Best Practices for Conducting AML Customer Due Diligence

RapidAML Team

2024-05-17

Customer Due Diligence (CDD) is an important regulatory requirement in the UAE. DNFBPs and VASPs must conduct Customer Due Diligence before onboarding customers. This article provides insights into the best practices for conducting AML customer due diligence.

What is Customer Due Diligence (CDD)

Customer Due Diligence, abbreviated as CDD, is the process of identifying, assessing, and verifying who your customers are. The purpose of carrying out CDD is to understand the nature and volume of transactions expected from the customer and the potential risk factors associated with the business relationship.

At its basic level, the CDD procedure involves collecting information such as a customer’s name, address, work site details, and intentions with respect to the use of their account with the organisation. Other information, such as official documents, which include driving license, passport, and incorporation documents, is collected to ensure that the customer is being truthful and has no malicious intentions.

CDD is based on the idea that it is better for an institution to know about its clients to effectively combat money laundering (ML), terrorism financing (TF), or proliferation financing (PF) activities.

The Financial Action Task Force (FATF) Recommendation No. 10 states that financial institutions should carry out CDD procedures under the following circumstances:

  1. Establishing new business relationships
  2. In case they suspect any Money Laundering or Terrorist Financing activities
  3. They are sceptical about the authenticity of a client’s identification documents
  4. Carrying out occasional transactions exceeding USD 15,000, depending on the nature of the transaction and the circumstances.

However, regulated entities such as financial institutions, banks, insurance companies, Designated Non-Financial Businesses and Professions (DNFBPs) such as:

  • Dealers in precious Metals and Stones
  • Real Estate Agents and Brokers
  • Trust and Corporate Service Providers
  • Auditors & independent Accountants
  • Lawyers, Notaries & Other Legal Professionals

and Virtual Asset Services Providers (VASPs) in the UAE are required to conduct Customer Due Diligence in situations such as:

  • When establishing a new business relationship with a person or a legal entity
  • Occasional designated transactions equal to or exceeding AED 55,000/- call for applying adequate CDD measures
  • Occasional wire transfer for an amount equal to or exceeding AED 3,500/- call for applying adequate CDD measures
  • DNFBPs and VASPs suspect probable involvement of clients, whether existing or prospective, in activities such as ML, FT or PF
  • DNFBPs and VASPs come across customers, whether existing or prospective, who have identification documents that are inadequate, insufficient, or incomplete or arouse suspicion.

Conducting CDD helps ensure compliance with AML/CFT regulations, namely:

  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (as amended by Federal Decree Law No. (26) of 2021),
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Cabinet Resolution No. (24) of 2022),
  • The Cabinet Decision No. (109) of 2023 On Regulating the Beneficial Owner Procedures
  • Cabinet Resolution No. (132) of 2023 Concerning the Administrative Penalties against Violators of The Provisions of the Cabinet Resolution No. (109) of 2023 Concerning the Regulation of Beneficial Owner Procedures
  • Cabinet Decision No. (16) of 2021 Regarding the Unified List of the Violations and Administrative Fines for the Said Violations of Measures to Combat Money Laundering and Terrorism Financing that are Subject to the Supervision of the Ministry of Justice and the Ministry of Economy,
  • Cabinet Resolution No. (74) of 2020 regarding the Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combatting of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing, and Relevant Resolutions.

Types of Customer Due Diligence (CDD)

To determine the type of CDD that needs to be conducted on a customer, the regulated entity, such as a DNFBP or a VASP, is required to collect customer details through the Know Your Customer (KYC) process, following which name screening of the customer across applicable sanctions lists, adverse media and Politically Exposed Person (PEP) lists must be carried out. Depending on the outcome of Name Screening, a Customer Risk Assessment (CRA) must be carried out to determine the level of risk posed by the customer to the business. ML, FT or PF risk at this stage is categorised as high, medium, low, medium-high, and low-medium.
On the basis of the CRA categorisation, a regulated entity, relying on the RBA, must conduct CDD that is either Simplified, Standard or Enhanced.

If, while carrying out the Due Diligence process, the customer seems high-risk, then regulated entities have to undertake a more extensive CDD procedure. Customer Due Diligence takes place in three different yet correlated ways, namely Simplified, Standard, and Enhanced.

Simplified Due Diligence

Simplified Due Diligence is a streamlined procedure to conduct customer due diligence on customers who pose low risk to the DNFBP or VASP.

It is a basic level of investigation to verify essential information, such as the identity of parties involved.

In the case of Simplified Due Diligence, the regulated entity generally relies on readily available information to make informed decisions while ensuring compliance with relevant regulations and standards without seeking detailed information.

Standard Due Diligence (SDD)

Standard Due Diligence involves thoroughly examining all aspects of a customer’s identification documents.

