Entire Section
Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (AML) [VER17/04-20]
AML 1 AML 1 Introduction
AML 1.1 AML 1.1 Application
AML 1.1.1
This module (AML) applies to:
(a) everyRelevant Person in respect of all its activities carried on in or from theDIFC ;(b) the persons specified in Rule 1.2.1 as being responsible for aRelevant Person's compliance with this module; and
except to the extent that a provision of AML provides for a narrower application.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 1.1.2
For the purposes of these Rules, a
Relevant Person means:(a) anAuthorised Firm other than aCredit Rating Agency ;(b) anAuthorised Market Institution ;(c) aDNFBP ; or(d) aRegistered Auditor .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]AML 1.2 AML 1.2 Responsibility for compliance with this module
AML 1.2.1
(1) Responsibility for aRelevant Person's compliance with this module lies with every member of its senior management.(2) In carrying out their responsibilities under this module every member of aRelevant Person's senior management must exercise due skill, care and diligence.(3) Nothing in this Rule precludes theDFSA from taking enforcement action against any person including any one or more of the following persons in respect of a breach of any Rule in this module:(a) aRelevant Person ;(b) members of aRelevant Person's senior management; or(c) anEmployee of aRelevant Person .Derived from RM117/2013 [VER9/07-13]AML 1.3 AML 1.3 Application table
AML 1.3 Guidance
Relevant Person Applicable Chapters Authorised Person 1–14 Representative Office 1–5* 10- 14 Registered Auditor 1 -8 10–14 DNFBP 1–8 10–15 * Chapters 6–9 are unlikely to apply to a
Representative Office as such an office is only permitted to carry on limited activities in theDIFC and therefore must not haveCustomers .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 2 AML 2 Overview and Purpose of the Module
AML 2 Guidance
1. In this module, for simplicity, a reference to "money laundering" also includes terrorist financing and the financing of illegal organisations (see AML Rule 3.1.1).Overview of the DIFC's AML regime
2. TheDIFC is governed by two separate and complementary regimes in relation to AML regulation, both administered by the DFSA:a. The Federal regime: Under Article 3 of Federal Law No. 8 of 2004, the provisions of Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations and Federal Law No. 7 of 2014 on Combating Terrorism Offences and the implementing regulations under those laws apply in theDIFC . The DFSA, as the DIFC's supervisory authority for Relevant Persons for the purposes of those laws, is obliged to supervise and monitor Relevant Persons for compliance with provisions of the Federal laws and regulations. The DFSA may also impose administrative penalties for breaches of those laws and the implementing regulations. See Article 14 of Federal Law No. 20 of 2018, Article 44 of Cabinet Decision No. 10 of 2019, and Article 20 of Cabinet Decision No. 20 of 2019; andb. TheDIFC regime: Under Article 70(3) of the DIFC Regulatory Law 2004 (the "Regulatory Law"), the DFSA has jurisdiction for the regulation of anti-money laundering in theDIFC relating toRelevant Persons (see para 4 below) and their officers, employees and agents. TheDIFC specific regime is contained in Chapter 2 of Part 4 of the Regulatory Law and any DFSA Rules made in connection with anti-money laundering measures, policies and procedures.3. Note that under Article 71(1) of the Regulatory Law, theDIFC regime requires compliance with the Federal regime. It follows that a failure to comply with a provision of Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations or Federal Law No. 7 of 2014 on Combating Terrorism Offences or the implementing regulations under those laws may also provide evidence of failure to comply with Article 71(1), which may then be addressed under the disciplinary and remedial provisions of the Regulatory Law and DFSA Rules.Purpose of the AML module
4. The AML module has been designed to provide a single reference point for all persons and entities (collectively calledRelevant Persons ) referred to in AML Rule 1.1.2 who are supervised by theDFSA forAnti-Money Laundering (AML),Counter-Terrorist Financing (CTF) and sanctions compliance. Accordingly it applies toAuthorised Firms (other thanCredit Rating Agencies ),Authorised Market Institutions ,Designated Non-Financial Businesses and Professions (DNFBPs), andRegistered Auditors . The AML module takes into consideration the fact thatRelevant Persons have differing AML risk profiles. ARelevant Person should familiarise itself with this module, and assess the extent to which the chapters and sections apply to it.5. The AML module cannot be read in isolation from other relevant U.A.E. legislation or developments in international policy and best practice and, to the extent applicable,Relevant Persons need to be aware of, and take into account, how these aforementioned matters may impact on theRelevant Person's day to day operations. This is particularly relevant when considering the list of persons and terrorist organisations issued under Cabinet Decision No. 20 of 2019 and the United Nations Security Council Resolutions (UNSCRs) which apply in theDIFC , and unilateral sanctions imposed by other jurisdictions which may apply to aRelevant Person depending on theRelevant Person's jurisdiction of origin, its business and/or customer base.Structure of the AML module
6. Chapter 1 of this module contains an application table which should assist aRelevant Person to navigate through the module and to determine which chapters are applicable to it. Chapter 1 also specifies who is ultimately responsible for aRelevant Person's compliance with the AML module. TheDFSA expects the senior management of aRelevant Person to establish a robust and effective AML/CTF and sanctions compliance culture for the business.7. Chapter 2 provides an overview of the AML module and chapter 3 sets out the key definitions in the module. Note that not all definitions used in this module are capitalised.8. Chapter 4 explains the meaning of the risk-based approach (RBA), which should be applied when complying with this module. The RBA requires a risk-based assessment of aRelevant Person's business (in chapter 5) and its customers (in chapter 6). A risk-based assessment should be a dynamic process involving regular review, and the use of these reviews to establish the appropriate processes to match the levels of risk. No twoRelevant Persons will have the same approach, and implementation of the RBA and the AML module permits aRelevant Person to design and implement systems that should be appropriate to their business and customers, with the obvious caveat being that such systems should be reasonable and proportionate in light of the AML risks. TheDFSA expects the RBA to determine the breadth and depth of the Customer Due Diligence (CDD ) which is undertaken for a particular customer under chapter 7, though theDFSA understands that there is an inevitable overlap between the risk-based assessment of the customer in chapter 6 andCDD in chapter 7. This overlap may occur at the initial stages of customer on-boarding but may also occur when undertaking on-goingCDD .9. Chapter 8 sets out when and how aRelevant Person may rely on a third