On 1 August 2022, the Central Bank of the United Arab Emirates (the "CBUAE") issued "Guidance for Licensed Financial Institutions ("LFIs") on the risks relating to payments" (the "Guidance").
The purpose of the Guidance is to assist LFIs in understanding their statutory obligations under the following laws:
- Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations as amended by Decree Federal Law No. (26) of 2021;
- Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations as amended by Cabinet Decision No. (24) of 2022; and
- Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution.
The Guidance applies to all natural and legal persons licensed and/or supervised by the CBUAE.
In recent weeks, we have seen increased regulatory scrutiny by the CBUAE of LFIs. It has issued multiple fines to exchange houses and banks for anti-money laundering ("AML") related compliance failures and non-compliance of due diligence requirements. As such, the Guidance, which takes into account standards and guidance issued by the Financial Action Task Force ("FATF"), is a welcomed addition for LFIs when navigating and seeking to comply with the UAE's AML/CFT legislation. The CBUAE requires LFIs to demonstrate compliance with the Guidance by 1 September 2022.
It appears that the CBUAE's increased enforcement appetite reflects its commitment to increase efforts to assist in combatting money laundering offences in the UAE following the UAE's addition to FATF's grey list (a list of jurisdictions that are subject to increased monitoring by the FATF due to gaps in their AML/CFT regimes) in March 2022.
Overview
By way of summary, the Guidance sets out details of:
- money laundering and terrorist financing risks associated with the payment sector and for LFIs providing services to payment sector participants;
- AML/CFT obligations under CBUAE regulations;
- risk assessment guidelines;
- preventative measures for LFIs providing products and services directly to customers;
- preventive measures for LFIs providing services to other payment sector participants;
- requirements with respect to sanctions;
- requirements with respect to transaction monitoring and suspicious transaction reporting; and
- information on governance and training requirements.
Following an increase in the emergence of innovative technologies and subsequent developments in the payments sector, customers now find themselves being offered an array of new and diverse payment products and services ("NPPS") which do not share one single risk profile. As such, it is important for LFIs to remain alert to unforeseen risks posed by highly intermediated payment transactions where no single entity participating in the transaction (a "Participant") has visibility to allow it to fully understand the entire transaction and all parties involved. For example, each Participant may consider the information they have received with respect to the transaction as legitimate; however, without full visibility of the whole transaction it is difficult for a single Participant to determine that a transaction is illicit. In such circumstances, it is possible that there could be a transaction involving a series of Participants in which one or more of them are not regulated. An important risk that arises here is that such non-regulated entities are not subject to the same level of supervision and regulatory oversight as the regulated entities. It is conceivable that a regulated entity that is party to a transaction involving a number of Participants could assume that other Participants are, for example, conducting due diligence on counterparties when they are not. That would then leave the regulated entities exposed with respect to non-compliance with AML/CFT requirements.
As prescribed by the FATF, LFIs are expected to take a risk-based approach to mitigating and managing money laundering and financing terrorism risk. This starts with an assessment of the LFI's payments-related risks. The Guidance is particularly helpful to LFIs as it sets out certain risk factors for them to consider when conducting risk assessments on a payment product or service ("PPS"), NPPS and relationships it maintains with other Participants. This includes:
- Movement of funds: What are the financial flows in connection with the PPS?
- Mode of funding: How are users funding their PPS accounts?
- Peer-to-peer payments: Which parties are involved with the PPS?
- Cross-border movement: Are high-risk countries involved with the PPS?
- Regulatory status: What is the regulatory status of the PPS in other jurisdictions where it is provided?
- Use of agents and affiliates: Who and how many parties are involved in providing the PPS?
- Intermediation: Does the LFI have visibility of all elements of the PPS?
- Controls: Are there appropriate controls in place to manage the risks associated with the PPS?
The Guidance also provides details on customer due diligence, enhanced due diligence and ongoing monitoring. Of note is the guidance with respect to digital and electronic due diligence, the use of IP addresses and geographical locators, stored value facility due diligence, merchant due diligence and chargeback monitoring. The Guidance highlights elements of electronic customer due diligence that are particularly important in the context of NPPS, given the increased risk present where these services are delivered digitally and the customer is not fully known. Specifically, the Guidance reminds LFIs that they must use the online validation gateways of the UAE government to verify a customer's Emirates ID and retain a copy of it along with its digital verification record. Electronic customer due diligence may also be supplemented through the use of geographic location tools, for instance, by reviewing a customer's log-in locations during a due diligence refresh to identify suspicious log-in attempts or movement patterns. This demonstrates the CBUAE's recognition of the changing payments landscape and an increase in risks due to the development in payments-related technology.
In the Guidance, the CBUAE sets out direction on LFIs' AML/CFT obligations so that LFIs may ensure that they maintain effective control and oversight over all aspects of the transactions to which they are a Participant, even where such transactions involve multiple other Participants and are part of a more complex and extended transaction chain. The Guidance emphasises that LFIs are ultimately responsible for monitoring all transactions processed or conducted through them, irrespective of which other Participants may be involved in the intermediated transaction chain. This extends to LFI's obligations to identify and report suspicious transactions and activity implement and maintain appropriate sanctions compliance programmes to screen transactions related to its PPS or NPPS and understand other Participants sanctions screening approaches.
LFIs have specific obligations under the UAE's AML/CFT legislation to comply with the legal and regulatory framework regarding targeted financial sanctions and to apply directives issued by the competent UAE authorities that implement the decisions of the United Nations Security Council under Chapter (7) of UN Convention for the prohibition and suppression of the financing of terrorism and proliferation of weapons of mass destruction. The Guidance reminds LFIs that they are also required to register with the Integrated Enquiries Management System ("IEMS"), an online portal system introduced by the UAE Financial Intelligence Unit ("UAE FIU"). The purpose of IEMS is to facilitate the execution process of requesting information and implementing decisions of public prosecutions regarding AML/CFT matters. Through IEMS, the UAE FIU may, for instance, send simultaneous requests for information to all LFIs in order to efficiently provide assistance to law enforcement authorities.
Finally, the Guidance sets out specific criteria that LFIs must endeavour to incorporate into the design of their legally mandated AML/CFT governance and training frameworks. This includes additional employee training, agent governance and training and ensuring the clear allocations of AML/CFT responsibilities among LFIs. For instance, any LFI that provides PPS should assume full responsibility for customer due diligence. In our view, the CBUAE has included this additional guidance to mitigate the risks associated with having unregulated Participants involved in a transaction, where such Participants AML/CFT responsibilities may not be clearly defined elsewhere.
[View source.]