Conducting Independent AML Audits in DNFBPs: A Comprehensive Handbook

In recent years, anti-money laundering (AML) regulations have become increasingly important for the non-financial sector in the United Arab Emirates. The UAE AML regulations mandate the Designated Non-Financial Businesses and Professions (DNFBPs) to design and implement a comprehensive AML/CFT framework to detect and prevent financial crime. As part of the AML/CFT program, the UAE AML regulations provide for implementing an independent AML audit function to check the quality of the AML measures adopted by these DNFBPs.
DNFBPs (such as dealers in precious metals and stones, real estate agents, lawyers, accountants/auditors, and company service providers) are required to undertake ML/FT Enterprise-Wide Risk Assessment and establish adequate AML/CFT policies, procedures, and controls to manage these risks. This includes conducting Customer Due Diligence, compliance with the Sanctions regime, and measures to detect and report suspicious transactions on the goAML Portal. To test the adequacy and relevance of the implemented program, the DNFBPs are required to get their AML program independently audited by competent personnel.
An independent AML audit is very different from a regular audit of books of accounts. It focuses on the DNFBP’s AML/CFT program and the controls and systems the entity has deployed to detect the red flags and manage the risks.
In this article, we will discuss the independent AML audit in DNFBPs, and the key elements necessary for ensuring the effectiveness of the AML audit.

What is the role of an Independent AML Audit?

The independent AML audit refers to a function – whether an internal department or an external third party – that audits and evaluates the quality of the organization’s AML policies, procedures, systems, and controls. This AML audit function operates independently from the routine operations of the business, including ongoing AML activities, and provides an unbiased opinion on the DNFBP’s AML efforts.
The independent AML audit function is entrusted with the responsibility of periodically reviewing the adequacy of the AML/CFT program of the company and detecting any potential gaps or weaknesses in the DNFBP’s AML measures. AML auditors are expected to thoroughly check the DNFBP’s AML/CFT policies, procedures, and controls to ensure that such framework is in line with UAE AML regulations and the overall enterprise-wide risk assessed by the company.
The independent AML audit is not just restricted to identifying the non-compliance instances or flaws in the implemented measures but also to suggesting the remedial actions necessary for improving the AML framework. The AML auditor’s recommendations may include a requirement for the implementation of additional controls, developing or enhancing the AML training programs, and adopting new technological solutions to strengthen the DNFBP’s AML capabilities.
An independent AML audit demonstrates the DNFBP’s commitment to AML compliance and safeguarding the economy from financial crimes. Periodic AML audits help the DNFBPs ensure that their AML efforts and resources are moving in the right direction. They are focused on effectively managing financial crime risks and staying AML compliant.
The independent AML audit is essential to the overall AML compliance framework for DNFBPs operating in the UAE. With an independent AML audit, the DNFBPs can enhance the business reputation, attracting customer loyalty with their efforts to prioritize AML regulatory compliance and combat financial crime. Further, the supervisory authorities also develop trust in the DNFBP’s AML/CFT measures and controls when an independent AML audit forms part of the overall AML framework.

How to implement an Independent AML Audit in DNFBPs?

Implementing an independent AML audit in DNFBPs in UAE requires adequate planning, robust execution, and post-audit activities management.

AML Audit Plan

An independent AML audit starts with an AML audit plan. This involves defining the following:
  • scope of the audit (which AML aspects and records must be reviewed, and the review period)
  • audit objectives (why is the AML audit conducted, i.e., to check the quality of the AML/CFT framework, etc.)
  • audit procedures (what auditing methods would be used – like records verification, on-site visit, positive confirmation, interviews, etc.)
  • audit resources (what resources would be deployed for conducting the AML audit, including the audit team)
The AML audit team must be adequately qualified and have appropriate skills to conduct the review and form an opinion on the status of the DNFBP’s AML compliance and the quality of the AML/CFT measures implemented.
Further, the AML auditor must be aware of the latest regulatory amendments and understand the AML obligations of the particular DNFBP.
The AML audit plan must be designed considering the overall ML/FT risk exposure, size, and nature of the business. The audit plan and preparation must be aligned with the UAE AML regulations and the feedback from the supervisory authorities of the DNFBP.

Conducting Independent AML Audit

The designed AML audit plan must be diligently adopted for the effective execution of the independent AML audit.
The auditor must review the DNFBP’s documented AML/CFT policies, procedures, and controls to assess their completeness and relevance in the context of the relevant AML regulatory framework and the DNFBP’s ML/FT risk exposure. Any gaps or missing compliance aspects must be highlighted in the report.
Along with a review of the high-level AML/CFT program, the AML auditor must also verify the customer onboarding records to determine the accuracy of the Customer Due Diligence process. The transaction monitoring systems must also be examined to test the reasonableness and adequacy of the monitoring rules defined and their effectiveness in detecting unusual activities or suspicious transactions.
If the DNFBP has implemented any systems or tools for AML compliance, then the integrity and effectiveness of such systems and data security must be verified.
Wherever required, the AML audit team must interview the AML Compliance Officer and the compliance team members to understand their awareness of the internal AML/CFT program and their roles and responsibilities towards AML regulatory obligations. This shall also help the AML auditor determine the level of the entity’s AML training and whether any enhancements are required in the training program.
The team must maintain independence and be able to review and provide unbiased opinions on the company’s AML/CFT program.
Once the necessary audit procedures have been applied and the AML review is complete, the independent auditor must document its observations (identified gaps and non-compliance instances), and the corresponding recommendations in an audit report addressed to the senior management of the DNFBP.
These AML audit findings shall serve as one of the critical AML compliance measures, directing the DNFBPs to improve their AML compliance measures and effectively manage the financial crime risks.

Managing the AML Audit findings (Post-Audit Activities)

Once the management receives the independent AML Auditor’s report, the senior management must immediately take necessary actions to address the AML/CFT deficiencies. The necessary team must be involved, including the AML Compliance Officer, to implement the AML auditors’ recommendations to enhance the quality and effectiveness of the DNFBP’s AML program.
In simple terms, an independent AML audit is a giant umbrella to check and test the DNFBP’s implemented AML/CFT measures, striving to ensure their adequacy, quality, completeness, and relevance through appropriate AML audit planning, effective execution of the AML audit procedures, and redressal of the AML gaps after the audit.

How can Niyeahma assist in ensuring the quality of your AML framework with an independent AML audit?

Documenting the AML/CFT policies and procedures differs significantly from ensuring effective implementation. This is where the independent AML audit comes into the picture.
At all times, the implemented AML/CFT measures and controls must effectively identify and mitigate the money laundering and terrorism financing risks. The AML program must be aligned with relevant AML regulations and complete in all aspects, ensuring total coverage for fighting financial crimes and staying 100% compliant. The role of the independent AML auditor is to examine the existing measures, detect any loopholes, and recommend the best practices to bridge the AML gaps.
Niyeahma is a leading AML consultancy firm assisting the regulated entities in UAE, including DNFBPs, to design and implement customized AML policies and procedures to manage the ML/FT risks. With our domain experts and diverse experience, we can assist DNFBPs in auditing the AML framework and identify necessary improvement areas and regulatory violations that need immediate attention to strengthen the AML measures.
Implement a robust independent AML audit to stay AML compliant and channel your AML efforts in the right direction!

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Role of an AML Compliance Officer in a real estate agent or brokerage firm in UAE

Real Estate is considered one of the typologies criminals exploit to launder illicit money. Thus, UAE AML regulations have included the real estate agents and brokers under the ambit of Designated Non-Financial Businesses and Professions (DNFBPs), required to adhere to an anti-money laundering framework, including the appointment of an AML Compliance Officer to oversee the implementation of AML measures and identify the money laundering instances.
In this article, we will explore the functions of an AML Compliance Officer in a real estate agent or brokerage firm and their significance in combating financial crime from the UAE real estate sector.

Understanding AML Compliance in the real estate sector

Certain business organizations have been entrusted with identifying, preventing, and reporting instances of money laundering and the financing of terrorism. In this context, the procedures and controls adopted by these organizations to mitigate the financial crime risks would be treated as AML Compliance.
AML compliance involves designing and implementing internal AML/CFT policies, procedures, systems, and controls to manage the money laundering risks, implementing the Customer Due Diligence process and ongoing monitoring program to identify and report suspicious transactions, training the relevant staff to create AML awareness, etc.
AML compliance for real estate agents and brokers will help ensure that the sector is not exploited or misused by criminals to place the proceeds of illegal activities. Real estate agents or brokerage firms’ efforts and commitment towards AML compliance will promote the reputation and attract responsible buyers and sellers engaging with the real estate brokerage firm.
AML non-compliance by real estate agents and brokers in UAE can result in reputational damage and hefty administrative fines.
Real estate agents and brokerage firms in UAE must understand their AML compliance obligations and appoint a competent AML Compliance Officer to stay AML compliant and safeguard businesses against financial crime.

The Role of an AML Compliance Officer to combat money laundering in the real estate sector

As one of the DNFBPs under UAE AML regulations, the real estate agents and brokers must comply with the UAE AML regulations and implement necessary measures to protect the firm from being exploited by the money launderers. To oversee the effective implementation of the AML/CFT framework across the firm, the law mandates appointing a designated person to act as an AML Compliance Officer.
The primary role of the AML Compliance Officer would include the following:
– The Compliance Officer must conduct the Enterprise-Wide Risk Assessment to identify and evaluate the company’s possible ML/FT risk exposure. This risk assessment must be aligned with the management-approved risk appetite. It must consider the relevant risk factors, such as the nature of buyers and sellers the company is associated with, the geographies of its operations, the nature of properties involved, the complexity of the transactions, delivery channels used, etc. The outcome of the EWRA or the overall business risk assessment shall help the AML Compliance Officer understand the AML/CFT measures required to safeguard the company.
– The Compliance Officer (CO) must establish and implement comprehensive internal AML/CFT policies, procedures, and controls customized to its business operations and the assessed risk.
The policies must consider the relevant AML regulations, including the specific guidelines, e.g., the Ministry of Economy’s supplemental guidance on AML/CFT for the real estate sector. The CO must periodically review and update the AML/CFT policies and procedures to ensure their relevance and effectiveness.
– CO is also responsible for ensuring that the company follows robust Customer Due Diligence measures before establishing any business relationship with a customer (whether a buyer, seller, property developer, lessor, or lessee). This should also include designing Know Your Customer forms and implementing adequate customer risk assessment methodology to determine the risk each customer poses to the company’s real estate brokerage business.
CO should also ensure that the company has deployed necessary systems and tools to conduct timely screening of the customers, to comply with sanctions screening requirements and determine whether the customer is a Politically Exposed Person (PEP) or has any adverse media against the person, suggesting involvement in any criminal activities.
If a customer is identified as high-risk, the Compliance Officer must ensure that Enhanced Due Diligence measures are applied to manage the increased ML/FT risk, including additional checks and verification related to the customer’s identity, source of their funds and wealth, etc.
– Ongoing monitoring is one of the essential aspects of overall AML compliance. The Compliance Officer must implement adequate systems and procedures to identify suspicious activities and monitor transactions and business relationships.
– The CO, also known as a Money Laundering Reporting Officer (MLRO), is responsible for accurate and timely reporting of suspicious activities and transactions to the UAE’s Financial Intelligence Unit (FIU).
– Apart from filing Suspicious Activity Report (SAR) and Suspicious Transaction Report (STR), the AML Compliance Officer of the real estate broker is accountable for the following additional reporting:
  1. Filing of the Real Estate Activity Report (REAR) on the goAML portal, furnishing details of the designated transactions related to the purchase/sale of Freehold real estate property,
  2. Preparing and submitting a periodic AML/CFT report to the company’s senior management, giving updates on the AML measures applied during the period, any red flags observed, any reports filed with the FIU, any additional requirements for AML resources, etc.,
  3. Submitting relevant information and documents to the supervisory authority when requested.
– One other essential function of the Compliance Officer is to develop the AML training program for the company’s employees, including the senior management, to create awareness around the AML program and promote strong compliance culture.
– Along with AML/CFT measures, the Compliance Officer must consider compliance with Targeted Financial Sanctions. This will include screening the relevant sanctions list and, if any matches are found, applying adequate TFS measures and reporting it to the Executive Officer for Control and Non-Proliferation (EOCN) by filing Fund Freeze Report (FFR) or Partial Name Match Report (PNMR) on the goAML Portal.
– The AML Compliance Officer is responsible for ensuring the maintenance of AML/CFT records and information in an organized manner for a minimum period of five (5) years from the end of the business relationship or transaction. However, the period threshold is six (6) years for the real estate agents and brokers operating in or from ADGM’s Financial Services Regulatory Authority (FSRA) or DIFC’s Dubai Financial Services Authority (DFSA).

Must-have Skills and Qualifications for an AML Compliance Officer

To ensure the effective implementation of the entire AML compliance program in the real estate agent or brokerage firm and protect the business from being vulnerable to financial criminals, the firms must appoint a competent AML Compliance Officer having adequate seniority and independence.
The functions entrusted to an AML Compliance Officer require technical expertise, subject and business knowledge, analytical skills, and a commitment to AML compliance.
The Compliance Officer is expected to have the following skill sets:
  • Thorough knowledge and understanding of the relevant AML regulations applicable to the real estate sector,
  • Analytical skills to detect and evaluate the ML/FT red flags,
  • Communication skills to collaborate with staff, open communication with senior management and supervisory authority,
  • Attention to detail to promptly identify any unusual patterns or transactions indicating financial crime or involvement of criminal proceeds and accurately reporting the suspicious transactions to the FIU,
  • Professionalism and integrity are essential qualities for an AML Compliance Officer to ensure an unbiased approach towards AML compliance and avoid any conflict of interest between compliance and business.

Smoothening the functions of the AML Compliance Officer with adequate technology

With the help of emerging technology, the Compliance Officer can optimize the real estate broker’s compliance function to ensure timely detection of ML/FT risk indicators and stay 100% AML compliant.
The AML Compliance Officer of a real estate agent or brokerage firm can implement developing tools and systems to automate the customer onboarding process, starting from buyer and seller identification, ID verification, liveness checks, real-time screening against sanctions, PEP, or adverse media, etc.
Further, artificial intelligence-based solutions can assess customer risk and monitor transactions and customer profiles. This ensures prompt alert generation for high-risk customers, unusual trends, or suspicious customer behavior.
Embracing developing technology and tools would ease the responsibilities of the Compliance Officer in the real estate agent or brokerage firm in UAE and improve the effectiveness of the AML/CFT measures the officer develops and maintains, by reducing manual errors and identifying potential ML/FT risks in time to curb the vice.

How can Niyeahma assist the AML Compliance Officers of the UAE real estate agents and brokers to navigate the AML Compliance journey?

The role of an AML Compliance Officer in a real estate agent or brokerage firm in the UAE is critical to safeguard the real estate sector from being misused by criminals to route their dirty money.
Niyeahma is a leading AML consultancy firm in the UAE. Niyeahma can strengthen the efforts of the AML Compliance Officer by assisting in assessing the real estate agents and brokers’ ML/FT risk exposure and tailoring the internal AML/CFT policies, procedures, and controls to identify and report suspicious transactions.
We can also impart comprehensive AML training to the Compliance Officer and the staff, including senior management of the real estate brokers and agents, to promote collaborative attempts in the fight against financial crime. With our assistance in identifying and implementing the right AML technology and solutions, the AML Compliance Officer can enhance the effectiveness of the compliance processes and efficiently identify potential ML/FT risks.

About the Author

Jyoti Maheshwari

CAMS, ACA


AML Governance for VASPs in the UAE: Building trust and strengthening compliance

Virtual assets are increasing their acceptance and significance in the financial system of the UAE. However, with this comes the increased risk of money laundering and terrorist financing, given the inherent nature of anonymity and speed of virtual asset transactions. The UAE authorities have brought the Virtual Assets Service Providers (VASPs) under the Anti-Money Laundering (AML) regulatory landscape to mitigate these financial crime risks. Here, it becomes critical for VASPs in UAE to establish an effective AML governance and oversight function to manage financial crime vulnerabilities.

Why is AML Governance important for VASP in UAE?

The VASPs expose themselves to huge ML/FT risks while onboarding customers across the world without any boundaries. Further, as all the transactions are done virtually, the risk of unidentified originators and virtual asset beneficiaries is involved, which can be exploited for laundering illegal funds or financing terrorist activities.
The authorities have established specific regulatory guidelines, mandating the VASPs to adhere to them and safeguard themselves against financial crime risks. VASPs operating in UAE must register with the relevant authorities and comply with the AML/CFT regulations. Failure to comply with these compliance obligations can result in hefty administrative fines and reputation damage.
The AML regulations in UAE require the VASPs to conduct Enterprise-Wide Risk Assessment to identify the ML/FT risks, adopt a risk-based approach to design and implement internal AML/CFT policies, procedures, and controls, and report any identified suspicion to the Financial Intelligence Unit (FIU).
To mitigate the ML/FT risks and avoid regulatory non-compliance penalties, the VASPs must establish and maintain a robust AML governance and oversight function.
For the law firms licensed in UAE, other than Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), the Ministry of Justice is the AML supervisory authority.

How to establish a robust AML Governance Function in VASP?

As a first step to AML governance, the VASPs must understand the AML regulations and compliance obligations imposed upon the organization. With a basic understanding of AML compliance requirements, let us understand the critical component of an effective AML governance framework.

Effective AML governance framework

Appointment of AML Compliance Officer or Money Laundering Reporting Officer

VASPs must appoint a competent person with adequate knowledge and experience in AML compliance to act as the AML Compliance Officer or the MLRO.
The compliance officer shall be responsible for overall AML/CFT program management.

Identifying the business risks

VASP must perform an Enterprise-Wide Risk Assessment (EWRA) to identify and assess the ML/FT risks that the organization faces. The risk assessment must be based on qualitative and quantitative analysis of the relevant risk factors such as customer base, geographies of operations, nature of transactions, products or services offered by VASP, etc.
As the business activities and ML/FT risk typologies keep evolving, the business risk assessment must be dynamic. VASPs must regularly assess the risk to factor in the changes in business activities, regulatory amendments, and emerging financial crime trends. The risk assessment results should be used to develop the internal AML/CFT policies, procedures, and controls to manage the identified ML/FT risks.

Developing the comprehensive AML/CFT framework

VASPs must have in place a well-defined internal AML/CFT program, including policies, procedures, systems, and controls that can adequately identify and manage the ML/FT risks of the organization’s virtual assets operations.
The AML policies and procedures must reflect the VASP’s overall risk and be practical to mitigate the risks.
Having an AML policy is not enough. The VASP must periodically review the policies and procedures to ensure their adequacy, effectiveness, and relevance in combating financial crimes. The AML/CFT framework must, at all times, be effective in addressing the identified business risks and compliant with AML regulatory requirements.
The policy should document the VASP’s AML obligations, the controls adopted by the VASP to manage the risks, and the roles and responsibilities of the AML Compliance Officer, employees, and senior management towards the AML program.

Robust Customer Onboarding Process

Millions of transactions related to the transfer of virtual assets are conducted amongst multiple originators and beneficiaries worldwide. For an effective AML/CFT compliance framework, an effective customer onboarding process is one of the key elements.
It is pertinent for VASPs to identify these originators and beneficiaries of the transactions and verify their identity. The VASP must screen these customers to understand their connection with the Sanctions List, or Politically Exposed Person (PEP), and the presence of adverse media suggesting criminal history.
As part of the Customer Due Diligence (CDD) process, the VASP should also perform a customer risk assessment to identify the risk each customer poses to the business. Based on the outcome of the customer risk profiling, the VASP must adopt a risk-based approach and perform Enhanced Due Diligence (EDD) measures to manage the increased risk posed by high-risk customers.
CDD does not end here. The VASP must implement systems to monitor the transactions and business relationships on an ongoing and real-time basis to identify unusual or suspicious activities.

Suspicious activities identification and reporting procedures

AML framework is incomplete without adequate internal systems and procedures to identify the ML/FT risk indicators or red flags, suggesting involvement in money laundering activities, criminal proceeds, or terrorism financing. A clear mechanism must be in place to guide the employees to actions to be taken once any suspicious activities are observed and how the reporting shall be done to the AML Compliance Officer.
Further, the guidelines about external reporting to the FIU must also be well defined to ensure the timely filing of a Suspicious Activity Report (SAR) or Suspicious Transactions Report (STR) with the FIU.

Support from the senior management

No business function can be successful without the support from senior management. Similar is the case of the AML function. The senior management plays a critical role in ensuring the effectiveness of the AML governance framework by setting the right compliance tone at the top and providing strategic oversight of the implemented AML/CFT policies and procedures.
The management must establish the VASP’s ML/FT risks appetite and review and approve the VASP’s business risk assessment and the developed AML/CFT compliance program. Management should ensure that the risk assessment and AML policies, procedures, and controls are periodically reviewed and updated to manage the risks effectively.
Further, one important role of senior management is ensuring that its compliance department is well-staffed with adequate resources necessary to manage the ML/FT risks and stay AML compliant.
As part of the AML governance and oversight function, the senior management and board of directors must seek periodic reports from the AML compliance officer capturing the VASP’s ML/FT exposure, identified suspicions, actions taken by the compliance officer, any AML gaps observed, etc.

Effective oversight function with periodic AML review and independent AML audit

To ensure the effectiveness of the AML/CFT measures adopted by the VASPs, it is important to establish an independent AML audit and also an internal periodic AML review function. The policies, procedures, systems, and controls implemented by the VASPs must be periodically reviewed to test the quality, adequacy, and effectiveness of the AML/CFT program.
A periodic AML review and interviews with the AML compliance team must be conducted to check whether the AML policies are effectively followed across the organization and to identify any gaps in policies, procedures, or implementation flaws. This periodic review shall assist the VASPs in remediating the AML non-compliance or vulnerabilities before they have a multifold impact on the operations. The internal reviews can be considered as frequent routine checks on the effectiveness of AML/CFT systems and controls, necessary to ensure that the AML measures are up-to-date and capable of identifying the financial crime risks.
Further, the VASP must appoint an independent person, having adequate AML understanding and experience to conduct the AML review. An independent AML audit shall be a more focused and unbiased review by a third party (possibly an external person) to ensure that VASP has an appropriate framework to manage the risks and stay AML compliant.

AML training program

AML governance function is incomplete without the involvement of the entire staff and their contribution towards the AML/CFT program. AML Compliance Officer of the VASP must develop a robust and comprehensive AML training program for the staff, including senior management, to ensure that all the employees of the organization understand the ML/FT risks, compliance obligations, and their roles and responsibilities towards VASP’s AML/CFT efforts.
AML training shall ensure that staff is well aware of internal AML/CFT policies and procedures and can exercise sound judgement when any suspicion is observed.

AML governance using technology and data analytics

AML governance and oversight would be challenging without deploying adequate technology and data analytics tools in this virtual asset world where everything is online. With technology, VASPs can automate the ML/FT risk assessment and deploy adequate measures to mitigate the same. With the humungous volume of virtual asset transactions, technologies like Artificial Intelligence and Machine Learning make transaction monitoring easy and real-time, generating alerts for unusual activities and reducing false positives.
Further, data analytics algorithms can be trained to identify unusual customer behaviour, detect suspicious transactions, and identify patterns that may indicate money laundering or terrorist financing.
VASPs can effectively detect and prevent money laundering and terrorist financing involving virtual assets by integrating technology and data analytics in their AML governance and oversight functions.

Collaborating with regulatory authorities and industry partners

As an element of effective AML governance, VASPs are recommended to stay connected with AML regulatory and supervisory authorities to seek guidance on various AML/CFT compliance obligations. Further, seeking the authorities’ feedback on implementing AML measures is also critical to enhance and improve the AML/CFT function.
Webinars and awareness sessions conducted by the authorities can also be helpful for VASPs to manage their ML/FT risks and detect emerging ML/FT typologies.
Collaboration with other VASPs can also help understand the industry’s best practices to identify and manage the ever-evolving ML/FT risks arising from virtual asset transfers.

Measuring the effectiveness of your AML governance and oversight function

VASPs need to review and enhance their AML governance and oversight function. This can be done using key performance indicators (KPIs) such as –
  • Periodicity of AML/CFT report furnished by AML Compliance Officer to senior management
  • Gaps identified, and the time and actions taken to remediate them
  • Feedback received from the authorities
  • Number of suspicions observed
  • Quality and frequency of the AML training program
  • Findings of internal AML review and independent AML audit
Though not exhaustive, assessing certain factors can give insights into the effectiveness of the VASP’s AML governance and oversight function.

How can Niyeahma assist VASPs in UAE in establishing effective AML Governance Function?

Effective AML Governance and Oversight functions are critical for VASPs to stay AML compliant and manage the financial crime risks.
A robust AML/CFT program, commitment, and support from senior management, deployment of emerging technologies, comprehensive AML training, periodic AML review, audit, etc., can enhance the quality and relevance of the VASP’s AML/CFT framework.
Niyeahma is one of the leading AML firms in UAE, supporting regulated entities, including VASPs, to establish and maintain a strong internal AML/CFT compliance program aligned with their overall ML/FT risks and regulatory requirements. We also help the VASPs set up solid AML governance and oversight functions, constantly contributing towards enhancing the effectiveness of the VASP’s AML/CFT measures.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


AML Compliance Requirements for Law Firms in UAE


With the increase in financial crimes, the introduction and implementation of anti-money laundering and combating the financing of terrorism (AML/CFT) regulations is increasing. In the UAE, lawyers and independent legal firms are covered under the purview of AML regulations. Because lawyers, notaries, and legal service providers are vulnerable to financial crime, law firms and legal professionals have been brought under the AML regulatory regime to identify and prevent money laundering and terrorism financing.
This article navigates the AML requirements for law firms operating in or from the UAE.

What AML regulations apply to Law Firms in the UAE?

The primary legislation governing AML compliance is the Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and its implementing guidelines under Cabinet Decision No. 10 of 2019. The federal AML regulations identify the regulated entities and establish a comprehensive framework for such entities to be followed to identify, report, and mitigate the money laundering and terrorist financing risks.
The regulated entities defined under the UAE AML regulations as Designated Non-Financial Businesses and Professions (DNFBPs) include:
Lawyers, notaries, and other independent legal professionals, when preparing, conducting, or executing financial transactions in relation to the following activities on behalf of the customers:
  • Purchase and sale of real estate
  • Management of customer’s funds
  • Managing customer’s bank accounts, saving, or securities accounts
  • Organizing contributions for the establishment, operation, or management of the company
  • Creating, operating, or managing legal persons
  • Selling and buying commercial entities
For the law firms licensed in UAE, other than Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), the Ministry of Justice is the AML supervisory authority.
With reference to the Federal AML regulations, the Ministry of Justice (MoJ) has also issued Ministerial Decision No. (533) of 2019 on Anti-Money Laundering and Combating Terrorism Financing related to Lawyers, Notaries, and Legal Independent Professionals and a detailed guide to help the law firms effectively implement the AML/CFT measures and prevent financial crimes.
Accordingly, law firms must comply with Federal AML legislation and the decision and guide issued by the Ministry of Justice.

What are the AML Compliance requirements of a Law Firm in UAE?

As regulated entities, law firms and legal professionals are responsible for identifying and reporting ML/FT-related suspicious transactions to the Financial Intelligence Unit. In this context, law firms must comply with Federal AML legislation and the decision and guide issued by the Ministry of Justice.
The following are the AML compliance obligations for a law firm in UAE:

goAML Registration

Every law firm in UAE must be registered with the Financial Intelligence Unit’s (FIU) goAML Portal.

Appointing an AML Compliance Officer

To ensure the effective implementation of the AML Compliance program, law firms must appoint a competent AML Compliance Officer. The appointment of the compliance officer must be approved by the supervisory authority, which is sought during the pre-registration stage of the goAML registration.

Conducting Enterprise-Wide Risk Assessment

The law firms must assess the overall money laundering and financing of terrorism (ML/FT) risk their firm is exposed to. The AML Enterprise-Wide Risk Assessment must be conducted based on the nature of the customers, associated geographies, nature of services offered, volume and complexities of the transactions, etc.

Establishing AML/CFT Policies, Procedures, and Controls

Based on the overall business risk assessment outcome, law firms and legal professionals must design and implement internal AML/CFT policies, procedures, and controls to manage ML/FT risks.
The internal AML/CFT framework must be aligned with applicable AML regulations and the nature and size of the business.

Client Due Diligence Measures

One of the key AML requirements for law firms in the UAE is to identify the customers and the beneficial owners and verify their identity.
The companies must adopt “Know Your Customer” (KYC) procedures to identify the customer, their activities, the purpose of the business relationship, etc.
The law firms must also conduct screening to determine whether any of the customers, their beneficial owners, or the senior management is mentioned on the Sanctions Lists. Screening must be conducted to identify the customer’s status as a Politically Exposed Person (PEP) or a relative or close associate of the PEP.
Adverse media checks must also be conducted to see whether the customer has been linked to, or alleged to be involved in, any financial crime-related matters in the past.
Based on the customer identification details and screening results, law firms and legal professionals must identify each customer’s risk to the business and classify the customers as high, medium, or low based on the assessed ML/FT risks.
In cases where the customers are identified as high-risk, the law firms in UAE must seek additional information and adopt enhanced due diligence measures. The lawyers must take necessary actions to understand the customer’s source of wealth and funds and determine its legitimacy.

Ongoing Monitoring of transactions and business relationships

Law firms are required to keep customer information up to date. The CDD information must be closely monitored to ensure that the legal professionals have complete and accurate data about their customers and beneficial owners and that any changes therein are promptly identified.
Further, ongoing monitoring of the transactions is also very important to identify any unusual or suspicious customer activities related to money laundering and terrorist financing. For high-risk customers, enhanced and more stringent monitoring measures must be applied.

Compliance with Targeted Financial Sanctions

Law firms are required to implement the Targeted Financial Sanctions (TFS) measures. Accordingly, the law firms must subscribe to the Executive Officer for Control and Non-Proliferation (EOCN) Notification System to receive regular updates about changes in the sanctions lists – United Nations Consolidated List and the UAE Local Terrorist List.
All the customers, beneficial owners, and the customer’s senior management must be screened against these sanctions lists. If any confirmed match is found, the law firm must immediately terminate the business relationship (existing customer) or reject the customer (prospective customer) and submit a Fund Freeze Report (FFR) on the FIU’s goAML portal. In case of a partial name match where the law firm cannot conclude the match type, the business relationship must be suspended, and a Partial Name Match Report (PNMR) must immediately be filed on the goAML Portal.

Identifying and reporting suspicious activities or transactions

Law firms must establish adequate procedures and controls to identify any potential ML/FT risk indicator and report suspicious activities to the FIU. Suspicions related to ML/FT must be reported to the FIU by filing a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR), as the case may be.
The list of red flags and the internal procedures to be followed for reporting must be well documented as part of the AML/CFT framework.

AML Training

AML training for the staff is one of the critical compliance obligations for law firms. Regular training must be provided to the staff and senior management to create awareness about AML compliance obligations and their roles and responsibilities.

AML Governance

To ensure a robust AML Compliance culture, the senior management must support and contribute towards the law firm’s AML/CFT efforts.
The Compliance Officer must furnish a periodic AML report to the senior management, updating them on the firm’s AML measures, the requirement for any additional AML resources, any AML non-compliance identified, and the action taken by the compliance officer, along with routine AML matters. Senior management must review and provide feedback to the Compliance Officer.
The law firms must implement an independent AML Audit function to periodically test the quality and adequacy of the AML/CFT measures to identify and mitigate the financial crime risks effectively.

Filing Real Estate Activity Report (REAR)

Lawyers and legal professionals are required to file a Real Estate Activity Report (REAR) on the goAML portal to report transactions pertaining to the purchase or sale of Freehold Real Estate that involve cash (equal to or exceeding AED 55,000), virtual assets, or funds converted from virtual assets.

AML Record Keeping

All AML-related records and documents, including CDD files and transactions with customers, must be maintained by law firms for at least five (5) years.

How can Niyeahma assist Law Firms in UAE to stay AML Compliant?

AML compliance is critical for law firms operating in the UAE to safeguard their practice from being exploited by financial criminals and avoid non-compliance penalties.
To understand the AML regulatory landscape and effectively meet the compliance obligations, reach out to AML experts like Niyeahma, your partner in making the AML journey a smooth experience.
Niyeahma is a leading AML consultancy service provider in UAE, assisting DNFBPs, including law firms, to identify overall ML/FT risks and implement best AML practices to prevent money laundering and terrorism financing crimes.

About the Author

Jyoti Maheshwari

CAMS, ACA


What is smurfing in money laundering? Smurfing technique, risks, and protective measures


One of the widely used money laundering techniques, smurfing, poses a high risk to Financial Institutions worldwide. Smurfing is the practice of breaking down large amounts of cash into smaller amounts deposited with financial institutions to avoid detection and reporting thresholds. Because it manipulates transaction values, the technique is also known as “Structuring.”
Laundering of illegal money using the smurfing method can be carried out by individuals or organized crime groups, with devastating consequences for the financial institution and society.
This article will provide insights into identifying smurfing instances and how financial institutions can safeguard themselves against them and prevent the same.
Before discussing how to prevent smurfing, it is important to understand what it is and how it affects financial institutions.

What is smurfing in financial institutions?

Smurfing involves splitting a large sum of cash into multiple smaller transactions below the AML reporting threshold to avoid the applicability of AML measures and detection by financial institutions and regulatory authorities.
Smurfing is often used to facilitate the placement of illegal funds into the legitimate financial system of the economy.

How does smurfing affect financial institutions?

As smurfing is used to launder funds by facilitating the entry of proceeds of criminal activities into financial institutions, it is a significant risk to the security and integrity of the financial institution. When financial institutions allow criminals to use the smurfing technique, knowingly or unknowingly, the financial institutions face legal consequences for aiding in money laundering activities and the breach of regulatory obligation of reporting the money laundering-related suspicious activities. Further, smurfing damages the reputation of financial institutions and adversely impacts public trust.
Thus, to avoid the loss of public trust and heavy fines for AML non-compliance, it is pertinent that the financial institutions design and implement robust procedures and controls to identify, report and prevent exploitation by smurfing.

What are the commonly used smurfing techniques in Money laundering?

Smurfing or the structuring of transactions can be conducted in many forms, and thus, awareness about the most common smurfing techniques is essential. The most frequently used smurfing technique is to divide the large cash amount into multiple smaller value transactions to deposit or withdraw cash from different financial institution locations or branches.
Other methods include using multiple accounts in the name of multiple individuals to conduct transactions and making payments using wire transfers or other electronic means of fund transfer to avoid AML scrutiny.
Financial institutions must monitor transactions and look for suspicious patterns or customer behaviour suggesting the use of smurfing, e.g., multiple withdrawals of the same amount through different accounts simultaneously but with the same beneficiary.

What are the regulatory measures against smurfing in money laundering?

The AML regulatory framework is important to detect and prevent money laundering through smurfing. Financial institutions must understand the risk associated with smurfing and, accordingly, implement the guidelines in the regulations to prevent financial crimes and stay compliant.

Anti-Money Laundering Regulations against smurfing

Since smurfing is associated with money laundering typologies, the AML regulations in UAE provide for adopting strong and comprehensive AML procedures, controls, and systems to identify and prevent money laundering activities, including laundering through the smurfing method.
The AML regulations in UAE mandate that financial institutions assess the money laundering risk, including the risk posed by smurfing. Further, the financial institutions must develop and implement a robust AML framework, including policies for performing customer due diligence and regularly monitoring transactions to identify suspicious activities and transactions contrary to the customer profile.
Financial institutions may implement solid transaction monitoring programs to identify the smurfing instances, using advanced algorithms or Artificial Intelligence to identify unusual patterns or suspicious activity. These systems should be able to flag transactions inconsistent with a customer’s known financial behaviour. Further, the financial institutions should also conduct periodic reviews of customer due diligence files to identify any update to the customer information or risk assessment of the customers that may be considered suspicious.

Know Your Customer (KYC) and Customer Due Diligence (CDD) Policies against Smurfing

KYC policies include identifying the customer and verifying their identities to ensure that the customer the financial institutions are dealing with is legitimate and has no criminal history or active connection. Financial institutions can reduce the risk of enabling smurfing by implementing an effective KYC process. Please note that KYC is one of the starting measures to identify and prevent smurfing, but it is not sufficient on its own.
Financial institutions should implement additional Customer Due Diligence measures in case of high-risk customers or where any suspicion has been observed. These additional checks to verify the legitimacy of customer transactions may include understanding the purpose of the transaction, the customer’s source of funds and wealth, etc.

Reporting suspicious activities to UAE’s Financial Intelligence Unit (FIU)

UAE AML regulations mandate that financial institutions identify and report any suspicious activity to FIU by filing a Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR).
Financial institutions must comply with the regulatory framework and implement the necessary controls and systems to detect and prevent smurfing.

What are the risk indicators related to the smurfing in money laundering?

Here is a list of potential red flags that the financial institutions must be cautious of, suggesting possible involvement of smurfing:
  • Multiple small cash deposits a person or group makes into the same account but through different branches.
  • Regular deposits or withdrawals in amounts exactly matching the AML Compliance cut-off.
  • Transactions not matching the customer’s usual patterns, such as sudden large cash deposits or frequent transfers to offshore accounts unrelated to the customer or its business.
  • A customer opening multiple accounts with little to no activity to distribute the funds.
  • Frequent funds transfers between multiple accounts, specifically to high-risk jurisdictions.
  • Unnecessary involvement of intermediaries to facilitate transactions without any business sense.
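
Three of these patterns written as transaction-monitoring rules, as an added example that is not part of the original article: split cash deposits into one account through different branches, repeated amounts at or just under the cut-off, and the earlier example of same-amount withdrawals from several accounts to one beneficiary. The threshold, look-back window, band width, minimum counts and all sample transactions are assumptions constructed for illustration; the second rule widens "exactly matching" to a band just below the cut-off.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values (not from the article); set them from your own policy.
THRESHOLD = 50_000             # hypothetical cash reporting threshold
WINDOW = timedelta(days=3)     # look-back window for split deposits
NEAR_BAND = 5_000              # "at or just under" = within 5,000 of THRESHOLD
MIN_NEAR_HITS = 3              # repeats needed before the pattern counts as regular
MIN_ACCOUNTS = 3               # distinct accounts paying one beneficiary


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    branch: str
    kind: str                  # "cash_deposit" or "withdrawal"
    amount: int
    ts: datetime
    beneficiary: str = ""


def split_deposit_alerts(txns):
    """Sub-threshold cash deposits, one account, 2+ branches, summing to the threshold."""
    by_account = defaultdict(list)
    for t in txns:
        if t.kind == "cash_deposit" and t.amount < THRESHOLD:
            by_account[t.account].append(t)
    alerts = []
    for account, items in sorted(by_account.items()):
        items.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > WINDOW:
                start += 1                      # slide the window forward
            window = items[start:end + 1]
            total = sum(t.amount for t in window)
            branches = sorted({t.branch for t in window})
            if total >= THRESHOLD and len(branches) >= 2:
                alerts.append({"rule": "split_deposits", "account": account,
                               "total": total, "branches": branches,
                               "txns": [t.txn_id for t in window]})
                start = end + 1                 # do not re-alert on the same deposits
    return alerts


def near_threshold_alerts(txns):
    """Repeated deposits or withdrawals at, or just under, the threshold."""
    hits = defaultdict(list)
    for t in txns:
        if THRESHOLD - NEAR_BAND <= t.amount <= THRESHOLD:
            hits[t.account].append(t.txn_id)
    return [{"rule": "near_threshold", "account": a, "txns": ids}
            for a, ids in sorted(hits.items()) if len(ids) >= MIN_NEAR_HITS]


def shared_beneficiary_alerts(txns):
    """Same-amount withdrawals from several accounts to one beneficiary in one day."""
    groups = defaultdict(list)
    for t in txns:
        if t.kind == "withdrawal" and t.beneficiary:
            groups[(t.beneficiary, t.amount, t.ts.date())].append(t)
    alerts = []
    for (ben, amount, day), items in sorted(groups.items()):
        accounts = sorted({t.account for t in items})
        if len(accounts) >= MIN_ACCOUNTS:
            alerts.append({"rule": "shared_beneficiary", "beneficiary": ben,
                           "amount": amount, "day": day.isoformat(),
                           "accounts": accounts})
    return alerts


def run_rules(txns):
    return (split_deposit_alerts(txns) + near_threshold_alerts(txns)
            + shared_beneficiary_alerts(txns))


def d(day, hour=10):
    return datetime(2024, 3, day, hour)


# Constructed sample data; accounts, branches and amounts are invented.
SAMPLE = [
    Txn("T01", "A1", "BR-01", "cash_deposit", 18_000, d(1)),
    Txn("T02", "A1", "BR-02", "cash_deposit", 17_500, d(2)),
    Txn("T03", "A1", "BR-03", "cash_deposit", 16_000, d(3)),
    Txn("T04", "A2", "BR-01", "cash_deposit", 20_000, d(1)),   # ordinary, no alert
    Txn("T05", "A3", "BR-04", "cash_deposit", 49_000, d(1)),
    Txn("T06", "A3", "BR-04", "cash_deposit", 50_000, d(8)),
    Txn("T07", "A3", "BR-04", "withdrawal", 48_500, d(15), "BEN-10"),
    Txn("T08", "A4", "BR-02", "withdrawal", 9_000, d(5, 9), "BEN-77"),
    Txn("T09", "A5", "BR-02", "withdrawal", 9_000, d(5, 11), "BEN-77"),
    Txn("T10", "A6", "BR-05", "withdrawal", 9_000, d(5, 14), "BEN-77"),
]

if __name__ == "__main__":
    print(*run_rules(SAMPLE), sep="\n")
```

Each alert is a starting point for analyst review against the customer's profile, not a conclusion; rules like these feed the internal escalation to the Compliance Officer.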

What measures should a Financial Institution adopt to prevent smurfing in money laundering?

Implementing effective internal controls

Financial institutions must develop and implement solid internal AML policies, procedures, and controls to detect and prevent smurfing in a timely manner. The key AML measures to prevent smurfing are:

Employee training and awareness

Awareness among financial institutions’ employees is crucial to identifying smurfing-related red flags. Employees must be trained to understand the risks associated with smurfing, identify smurfing activities attempted through the financial institution, and report suspicious activities.
Employees must be trained in-house by the Compliance Officer, or some third-party expert can be hired to impart the training. The training program should include discussion around risk indicators and case studies based on actual real-life scenarios. Case studies can help employees better understand the technique and related red flags. This helps the employees correlate the training with on-job activities and, thus, helps employees understand their roles and responsibilities in preventing smurfing.
Another important aspect of employee training is ensuring employees stay updated with regulatory amendments and evolving ML typologies, including smurfing methods. Thus, ongoing training of the employees must be ensured through periodic sessions (refresher courses), internal circulars, etc.

Ongoing Monitoring Systems

Real-time or Ongoing Monitoring systems help financial institutions detect unusual transactions or suspicious activities. These systems should be based on robust logic and monitoring rules and should preferably be fully automated, and intelligent data analytics should be used to ensure their relevance and effectiveness.
Using Artificial Intelligence (AI) can help financial institutions identify inconsistent patterns or trends in large datasets considering the past records, overall business risk, and the customer risk profile, suggesting potential risk indicators. AI can also help financial institutions detect new techniques that criminals may use for laundering illegal money.
Another important aspect of monitoring transactions to identify suspicious activities is to use reliable and independent data sources, such as watchlists and adverse media, to support the internal alerts generated during ongoing monitoring.

Risk assessment and management

To effectively manage the risk, financial institutions must first identify the risk exposure, specifically the vulnerabilities to smurfing. A periodic Enterprise-Wide Risk Assessment must be conducted, and based on the risk assessed, the necessary risk mitigation measures must be deployed.
Moving one step ahead, the financial institutions must also assess the risk each customer poses to the business – customer risk profiling must be conducted using risk scoring models. The monitoring program can then be designed and applied according to each customer’s risk profile, i.e., high-risk customers should be subject to frequent and increased monitoring.
Designing and implementing effective internal controls is very important for a financial institution to safeguard itself against smurfing. Financial institutions can help reduce risk exposure and avoid reputational damage with adequate employee training, a strong and comprehensive monitoring program, and timely risk assessment of the business and customers.

Enhancing customer due diligence

Financial institutions are critical in preventing money laundering activities, especially smurfing. Financial institutions must adopt additional checks and measures while performing customer due diligence to prevent smurfing.
Customer due diligence involves identifying the customer and verifying the customer’s identity, customer risk classification, and ongoing monitoring of the customer’s information and transactions. Financial institutions can timely identify money laundering activities by implementing effective customer due diligence processes and avoid non-compliance regulatory fines and reputational damage.

Verifying customer identity

Verifying customer identity is the first and most crucial step of the CDD process. Financial institutions must ensure that their customers are genuine and not associated with criminal activities. Customer identity verification includes obtaining customer identification documents such as passports, driver’s licenses, and national identity cards. Financial institutions must also conduct screening against the Sanctions List and perform background verification to ensure the legitimacy of the person and the identity documents.
Verifying customer identity is essential for preventing money laundering activities and for avoiding exposure of the business to financial criminals.

Monitoring customer transactions

Monitoring customer transactions is another vital aspect of CDD. Financial institutions must regularly monitor customer transactions to detect and report suspicious activities such as depositing or withdrawing vast sums of cash divided into multiple small-value transactions.
Financial institutions can use various tools and technologies to monitor customer transactions, such as transaction monitoring systems built upon AI or machine learning. These tools can analyze customer transactions in real-time and identify inconsistent customer activities.

Identifying high-risk customers

Identifying customers who pose a higher risk to the business is important to prevent smurfing. High-risk customers include persons whose transactions are inconsistent with the customer’s business activities, persons reluctant to share identity documents, individuals or businesses with active connections with high-risk countries, or politically exposed persons (PEP).
Financial institutions must develop and implement increased checks and verification measures for high-risk customers. Enhanced Due Diligence (EDD) shall be performed, which includes obtaining information about the customer and beneficial owners’ source of funds and wealth, understanding the purpose of the transaction and business relationship, and seeking senior management approval before establishing a business relationship or conducting transactions with high-risk customers.
EDD is one of the important measures to identify and prevent smurfing activities, relying on adequate customer verification processes, continuous transaction monitoring, and the identification of high-risk customers who increase the financial institution’s overall risk.

Collaborating with regulatory authorities and other financial institutions

Collaboration with other financial institutions and regulatory authorities is essential to prevent smurfing. This involves smooth sharing of information and best AML practices, conducting joint investigations, and developing industry-wide control standards.

Sharing relevant information and best practices to prevent smurfing

Financial institutions must share information and best practices to identify and prevent smurfing activities. This includes sharing information about known smurfing syndicates, account numbers, and techniques and collaborating on research and development of effective solutions to identify and reduce the impact of smurfing activities.
Financial institutions can also share the best practices for identifying and reporting suspicious activity related to smurfing to the FIU.

Joint investigations and operations

Joint investigations can help to identify and prosecute the individuals and groups involved in smurfing activities. Financial institutions should collaborate with regulatory authorities and other financial institutions to facilitate these investigations, such as providing corroborative evidence to support investigations.

Developing the best industry-wide standards

Collaboration and cooperation between financial institutions are necessary to implement industry-wide best measures and standards to identify and prevent smurfing. This includes developing standard operating procedures, AML framework, and aligning AML regulatory requirements.
Collaboration between financial institutions and regulatory authorities aids in combating smurfing activities. Financial institutions can reduce the impact of smurfing and safeguard the financial system by sharing information on already proven smurfing elements, supporting investigations, and developing the best industry-wide standards.

Leveraging technology to fight smurfing

Smurfing is a common technique used to launder illegal money, given its simple nature of breaking large values into smaller amounts to circumvent the AML threshold. Here, financial institutions can deploy technology to detect and prevent smurfing activities.
Advanced technologies like Artificial Intelligence (AI) and Machine Learning (ML) can help understand the trends and track customer behaviour to identify smurfing activities. AI and ML algorithms can analyze the massive volume of transactions and customer information to identify unusual or inconsistent activities.
Emerging technologies such as Blockchain and Distributed Ledger Technology (DLT) can also provide a secure transactional trail, reducing the risk of manipulating or structuring the transactions, thus reducing the risk of smurfing activities. By leveraging blockchain and DLT, financial institutions can create a transparent and immutable transactional record, making it difficult for criminals to disguise or conceal their activities or conduct financial crime.
The other technologies that can significantly assist financial institutions in combating smurfing are advanced analytics and data mining that can identify unusual patterns of transactions indicating the possibility of smurfing or other money laundering activities.
Financial institutions can prevent smurfing activities with the right technology and AML solution. With AI and ML, blockchain and DLT, and advanced analytics and data mining, financial institutions can up their AML compliance and safeguard their operations from the risk of smurfing.

How can Niyeahma assist financial institutions in developing a robust AML framework to prevent smurfing?

Niyeahma is an AML consultancy service provider offering end-to-end AML support to financial institutions, Virtual Asset Service Providers (VASPs), and Designated Non-Financial Businesses and Professions (DNFBPs). Niyeahma can assist financial institutions in designing robust AML/CFT policies and procedures, implementing adequate internal controls, enhancing the Customer Due Diligence framework, and training employees to stay vigilant in detecting smurfing instances.
Financial institutions must identify, report, and timely prevent smurfing activities. Niyeahma assists financial institutions in identifying the right technology and AML tool to identify the unusual activities suggesting smurfing.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

How to ensure effective Suspicious Activity Reporting?

In the UAE, Anti-Money Laundering and Combating of Financing of Terrorism (AML/CFT) measures and regulations are critical to identifying potential risks and timely reporting these suspicious activities to ensure the financial stability and security of the economy.
When regulated organizations – whether Financial Institutions, Virtual Asset Service Providers (VASPs), or Designated Non-Financial Businesses and Professions (DNFBPs) – fail to implement the policies and procedures around suspicious activity reporting, the consequences are severe for the organization and the country. The employees must be trained on ML/FT risk indicators, identifying suspicious activities, and appropriately reporting to the Financial Intelligence Unit (FIU).

How to identify Suspicious Activity under AML regulations?

Employees engaging with customers and managing the business relationship are vital in identifying suspicious activity. For effective suspicious activity reporting, the employees must understand the red flags and the actions to be taken when such risk indicators are observed.
Once any ML/FT red flags are observed, the employees must collate adequate information about the suspicion and immediately report such suspicious activity to the AML Compliance Officer.

What are the common risk indicators suggesting Suspicious Activity?

Some common indicators of suspicious activity that the employees of the regulated organization must be aware of are:
  • Customer suddenly starts making large value transactions, contrary to the transaction history or not matching the customer’s financial position
  • Customer comes from or is closely connected with high-risk jurisdictions
  • Customer has adverse media or criminal records for being involved in financial crime in the past
  • Customer refuses to share the identity documents or is reluctant to disclose the identity of the beneficial owners
  • Customer has no active connection with the UAE, or the purpose of the transaction is not clear
  • Customer’s legal structure is excessively complex, without any business rationale
  • Customer hesitates in sharing information about the beneficial ownership
  • Customer engages in multiple transactions with values just below the AML threshold
  • Identity document furnished by the customer is found to be fake or forged
  • Payment towards the transaction is initiated from a third-party account not related to the business transaction
  • Unnecessary involvement of third-party agents or intermediaries, without any business sense, to conceal the identity of the customer
The employees must be informed of the red flags suggesting a potential association with money laundering or terrorism financing. Further, employees should be aware of the list of high-risk countries.
Employees must be well-trained to look for unusual patterns of transactions, recognize these risk indicators, and immediately report such suspicious observations to the AML Compliance Officer.

What is the Role of Employees in detecting ML/FT-related Suspicious Activity?

Under the AML Compliance program, employees are considered the first line of defense against money laundering and terrorism financing. Employees play a pivotal role in identifying suspicious activity related to financial crime. Therefore, creating awareness around AML measures and identifying suspicious activities amongst employees is essential.
In addition to identifying suspicious activity, employees should be trained on adequate reporting procedures to ensure accuracy and completeness in internal reporting. This includes knowing when reporting will be done, to whom, and what details will be captured in the report.
Employees should be encouraged to ask relevant questions to determine the nature of the suspicion, including escalating the observed red flags to the departmental head.
Training shall be conducted for the employees covering real-life scenarios and case studies around money laundering or terrorism financing indicators observed by the internal staff and what actions were taken by that employee.

How to establish a robust Suspicious Activity Reporting system?

A strong system must be implemented within the regulated organization for internal reporting of suspicious activities to ensure that suspicions are reported on time and adequately addressed.

Documenting the red flags and risk indicators

For timely reporting of suspicious activity, timely identification of the potential risk indicators is essential. To assist the employees with immediate detection of the ML/FT red flags and evaluate the possibility of suspicion, the organization must include a business-specific list of risk indicators in its policy. These red flags must be well communicated amongst the team, including imparting specific training to create better awareness.

Establishing Clear Reporting Procedures

Clear reporting procedures should be designed and communicated to the relevant employees. This includes policies around who is responsible for reporting, to whom the internal report is made, how the reporting is done (through email, physical internal Suspicious Transaction Report (STR) or Suspicious Activity Report (SAR) format, etc.), who should be included in the communication trail, etc.
The details of the AML Compliance Officer, including their contact information, must be available to every employee of the regulated organization.

Ensuring Confidentiality and Employee Protection

Employees must feel comfortable reporting suspicious activity without any fear of retaliation. The information of the employee reporting the suspicious activity must be kept confidential. The regulated organization must develop adequate policies to protect employees from retaliation.

No “Tipping off”

The employees must be aware of the requirement not to disclose any information about the identified suspicion to the subject party or any third party, directly or indirectly. The employees should understand that “tipping off” is a criminal offense under UAE AML regulations and attracts hefty penalties, including imprisonment, for such contravention.

Imparting training to the employees

The employees – whether serving clients or managing client relationships – are the first to observe the potential suspicion in transactions or customer behaviour. Also, the back-office teams play a significant role in detecting the red flags while clearing the payments or generating account statements. Thus, all employees of the organization must be imparted adequate training and equipped with the necessary resources to identify the ML/FT suspicion and exercise sound judgment around the necessity to report the same to the Compliance Officer.
Imparting adequate employee training on identifying and reporting suspicious activity is very important to promote a compliance culture in the organization and receive the required contribution from the employee to prevent financial crime.

Periodically Reviewing and Updating the Suspicious Activity Reporting System

The regulated organization should regularly review the internal suspicious activity reporting procedures and system to check its effectiveness and update, if necessary, to stay compliant with UAE AML regulations.

What are suspicious activity reporting requirements under UAE AML Regulations?

The AML regulations mandate the regulated organizations to identify and report suspicious activities related to money laundering, terrorist financing, or financing of the proliferation of weapons of mass destruction.
The entire AML compliance framework revolves around effective suspicious activity reporting, including designing the AML policies and training the employees on AML to identify suspicious activities and undertake timely reporting.
A regulated organization that fails to identify and report suspicious activities in accordance with UAE AML regulations faces severe consequences, including damage to its reputation and non-compliance penalties.

How can Niyeahma assist you in implementing a robust Suspicious Activity Reporting System?

To stay AML compliant and safeguard the business against the exploitation of financial crimes, adequate systems and procedures to identify and report suspicious activities effectively are a must.
Niyeahma is a leading AML consultancy service provider, assisting clients in developing a robust AML compliance framework, including establishing internal and external suspicious activity reporting policies. With a team of experienced professionals, AML UAE imparts comprehensive AML training to the employees, covering basic concepts of ML/FT, AML measures, the organization’s internal policies and procedures, and best practices for suspicious activity reporting.
Timely identify and report suspicious activities to complete your AML Compliance circle!

About the Author

Jyoti Maheshwari

CAMS, ACA

Shining the business conduct with LBMA’s Global Precious Metals Code, 2022

London Bullion Market Association (LBMA) has issued LBMA’s Global Precious Metals Code, 2022, laying down the highest standards for business conduct expected from market participants engaged in the global Over-The-Counter (OTC) wholesale trade of precious metals.

Who is subject to LBMA’s Global Precious Metals Code?

Various participants are engaged in the Precious Metals Market, with different activities around precious metals – extraction, refining, storage, financing, transportation, trading, and marketing. The LBMA’s Global Precious Metals Code applies to all Precious Metals Market participants involved in global OTC wholesale trade, which include:
  • LBMA Members
  • Precious metals Refineries & Mining entities
  • Precious metals Logistics firms
  • Precious metals Fabricators
  • Jewellery entities
  • Financial institutions like Banks, Asset management companies, Exchange Traded Funds, Firms engaged in high-frequency trading strategies, Brokers, investment advisers, aggregators, etc.
  • Trading houses and Affirmation & settlement platforms
  • Sovereign wealth funds
  • Benchmark Administrators
All these market participants are required to implement this Code commensurate with the size and nature of the business activities.

What precious metals are governed under LBMA’s Global Precious Metals Code?

The Code sets out the standards for ensuring the highest quality conduct of the market participant engaged in activities related to the following precious metals:
  • Gold
  • Silver
  • Platinum
  • Palladium

What are the four (4) principles discussed in the LBMA's Global Precious Metals Code?

The following four principles are emphasized in the Code to ensure the global best practices in the Precious Metals Market:

A. Ethics:

All the precious metals organizations subject to this Code are expected to act professionally and ethically to maintain the integrity of the global precious metals market. They must deal with all their customers, suppliers, employees, and all other business associates in the fairest manner.
The companies are expected to implement appropriate internal policies to identify and address any conflict of interest that may compromise their code of ethics or professional standards.
The companies are expected to promote equality and avoid discrimination amongst customers, employees, etc.
The market participants are expected to impart adequate training to their employees to ensure that market obligations are discharged ethically and professionally.

B. Governance, Compliance, and Risk Management:

Market Participants are expected to identify the risks associated with their precious metals activities and implement appropriate governance and risk management frameworks to manage these risks, including a comprehensive compliance management program.
The companies are expected to evaluate the risk arising out of the following factors concerning their precious metals operations:
  • Market and credit-related risks
  • Operational and Settlement-related risk
  • Risks related to Technology & Cyber Security
  • Compliance and Legal risk
  • Business Continuity risk
  • Conduct and Reputational risk
  • Economic and Trade risk
As part of an adequate governance structure, the senior management is responsible for designing the business strategies and overseeing the business operations to ensure the company’s financial security.
Precious metals companies must comply with all the applicable rules and regulations, including the anti-money laundering framework. The internal policies must be well documented, highlighting the regulatory obligations, procedures & controls to ensure adequate compliance.
Further, the companies are expected to have well-defined lines of reporting, with clear roles and responsibilities for managing the precious metals operations. There shall be smart systems for the accurate and timely generation of MIS reports, which is necessary as part of the governance and risk management framework.
Through a well-designed whistle-blowing policy, employees must be encouraged to escalate any observed instances of inappropriate business practices or unethical behaviour of any market participants – internally and externally.
A periodic review of the governance, compliance, and risk management framework is suggested in the Code to ensure that the companies’ set operations mechanism is aligned with the highest professional standards and the applicable laws, including this LBMA’s Code. Any gaps identified by the independent reviewer must be highlighted to the senior management for their immediate action to rectify these breaches.

C. Information Sharing:

Precious metals market participants must communicate effectively and transparently within the business community. Market Participants are also expected to manage the confidentiality of critical market Information.
The companies shall not divulge confidential information that hampers standard market practices.
The communication must be fair and open, with clear language and with no or minimal use of technical jargon. Further, appropriate communication channels must be used to ensure the market’s integrity and maintain the required audit trails.
Companies are strictly prohibited from initiating or spreading rumours or circulating any misleading information which affects the best business practices of the precious metals market.

D. Business Conduct:

Precious metals companies are expected to effectively manage their pre-trade and post-trade business activities fairly and transparently.
As part of pre-trade business conduct, the market participants are expected to sign an agreement or similar document with the customers, suppliers, etc., with a clear scope of a business deal, terms of trade, and price points. Appropriate Know Your Customer and Customer Due Diligence measures must be applied before establishing any business relationship with other market participants. The companies must identify any risk associated with the customers and suppliers, including the supply-chain risk.
The precious metals trades must be executed fairly, with clear disclosure of the markups and the methods used for arriving at the markup. The markups must be determined professionally without misrepresenting any cost factors. The companies are prohibited from executing any trade against the LBMA’s precious metals benchmark (i.e., the prices determined by LBMA).
For post-trade business conduct, the company must initiate confirmation communication with the customer about the executed trade or deals that are amended or cancelled. Further, the market participants are expected to perform ongoing reviews and monitoring of the transactions, including periodic reconciliation of the customer’s accounts to identify gaps or delinquent payments.
The market participants are expected to design internal policies to ensure no trade payments are expected from unrelated third parties or cash payments exceeding a certain threshold.

How can Niyeahma assist you with developing your Code of Business Practices aligned with the LBMA’s requirements?

The Dealers in Precious Metals in UAE, engaged in the wholesale trade of gold, silver, platinum, and palladium, are expected to adopt this Global Precious Metals Code, 2022, to promote transparency and integrity of the global precious metals market.
Niyeahma is an AML consultancy firm supporting Dealers in Precious Metals and Stones to implement the AML framework and stay AML compliant. We help the DPMS develop tailor-made AML/CFT policies, procedures, and controls to identify and mitigate financial crime risks.
With our experience of dealing closely with dealers in precious metals, we understand the business operations and compliance requirements of the precious metals sector, such as the Responsible Gold Sourcing Code and the LBMA’s Global Precious Metals Code. With this, you can design a comprehensive compliance framework to manage your business operations with the highest ethical practices and professional standards while staying compliant with local and international regulatory frameworks (FATF, OECD, LBMA, etc.).

About the Author

Jyoti Maheshwari

CAMS, ACA


How to Detect High-risk Customers and Safeguard Your Business

Money laundering and terrorism financing are significant threats to the integrity of the global economy. Various countries have implemented regulatory anti-money laundering and combating of financing of terrorism (AML/CFT) frameworks, laying down detailed guidelines around how to detect high-risk customers and safeguard the business.
Similarly, UAE authorities have implemented the AML/CFT regulations covering Financial Institutions, Virtual Assets Service Providers (VASPs), and Designated Non-Financial Businesses and Professions (DNFBPs). The UAE AML regulations mandate the regulated entities to conduct customer risk assessments to detect high-risk customers and apply Enhanced Due Diligence measures.
This article discusses the aspects to be considered for identifying high-risk customers and potentially suspicious activities and developing robust customer risk assessment frameworks.

Understanding AML compliance and high-risk customers

Before discussing the identification of high-risk customers, it is essential to understand why AML/CFT compliance is necessary and what customer characteristics would be considered high-risk from a money laundering perspective.

What is AML compliance?

Money laundering is a global problem adversely impacting the security and stability of society as a whole. In money laundering, financial criminals attempt to hide the source of illegally obtained proceeds and disguise them to make it appear as though they were generated from legitimate economic activities. Through terrorism financing, criminals provide financial assistance to propagate terrorist activities.
To fight these vices, there is a need for AML/CFT compliance. AML/CFT compliance is a set of measures implemented to identify and prevent money laundering and terrorism financing activities. The AML/CFT compliance includes developing robust internal policies and procedures to identify and verify the customers and monitor their activities to detect any unusual or suspicious behaviour.
AML compliance is mandatory for regulated organizations to safeguard their businesses against exploitation by financial criminals, avoid administrative penalties for regulatory non-compliance and ensure the integrity of the business. The failure to comply with AML regulations results in huge fines, legal actions against the business and irreversible damage to the reputation of the organization.

Who are considered high-risk customers under UAE AML regulations?

The customers posing increased ML/FT risk to the business would be construed as high-risk customers under the AML framework. The following would be construed as high-risk customers from an ML/FT perspective:
  • Individuals who are Politically Exposed Persons (PEPs) and the individuals or legal persons associated with PEPs
    A PEP is a person entrusted with a prominent public function, domestically or in a foreign country, and includes the Heads of International Organizations. Given the PEP’s access to government funds and power to influence government decisions, they are more susceptible to criminal activities such as corruption and, in turn, money laundering to hide these illegal funds. The close family members and business associates would also be considered as PEPs for risk classification of the customer under AML compliance.
  • Individuals or entities hailing from or closely connected with high-risk countries
    These high-risk countries are vulnerable to a high risk of money laundering due to factors like a high rate of corruption, less transparency around business activities and beneficial ownership, and weaker AML/CFT measures, or are known to have been assisting the countries or organizations supporting terrorist activities.
  • Individuals or entities whose behaviour or transactions suggest the presence of ML/FT suspicion
    The customer’s behaviour while establishing a business relationship or conducting the customer due diligence suggests a connection with proceeds of crime, or the transactions executed by the customer are contrary to the customer’s profile.
  • Customers engaged in businesses considered high-risk, or whose business activities are associated with ML/FT typologies
    An example is a Virtual Assets Service Provider, where large amounts of fiat currency can be easily converted into cryptocurrencies and transferred across the border without actually disclosing the identity or drawing the attention of the authorities.
The AML laws of the UAE require the Financial Institutions, VASPs and DNFBPs to apply Enhanced Due Diligence (EDD) measures to these customers to manage the higher risk and determine that they are not connected with any illegal activities, money laundering or financing of terrorism.

Importance of identifying high-risk customers

Identifying high-risk customers and applying required due diligence measures to mitigate the increased risk are critical aspects of an effective AML program. It helps the regulated organization maintain integrity among the stakeholders and customers, safeguard the business from being involved in money laundering or terrorism funding activities, and stay 100% AML compliant.

Protecting your business from financial crimes

Not only is directly indulging in money laundering or terrorism financing activities a federal crime, but indirectly assisting anybody, knowingly or unknowingly, is also a crime punishable under UAE AML regulations. The regulated organizations, whether Financial Institutions, DNFBPs or VASPs, would be subject to heavy monetary fines and sanctions from the Supervisory Authority if any financial crime is executed through their business.
Hence, regulated organizations need to identify high-risk customers and apply additional verification measures to prevent the misuse of the business by financial criminals and money launderers.
The regulated organization must use rigorous identity verification checks to detect the customers connected with high-risk parameters like high-risk countries and robust transaction monitoring systems to identify unusual patterns or suspicious customer behaviour.
Once identified, high-risk customers should be subject to EDD measures, which include obtaining additional information and documents about customer identity, financial position (source of funds and source of wealth), frequent, ongoing monitoring, etc.

Meeting regulatory requirements and staying compliant

AML regulations in UAE mandate the regulated organization to apply adequate AML measures and stay 100% AML compliant. Non-compliance with AML regulatory requirements by any regulated organization calls for severe actions from the authorities, including imposing hefty administrative fines, imprisonment, restriction on the business activities or even termination of the business license.
As part of the AML Compliance program, the regulated organization must identify high-risk customers, take adequate mitigation measures, and report to the Financial Intelligence Unit (FIU) to remain AML compliant and avoid non-compliance penalties.
The regulated organizations must adhere to the UAE’s AML Federal Law, implementing Cabinet Decision and supplementary guidelines issued by the relevant Supervisory Authority. These regulations require the Financial Institutions, DNFBPs and the VASPs to implement AML compliance programs to identify and report suspicious activity. One of the critical aspects of the AML compliance framework is identifying high-risk customers.

Maintaining a solid reputation and business integrity

The regulated organizations need to protect their reputation and integrity to survive in the economy and maintain customer trust. The involvement of the regulated organizations in a money laundering scheme or any other financial crime badly damages its reputation amongst its stakeholders and customers in an irreversible manner. Identifying high-risk customers can help detect and prevent such potential indulgence in financial crime.
Conversely, implementing a strong AML culture in the organization and demonstrating a commitment towards AML compliance increases the organization’s reputation in the market. These AML measures could include comprehensive AML policies and procedures, adequate customer due diligence process, imparting AML training to employees, etc. The customers and other stakeholders are more inclined towards working with businesses compliant with the regulatory framework.
Identifying high-risk customers is critical for regulated organizations to protect themselves from getting inadvertently involved in financial crimes, stay compliant with regulatory requirements, and avoid any reputational damage. By implementing effective AML compliance programs, regulated organizations can detect suspicious elements posing higher ML/FT risks and prevent money laundering activities from occurring through their businesses.

Customer Risk Assessment and adequate Customer Due Diligence

It is pertinent to design and implement a robust customer risk assessment procedure and apply adequate Customer Due Diligence (CDD) measures to identify high-risk customers, exposing the business to increased ML/FT risks. This part of AML compliance involves identifying the customers and their Ultimate Beneficial Owners (UBOs) and verifying the customer identity and other information to create the customer’s risk profile and identify any suspicion.

Developing a risk assessment framework

It is essential to assess the risk of each customer the organization is dealing with. The customer risk assessment procedure is about obtaining customers’ identification information, like name, nationality, business activities, etc., to determine the ML/FT risk they bring. The factors to be considered while determining the customer risk are the nature of the customer, its business activities, the geography of the customers, the nature and purpose of the business relationship, transactional parameters – value, mode of payment, etc.
By developing a comprehensive customer risk assessment framework, regulated organizations can adopt a risk-based approach and prioritize the customer due diligence measures depending on the risk associated with the customers. The regulated organisation can design and implement adequate risk mitigation measures by evaluating the specific ML/FT risks associated with the customers.

Performing appropriate Customer Due Diligence

Customer Due Diligence (CDD) measures involve:
  • Identifying the customer and verifying the customer’s identity using reliable, independent sources, including the customer’s valid identification documents
  • Conducting screening against the sanctions and adverse media to check customer’s background and reputation
  • Performing customer risk assessment, based on the customer’s profile and the transactional parameters, to identify the ML/FT risk the customer is posing to the business.
The regulated organizations must design a strong CDD program, including policies, procedures, and controls. The organizations may also deploy AML software to perform CDD, such as using Artificial Intelligence or Machine Learning to screen the customers or create customer risk profiles, evaluating the customer’s identification data and documents.
The AML software can help regulated organizations to identify suspicious activities timely and immediately report the same to the authorities, reducing false positive matches.
The Customer Due Diligence process is incomplete without ongoing monitoring of the customer’s profile to identify changes in customer identification information, and ongoing transaction monitoring to determine whether the customer’s behaviour is in sync with the originally assessed risk or whether the customer risk level needs to be re-evaluated.

Enhanced Due Diligence for high-risk customers

Application of Enhanced Due Diligence (EDD) is mandatory for customers identified as high-risk. The EDD is an extension of the CDD process, requiring the regulated organizations to apply additional checks and verification measures to evaluate the customer’s identity (including the beneficial owners and the controlling parties), their financial position, the purpose of the transaction, etc.
EDD involves obtaining information about the customer’s and Ultimate Beneficial Owners’ source of funds and wealth and determining its legitimacy. Further, UAE AML regulations mandate the regulated organizations to ensure that the first payment towards their product or services is received from the customer’s bank account in a bank subject to similar CDD measures. High-risk customers and their transactions are to be subjected to increased ongoing monitoring to assess and detect any unusual patterns or suspicious activities.
No business relationship can be established or a transaction be executed with a high-risk customer without the approval of the regulated organization’s senior management.
For example, suppose a customer is associated with a high-risk country. In that case, the regulated organization must apply rigorous verification measures and implement EDD to manage the increased ML/FT risk associated with a customer hailing from a high-risk country.

Red Flags and potential risk indicators of high-risk customers

Detecting the ML/FT red flags and risk indicators is essential to determining the risk associated with a customer and classifying them as high-risk customers. Here are a few examples of ML/FT red flags that can suggest the involvement of proceeds of crime, money laundering or terrorism financing activities:

Unusual transaction patterns

Transactions inconsistent with a customer’s profile or nature of business activities, unusually large, or series of transactions over a short period can indicate money laundering activities. Additionally, transactions involving unnecessary intermediaries or multiple jurisdictions can raise red flags.
For example, if a customer with a fixed monthly income starts making large value transactions frequently, contrary to its annual income, it indicates suspicion around the source of funds.

Incomplete, fake or inconsistent information

Customers who provide incomplete, incorrect or inconsistent information are red flags, suggesting the customer attempts to hide their identity or disguise the purpose of the transaction. The regulated organizations should be cautious while verifying the customer’s identity and establishing its risk profile to determine the legitimacy of the identification information and validity of the identity documents.
If a customer provides a different address every time they interact, or multiple customers use the same contact number/email ID, it suggests a potential money laundering activity involving multiple parties across different jurisdictions. Similarly, if the customer’s identification documents prove to be forged upon verification, it is a red flag indicating potential involvement in financial crime activities and hence the need to mislead the identification.

High-risk occupations or connection with high-risk business segments

Customers with high-risk business activities, such as gambling, real estate, and precious metals, which are prone to higher exploitation by money launderers, require enhanced verification measures.
E.g., if a customer engaged in a real estate brokerage business insists on cash payment, it could be considered a potential risk indicator suggesting money laundering activities.

Geographical risk factors

Customers located in or closely connected with high-risk countries, such as those with no or weaker AML regulations, terrorist activity, or a high rate of corruption, should also be considered high-risk for the purpose of applying AML/CFT measures.
E.g., a customer from a country mentioned in the FATF’s grey list of countries subject to increased monitoring is to be considered for enhanced customer due diligence measures.
Identifying the potential risk indicators helps the regulated organization proactively detect high-risk customers and apply adequate measures to manage the increased ML/FT risk, stay compliant, and avoid non-compliance penalties.

With Niyeahma’s expertise, manage your increased ML/FT risk posed by high-risk customers

Identifying high-risk customers and deploying mitigative measures is crucial for regulated organizations to manage regulatory compliance, safeguard the business from ML/FT vulnerabilities and avoid reputational damage.
Niyeahma is an AML Consultancy service provider that offers end-to-end support in your AML compliance journey. We help clients conduct the overall Enterprise-Wide Risk assessment and design the tailor-made AML compliance framework, including controls and procedures to identify high-risk customers and enlist the potential risk indicator and red flags relevant to the business activities. We assist clients in effectively implementing the AML framework by imparting comprehensive AML training to the client’s AML/CFT Compliance Officer and the compliance team.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


The Vital Role of an AML Compliance Officer in Safeguarding VASPs in the UAE


With the increasing acceptance of virtual assets, Virtual Asset Service Providers (VASPs) also continue to grow around the globe, including in the UAE. However, given the nature of the virtual assets – anonymity involved and easy transferability – criminals misuse them for money laundering and terrorism financing activities.
To manage the exploitation of virtual assets, the countries have implemented stringent regulations and have entrusted VASPs with compliance obligations to identify and prevent the ML/FT risk. To effectively implement the AML compliance program and adhere to the regulatory requirements, the role of the anti-money laundering (AML) Compliance Officer is important for VASP.
In this article, we will discuss the role of AML Compliance Officers in ensuring AML Compliance for VASPs in the UAE.

Introduction to AML Compliance in the UAE

The UAE government intends to develop the country as an international virtual assets centre. To promote this, robust AML compliance regulations around mitigating the risk of money laundering and terrorism financing have been introduced.
To manage the activities of the virtual asset in Dubai, the government has formed a supervisory authority – the Virtual Assets Regulatory Authority (VARA) of Dubai. At the same time, there are other authorities designated to supervise the activities of the virtual asset across the UAE, such as the Financial Services Regulatory Authority for VASPs registered in Abu Dhabi Global Market (ADGM), Dubai Financial Services Authority for VASPs operating from Dubai International Financial Centre (DIFC) and Securities and Commodities Authority of UAE for rest of the 6 Emirates and free zones.
These authorities have developed and implemented comprehensive AML regulatory guidelines and rulebooks for VASPs, mandating VASPs to design solid AML frameworks and ensure compliance with international best practices and FATF recommendations around managing ML/FT risks associated with virtual assets.

The Importance of AML Compliance

Compliance with AML regulations is mandatory for various regulated organizations, including Virtual Assets Services Providers in the UAE. A robust AML compliance program will safeguard virtual asset activities against being exploited for money laundering or terrorism financing activities. Further, non-compliance with any AML obligation will lead to severe adverse consequences for the VASP, such as substantial administrative fines, reputational damage and even termination of the license to conduct virtual asset activities.
Adequate AML compliance will help VASP create customer loyalty and seek respect from various stakeholders and market players worldwide, looking at its efforts towards combating money laundering and financing terrorism.

UAE's Regulatory Framework for AML Compliance

The UAE has established a comprehensive AML regulatory framework for financial institutions, VASPs and other Designated Non-Financial Businesses and Professions (DNFBPs). The legislative framework includes the Federal Decree-Law and the implementing Cabinet Decision, specific guidance issued by the relevant supervisory authorities like the Central Bank of UAE, Securities and Commodities Authority of UAE, Ministry of Economy, Ministry of Law, etc.
These AML regulations lay down comprehensive AML requirements for regulated entities operating in the UAE, including customer due diligence measures that must be adopted before establishing a business relationship, ongoing transaction monitoring requirements, procedures for identifying and reporting suspicious transactions, etc.
The UAE government is committed to fighting financial crimes and developing the UAE as a safe and secure international financial centre. Violating the UAE’s AML regulations attracts heavy penalties and has a long-term impact on reputation.

Defining Virtual Asset Service Providers (VASPs) in UAE

In simple language, a business organization providing virtual assets-related services to its customers is a Virtual Asset Service Provider. For instance, a company operating a cryptocurrency exchange, or providing services of converting fiat currency into virtual assets or vice versa, is a VASP.
Virtual assets are digital representations of value that can be transferred or traded using distributed ledger technology. The virtual assets include cryptocurrencies like Bitcoin and Ethereum, Non-Fungible Tokens (NFTs) and other digital assets like stablecoins. VASPs are essential in facilitating virtual asset trade, transfer and use.

Types of VASP in UAE

The different types of virtual assets-related services that qualify as VASP include:
  • An exchange between virtual assets and fiat currencies or between one or more forms of virtual assets,
  • Transfer of virtual assets between wallets by way of virtual asset transactions on behalf of another person,
  • Safekeeping and administration of virtual assets owned by other persons or instruments, enabling control over virtual assets,
  • Facilitating and providing financial services related to virtual assets issuer’s offer or sale of a virtual asset into the primary or secondary market.

VASP Regulation in the UAE

To safeguard virtual assets from financial crime, the UAE has developed a robust AML regulatory framework for VASPs, including stringent licensing requirements and ongoing regulatory oversight of virtual asset activities. Along with Federal Decree-Law and the implementing guidelines, the regulatory authorities have also issued guidance and AML rulebooks for monitoring the VASP in their respective jurisdictions, such as ADGM’s FSRA, VARA, DIFC’s Dubai Financial Services Authority, etc.
The UAE’s AML regulations for VASPs are based on international best practices and the FATF recommendations around virtual assets and VASPs. The regulatory framework mandates that VASPs in the UAE comply with customer due diligence processes and sanctions screening requirements, implement transaction monitoring systems and procedures, ensure timely reporting of suspicious transactions to the Financial Intelligence Unit (FIU) and the regulatory authority, etc.

The Role of an AML Compliance Officer in VASP

To ensure effective compliance with AML obligations, the VASP must appoint a competent AML Compliance Officer or a Money Laundering Reporting Officer (MLRO). The AML compliance officer’s role is pivotal in ensuring 100% AML compliance by VASPs, including safeguarding the VASP against the evil of money laundering and terrorism financing and preventing these financial crimes.
The overall responsibility of implementing and overseeing the effectiveness of the AML compliance framework lies with the AML Compliance Officer.


The AML compliance officer in VASP is entrusted with several key responsibilities around AML compliance, such as:
  • Conducting overall business risk assessments or enterprise-wide risk assessments of the VASP, considering all the relevant risk factors posing a risk to the business
  • Designing and implementing a robust AML compliance framework aligned with the overall business risks and regulatory requirements, including policies, procedures, and controls.
  • Developing and implementing a comprehensive customer onboarding process, including Know Your Customer, Know Your Transactions, and sanctions screening.
  • Implementing the systems and procedures for assessing customer risk and applying adequate customer due diligence measures, including enhanced due diligence.
  • Defining the rules for ensuring ongoing monitoring of transactions to identify unusual patterns or suspicious activity and ensure relevance and effectiveness.
  • Identifying the potential red flags and making them part of the AML policies. A few red flags related to virtual assets activities are:
    • Structuring virtual asset transactions in small amounts,
    • Making multiple high-value transactions within 24 hours,
    • Transferring virtual assets immediately to multiple VASPs in another country where there are no AML/CFT regulations,
    • Depositing virtual assets at an exchange and then immediately withdrawing the same without any further activity,
    • Conducting a large deposit to open a new wallet with a VASP, which is inconsistent with the customer’s economic profile,
    • Conducting VA-fiat currency exchange at a potential loss,
    • The use of decentralized/un-hosted wallets.
  • Receiving internal reports on observed suspicion, investigating the same and filing the Suspicious Transaction Reports (STR) or Suspicious Activity Reports (SARs) with FIU and regulatory authorities.
  • Designing and conducting AML training programs for the employees, including senior management.
  • Conducting a periodic review of the AML program and submitting a report to the senior management.
  • Ensuring AML-related records are adequately maintained and secured from unauthorized access.

Required Skills and Qualifications

Given the importance of the AML compliance officer’s role in VASP, the designated person must have a strong understanding of AML regulations and industry knowledge and experience.
Moreover, the AML compliance officer must possess excellent communication skills supported by problem-solving approaches. Officers must be competent and independent enough to effectively manage the AML compliance requirements and prevent misuse of virtual assets for money laundering or terrorism financing activities.

Key Challenges Faced by AML Compliance Officers

AML compliance officers in VASP face various challenges in ensuring compliance with AML regulatory requirements. One of the significant challenges is keeping pace with the evolving ML/FT typologies related to virtual assets and amending AML regulations. The Compliance Officer must stay up-to-date with AML compliance obligations to avoid non-compliance penalties and safeguard the business from being exploited by criminals using new money laundering techniques.
Another challenge AML compliance officers face is managing the large volume of data about customers and transactions. Such a colossal database makes monitoring and identifying suspicious activity difficult without sophisticated AML software.
The role of the AML Compliance Officer in VASP must be independent of regular business operations and client relationship management. The Compliance Officer must balance the business and AML Compliance without compromising the AML regulatory obligations.

Implementing AML Compliance Programs in VASP

The AML compliance program in VASP must be comprehensive, aligned with the VASP’s overall ML/FT risk and capable of identifying and mitigating the money laundering and terrorist financing risks effectively. The AML compliance framework should include the methodology of conducting enterprise-wide risk assessment, customer due diligence process, ongoing transaction monitoring, compliance with FATF travel rule, AML record keeping, and procedures for identifying and reporting suspicious transactions.

Business Risk Assessment

The risk assessment process involves identifying and evaluating the money laundering and terrorist financing risks the VASP is exposed to. The Compliance Officer should consider various risk factors such as customer base, geographies, products and services, etc.

Risk Mitigation Policies, Procedures and Controls (AML Framework)

Once the overall risk has been identified, it is the role of the AML Compliance Officer to design and implement adequate risk mitigation policies, procedures, and controls. The AML framework must be aligned with the size, nature and complexity of the business activities and must be approved by the management of the VASP.

Customer Due Diligence (CDD), Know Your Customer (KYC) and Know Your Transaction (KYT) Procedures

KYC and KYT procedures are essential to identify and verify the customer’s identity and understand the transactional elements associated with the virtual asset transfer. Further, the framework should include adequate customer risk profiling procedures and implementing the Targeted Financial Sanctions (TFS) and screening requirements.
Effective customer due diligence will ensure that VASPs deal with genuine customers and do not unintentionally aid in money laundering activities by onboarding financial criminals as their customers.

Identifying and Reporting of Suspicious Activities

Adequate procedures and systems must be implemented to monitor the transactions and customer profiles to detect and report suspicion. The Compliance Officer shall ensure that potential suspicious transactions are investigated internally and only reported to the FIU and the supervisory authority if the internal examination confirms the ML/FT suspicion warranting the external reporting.
One of the important roles of the AML Compliance Officer is to ensure the timely filing of the Suspicious Transaction Report (STR) or Suspicious Activity Report on the goAML Portal.

AML Governance

The Compliance Officer must assess the AML training needs of the employees and design a comprehensive AML training program. The AML training program must be included in the AML framework, highlighting the timing, course, and employees involved in this training.
Further, periodic reviews of the implemented AML program must be conducted, and the AML Compliance Officer must submit a report to the senior management of the VASP, highlighting the AML compliance gaps and the additional mitigation measures required.

Record Keeping

AML-related records must be maintained adequately for the specified period and in an organised manner.

Collaboration with Regulatory Authorities

AML Compliance Officer, or Money Laundering Reporting Officer (MLRO), is the key contact between the VASP and the regulatory authorities. One of the key roles of the AML Compliance Officer in VASP is to ensure effective correspondence with the authorities, including the following:

Reporting of Suspicious Transactions and Activities

Identifying and reporting suspicious transactions is a crucial responsibility of AML Compliance Officers in VASP. If suspicious activities are observed, the front-line team must immediately inform the Compliance Officer, who would investigate the matter and, if reporting is required, should immediately file a SAR or STR with the FIU.

Ongoing Training and Education

The AML Compliance Officer must attend AML training sessions and workshops conducted by the authorities to be updated with evolving AML regulations and practices.

Ensuring Compliance with Evolving AML Regulations

The AML Compliance Officer must ensure that the VASP’s AML/CFT framework, including policies, procedures, and controls, is up to date with the amended regulatory requirements.

How can Niyeahma assist AML Compliance Officers in fulfilling their roles in VASPs?

AML Compliance Officer must ensure that its Virtual Asset Service Provider (VASP) complies with UAE local AML regulations and the FATF recommendations around virtual assets transactions. The role of the AML Compliance Officer in VASP is critical to identify and mitigate the financial crimes risks by developing a robust AML compliance framework.
Niyeahma is a leading AML consultancy firm, assisting VASPs in assessing the overall risk, designing and implementing an AML compliance program, establishing a competent AML compliance department and imparting adequate AML training to ensure regulatory compliance and avoid administrative fines for AML violations.


Customer Lifecycle Management and AML Compliance in the Digital World


Customer lifecycle management (CLM) has become automated, quick, and efficient in the digital world. This risk assessment environment is different from the traditional scenarios, which were characterised by tedious manual processes working in isolation, targeting specific functions and limited to particular businesses.
However, regulated entities had to forego this approach and adopt an aggressive risk management approach with acceleration in the digital world and adoption of the digital KYC mechanism.
Customer lifecycle in the digital age has witnessed a rapid transformation. As mentioned earlier, customer lifecycle processes were siloed, labour intensive, needless to say, time-consuming, and prone to errors. The focus is on digital lifecycle management, which connects disparate systems and provides a unified solution to verify customer identity efficiently. CDD – Customer Due Diligence is the primary function that needs to be performed by Financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Assets Service Providers (VASPs).
The traditional customer verification method involved an actual visit to the branch where employees would verify the hard copies of the documents. This process is becoming redundant as mobile transactions have increased drastically. Every process is completed online, such as opening bank accounts, getting a loan, creating a fixed deposit, and transferring money. The customer verification process has also shifted online, where branch visits are not necessarily required. In a changing business landscape with evolving preferences, customers need instant gratification, and branch visits are becoming a thing of the past. It has been estimated that branch visits will be drastically reduced by 36%, and there will be more than a 120% increase in mobile transactions.
Digital KYC and CDD processes will take center stage. It is estimated that by 2022, 60% of the world economy will be digitised. Such unprecedented growth requires robust measures for customer identification and verification. New digital ID systems are being extensively used to mitigate the risks arising in the evolving digitised world. It is necessary to understand how digital ID systems work and help businesses identify any fraudulent financial activity in the garb of legitimate transactions.

Digital ID systems have a few basic components:

Digital KYC information collection

The deduplication process, which is a part of identity proofing, is carried out. It involves collecting the attributes and features of a single unique identity, along with the evidence for them. The applicant’s details, such as name, age, and gender, are checked, and biometrics include fingerprints, iris scans, and facial recognition images. These, along with the government-issued IDs, are verified against the information in the database. With digital verification on the rise, the documents are stored in electronic form in databases which can be referred to as and when required. This enables identity evidence to be obtained and verified remotely.

Validation

This step verifies if the digital KYC evidence submitted is genuine and accurate. The evidence is validated by checking the information submitted against reliable sources and matching the information in the independent databases/ sources. 

Verification

This step involves confirmation that the validated identity is real and the person is the same who has been identity proofed. 

Authentication

Authentication ensures that the person seeking online/ offline account access is the same person who has been identified and verified earlier. The digital identification process is done when people need access to online activities such as accessing net banking, transferring money online via app, and seeking authorisation to complete the process. Authentication is also required when someone asks for in-person interaction to access the account or conduct other financial activity.
The best part about digital identity verification is that banks and financial institutions do not rely solely on the authenticators/ credentials issued at the time of onboarding in such scenarios. Obviously, at the time of onboarding, after all the KYC, CDD, and EDD processes are completed, the person will possess the credentials issued to them. Still, digital verification also depends on continuous authentication. They rely on data points collected during the online session, such as the IP address, geolocation, etc.

What is CDD?

The CDD process helps reporting entities to combat money laundering and other financial frauds and prevent the financing of terrorism. The process includes collecting customer information and monitoring it throughout the business relationship.  
  • Individual Customer Information: It collects customer information and verifies that the information submitted is accurate and that no false information has been submitted. The customer’s name, address, contact details, photo, occupation, unique ID number, and tax identification number are verified.
  • Business information: It includes the name of the business, the type and nature of the company, ultimate beneficial owners, source of funds, etc.
  • Risk Assessment: After the verification process is completed, the customers are categorised as low, medium, or high-risk customers. This categorisation is done after considering different factors such as the customer’s identity, location, nature of the business, and identifying PEPs and UBOs. High-risk customers require enhanced due diligence compared to the low or medium-risk profiles. The risk assessment process provides clarity on the due diligence process that needs to be followed to follow the AML compliance process correctly.  
  • Continuous Monitoring: The ongoing monitoring keeps a tab on the customers’ transaction patterns and changes in customer profiles and identifies unusual transactions.  
The CDD process becomes automated and more reliable in a digital landscape with emerging technologies such as Artificial Intelligence and Machine Learning. The introduction of biometrics has also made a massive difference in accuracy levels in identifying customers and has streamlined the process. 

How is the customer lifecycle managed with greater efficiency with tech?

Regulatory compliance and serving customers with excellence have kept businesses on their toes as they need to fulfill both purposes with equal efficiency. They need to follow the AML rules and regulations and meet the evolving customers’ expectations. So, they choose to rely on AML software to instantly identify suspicious activities, which provides timely notifications that alert them in case of any fraudulent/ unusual transaction.
New and emerging technologies are being used in the customer lifecycle management landscape, often referred to as RegTech. They have been in use for a while and focus on solving only a part of the more significant compliance problem rather than serving as a complete solution that can take over the compliance issues and risk assessment scenario and reduce the false positives. However, with better technology and the emergence of advanced AML software, financial institutions have solved compliance issues and safeguarded their reputation from being maligned by unknown risks. It is vital to adopt a risk-based approach as money launderers find innovative ways to launder their illicit money.

AML Compliance in the Digital world

Digital acceleration has changed the course of AML compliance for businesses as they need to brace themselves up to fight financial fraud and provide customers with the best experiences. Digital payments have witnessed exponential growth. So there is increased pressure on the regulated entities to overhaul their client Lifecycle management process. 
Financial and other regulated entities must mandatorily follow the AML compliance requirements. They have to diligently follow KYC (Know Your Customer), CDD (Customer Due Diligence), and EDD (Enhanced Due Diligence) to collect, verify and continuously monitor customer identity, evaluate risk profiles and keep themselves AML compliant. Apart from following the AML rules and regulations, financial institutions must focus on enhancing customer experience.

FATF guidelines on Digital ID

The FATF regularly provides guidelines for AML compliance. It is advisable to follow the procedures as it helps reporting entities brace themselves against challenges in a digitally enhanced landscape. Client verification remotely has become a prominent trend in the recent past, especially during pandemic times. 
  • Verify the customer’s identity
  • Understand and verify the type and nature of the business relationship
  • Continuous monitoring.
Where deemed necessary, the reporting entities should perform background checks for criminal records and politically exposed persons and determine the customers’ citizenship. These verification processes depend on the risk profile of the customers or the risk posed by the business transaction. 

Digital KYC- The Way Forward

Digital KYC is an online process that involves video-based KYC. It is a must to have an audio-video-enabled device.  
The reporting entity will remind the person of the online appointment for the KYC process. The customer must ensure that all the required documents are furnished for the KYC process. The institution will send a video link via message or email. The customer, with the help of an interactive online application, completes his Digital KYC. In this process, the application will capture the live video/photo and the documents to complete the verification process. It will ask for age, address, occupation, nature, type of business, political association, etc. That will be verified with the documents submitted for verification.  

Why is AML Training Important?

Employees need to be acquainted with updated knowledge on the software and methods with which they can identify fraudulent transactions and prevent financial frauds such as money laundering. It is not easy to spot fraudulent transactions such as layering, and so the employees need to be provided with technology that can aid them in strict transaction monitoring. 
Digitalization has urged financial organisations to improve their customer identification programs and sync with the evolved customer identification requirements. The digital AML process is automated at every step of customer verification, right from the customer onboarding process, customer due diligence, risk assessment, and identification of UBOs and PEPs to the Enhanced Due Diligence process, covering the entire spectrum of the customer verification process.
When digital channels have become a passage for money laundering and financial fraud, it is better to be equipped with advanced, emerging technologies such as AI and ML. AML software has built-in technologies that help identify financial scams and reduce false positives. The software helps combat money laundering and empowers financial institutions and other regulated entities to improve AML detection and thwart risks in a digitally accelerated world.

Benefits of the AML Software

The AML software is a crucial element in the AML compliance strategy. It efficiently collects the customer information- KYC, CDD, and EDD which are the foundation of an efficient AML compliance program. The software stores the data with customer identity verification processes such as KYC- Know Your Customer, CDD- Customer Due Diligence, and EDD- Enhanced Due Diligence. It efficiently verifies the customers’ identity and makes the financial institutions and other regulated entities aware of any fraudulent identity or transaction.
It evaluates the risk of being associated with a customer/ entity. So, the institution can follow appropriate measures while establishing a business relationship and continuously monitor the customer lifecycle. Moreover, the software scans the customers against a sanction list and identifies potential risks. Financial Institutions can extract more information about PEPs- Politically Exposed Persons and the UBOs- Ultimate Beneficial Owners and correctly evaluate the risk of establishing and maintaining customer relationships. 
