Money laundering usually involves illegally acquired money, often termed “black money” or “dirty money,” being concealed, disguised, moved, rotated, or exchanged amongst several hands to wash off the traces of its origin, which is generated from criminal activity. This process of washing off the traces of the origin of black money is known as money laundering.
Why do people launder money?
Money laundering is carried out with the intention of avoiding suspicion or detection by law enforcement agencies to avoid conviction, imprisonment, fines, and freezing or confiscation of such illicit funds.
What is money laundering risk?
Money laundering risk refers to the probability that criminals could misuse legal or natural persons as a channel to carry out their illegal activities. Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs) must identify, assess, and understand the Money Laundering (ML) risk to mitigate it effectively.
The Stages of Money Laundering
The crime of money laundering is executed in three stages, known as placement, layering and integration.
DNFBPs and VASPs need to ensure that their business is not used as a medium to conduct money laundering activities by money launderers as they are prone to be misused by launderers due to the nature of their business, which involves multiple geographies and modes of transactions, complex business structures, products, and services across various jurisdictions.
Red Flags and Indicators of Money Laundering
The best way to ensure that DNFBPs and VASPs can safeguard themselves from money laundering is to ensure that all relevant personnel of the DNFBPs and VASPs are made aware of the Money Laundering and Financing Terrorism (ML/FT) risk indicators or ML/FT red flags.
These ML/FT risk indicators can be broadly classified into the following categories, with some of the examples of such red flags, including but not limited to:
What are DNFBPs
Designated Non-Financial Businesses and Professions (DNFBPs) are those entities or businesses that are involved with the following commercial activities:
DNFBPs are vulnerable to money laundering because, being a non-financial sector, they are not regulated as strictly as the banking and financial sectors are. DNFBPs are exposed to ML/FT and risks arising out of the following reasons:
Example of DNFBP’s vulnerability to money laundering:
Money launderers can buy, hold, or sell high-value diamonds and liquidate them in any country, transport those easily, escaping the scrutiny of authorities to conceal the illegal origin of dirty money and proceed with structuring and integration.
What are VASPs
Virtual Asset Service Providers (VASPs) are businesses that are engaged in Virtual Assets or “VA” services. VAs include digital representations of amounts that have a digital existence and can be traded or transferred digitally or utilised for payment or investment purposes. Examples of VAs include bitcoin, dogecoin, and ether. Virtual Assets do not include fiat currencies, shares, securities, or other e-money instruments.
VASPs conduct one or more operations on behalf of a company or individual, such as:
VA activities and VASPs are prone to high ML/FT and PF risk due to their basic nature: easy access to the Internet, offering anonymity while dealing with virtual assets. This anonymity feature attracts criminals who want to avoid scrutiny under usual channels when carrying out their transactions. The unique ML/FT risks associated with VASPs are as follows:
The UAE federal laws and FATF recommendations require DNFBPs and VASPs to implement a Risk-Based Approach (RBA) to mitigate their exposure to ML/FT risks. The RBA consists of measures, systems, and controls that are specifically designed to identify, assess, mitigate, and address the ML/FT risks that differ from business to business.
Why a One-Size-Fits-All Approach to AML doesn’t Work
The one-size-fits-all approach while implementing the RBA is not effective as ML/FT risk exposure will differ from business to business as each business, be it DNFBP or VASP, is unique and distinct in terms of their business model, risk factors such as customers, geographies, delivery channels, use of technology, tax regimes, sanctions requirements, or potential events of sanctions evasions. The identification of inherent risks, risk appetite, and assessment of residual risk would differ from business to business, which would cause every business’s RBA component to be different. Also, relying on a one-size-fits-all approach would lead to over-compliance or under-compliance of AML/CFT measures.
Importance of Identifying Risk Levels for Customers and Transactions
One important element of the RBA is customer and transaction risk profiling, which evaluates the risk levels of customers and transactions. The process of assigning risk levels involves
Having identified the risk levels for customers and transactions would enable the DNFBPs and VASPS to have a clear idea about the level of risk posed by each customer and transaction and the degree of risk mitigation measures to be applied for that particular customer or transaction, which is applying Enhanced Due Diligence Measures for high-risk customers or Simplified Due Diligence Measures for low-risk customers, resulting in an effective and robust AML/CFT compliance measures.
