of 800 parts per 1,000)
  • Platinum (minimum purity of 850 parts per 1,000)
  • Palladium (minimum purity of 500 parts per 1,000)
Precious Stones
  • Rough diamonds of any weight in carats
  • Polished diamonds (minimum weight of 0.3 carats per stone if loose, or a minimum weight of 0.5 carats per any single stone mounted in a setting)
  • Coloured Gemstones like Emeralds, Rubies, and Sapphires (minimum weight of 1 carat per stone if loose, or a minimum weight of 2 carats per any single stone mounted in a setting)
Pearls
  • Loose (minimum diameter of 3 millimetres per bead)
  • Strung or mounted in a setting (minimum diameter of 10 millimeters per any single bead)
Other
  • Any object of which a minimum of 50% of the value is comprised of precious metals and stones.

Who is a Dealer in Precious Metals and Stones in the UAE?

A person engaged in any of the following activities related to precious metals and stones would be treated as a dealer in precious metals and stones (DPMS) in UAE:
  • Extraction, refining, cutting, polishing or fabrication
  • Import or export
  • Purchase, sale, re-purchase or re-sale, including scrap sale of precious metals and stones
  • Barter, or exchange of precious metals and stones
  • Loan or lease arrangements
  • Possession of precious metals and stones, e.g., as a fiduciary, warehousing, or safekeeping arrangement
  • Job work arrangement, e.g., cutting, polishing, refining, casting or fabrication services related to precious metals and stones.

What is AML Compliance in UAE?

Anti-money laundering (AML) compliance is a set of regulations and governing frameworks focused on detecting and preventing the laundering of illegal money through the legitimate financial system. In the UAE, the primary AML/CFT regulations are the Federal Decree-Law No. 20/2018, and its implementing guidelines in Cabinet Decision No. 10/2019.
AML compliance is essential to safeguard the business from exploitation by money launderers. By developing a comprehensive AML compliance framework, businesses can detect and prevent suspicious activities in time, before financial criminals use the business for money laundering.
The AML regulations in the UAE mandate that Financial Institutions, Virtual Assets Service Providers (VASP) and certain Designated Non-Financial Businesses and Professions (DNFBPs) comply with these regulations. Dealers in precious metals and stones are one of the DNFBPs, required to design and implement AML/CFT policies, procedures, and controls to identify, prevent, and report suspicious transactions and activities related to money laundering and terrorism financing.
An AML Compliance Software helps meet KYC, Screening, and Reporting requirements and saves time and costs.

Why is AML Compliance necessary for Dealers in Precious Metals and Stones in the UAE?

As precious metals and stones are considered closely associated with money laundering typologies, the dealers in precious metals and stones are entrusted with the responsibility of identifying any red flags intended towards using precious metals and stones for conducting the money laundering process.
Following are a few ML/FT red flags for dealers in precious metals and stones:
  • Customer requests reshaping of gold into ordinary-looking items to hide the nature of precious metals
  • Customer frequently trades diamonds and gold jewellery for cash in small incremental amounts
  • Transaction involving precious metals with unusual characteristics, not matching market standards
  • Charitable organization requesting to buy gold worth AED 1 million, not aligned with the customer’s activities, etc.
Complying with AML regulations protects the business from non-compliance penalties and reputational damage. With your commitment towards complying with AML compliance requirements, you gain trust and respect from your customers, suppliers, and other stakeholders, achieving customer loyalty and long-term commercial benefits.
AML compliance is a necessary part of the routine business operations of a dealer in precious metals and stones, ensuring the business does not aid any financial criminal in laundering the illegal proceeds of crime.
An AML Screening Software will help you meet legal obligations and counter money laundering and terrorism financing.

Key Features and Functionalities of an Ideal AML Software

AML compliance is integral to any business operation to maintain integrity and avoid non-compliance penalties. With increasing importance and awareness about AML compliances, new technological solutions are designed to detect, prevent, and report money laundering activities. To ensure the completeness and accuracy of the AML compliance requirements, the selection of the right AML software is necessary. While finalizing the AML software, the following key features must be emphasized.

Customer Identification and Verification

The AML software must support the performance of customer due diligence, including Customer identification and identity verification of the customers and their beneficial owners. The customer identification process should be accurate and reliable to determine whether the customer is the one he claims to be. The software should also be able to verify the customer’s address, nationality, and date of birth.
The software should support identifying the designated person or entity mentioned in the sanctions list, specifically in the UAE Local Terrorist and UNSC Consolidated lists. Further, the AML software should also allow screening of the customers and the ultimate beneficial owners against the global list of Politically Exposed Persons (PEP) and adverse media searches.

Risk Assessment and Management

The AML software should allow the Dealers in Precious Metals and Stones to assess the ML/FT risk for each of the customers and, thus, overall enterprise-wide risk assessment. The risk assessment process should be robust and accurate, considering all the relevant risk parameters such as the customer’s business activities, geographies involved, the transactional elements like mode of payment and the frequency of transactions, beneficial ownership, association with PEP, etc.
The risk scoring methodology of the AML compliance software must be simple to understand but comprehensive, assisting the AML Compliance Officer in taking necessary due diligence measures depending on the risk rating to manage the money laundering risk.