party to undertake all or some of itsCDD obligations. Reliance on a third-partyCDD reduces the need to duplicateCDD already performed for a customer. Alternatively, aRelevant Person may outsource some or all of itsCDD obligations to a service provider.10. Chapter 9 sets out certain obligations in relation to correspondent banking, wire transfers and other matters which apply to Authorised Persons , and, in particular, to banks.11. Chapter 10 sets out aRelevant Person's obligations in relation to United Nations Security Council resolutions and sanctions, and government, regulatory and international findings (in relation to AML, terrorist financing and the financing of weapons of mass destruction).12. Chapter 11 sets out the obligation for aRelevant Person to appoint a Money Laundering Reporting Officer (MLRO ) and the responsibilities of such a person.13. Chapter 12 sets out the requirements for AML training and awareness. ARelevant Person should adopt the RBA when complying with chapter 12, so as to make its training and awareness proportionate to the AML risks of the business and the employee role.14. Chapter 13 contains the obligations applying to allRelevant Persons concerningSuspicious Activity Reports , which are required to be made under Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.15. Chapter 14 contains the general obligations applying to allRelevant Persons , includingGroup policies, notifications, record-keeping requirements and the annual AML Return.16. Chapter 15 sets out specific Rules applying toDNFBPs , including the requirement to register with theDFSA , and Chapter 16 contains certain transitional Rules.The U.A.E. criminal law
17. TheU.A.E. criminal law applies in theDIFC and, therefore, persons in theDIFC must be aware of their obligations in respect of the criminal law as well as these Rules. RelevantU.A.E. criminal laws include Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations, Federal Law No. 7 of 2014 on Combating Terrorism Offences and the Penal Code of the U.A.E.18. Under Federal AML legislation a Person may be criminally liable for certain conduct, such as:
a. money laundering;b. financing terrorism;c. financing illegal organisations;d. 'tipping off';e. violation of sanctions;f. failure to declare currency or precious metals brought into or taken out of the U.A.E.19. The U.A.E Central Bank has the power under Federal AML legislation to freeze funds or other assets suspected of relating to money laundering, terrorist financing or the financing of illegal organisations. Other Federal authorities also have powers to apply for the freezing or confiscation of funds or other assets that have been used for such purposes.20. In a number of places in this module, Guidance cross-refers to specific requirements in Federal AML legislation. Rules or Guidance in this module should not be relied upon to interpret or determine the application of the Federal AML legislation.Relevant Persons should refer to the guidelines issued under the Federal AML legislation to understand their obligations under that legislation..Financial Action Task Force
21. TheFinancial Action Task Force (FATF ) is an inter-governmental body whose purpose is the development and promotion of international standards to combat money laundering and terrorist financing.22. TheDFSA has had regard to theFATF Recommendations in making these Rules. ARelevant Person may wish to refer to theFATF Recommendations and interpretive notes to assist it in complying with these Rules. However, in the event that aFATF Recommendation or interpretive note conflicts with a Rule in this module, the relevant Rule takes precedence.23. ARelevant Person may also wish to refer to theFATF typology reports which may assist in identifying new money laundering threats and which provide information on money laundering and terrorist financing methods. TheFATF typology reports cover many pertinent topics forRelevant Persons , including corruption, new payment methods, money laundering using trusts and company service providers, and vulnerabilities of free trade zones. These typology reports can be found on theFATF website www.fatf-gafi.org.24. TheU.A.E. , as a member of the United Nations, is required to comply with sanctions issued and passed by the United Nations Security Council (UNSC). These UNSC obligations apply in theDIFC and their importance is emphasised by specific obligations contained in this module requiringRelevant Persons to establish and maintain effective systems and controls to comply with UNSC sanctions and resolutions (See chapter 10).25. TheFATF has issued guidance on a number of specific UNSC sanctions and resolutions regarding the countering of the proliferation of weapons of mass destruction. Such guidance has been issued to assist in implementing the targeted financial sanctions and activity based financial prohibitions. This guidance can be found on theFATF website www.fatf-gafi.org.26. In relation to unilateral sanctions imposed in specific jurisdictions such as the European Union, the U.K. (HM Treasury) and the U.S. (Office of Foreign Assets Control), theDFSA expects aRelevant Person to consider and take positive steps to ensure compliance where required or appropriate.Tax Issues and Exchange of Information for Tax purposes
27. TheDIFC benefits from an international customer base with a growing number of customers who may be investing with financial institutions outside their country of residence. These factors create a risk of the services ofRelevant Persons being used to hide assets which are subject to taxation, or to launder the unlawful proceeds of tax crimes.28. The DFSA is committed to protecting theDIFC from being used to facilitate tax crimes and believes that strong AML policies, procedures, systems and controls, including robust customer due diligence requirements, are needed to mitigate the risk of tax crimes.29. Such measures will also ensure that aRelevant Person is able to comply with other international obligations such as the OECD Automatic Exchange of Information for Tax Purposes Programme and FATF Recommendations, which were updated in 2012 to expand the scope of money laundering predicate offences to include tax crimes (related to direct and indirect taxes).30. ARelevant Person should therefore establish and maintain appropriate policies, procedures, systems and controls to enable it to detect and deter the laundering of proceeds of tax crimes. For example, as part of its risk-based approach under chapter 4, it should consider its tax risk exposure as a result of the nature of its business, customers, products, services and other relevant factors. It should also conduct appropriate customer due diligence to identify customers who may be subject to tax crime risk (see also the Guidance after AML Rule 6.1.4).Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 3 AML 3 Interpretation and Terminology
AML 3.1 AML 3.1 Interpretation
AML 3.1.1 AML 3.1.1
A reference in this module to "money laundering" in lower case includes a reference to terrorist financing and the financing of illegal organisations unless the context provides or implies otherwise.
Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 3.1.1 Guidance
Chapter 6, section 6.2, of the General (GEN) module sets out how to interpret the Rulebook, including this module.
