Anti-money laundering obligations for DNFBPs

DNFBPs have an important role to play in preventing money laundering, terrorist financing, proliferation financing, the financing of illegal organisations and sanctions non-compliance (collectively referred to as “money laundering”) risks which could impact financial systems and economies. Acting as gatekeepers, they are exposed to large amounts of information and act on behalf of their customers in many transactions. These transactions can be highly vulnerable to money laundering risks, which could be due to the product or service being offered by the DNFBP.

The importance of the role played by DNFBPs in protecting against money laundering is evident from the recent influx of enforcement action against DNFBPs in the region.

To comply with applicable AML rules and legislation, firms are required to have adequate resources and systems and controls in place, including policies and procedures, to enable the firm to comply with AML requirements.

Firms who are looking to become registered in one of the freezones as a DNFBP will need to satisfactorily demonstrate to the relevant regulator that the firm is fit and proper to perform AML functions, including the firm’s understanding of the applicable rules.

Keeping up to date with relevant publications such as the legal persons and arrangements risk assessments produced by the UAE National Anti-Money Laundering and Combatting Financing of Terrorism and Financing of Illegal Organizations Committee (“NAMLCFTC”) and freezone regulators will help firms to understand, mitigate and manage applicable money laundering risks.

Key considerations

We have put together an overview of the systems and controls that DNFBP firms will need to consider putting in place, whether the firm is a real estate agency, tax advisory business, accounting firm, audit firm, dealer in precious metals, or a law firm; having adequate systems and controls in place once you have registered as a DNFBP is key to protecting customers and building a successful relationship with the regulator.

MLRO

It is a requirement to appoint a Money Laundering Reporting Officer (“MLRO”) to assist the firm in adhering to the rules. The MLRO must be a resident in the UAE and can be either an in-house resource or outsourced to a third-party provider.

The individual appointed should have a good understanding of money laundering risks as well as local AML rules and legislation. The MLRO should also have appropriate experience in performing his/her role. The responsibilities of an MLRO are extensive, including acting as the point of contact to receive notifications from relevant employees, making Suspicious Activity Reports (“SAR”), and acting as the AML point of contact within the firm for UAE authorities and regulators. The MLRO will implement and have oversight of the day-to-day operations of the firm for compliance by the firm with AML policies, procedures, systems and controls.

The process to appoint an individual as MLRO involves assessing whether the individual will be able to carry out the role effectively, is fit and proper to do so, and that there are no conflicts of interest. Where there are conflicts of interest, the firm must be able to demonstrate how these are effectively managed.

Following the firm’s assessment of the individual, an application form will be completed, senior management approval must be sought and the application, along with supporting documents will be submitted to the relevant regulator. Depending on the freezone, the process may involve the regulator simply acknowledging the appointment or asking for further information prior to this. Alternatively, there may be an approval process that can include an interview of the appointed individual.

The firm should be prepared for questions from the regulator on the assessment it has undertaken to determine that the individual is suitable to perform the role.

The firm is also expected to appoint a deputy to carry out the role of MLRO when the MLRO is not available.

Training

The MLRO is responsible for establishing, maintaining, and overseeing an appropriate AML training programme and adequate awareness arrangements. The training and awareness should be proportionate to the AML risks of the business and the role of the employees.

The freezone regulators prescribe the content of the training which should include topics such as; key understanding of money laundering, internal AML policies, systems and controls, suspicious activity reporting and its red flags, and the firm’s management responsibilities in preventing money laundering.

It is expected that AML training is delivered to all relevant employees as soon as reasonably practicable after commencing employment, this includes senior management, operational staff, any employee from the firm’s group who is involved in the firm’s AML system (if the firm is part of a group), and any employee with customer contact or contact with customer monies or assets. Training should then be conducted at least annually thereafter.

Adequate training records must be maintained, this should include the date, nature, the attendees of the training and the training materials.