Ongoing Monitoring

The AML Compliance software should allow for maintaining and monitoring the customer’s profile and transactions executed with the customer. The transactions should be monitored against the customer’s information file to detect suspicious or unusual activity. Any unusual pattern or mismatch between the customer’s profile and the activities must be highlighted for further investigation by generating an alert. The flagging of the ML/FT red flags would ensure timely actions to prevent or mitigate the impact of the risks.

Regulatory Reporting and Record-Keeping

The AML screening software should support the generation of intelligent and analytic reports to monitor the organisation’s compliance status.
The retention of the necessary AML records and documents must be enabled in the AML software, as required under the UAE AML regulations. The software should maintain a complete audit trail and history of the compliance activities, including the customers screened, transactions monitored, alerts generated, etc. This AML record-keeping functionality of the AML software should serve as documentary evidence to be furnished to the regulatory authorities as proof of AML compliance.

Integration with Existing Operational Systems

The AML software should integrate easily with the business’s existing systems, processes and databases to ensure efficient AML compliance management without hampering any routine business operations. The precious metals and stones dealers can easily integrate their CRM solution with the AML software and streamline the customer due diligence process.
With comprehensive data around AML compliance available in one place, the AML Compliance Officer can review the organisation’s compliance level and ensure the quality of the AML compliance framework implemented across the organization.
Selecting the right AML compliance software is of utmost importance to ensure that dealers in precious metals and stones comply with relevant AML compliance obligations and safeguard themselves from being used for money laundering activities. Right AML Software will equip you with the resources to effectively manage your 100% AML compliance requirements.

Evaluating AML Software Providers

Selection of the right AML software vendor is equally important. You may have the best of the AML software, but you may not optimally use the features if the software provider is not professional and does not provide handholding support. Partnering with the wrong AML software provider can cost you non-compliance fines and reputational damage. Here are a few key factors to consider when evaluating AML software vendors:

Reputation and Industry Experience

The AML software provider’s reputation and industry experience are among the most important factors. Look for an AML screening software provider with experience in the precious metals and stones industry. With the vendor’s understanding of the business operations and the industry, you will get customized AML software mapped with the AML compliance requirements of the dealers in the precious metals and stones sector.
You can check the Name Screening Software vendor’s reputation and experience by referring to online reviews, customer feedback and testimonials from other dealers in precious metals and stones. It helps you make decisions, providing information about the vendor’s strengths and weaknesses and their commitment to customer satisfaction.

Customer Support and Training

Another key factor to consider is the level of post-implementation customer support and training the AML compliance software vendor provides. Implementing AML software is a different task from buying one. The implementation requires support from the vendor in configuring the features as per business needs, training the employees to use the AML screening solution and extending post-implementation ongoing support to manage any issues while using the AML software, which may arise in future once the software is live.

Pricing and Contract Terms

The budget and cost of the AML software are other crucial factors while evaluating the software providers. Look out for any additional hidden charges or costs, such as implementation or annual maintenance costs. The contractual arrangement with the vendor must be clear and transparent, laying down the scope of AML software.

Scalability and Customization Options

One-size-fits-all is not a practical principle in business. The AML software must support customization, allowing the businesses to tailor-make the AML compliance software per the business needs and compliance obligations of the dealers in precious metals and stones. Further, the solution must be scalable, supporting the organisation’s growing business. The AML software, which allows scalability and customization, is always preferred over other AML software.
Selection of the right AML software, supported by the right software vendor, is necessary for the long-term success of the investment in AML technology and for ensuring 100% AML compliance in your precious metals and stones business.

Rightfully implementing the AML Software in the Jewellery Business

Managing AML compliance is necessary to keep financial criminals away from the precious metals and stones business and avoid regulatory fines for non-compliance and reputational damage. With effective implementation of the software, you can manage your AML compliance. Take care of the following aspects while going live with the AML software, and half of your AML compliance job is done:

Configuration of the AML Software

The AML software must be aligned with local and international regulatory developments and the latest data sources to ensure accurate and correct AML compliance by dealers in precious metals and stones.

Preparing the Team

The compliance team must be well-trained in the AML software’s features and functionalities to use the AML software efficiently. The training should discuss the AML compliance obligations and how the software will help achieve each AML compliance requirement.
While deciding on the AML software, AML Compliance Officer, IT professionals and senior management must be involved. This will ensure that the Compliance Officer is satisfied with the solution’s functionalities, the IT team approves the technical configuration and data security, the management signs off the investment in AML software, and shows commitment towards compliance.

How can Niyeahma assist you in selecting the right AML Software for your precious metals and stones business?

The quality and effectiveness of AML compliance depend on the resources deployed, including AML Software. Appropriate AML compliance software will help your business achieve 100% compliance with AML regulations prevalent in the UAE.
Niyeahma is one of the leading AML consultancy service providers in the UAE, assisting clients in setting up and implementing the AML compliance framework. Our domain experts and AML professionals understand your business requirements and help you identify the most appropriate AML solution, including discussing the solution’s functionalities and negotiating prices with vendors.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.