Derived from RM117/2013 [VER9/07-13]AML 3.2 AML 3.2 Glossary for AML
AML 3.2 Guidance
1. In order to make this module easier to read, some of the defined terms in this module have not had the initial letter of each word capitalised in the same way as in other Rulebook modules.2. Some of the defined terms and abbreviations in this module may also be found in theDFSA's Glossary module (GLO). Where a defined term in this module does not appear in Rule 3.2.1, aRelevant Person should look in GLO to find the meaning. In addition, AML Rule 9.3.2 of this module sets out definitions relevant to AML section 9.3 (Electronic fund transfers).3. In accordance with the interpretation provisions in theRegulatory Law , a reference to legislation includes a reference to the legislation as amended or re-enacted from time to time.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 3.2.1
In this module, the terms and abbreviations listed in the table below have the following meanings:
AML Means either "anti-money laundering" or this Anti-Money Laundering, Counter-Terrorist Financing and Sanctions module, depending on the context. Authorised Person Means an Authorised Firm or anAuthorised Market Institution .Beneficial Owner (1) In relation to a customer, means a natural person who ultimately owns or controls the customer or a natural person on whose behalf a transaction is conducted or a business relationship is established, and includes:
(a) in relation to a body corporate, a person referred to in AML Rule 7.3.3 (2) or (4);(b) in relation to a foundation, a person referred to in AML Rule 7.3.5 (2) or (3); and(c) in relation to a trust or other similar legal arrangement, a person referred to in AML Rule 7.3.6 (2) or (3).(2) In relation to a beneficiary of a life insurance or other similar policy, means a natural person who ultimately owns or controls the beneficiary.
body corporate Any body corporate, including a limited liability partnership, whether constituted under the law of the
DIFC , anEmirate , theState or any other country or territory.Branch Means a place of business within the DIFC :(a) which has no separate legal personality;(b) which forms a legally dependant part of aRelevant Person whose principal place of business and head office is in a jurisdiction other than theDIFC ; and(c) through which theRelevant Person carries on business in or from theDIFC .Cabinet Decision No. 10 of 2019 Means Federal Cabinet Decision No. 10 of 2019 on the Implementing Regulation of Federal Law No. 20 of 2018. Cabinet Decision No. 20 of 2019 Means Federal Cabinet Decision No. 20 of 2019 regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing and Proliferation of Weapons of Mass Destruction, and Related Resolutions. Client Has the meaning in chapter 2 of the Conduct of Business module. company service provider Means a person, not falling into parts (1)(a) to (e) or (g) of the definition of a DNFBP that, by way of business, provides any of the following services to a customer:(a) acting as a formation agent of legal persons;(b) acting as (or arranging for another person to act as) a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;(c) providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or any other legal person or arrangement; or(d) acting as (or arranging for another person to act as) a nominee shareholder for another person.Contract of Insurance Has the meaning in GEN Rule A4.1.1. CTF Means counter-terrorist financing. customer Unless otherwise provided, means: (a) a person where, in relation to a business relationship between the person and aRelevant Person , there is a firm intention or commitment by each party to enter into a contractual relationship or where there is a firm commitment by each party to enter into a transaction, in connection with a product or service provided by theRelevant Person ;(b) aClient of anAuthorised Firm ;(c) aMember or prospectiveMember of, or an applicant for admission ofSecurities to trading on, anAuthorised Market Institution ;(d) in relation to aSingle Family Office , a member of theSingle Family ; or(e) a person with whom aRelevant Person is otherwise establishing or has established a business relationship.Customer Due Diligence (CDD)Means the measures referred to in AML section 7.3. Designated Non-Financial Business or Profession (DNFBP)Means: (1) The following class of persons whose business or profession is carried on in or from theDIFC :(a) a real estate developer or agency which carries out transactions with a customer involving the buying or selling of real property;(b) a dealer in precious metals or precious stones;[deleted](d) a law firm, notary firm, or other independent legal business;(e) an accounting firm, audit firm or insolvency firm;(f) a company service provider; or(g) aSingle Family Office .(2) A person who is anAuthorised Person or aRegistered Auditor is not aDNFBP .DIFC entityMeans a legal person which is incorporated or registered in the DIFC (excluding a registeredBranch ).Domestic Fund A Fund established or domiciled in theDIFC .Employee Means an individual: (a) who is employed or appointed by a person in connection with that person's business, whether under a contract of service or for services or otherwise; or(b) whose services, under an arrangement between that person and a third party, are placed at the disposal and under the control of that person.Enhanced Customer Due Diligence Means undertaking Customer Due Diligence and the enhanced measures under Rule 7.4.1.FATF Means the Financial Action Task Force. FATF RecommendationsMeans the publication entitled the "International Standards on Combatting Money Laundering and the Financing of Terrorism and Proliferation" as published and amended from time to time by FATF .Federal AML legislation Means all U.A.E Federal Laws and their implementing regulations relating to money laundering, terrorist financing and the financing of illegal organisations, as well as sanctions compliance, including Federal Law No. 20 of 2018, Federal Law No. 7 of 2014, Cabinet Decision No. 10 of 2019 and Cabinet Decision No. 20 of 2019. Federal Law No. 20 of 2018 Means U.A.E Federal Law No.20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.Federal Law No. 7 of 2014 Means U.A.E Federal Law No. 7 of 2014 on Combating Terrorism Offences. FIU The Financial Intelligence Unit of the U.A.E. Financial Institution A regulated or unregulated entity, whose activities are primarily financial in nature. Financial Services Regulator Means a regulator of financial services activities established in a jurisdiction other than the DIFC. foundation Means a foundation established under the DIFC Foundations Law 2018 or under any other law.Governing Body Means the board of directors, partners, committee of management or other governing body of: (a) aBody Corporate orPartnership ; or(b) an unincorporated association carrying on a trade or business, with or without a view to profit.Group Means a Group of entities which includes an entity (the 'first entity') and:(a) any parent of the first entity; and(b) any subsidiaries (direct or indirect) of the parent or parents in (a) or the first entity; or(c) for a legal person which is not a body corporate, refers to that person and any other associated legal persons who are in an equivalent relationship to that in (a) and (b).Illegal Organisation An organisation the establishment or activities of which have been declared to be criminal under Federal AML legislation. IMF The International Monetary Fund. International Organisation Means an organisation established by formal political agreement between member countries, where the agreement has the status of an international treaty, and the organisation is recognised in the law of countries which are members. Law Means the Regulatory Law. legal arrangement Means an express trust or any other similar legal arrangement. legal person Means any entity other than a natural person that can establish a customer relationship with a Relevant Person or otherwise own property. This can include companies, bodies corporate or unincorporate, foundations, anstalten, partnerships, associations, states and governments and other relevantly similar entities.Member A person admitted as a member of an Authorised Market Institution in accordance with its Business Rules.MENAFATF The Middle East and North Africa Financial Action Task Force. Money Laundering Reporting Officer (MLRO)Means the person appointed by a Relevant Person pursuant to Rule 11.2.1(1).natural person Means an individual. OECD The Organisation for Economic Co-operation and Development. person Means a natural or legal person. Politically Exposed Person (PEP)Means a natural person (and includes, where relevant, a family member or close associate) who is or has been entrusted with a prominent public function, whether in the State or elsewhere, including but not limited to, a head of state or of government, senior politician, senior government, judicial or military official, ambassador, senior person in an International Organisation, senior executive of a state owned corporation, an important political party official, or a member of senior management or an individual who has been entrusted with similar functions such as a director or a deputy director.