The regulated entity undertakes in-depth verification of identity documents across reliable sources.

The Standard Due Diligence process involves a detailed review of the customer’s profile.

Enhanced Due Diligence (EDD)

There are certain factors about the customer that hint at a higher risk of Money Laundering or Terrorist Financing, for example, clients who are named on a Sanctions list or are classified as Politically Exposed Persons (PEP).

In such cases, it becomes mandatory for regulated entities to undertake Enhanced Due Diligence (EDD).

In the case of EDD, the following factors may be evident when identifying a high-risk client. In these cases, the regulated entity is obliged to conduct EDD measures:

  1. The client has a nominee shareholder in bearer form
  2. The client has a cash-intensive business
  3. The company has a complex ownership structure
  4. The client has an unusual way of conducting his business and establishing relationships
  5. The country of residence is different from that of the financial institution
  6. The client uses legal persons or asset-holding vehicles

There are other factors, such as Geographic Risk factors and Transaction Risk Factors, where undertaking Enhanced Due Diligence (EDD) becomes crucial.

These factors are:

Geographic Risk Factors:

Countries that represent a high risk are indicated by the following:

a. Inadequate Anti-Money Laundering system

b. Funding or supporting Terrorist motives

c. High rate of financial crime and corruption

Transaction Risk Factors:

Transactions indicating risk factors are:

a. Non-face-to-face dealings

b. Receiving payments from unidentified third parties

c. Anonymous transactions

Key Components of CDD

CDD procedures have these measures as their key components:

1. Customer Identification and Verification

DNFBPs and VASPs in the UAE are required to identify customers.

Here is a step-by-step guide to identifying customers who want to open an account. The committee has further divided it into two lists. The first list is for natural persons, and the second one is for legal entities.

The list of details that need to be obtained from the client in the case of natural persons is as follows:

  • Name
  • Address
  • Contact details and alternative contact details
  • Gender
  • Date and place of birth
  • Nationality and country of residence
  • Occupation
  • Workplace details – working email address, employer name
  • Government-issued identification number

For legal persons:

  • Name, legal form, and evidence/certification of incorporation/ trade license/ certificate of good standing
  • Permanent address and other registered addresses
  • Identification of natural persons authorised to manage the account
  • Identification details of beneficial owners
  • Nature and intent of business activities

2. Sanctions Screening

Sanctions screening involves checking individuals and entities against the list of sanctioned parties to prevent interaction with prohibited parties (UAE Local Terrorist List, UN Consolidated List).

It is crucial for compliance with respect to international regulations and local laws. This procedure utilises specialised sanctions screening software to compare data against the sanctions list produced by the regulatory authorities.

If a match is found, a Funds Freeze Report (FFR) or Partial Name Match Report (PNMR) is submitted to the FIU. In the case of suspicion as to ML/TF, a Suspicious Transactions Report (STR) or Suspicious Activity Report (SAR) is submitted through the goAML portal.

3. Customer Profile Management

The regulated entity gathers all the relevant information about the customer, including their business, occupation, income level, and the value and volume of transactions, and develops a comprehensive customer profile.

4. Customer Risk Assessment

Customer Risk Assessment under Anti-Money Laundering regulations involves evaluating the potential risk posed by a customer. The regulated entity takes into consideration various risk factors like geography, product, service, transaction, delivery channel, customer, technology, etc., to assess the risks associated with the customer.

5. Customer Acceptance

As per the customer acceptance policy, the customer is onboarded, and if the risks associated with a customer are unacceptable, the business relationship with the customer is not established.

6. Ongoing Monitoring

What we mean by “Ongoing Monitoring” is the ongoing assessment of business relationships. This step is crucial because, while certain transactions might not initially seem suspicious, they could, over time, hint at a pattern of irregular behaviour that necessitates changing a customer’s risk profile.

The following are included in continuous monitoring:

  • Monitoring a client’s financial transaction during a business affiliation to confirm that their risk tolerance is appropriate for the work they do
  • Remaining alert to any possible changes in the risk profile or any other factors that might raise questions
  • Preserving all relevant records, papers, data, and information that might be needed for CDD purposes in a secured place

All business engagements should follow the best practice of continuous monitoring, but like other CDD measures, it can be tailored to the customer’s risk profile.

7. Investigation

If a customer enters into suspicious transactions or conducts suspicious activities, an investigation is conducted, and an STR or SAR is filed with the FIU.