A risk-based AML/CFT program for DNFBPs is essential to ensure that their internal policies, procedures, and controls of the DNFBPs are in accordance with the requirements of the UAE federal law and are up to the standards recommended by the FATF. The risk-based AML/CFT program helps the DNFBPs to take adequate due diligence measures while considering the findings of the national risk assessment and the other relevant risk factors.
An ideal risk-based AML/CFT would consist of three major elements, as discussed below:
Customer Due Diligence (CDD)
Risk-based Customer Due Diligence measures contain steps and processes such as follows:
Further, the factors to be considered while conducting risk-based CDD are:
Enhanced Due Diligence (EDD)
As the name suggests, Enhanced Due Diligence refers to CDD measures with increased intensity and level of scrutiny, such as:
The risk-based AML/CFT policies, procedures, and controls must contain details of:
Transaction Monitoring
Transaction monitoring is an essential element of a risk-based AML program. DNFBPs are required to have their policies, procedures, and controls in alignment with enterprise-wide risk assessment and have measures in place to identify, list out, and have processes in place to assess potentially suspicious transactions.
The senior management of the DNFBPs must approve of the risk-based AML/CFT program and AML/CFT policies and procedures and must also oversee the onboarding of high-risk customers with their approval. The DNFBPs need to appoint a competent Compliance Officer who can supervise AML/CFT compliance requirements. Customer-facing personnel and relevant personnel must be adequately trained to implement the risk-based AML/CFT program effectively.
VASPs need to formulate a risk-based AML/CFT program to ensure compliance with UAE federal laws and the FATF recommendations. The essential elements of VASP’s risk-based AML program include the following:
KYC (Know Your Customer) for VASPs
The authorities encouraged VASPs to rely on technological solutions to conduct the CDD process. The Know Your Customer (KYC) process for VASPs can include the use of tools that facilitate verifying and confirming their customers’ identification by clicking or uploading selfies using the customer’s own cell phones to authenticate their identity. VASPs are also required to screen their customers across various international sanctions lists with the VA and VA wallet addresses. As a part of adequate CDD requirements, VASPs need to include the beneficiary account details, with the originator account details, along with their respective IP addresses and wallet addresses. These details should be monitored on a regular basis.
Importance of Verifying Virtual Asset Identities
VA identities need to be verified to ensure compliance with the UAE federal laws and to mitigate ML/FT risks to which the VASPs are prone. The process of identifying and verifying VA identities helps VASPs in the following ways:
Monitoring Transactions for Suspicious Activity
VASPs need to have a risk-based AML program with steps and procedures in place that enable VASPs to monitor their customer relationships by identifying, evaluating, and reporting suspicious activities and transactions to the Financial Intelligence Unit (FIU) through the goAML portal. The VASPs AML/CFT program should contain ML/FT typologies relevant to VASPS along with red flags of ML/FT that help the personnel of VASPs become aware of red flags.
Building a Robust AML Compliance Framework
The ML/FT and PF risks for DNFBPs and VASPs and the UAE federal laws require building a robust and effective AML Compliance framework. The key elements of an effective AML Compliance Framework include the following elements:
Establishing a Strong AML Culture
Any AML compliance framework is only as effective in combating ML/FT and PF as the type of compliance culture that exists within the DNFBPs and VASPs. The Senior Management is responsible for setting the tone of the AML compliance culture, as they are the top management. The employees of the DNFBPs and VASPs need to be educated about ML/FT and PF typologies relevant to their organisation and encouraged to report to the compliance officer. The compliance officer is responsible for reporting suspicious activities and transactions to the FIU (Financial Intelligence Unit) and ensuring that the AML/CFT program, policies and procedures are implemented across the organisation.