AML Policies and Procedures

The firm must establish effective AML policies and procedures, these should not just reiterate the rules but explain the processes your firm has in place with regard to topics such as suspicious activity reports, reliance on a third party, AML training, customer due diligence and business risk assessments.

A risk-based approach should be taken when producing these policies, and policies should be introduced to manage and mitigate the money laundering risks identified within the Business AML Risk Assessment (“BARA”).

The policies and procedures should be specific to the customer type and act as a guide for employees who will be undertaking customer due diligence. Generally, the document will include templates for conducting a customer risk assessment and for performing customer due diligence based on the risk that has been assigned.

The AML policies and procedures should be reviewed annually or sooner if required. They should be easily accessible to all relevant employees.

Business AML risk assessment (“BARA”)

A BARA assists the firm in identifying AML risks that it may be vulnerable to and details the systems and controls in place to try to mitigate those risks. These vulnerabilities may relate to the types of customers and their activities, the countries they are associated with, or the nature of the products and services being offered. This is not a comprehensive list, however, and there may be more.

The BARA should be produced at the outset and approved by senior management. It is a live document that should be revisited at least annually or sooner if any changes occur. The outcome of the BARA must be considered when developing policies, procedures, systems and controls.

When producing the BARA, firms should review the outcome of the UAE National Risk Assessment (“NRA”). Within the BARA, consideration should be given to the money laundering risks in the sector which the firm operates in.

According to the UAE NRA, DNFBP’s both onshore and offshore are susceptible to a medium or high-risk level of being used for money laundering. Firms should be aware of the ways in which they may be vulnerable to being used by money laundering perpetrators and understand the ways in which they can prevent this. Customers to be aware of may include politically exposed persons (“PEP”), high net worth individuals, customers in vulnerable business sectors and customers’ activities conducted in high-risk jurisdictions.

The UAE Financial Intelligence Unit (“FIU”) produce reports on trends and typologies which may be read by firms to keep their knowledge up to date, that are over and above the risks outlined in the UAE’s NRA.

Screening requirements

Firms are obliged to conduct screening prior to onboarding a customer, when there is a hit found based on the ongoing screening that is applied to the customer, when a customer is due for CDD periodic review, and when there are any changes in the customer’s KYC details.

The screening should include the customer, beneficial owners, and any other related parties. Screening should also highlight PEP involvement, adverse media, and any enforcement actions.

Ongoing screening should be conducted continually on the firm’s customer database with some screening providers offering this on a real-time basis.

Sanctions implementation

It is expected that firms have a proper understanding of their obligations regarding Targeted Financial Sanctions (“TFS”), considering both local and international sanctions. It is mandatory for firms to subscribe to the sanctions notification system on the Executive Office for Control and Non-Proliferation (“EOCN”) website.

Firms are obligated to screen their customer database after receiving the notification by the EOCN, this includes beneficial owners and any persons or organisations they have a direct link to. If a partial or exact match is found against the sanction list, the firm should proceed with Applying TFS. The last step is to report via the GoAML system using the appropriate form.

Suspicious activity reports

Employees of the firm must be aware of what constitutes suspicious activity and be prepared to report this, when necessary. The firm should have proper training for the employees in detecting suspicious activities and introduce procedures for dealing with it. This includes internal reporting by the employee to the MLRO and external reporting by the MLRO via the GoAML system.

All firms must register on the UAE FIU GoAML system before conducting their business activities and the MLRO contact details should be kept up to date.

The GoAML system allows reports to be submitted for suspicious activities, suspicious transactions, any transaction within a high-risk jurisdiction and in relation to potential and exact name matches from sanction screening.

The GoAML system also captures regular reporting that must be carried out by dealers in precious metals and stones and real estate agents.

Requests from competent authorities

Reporting entities should be aware of the UAE FIU’s Integrated Enquiry Management System (“IEMS”), launched in April 2023. The platform allows for the free flow of communications between the UAE FIU, all UAE law enforcement authorities and reporting entities. Requests may include those which are issued to all reporting entities in relation to AML/counter-terrorist financing and financial crime investigations, the collective responses can thereby accelerate assistance to UAE law enforcement authorities.

