AML-CFT Guide | White & Case srl

On August 1, 2022, the Central Bank of the United Arab Emirates (the “CBUAE”) issued “Guidelines for Licensed Financial Institutions (“LFIs”) on Payments Risk” (the “Guidelines”).

The purpose of the Guide is to help DFIs understand their statutory obligations under the following laws:

  • Federal Decree-Law No. 20 of 2018 on the fight against money laundering and the fight against the financing of terrorism and illegal organizations, as amended by Federal Decree-Law No. (26) of 2021;
  • Cabinet Decision No. (10) of 2019 on the Implementing Regulations of Federal Decree-Law No. 20 of 2018 on Combating Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended by Cabinet Decision No. (24) of 2022; and
  • Cabinet Decision No. (74) of 2020 regarding the Regulation of Terrorist Lists and the Implementation of United Nations Security Council (UNSC) Resolutions on Suppression and Countering of Terrorism, Terrorist Financing, fight against the proliferation of weapons of mass destruction and its financing and the relevant resolution.

The Guide applies to all natural and legal persons approved and/or supervised by the CBUAE.

Over the past few weeks, we have witnessed increased regulatory oversight by the CBUAE of LFIs. It has issued multiple fines to brokerages and banks for anti-money laundering (“AML”) compliance failures and failing to meet due diligence requirements. As such, the Guide, which takes into account the standards and guidance issued by the Financial Action Task Force (“FATF”), is a welcome addition for DFIs as they navigate and seek to comply with AML legislation. /CFT of the UAE. The CBUAE requires LFIs to demonstrate compliance with the guidelines by September 1, 2022.

It appears that the CBUAE’s increased appetite for law enforcement reflects its commitment to increase its efforts to help combat money laundering offenses in the UAE following the addition of the Emirates. Arab States to the FATF Gray List (a list of jurisdictions that are subject to increased scrutiny by the FATF due to deficiencies in their AML/CFT regimes) in March 2022.


By way of summary, the Guidelines detail:

  • money laundering and terrorist financing risks associated with the payments industry and for DFIs providing services to participants in the payments industry;
  • AML/CFT obligations under CBUAE regulations;
  • risk assessment guidelines;
  • preventive measures for DFIs providing products and services directly to customers;
  • preventative measures for DFIs providing services to other players in the payments industry;
  • penalty requirements;
  • transaction monitoring and suspicious transaction reporting requirements; and
  • information on governance and training requirements.

Following an increase in the emergence of innovative technologies and subsequent developments in the payments industry, customers are now being offered a range of new and diverse payment products and services (“NPPS“) that do not share a unique risk profile. As such, it is important that DFIs remain vigilant to the unforeseen risks posed by highly intermediated payment transactions when no entity participating in the transaction (a “Participant“) has visibility to fully understand the entire transaction and all parties involved. For example, each participant may consider the information they have received regarding the transaction to be legitimate; however, without complete visibility of the he transaction as a whole, it is difficult for a single participant to determine that a transaction is illicit. In such circumstances, it is possible that there is a transaction involving a series of participants, one or more of whom are unregulated. A significant risk that arises here is that such unregulated entities are not subject to the same level of regulatory oversight and oversight as regulated entities. It is conceivable that a regulated entity that is a party to a transaction involving multiple participants may assume that other participants perform, for example, due diligence on counterparties when they are not, which would then expose regulated entities to non-compliance with AML/CFT requirements.

As prescribed by the FATF, DFIs must adopt a risk-based approach to mitigate and manage the risk of money laundering and terrorist financing. It starts with an assessment of the risks related to the IFL payments. The Guide is particularly useful to DFIs as it sets out certain risk factors that they should consider when carrying out risk assessments on a payment product or service (“PPS“), NPPS and its relationships with other participants. This includes:

  • Movement of funds: What are the financial flows linked to the PPS?
  • Funding method : How do users fund their PPS accounts?
  • Peer-to-peer payments: Who are the parties involved in the PPS?
  • Cross-border movement: Are high-risk countries involved in the PPS?
  • Regulatory status: What is the regulatory status of PPS in other jurisdictions where it is supplied?
  • Use of Agents and Affiliates: Who and how many parties are involved in delivering the PPS?
  • Intermediation: Does the FIS have visibility on all the elements of the PPS?
  • Controls: Are appropriate controls in place to manage the risks associated with PPS?

The Guide also provides details on customer due diligence, enhanced due diligence and ongoing monitoring. Of note are the guidelines for digital and electronic due diligence, use of IP addresses and geolocators, stored value facility due diligence, merchant due diligence, and chargeback monitoring. The Guide highlights elements of e-customer due diligence that are particularly important in the context of NPPS, given the heightened risk present when such services are delivered digitally and the customer is not not fully known. Specifically, the Guide reminds LFIs that they must use the UAE Government’s online validation gateways to verify a customer’s Emirates identity and keep a copy with their digital verification record. Electronic customer due diligence can also be supplemented by the use of geo-tracking tools, for example by examining a customer’s login locations during a due diligence refresh to identify connection attempts or suspicious movement patterns. This demonstrates CBUAE’s recognition of the changing payments landscape and increased risk due to the development of payment-related technologies.

In the Guidelines, the CBUAE sets out guidelines on the AML/CFT obligations of DFIs so that DFIs can ensure that they maintain effective control and supervision over all aspects of transactions in which they are a participant. , even when these transactions involve several other participants and are part of a more complex and extended chain of transactions. The guidance emphasizes that DFIs are ultimately responsible for monitoring all transactions processed or effected through them, regardless of other participants that may be involved in the chain of intermediated transactions. This extends to LFI’s obligations to identify and report suspicious transactions and activities, to implement and maintain appropriate sanctions compliance programs to screen transactions related to its PPS or NPPS, and to understand other approaches to participant sanction screening.

DFIs have specific obligations under the UAE AML/CFT legislation to comply with the legal and regulatory framework regarding targeted financial sanctions and to apply directives issued by the competent authorities of the UAE which implement the decisions of the Board United Nations Security Council under Chapter (7) of the Convention for the Prohibition and Suppression of the Financing of Terrorism and the Proliferation of Weapons of Mass Destruction. The Guide reminds DFIs that they are also required to register with the Integrated Application Management System (“IEMS“), an online portal system introduced by the UAE Financial Intelligence Unit (“UAE FIU“). The purpose of the IEMS is to facilitate the process of executing the request for information and the implementation of the decisions of public prosecutions in AML/CFT matters. Through the intermediary of the IEMS, the UAE FIU can, for example, send simultaneous requests for information to all LFIs in order to efficiently provide assistance to law enforcement authorities.

Finally, the Guide sets out specific criteria that DFIs should strive to incorporate into the design of their legally mandated AML/CFT governance and training frameworks. This includes additional employee training, governance and officer training and ensuring a clear division of AML/CFT responsibilities between DFIs. For example, any LFI that provides PPS should take full responsibility for customer due diligence. In our view, the CBUAE has included these additional guidelines to mitigate the risks associated with the involvement of unregulated participants in a transaction, where such participants’ AML/CFT responsibilities may not be clearly defined elsewhere.

[View source.]

Comments are closed.