This definition does not include middle ranking or more junior individuals in the above categories.Registered Auditor Has the meaning given to that term in the Regulatory Law Regulated Exchange Means an exchange regulated by a Financial Services Regulator .Regulated Financial Institution A person who does not hold a Licence but who is authorised in a jurisdiction other than theDIFC to carry on any financial service by anotherFinancial Services Regulator .Relevant Person Has the meaning given to that term in Rule 1.1.2. senior management Means: (1) In relation to a
Relevant Person every member of theRelevant Person's executive management and includes:(a) for aDIFC entity, every member of theRelevant Person's Governing Body ;(b) for aBranch , the person or persons who control the day to day operations of theRelevant Person in theDIFC and would include, at a minimum, the senior executive report or equivalent officer, such as the managing director; or(c) for aRegistered Auditor , every member of theRelevant Person's executive management in theU.A.E. (2) In relation to a customer that is a body corporate, every member of the body corporate's Governing Body and the person or persons who control the day-to-day operations of the body corporate, including its senior executive officer, chief operating officer and chief financial officer.
Shell Bank A bank that has no physical presence in the country in which it is incorporated or licensed and which is not affiliated with a regulated financial group that is subject to effective consolidated supervision. Simplified Customer Due Diligence Means Customer Due Diligence as modified under Rule 7.5.1.Single Family Has the meaning given to that term in the DIFC Single Family Office Regulations.Single Family Office Has the meaning given to that term in the DIFC Single Family Office Regulations.source of funds Means the origin of funds which relate to a transaction or service and includes how such funds are connected to the source of wealth of a customer of Beneficial Owner .source of wealth Means how the global wealth or net worth of a customer or Beneficial Owner is or was acquired or accumulated.State Means the U.A.E. Suspicious Activity Report (SAR) Means a report regarding suspicious activity (including a suspicious transaction) made to the FIU under Federal Law No. 20 of 2018 and Cabinet Decision No. 10 of 2019.transaction Means any transaction undertaken by a Relevant Person for or on behalf of a customer in the course of carrying on a business in or from theDIFC .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]
[Amended] DFSA RM156/2015 (Made 9th December 2015) [VER35/02-16]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 4 AML 4 Applying a Risk-Based Approach
Figure 1. The Risk-Based Approach (RBA)
Derived from RM117/2013 [VER9/07-13]AML 4.1 AML 4.1 The Risk-Based Approach
AML 4.1.1 AML 4.1.1
A
Relevant Person must:(a) assess and address its AML risks under this module by reviewing the risks to which the person is exposed as a result of the nature of its business, customers, products, services and any other matters which are relevant in the context of money laundering and then adopting a proportionate approach to mitigate those risks; and(b) ensure that, when undertaking any risk-based assessment for the purposes of complying with a requirement of this module, such assessment is:(i) objective and proportionate to the risks;(ii) based on reasonable grounds;(iii) properly documented; and(iv) reviewed and updated at appropriate intervals.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 4.1.1 Guidance
1. Rule 4.1.1 requires aRelevant Person to adopt an approach to AML which is proportionate to the risks. This is called the "risk-based approach" ("RBA") and is illustrated in figure 1 above. TheDFSA expects the RBA to be a key part of theRelevant Person's money laundering compliance culture and to cascade down from the senior management to the rest of the organisation. Embedding the RBA within its business allows aRelevant Person to make decisions and allocate AML resources in the most efficient and effective way.2. In implementing the RBA, aRelevant Person is expected to have in place processes to identify and assess money laundering risks. After the risk assessment, theRelevant Person is expected to monitor, manage and mitigate the risks in a way that is proportionate to the Relevant Person's exposure to those money laundering risks. The general principle is that where there are higher risks of money laundering, aRelevant Person is required to take enhanced measures to manage and mitigate those risks, and that, correspondingly, when the risks are lower, simplified measures are permitted.3. The RBA discourages a "tick-box" approach to AML. Instead aRelevant Person is required to assess relevant money laundering risks and adopt a proportionate response to such risks. The outcome of using the RBA is akin to using a sliding scale, where the type ofCDD undertaken on each customer will ultimately depend on the outcome of the risk-based assessment made of such customer under this chapter.4. The Rules regarding record-keeping for the purposes of this module are in section 14.4. These Rules apply in relation to Rule 4.1.1(b)(iii).Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 5 AML 5 Business Risk Assessment
Figure 2. Business risk-based assessment
Derived from RM117/2013 [VER9/07-13]AML 5.1 AML 5.1 Assessing business AML risks
AML 5.1.1
A
Relevant Person must:(a) take appropriate steps to identify and assess money laundering risks to which its business is exposed, taking into consideration the nature, size and complexity of its activities;(b) when identifying and assessing the risks in (a), take into account, to the extent relevant, any vulnerabilities relating to:(i) its type of customers and their activities;(ii) the countries or geographic areas in which it does business;(iii) its products, services and activity profiles;(iv) its distribution channels and business partners;(v) the complexity and volume of its transactions;(vi) the development of new products and new business practices, including new delivery mechanisms, channels and partners; and(vii) the use of new or developing technologies for both new and pre-existing products;(c) take appropriate measures to ensure that any risk identified as part of the assessment in (a) is taken into account in its day to day operations, including in relation to:(i) the development of new products, business practices and technologies referred to in AML Rule 5.1.3;(ii) the taking on of new customers; and(iii) changes to its business profile.AML 5.1.2
A
Relevant Person must use the information obtained in undertaking its business risk assessment to:(a) develop and maintain its AML policies, procedures, systems and controls required by Rule 5.2.1;(b) ensure that its AML policies, procedures, systems and controls adequately mitigate the risks identified as part of the assessment in Rule 5.1.1;(c) assess the effectiveness of its AML policies, procedures, systems and controls as required by Rule 5.2.1(c);(d) assist in allocation and prioritisation of AML resources; and(e) assist in the carrying out of the customer risk assessment under chapter 6.Derived from RM117/2013 [VER9/07-13]New products, business practices and technologies
AML 5.1.3 AML 5.1.3