Training and Awareness Programs for Staff
The AML/CFT framework of DNFBPs and VASPs needs to provide for the training of their relevant employees (customer-facing staff, compliance officer, and senior management) regarding ML/FT red flags, ML/FT typologies, ML/FT reporting, and record-keeping requirements to ensure that they are well aware of their individual responsibilities towards preventing ML/FT and PF incidences.
Record-Keeping and Reporting Requirements
The AML compliance framework of DNFBPs and VASPs needs to provide for documenting their AML compliance procedures and policies and maintain records of the customer information derived during the CDD, EDD, AML training logs, training attendance lists, Risk assessment methodologies and outcomes, internal suspicious activities reports and transactions for the period prescribed by their supervisory body.
Internal Controls and Risk Management Processes
The AML framework for DNFBPs and VASPs needs to contain the processes that they undertake to control the ML/FT and PF risks. The risk management process includes steps taken to identify, assess and mitigate ML/FT and PF risks the business is exposed to, such as enterprise-wide risk assessments where the risk mitigation is done on the basis of various risk factors such as customers, geographies, transactions, delivery channels, and so on.
Utilising Technology to Enhance AML Compliance
The AML framework of DNFBPs and VASPs needs to include the details of the technology they rely on while conducting AML compliance processes, as the use of AML software solutions is encouraged by federal laws. DNFBPs and VASPs may rely on several AML solutions, such as name-screening software, customer onboarding and risk assessment tools, and case management tools, while ensuring that such tools are compliant with regulatory requirements.
Transaction Monitoring Tools
The AML framework must provide details of the transaction monitoring tools relied upon by the DNFBPs and VASPs. Transaction monitoring is essential to identify any deviation or change in the customer profile during the course of the business relationship. The deviations, changes, or updates to a customer’s profile are alerted by the transaction monitoring tool to the user, usually the compliance team or customer-facing team, enabling them to take corrective action such as requesting additional or fresh information or filing suspicious activity or suspicious transaction reports.
Customer Identification and Verification Systems
The AML compliance framework needs to include the details of customer identification and verification systems relied upon and ensure that adequate record-keeping measures are taken to document the customer identification and verification details of each customer that the DNFBPs or VASPs intend to onboard. The customer identification and verification systems will help the DNFBPs and VASPs ensure that the CDD and EDD requirements of the UAE federal laws are adequately complied with.
Conclusion: Protecting Your Business and the Financial System
The DNFBPs and VASPs operating in the UAE need adequate ML/FT risk identification and assessment mechanisms to effectively mitigate ML/FT risks by educating their relevant personnel about the ML/FT typologies, building strategies and AML/CFT compliance framework based on a risk-based approach where the risk mitigation measures are applied in proportion to the risks to which their individual businesses are exposed.
To effectively identify and report suspicious money laundering activities and transactions, the relevant employees of the DNFBPs and VASPs need to be trained and educated about what incidences or activities consist of money laundering, what are money laundering risks the DNFBPs and VASPs exposed to by being aware of the ML/FT typologies and red-flags and the basic ML risk mitigation framework that their organisation has in place to counter ML/FT and PF.
The senior management and compliance officers of DNFBPs and VASPs also need to remember that ML/FT risk assessment is unique for each business, and a one-size-fits-all approach cannot be relied upon while implementing risk mitigation mechanisms.
ML/FT risk mitigation needs to be carefully tailored to fit the AML/CFT compliance needs according to the nature, size, sector, area of operations, number and types of customers, volume of business, their desired modes of transaction, which varies from business to business. However, the generic requirements of the robust AML compliance framework are discussed to update the DNFBPs and VASPs on the basic requirements of the UAE federal laws and FATF recommendations.
Pathik is a Chartered Accountant with over 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing robust AML compliance frameworks. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.
Pathik's expertise extends to guiding businesses in navigating complex regulatory landscapes, ensuring adherence to FATF and other international standards, and mitigating financial crime risks. He is a recognised thought leader in AML/CFT, frequently sharing insights on emerging compliance challenges on various platforms.
Join our Waitlist