8. Documentation

As per the Federal AML/CFT Laws, regulated entities are required to maintain AML/CFT documentation and records for a period not less than 5 years in the UAE Mainland. Documentation of the CDD procedures and related records plays a huge role in fulfilling this obligation. The duration for maintaining records varies from one supervisory body to another, which regulated entities must keep in mind. For instance, refer to the table below to understand AML/CFT record-keeping duration requirements under various supervisory bodies in the UAE.

| Sr. No | Area of Operation | Applicable to | Supervisory Body | Prescribed Data Retention Period |
|---|---|---|---|---|
| 1 | UAE Mainland and Free Zones | DNFBPs | Ministry of Economy | Five [5] years |
| 2 | Abu Dhabi Global Market | DNFBPs & VASPs | Financial Services Regulatory Authority | Six [6] years |
| 3 | Dubai International Financial Centre | DNFBPs & VASPs | Dubai Financial Services Authority | Six [6] years |
| 4 | Dubai (Except DIFC) | VASPs | Virtual Assets Regulatory Authority | Eight [8] years |
| 5 | UAE (Except DIFC, VARA) | VASPs | Securities & Commodities Authority (SCA) | Ten [10] years |

9. Staff Training

Employee training and awareness around CDD requirements is a must to fulfil the legal obligations around customer onboarding.

Why is Customer Due Diligence Required?

  • CDD guarantees that the regulated entity uses risk-aware CDD procedures.
  • CDD process offers an extensive understanding of the ML/TF risk involved in a business relationship.
  • CDD procedures allow the regulated entity to identify the beneficial owners in order to understand the rationale behind a customer using a complicated corporate structure.
  • In cases where customers are unable to produce common forms of identification, the CDD process provides a degree of flexibility and alternate means for customers to verify their identities without negatively affecting the business.

Legal Obligations of DNFBPs to Carry Out Customer Due Diligence

DNFBPs stands for Designated Non-Financial Businesses and Professions. DNFBPs are entities that are not financial institutions but are still vulnerable to being used for Money Laundering purposes (e.g., real estate agents involved in the sale and purchase of real estate, dealers in precious metals, companies providing accounting and auditing services, lawyers, notaries, etc.).

Given the scope of DNFBP practices and their exposure to several risk areas relating to money laundering and terrorist financing (ML/FT), the following legal obligations arise:

  • DNFBPs must identify and verify the identity of their customers before establishing a business connection to carry out any transaction.
  • DNFBPs must understand the nature of their customers’ businesses and the objective behind the intended transaction. This helps in understanding the risks associated with them.
  • Continuous monitoring is required to report any unusual or suspicious activity promptly.
  • DNFBPs are obligated to maintain up-to-date records of customers’ identity and transactional activity. These records should be preserved as per regulatory requirements.
  • Abide by any other regulations as and when required.

Failure to abide by these regulations results in administrative and financial penalties for DNFBPs, which could be as grave as the institution’s license being cancelled.

Customer Due Diligence Best Practices

The best Customer Due Diligence practice involves a systematic and thorough approach to assessing and managing risks associated with clients. Key aspects include:

1. Crafting CDD Policies and Procedures

Developing a clear CDD policy outlining criteria for assessing risks, customer identification and verification process, and other protocols.

2. CDD Policies and Procedures Implementation

Assigning responsibility for effectively implementing CDD procedures to designated personnel. Deploy appropriate KYC software, Screening Software, Customer Risk Assessment Software, and Case Management Software to support CDD processes effectively.

3. Staff Training

Educating staff on CDD policies, procedures, and regulatory requirements. Providing necessary training on recognising suspicious activities and unusual customer behaviour.

4. Sanctions Screening

Integrate the name-screening software into customer onboarding processes for real-time screening. The software helps in efficient and accurate sanctions screening, further aiding in reduced onboarding time and increased automated flow, leading to straight-through processing.

5. PEP Screening

Under the CDD process, PEP screening identifies any prominent political personality, either domestic or international. It helps determine if a customer is a PEP or a relative or close associate of a PEP and whether there is any risk associated with that person with respect to carrying out transactions.

6. Adverse Media Checks

Adverse media checks, also called Negative News Screening, are a crucial step in identifying any negative information associated with customers. Open sources can be utilised to monitor relevant news and events.

Conclusion

AML Customer Due Diligence serves as a robust mechanism in safeguarding DNFBPs against money laundering and terrorist financing activities. Be it simplified, standard, or enhanced, CDD plays a crucial role in combating financial fraud, including ML, FT and PF. It aids in catching red flags at an early stage and prevents regulated entities from engaging in illegal transactions.

Jyoti Maheshwari

Jyoti is a Chartered Accountant and Certified Anti-Money Laundering Specialist (CAMS), having around 7 years of hands-on experience in regulatory compliance, legal advisory, policy-making, tax consultation, and technology project implementation.

Jyoti holds experience with Anti-Money Laundering regulations prevalent across various countries. She helps companies with risk assessment, designing and deploying adequate mitigation measures, and implementing the best international practices to combat money laundering and other financial crimes.

CAMS, ACA