(1) This Rule applies in relation to:(a) the development of new products and new business practices, including new delivery mechanisms, channels and partners; and(b) the use of new or developing technologies for both new and existing products.(2) Without limiting AML Rules 5.1.1 and 5.1.2, aRelevant Person must take reasonable steps to ensure that it has:(a) assessed and identified the money laundering risks relating to the product, business practice or technology; and(b) taken appropriate steps to manage and mitigate the risks identified under (a), before it launches or uses the new product, practice or technology.before it launches or uses the new product, practice or technology.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 5.1.3 Guidance
1. Unless aRelevant Person understands the money laundering risks to which it is exposed, it cannot take appropriate steps to prevent its business being used for the purposes of money laundering. Money laundering risks vary from business to business depending on the nature of the business, the type of customers a business has, and the nature of the products and services sold.2. Using the RBA, aRelevant Person should assess its own vulnerabilities to money laundering and take all reasonable steps to eliminate or manage such risks. The results of this assessment will also feed into theRelevant Person's risk assessment of its customers under chapter 6.3. Under Article 4 of Cabinet Decision No.10 of 2019, in assessing its money laundering risks and taking steps to mitigate those risks, aRelevant Person is required to take into consideration the results of the National Risk Assessment prepared by the National Anti-Money Laundering and Combating Financing of Terrorism Committee (NAMLCFTC).Derived from RM117/2013 [VER9/07-13]
[Amended] RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]AML 5.2 AML 5.2 AML Systems and Controls
AML 5.2.1 AML 5.2.1
A
Relevant Person must:(a) establish and maintain effective policies, procedures, systems and controls to prevent opportunities for money laundering in relation to theRelevant Person and its activities;(b) ensure that its systems and controls in (a):(i) include the provision to theRelevant Person's senior management of regular management information on the operation and effectiveness of its AML systems and controls necessary to identify, measure, manage and control theRelevant Person's money laundering risks;(ii) enable it to determine:(A) whether a customer or aBeneficial Owner is aPolitically Exposed Person (PEP); and(B) if it provides a customer with a life insurance or other similar policy, whether a beneficiary of the policy, or aBeneficial Owner of the beneficiary, is a PEP; and(iii) enable theRelevant Person to comply with these Rules and Federal AML legislation; and(c) ensure that regular risk assessments are carried out on the adequacy of theRelevant Person's AML systems and controls to ensure that they continue to enable it to identify, assess, monitor and manage money laundering risk adequately, and are comprehensive and proportionate to the nature, scale and complexity of its activities.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 5.2.1 Guidance
In Rule 5.2.1(c) the regularity of risk assessments will depend on the nature, size and complexity of the
Relevant Person's business and also on when any material changes are made to its business.AML 6 AML 6 Customer Risk Assessment
Figure 3. Customer risk-based assessment
AML 6 Guidance
1. This chapter prescribes the risk-based assessment that must be undertaken by aRelevant Person on a customer and the proposed business relationship, transaction or product. The outcome of this process is to produce a risk rating for a customer, which determines the level ofCustomer Due Diligence (CDD) which will apply to that customer under chapter 7. That chapter prescribes the requirements ofCDD and ofEnhanced CDD for high risk customers andSimplified CDD for low risk customers.2.CDD in the context of AML refers to the process of identifying a customer, verifying such identification and monitoring the customer's business and money laundering risk on an ongoing basis.CDD is required to be undertaken following a risk-based assessment of the customer and the proposed business relationship, transaction or product.3.Relevant Persons should note that the ongoingCDD requirements in Rule 7.6.1 require aRelevant Person to ensure that it reviews a customer's risk rating to ensure that it remains appropriate in light of the AML risks.4. TheDFSA is aware that in practice there will often be some degree of overlap between the customer risk assessment andCDD . For example, aRelevant Person may undertake some aspects ofCDD , such as identifying aBeneficial Owner , when it performs a risk assessment of the customer. Conversely, aRelevant Person may also obtain relevant information as part ofCDD which has an impact on its customer risk assessment. An example of such relevant information is information on the ownership and control structure of the customer. Where information obtained as part ofCDD of a customer affects the risk rating of a customer, the change in risk rating should be reflected in the degree ofCDD undertaken.AML 6.1 AML 6.1 Assessing Customer AML Risks
AML 6.1.1
(1) ARelevant Person must:(a) undertake a risk-based assessment of every customer; and(b) assign the customer a risk rating proportionate to the customer's money laundering risks.(2) The customer risk assessment in (1) must be completed prior to undertakingCustomer Due Diligence for new customers, and whenever it is otherwise appropriate for existing customers.(3) When undertaking a risk-based assessment of a customer under (1)(a) aRelevant Person must:(a) identify the customer and anyBeneficial Owner ;(b) obtain information on the purpose and intended nature of the business relationship;(c) obtain information on, and take into consideration, the nature of the customer's business;(ca) take into consideration the nature of the customer, its ownership and control structure, and itsBeneficial Owner (if any);(d) take into consideration the nature of the customer business relationship with theRelevant Person ;(e) take into consideration the customer's country of origin, residence, nationality, place of incorporation or place of business;(f) take into consideration the relevant product, service or transaction;(fa) if it is providing a customer with a life insurance or other similar policy, take into consideration the beneficiary of the policy and anyBeneficial Owner of the beneficiary; and(g) take into consideration the outcomes of business risk assessment under chapter 5.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Factors that may indicate higher money laundering risk
AML 6.1.2
(1) When assessing if there is a high risk of money laundering in a particular situation, aRelevant Person must take into account, among other things:(a) customer risk factors, including whether:(i) the business relationship is conducted in unusual circumstances;(ii) the customer is resident, established or registered in a geographical area of high risk (as set out in paragraph (c));(iii) the customer is a legal person or legal arrangement that is a vehicle for holding personal assets;(iv) the customer is a company that has nominee shareholders or shares in bearer form;(v) the customer is a business that is cash intensive, such as a business that receives a majority of its revenue in cash; and(vi) the corporate structure of the customer is unusual or excessively complex given the nature of the business;(b) product, service, transaction or delivery channel risk factors, including whether:(i) the service involves private banking;(ii) the product, service or transaction is one that might favour anonymity;(iii) the situation involves non face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures;(iv) payments will be received from unknown or unassociated third parties;(v) new products