Reporting and notification obligations

The semi-annual MLRO report will document the review of the firm’s AML framework. The report should be reviewed by the senior management and, depending on the jurisdiction, may need to be submitted to the regulator. There is no deadline in place for the production of the semi-annual MLRO report, however, as best practice, firms should ensure this is produced bi-annually and submitted to senior management for approval.

An AML return must be completed by the firm on an annual basis, the channel to submit and the template will be provided by the firm’s regulator. The AML return is comprehensive and may require information in relation to systems and controls in place during the period and details of customers onboarded, including their PEP involvement, the jurisdiction of the customers and risk rating. The return must be approved by the senior management and submitted to the regulator by the deadline.

DFNBP’s must notify the regulator of any changes to their name, legal status, address, MLRO, senior management or beneficial ownership and if it ceases to carry on the business activities that establish it as a DNFBP.

Enforcement

To reflect the vulnerabilities of money laundering to DFNBPs, regulators have powers to suspend or withdraw the registration of a DNFBP if deemed necessary, following a breach of the regulatory law or the rules. Not forgetting that the penalties under UAE Federal Law can also be severe with fines of up to Dhs5Mn or life imprisonment for some offences.

It is crucial to have in place an adequate AML framework to protect your business, customers and your relationship with the regulator. Over the past year we have seen several cases of the DFSA and ADGM taking action against firms that are not complying with the law. We have set out below some examples:

Case study 1
Fine: USD26,000

Business type: Legal consultants

Supervisory authority: ADGM

The ADGM imposed a financial penalty against a legal consultancy firm for contraventions of AML requirements. The regulator has taken the action set out in their enforcement notice because the firm failed to:

• maintain effective AML policies, procedures, systems and controls by failing to complete its registration for the ‘GoAML’ AML reporting system
• ensure that its policies, procedures, systems and controls comply with Federal AML Legislation
• ensure that its policies, procedures, systems and controls are enabled for suspicious persons and transactions to be detected and reported, and be open and cooperative in its dealings with the regulator.

Case study 2
Fine: USD8,400

Business type: Legal consultants

Supervisory authority: DFSA

On 10 January 2023, the DFSA fined a DIFC registered legal consultant firm USD8,400 for failure to submit its 2021 and 2022 AML returns by the specified deadlines, despite several follow-up reminders by the DFSA and the receipt of a regulatory concern letter.

Case study 3
Fine: USD72,000

Business type: Company Service Provider (“CSP”)

Supervisory authority: ADGM

The ADGM conducted a review of the CSP’s activities and operations which was focused on assessing the CSP’s compliance with AML compliance practices. The ADGM imposed a hefty penalty on the CSP after the following findings:

• failure to verify customer’s identity
• failure to identify and verify the source of wealth and funds for a high-risk customer
• failure to conduct ongoing customer due diligence.

How Waystone Compliance Solutions can help you

We offer DNFBP firms operating in the DIFC and ADGM various AML services to ensure they remain compliant on a day-to-day basis. This includes providing:

• outsourced individuals specialised to fill roles such as MLRO
• support services, even if you have the resources available, you may need to obtain an expert view on an issue or require us to provide an independent AML review of the business and its operations
• AML training on an annual or ad-hoc basis, to all relevant employees, our subject matter experts can design and deliver practical, risk-based compliance training that is focused on embedding essential knowledge and understanding of the rules and regulations which apply to your business
• AML compliance documentation, that is comprehensive and practical including manuals, policies and procedures to meet the precise needs of your business.

We also provide guidance to firms in the early stages through the ADGM or DIFC incorporation process, ensuring a smooth and efficient launch for the business.

If you would like to find out more about how we can assist your firm, please reach out to your usual Waystone representative or to our Middle East Solutions team.

Contact us