and new business practices are involved, including new delivery mechanisms or the use of new or developing technologies for both new and pre-existing products; and(vi) the service involves the provision of nominee directors, nominee shareholders or shadow directors, or the formation of companies in another country; and(c) geographical risk factors, including:(i) countries identified in reports by credible sources, such as mutual evaluations, detailed assessment reports or follow-up reports, as:(A) not having effective systems to counter money laundering; or(B) not implementing requirements to counter money laundering that are consistent withFATF Recommendations;(ii) countries identified by credible sources as having significant levels of corruption or other criminal activity, such as terrorism, money laundering or the production and supply of illicit drugs;(iii) countries subject to sanctions, embargos or similar measures issued by, for example, the United Nations or the State;(iv) countries providing funding or support for terrorism; and(v) countries that have organisations operating within their territory that have been designated by the State, other countries or International Organisations as terrorist organisations.(2) For the purposes of (1)(c), a credible source includes, but is not limited to,FATF , the IMF, the World Bank, the OECD and other International Organisations.(3) When assessing the risk factors referred to in (1),Relevant Persons must bear in mind that the presence of one or more risk factors may not always indicate a high risk of money laundering in a particular situation.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Factors that may indicate lower money laundering risk
AML 6.1.3
(1) When assessing if there is a low risk of money laundering in a particular situation, aRelevant Person must take into account, among other things:(a) customer risk factors, including whether the customer is:(i) a public body or a publicly owned enterprise;(ii) resident, established or registered in a geographical area of lower risk (as set out in paragraph (c));(iii) anAuthorised Person ;(iv) aRegulated Financial Institution that is subject to regulation and supervision, includingAML regulation and supervision, in a jurisdiction withAML regulations that are equivalent to the standards set out in theFATF Recommendations;(v) aSubsidiary of aRegulated Financial Institution referred to in (iv), if the law that applies to theParent ensures that theSubsidiary also observes the sameAML standards as itsParent ;(vi) a company whose Securities are listed by theDFSA , anotherFinancial Services Regulator or aRegulated Exchange and which is subject to disclosure obligations broadly equivalent to those set out in theMarkets Rules ;(vii) a law firm, notary firm or other legal business that carries on its business in or from theDIFC ; and(viii) an accounting firm, insolvency firm,Registered Auditor or other audit firm that carries on its business in or from theDIFC ;(b) product, service, transaction or delivery channel risk factors, including whether the product or service is:(i) aContract of Insurance that is non-life insurance;(ii) aContract of Insurance that is a life insurance product with no investment return or redemption or surrender value;(iii) an insurance policy for a pension scheme that does not provide for an early surrender option and cannot be used as collateral;(iv) aContract of Insurance which is a reinsurance contract that is ceded by an insurer who is aRegulated Financial Institution ;(v) a pension, superannuation or similar scheme that satisfies the following conditions:(A) the scheme provides retirement benefits to employees;(B) contributions to the scheme are made by way of deductions from wages; and(C) the scheme rules do not permit the assignment of a member's interest under the scheme; and(vi) a product where the risks of money laundering are adequately managed by other factors such as transaction limits or transparency of ownership; and(c) geographical risk factors, including whether:(i) a country has been identified by credible sources as having effective systems to counter money laundering;(ii) a country is identified by credible sources as having a low level of corruption or other criminal activity, such as terrorism, money laundering, or the production and supply of illicit drugs; and(iii) on the basis of reports by credible sources, such as mutual evaluations, detailed assessment reports or follow-up reports, a country:(A) has requirements to counter money laundering that are consistent with theFATF Recommendations; and(B) effectively implements those Recommendations.(2) For the purposes of (1)(c), a credible source includes, but is not limited to,FATF , the IMF, the World Bank, the OECD and other International Organisations.(3) When assessing the risk factors referred to in (1),Relevant Persons must bear in mind that the presence of one or more risk factors may not always indicate a low risk of money laundering in a particular situation.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Business relationship not to be established if ownership arrangements prevent identification of beneficial owners
AML 6.1.4 AML 6.1.4
A
Relevant Person must not establish a business relationship with the customer which is a legal person or legal arrangement if the ownership or control arrangements of the customer prevent theRelevant Person from identifying one or more of the customer'sBeneficial Owners .AML 6.1.2 Guidance [Deleted]
[Deleted] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 6.1.2 Guidance [Deleted]
[Deleted] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 6.1.2 [Deleted]
[Deleted] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]Shell Banks
AML 6.1.5
A
Relevant Person must not establish or maintain a business relationship with aShell Bank .Derived from RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Anonymous or fictitious accounts
AML 6.1.6
A
Relevant Person must not establish or maintain an anonymous account, an account in a fictitious name, or a nominee account which is held in the name of one person but which is controlled by or held for the benefit of another person whose identity has not been disclosed to theRelevant Person .Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] by DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Use of numbered or abbreviated accounts for internal purposes
AML 6.1.7 AML 6.1.7
If a
Relevant Person uses a numbered account or an account with an abbreviated name, it must ensure that:(a) such an account is used only for internal purposes;(b) it has undertaken the sameCustomer Due Diligence procedures in relation to the account holder as are required for other account holders;(c) it maintains the same information in relation to the account and account holder as is required for other accounts and account holders; and(d) staff performingAML functions, including staff responsible for identifying and monitoring transactions for suspicious activity, and staff performing compliance and audit functions, have full access to information about the account and the account holder.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on the customer risk assessment
1. The risk assessment of a customer, which is illustrated in figure 3 above, requires aRelevant Person to allocate an appropriate risk rating to every customer. TheDFSA would expect risk ratings to be either descriptive, such as "low", "medium" or "high", or a sliding numeric scale such as 1 for the lowest risk to 10 for the highest. Depending on the outcome of aRelevant Person's assessment of its customer's money laundering risk, aRelevant Person should decide to what degreeCDD will need to be performed. For a high risk customer, theRelevant Person will need to undertake Enhanced CDD under AML section 7.4 as well as the normalCDD set out in AML section 7.3. For a low risk customer, theRelevant Person may be able to undertake Simplified CDD in accordance with AML section 7.5. For any other customer, theRelevant Person will be required to undertake the normalCDD set out in AML section 7.3.2. Using the RBA, aRelevant Person could, when assessing two customers with near identical risk profiles, consider that one is high risk and the other low risk. This may occur, for example, where both customers may be from the same high risk country, but one customer may be a customer in relation to a low risk product or may be a long-standing customer of aGroup company who has been introduced to theRelevant Person .3. In AML Rule 6.1.4, ownership arrangements which may prevent theRelevant Person from identifying one or moreBeneficial Owners include bearer shares and other negotiable instruments in which ownership is determined by possession.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on the term "customer"
4. The point at which a person becomes a customer will vary from business to business. However, theDFSA considers that it would usually occur at or prior to the business relationship being formalised, for example, by the signing of a customer agreement or the acceptance of terms of business.5. TheDFSA does not consider that a person would be a customer of aRelevant Person merely because such person receives marketing information from aRelevant Person or where aRelevant Person refers a person who is not a customer to a third party (including aGroup member).6. TheDFSA considers that a counterparty would generally be a "customer" for the purposes of this module and would therefore require aRelevant Person to undertakeCDD on such a person. However, this would not include a counterparty in a transaction undertaken on aRegulated Exchange . Nor would it include suppliers of ordinary business services, for consumption by theRelevant Person such as cleaning, catering, stationery, IT or other similar services.7. ARepresentative Office should not have any customers in relation to itsDIFC operations.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on high risk customers [Deleted]
[Deleted] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on low risk customers [Deleted]
[Deleted] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on Shell Banks
8. AML Rule 6.1.5 prohibits aRelevant Person from establishing or maintaining a business relationship with aShell Bank. AShell Bank is a bank that has no physical presence in the country in which it is incorporated or licensed, and is not affiliated with a regulated financialGroup that is subject to effective consolidated supervision. The DFSA does not consider that the existence of a local agent or low level staff constitutes physical presence.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Guidance on fictitious and anonymous accounts
9. ARelevant Person should note that, in addition to the prohibition in AML Rule 6.1.6 against establishing anonymous or fictitious accounts or accounts for unknown persons, the Federal AML legislation also prohibits the creation or keeping of records of bank accounts using pseudonyms, fictitious names or numbered accounts, without the account holder's name.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]Guidance on Tax Issues
10. ARelevant Person should, when carrying out a customer risk assessment, consider and assess the tax crime risk associated with the customer and factor such risks into the overall risk assigned to that customer. Many of the factors described in AML Rule 6.1.2 on higher risk customers could also be an indicator of potential tax crimes. For example, the use of complex or unusual corporate structures, the customer's business not being located where the customer lives (without adequate explanation), unusual customer interface, or reluctance by the customer to communicate directly with theRelevant Person .11. If it is justified based on the risk assessment and where concerns arise, aRelevant Person may wish to seek comfort from its customers by obtaining disclosures or declarations to ascertain if a legitimate explanation exists for the concerns and therefore to allay those concerns.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7 AML 7 Customer Due Diligence
Figure 4. CDD
AML 7.1 AML 7.1 Requirement to Undertake Customer Due Diligence
AML 7.1.1 AML 7.1.1
(1) ARelevant Person must:(a) undertakeCustomer Due Diligence under AML section 7.3 for each of its customers; and(b) in addition to (a), undertakeEnhanced Customer Due Diligence under AML Rule 7.4.1 in respect of any customer it has assigned as high risk.(2) ARelevant Person may undertakeSimplified Customer Due Diligence in accordance with AML Rule 7.5.1 by modifyingCustomer Due Diligence under AML section 7.3 for any customer it has assigned as low risk.AML 7.1.1 Guidance
A
Relevant Person should undertakeCDD in a manner proportionate to the customer's money laundering risks identified under Rule 6.1.1(1). This means that all customers are subject toCDD under section 7.3. However, for high risk customers, additional EnhancedCDD measures should also be undertaken under section 7.4. For low risk customers, section 7.3 may be modified according to the risks in accordance with section 7.5.AML 7.2 AML 7.2 Timing of Customer Due Diligence
AML 7.2.1
(1)A Relevant Person must except as otherwise provided in AML Rule 7.2.2 or in AML section 7.3:(a) undertake the appropriateCustomer Due Diligence under AML Rule 7.3.1(1)(a) to (c) and AML section 7.3 when it is establishing a business relationship with a customer; and(b) undertake the appropriateCustomer Due Diligence under AML Rule 7.3.1(1)(d) after establishing a business relationship with a customer.(2) ARelevant Person must also undertake appropriateCustomer Due Diligence if, at any time:(a) in relation to an existing customer, it doubts the veracity or adequacy of documents, data or information obtained for the purposes ofCustomer Due Diligence ;(b) it suspects money laundering in relation to a person; or(c) there is a change in risk-rating of the customer, or it is otherwise warranted by a change in circumstances of the customer.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Establishing a business relationship before verification
AML 7.2.2 AML 7.2.2
(1) ARelevant Person may establish a business relationship with a customer before completing the verification required by AML Rule 7.3.1 if the following conditions are met:(a) deferral of the verification of the customer orBeneficial Owner is necessary in order not to interrupt the normal conduct of a business relationship;(b) there is little risk of money laundering occurring and any such risks identified can be effectively managed by theRelevant Person ;(c) in relation to a bank account opening, there are adequate safeguards in place to ensure that the account is not closed and transactions are not carried out by or on behalf of the account holder (including any payment from the account to the account holder) before verification has been completed; and(d) subject to (2), the relevant verification is completed as soon as reasonably practicable and in any event no later than 30 days after the establishment of a business relationship.(2) Where aRelevant Person is not reasonably able to comply with the 30 day requirement in (1)(d), it must, prior to the end of the 30 day period:(a) document the reason for its non-compliance;(b) complete the verification in (1) as soon as possible; and(c) record the non-compliance event in its annual AML Return.(3) TheDFSA may specify a period within which aRelevant Person must complete the verification required by (1) failing which theDFSA may direct theRelevant Person to cease any business relationship with the customer.(4) ARelevant Person must ensure that its AML systems and controls referred to in AML Rule 5.2.1 include risk management policies and procedures concerning the conditions under which business relationships may be established with a customer before completing verification.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.2.2 Guidance
1. For the purposes of AML Rule 7.2.1(2)(a), examples of situations which might lead aRelevant Person to have doubts about the veracity or adequacy of documents, data or information previously obtained could be where there is a suspicion of money laundering in relation to that customer, where there is a material change in the way that the customer's account is operated, which is not consistent with the customer's business profile, or where it appears to theRelevant Person that a person other than the customer is the real customer.2. In AML Rule 7.2.2(1)(a), situations that theRelevant Person may take into account include, for example, accepting subscription monies during a short offer period or executing a time critical transaction, which if not executed immediately, would or may cause a customer to incur a financial loss due to price movement or loss of opportunity or when a customer seeks immediate insurance cover.3. When complying with AML Rule 7.2.1, aRelevant Person should also, where relevant, consider AML Rule 7.7.1 regarding failure to conduct or completeCDD and chapter 13 regarding SARs and tipping off.4. For the purposes of AML Rule 7.2.2(1)(d), theDFSA considers that in most situations as soon as reasonably practicable would be within 30 days after the establishment of a business relationship. However, it will depend on the nature of the customer business relationship.AML 7.3 AML 7.3 Customer Due Diligence Requirements
AML 7.3.1 [Deleted]
[Deleted] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Undertaking customer due diligence
AML 7.3.1
(1) In undertakingCustomer Due Diligence required by AML Rule 7.1.1(1)(a) aRelevant Person must:(a) identify the customer and verify the customer's identity;(b) identify anyBeneficial Owners of the customer and take reasonable measures to verify the identity of theBeneficial Owners , so that theRelevant Person is satisfied that it knows who theBeneficial Owners are;(c) if the customer is a legal person or legal arrangement, take reasonable measures to understand the nature of the customer's business and its ownership and control structure; and(d) undertake on-going due diligence of the customer business relationship under AML Rule 7.6.1.(2) If a person ("A") purports to act on behalf of the customer, theRelevant Person must, in addition to (1)(a):(a) verify that A is authorised to act on the customer's behalf; and(b) identify A and verify A's identity.(3) The verification under (1) and (2) must be based on reliable and independent source documents, data or information.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Identifying and verifying the customer
AML 7.3.2
(1) For the purposes of AML Rule 7.3.1(1)(a), aRelevant Person must identify a customer and verify the customer's identity in accordance with this Rule.(2) If a customer is a natural person, aRelevant Person must obtain and verify information about the person's:(a) full name (including any alias);(b) date of birth;(c) nationality;(d) legal domicile; and(e) current residential address (other than a post office box).(3) If a customer is a body corporate, theRelevant Person must obtain and verify:(a) the full name of the body corporate and any trading name;(b) the address of its registered office and, if different, its principal place of business;(c) the date and place of incorporation or registration;(d) a copy of the certificate of incorporation or registration;(e) the articles of association or other equivalent governing documents of the body corporate; and(f) the full names of its senior management.(4) If a customer is a foundation, theRelevant Person must obtain and verify:(a) a certified copy of the charter and by-laws of the foundation or any other documents constituting the foundation; and(b) documentary evidence of the appointment of the guardian or any other person who may exercise powers in respect of the foundation.(5) If a customer is an express trust or other similar legal arrangement, theRelevant Person must obtain and verify:(a) a certified copy of the trust deed or other documents that set out the nature, purpose and terms of the trust or arrangement; and(b) documentary evidence of the appointment of the trustee or any other person exercising powers under the trust or arrangement.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Identifying and verifying beneficial owners: body corporate
AML 7.3.3 AML 7.3.3
(1) If a customer is a body corporate, aRelevant Person must identify and verify theBeneficial Owners under AML Rule 7.3.1(1)(b) in accordance with this Rule.(2) TheRelevant Person must identify:(a) the natural persons who ultimately have a controlling ownership interest in the body corporate, whether legal or beneficial, direct or indirect; and(b) if there is any doubt about whether the natural persons identified under (a) exert control through ownership interests, or if no natural person exerts control through ownership interests, the natural persons exercising control of the body corporate through other means.(3) ARelevant Person does not have to identify an ownership interest under (2)(a) if, having regard to a risk-based assessment of the customer, it is reasonably satisfied that the ownership interest is minor and in the circumstances poses no or negligible risk of money laundering.(4) If aRelevant Person has exhausted all possible means but has not been able to identify theBeneficial Owners under (2), and provided it has no grounds for suspecting money laundering, it must treat the senior management of the body corporate as theBeneficial Owners .(5) If (4) applies, theRelevant Person must keep a record in writing of all the actions it has taken to identify theBeneficial Owners of the body corporate.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.3.3 Guidance
1. In exceptional circumstances, aRelevant Person may not be able to identify any natural person as the ultimate owner or controller of a body corporate. In such a case, provided it has exhausted all other means of identifying the owner or controller and it has no grounds for suspecting money laundering, it can treat each of the members of the senior management of the body corporate as theBeneficial Owners (see AML Rule 7.3.3(4)). However, in such a case theRelevant Person will need to keep records of all the actions it has taken to identify theBeneficial Owners (see AML Rule 7.3.3(5)).2. If the ownership or control arrangements of a customer are of such a nature that theRelevant Person is prevented from identifying theBeneficial Owners (for example, ifBeneficial Owners hold bearer shares or other negotiable instruments and there is no effective system for recording the current holder of the shares or instruments), theRelevant Person is prohibited from establishing a business relationship with the customer under AML Rule 6.1.4.3. For more detailed Guidance on identifying and verifyingBeneficial Owners , see the guidance onCDD at the end of AML section 7.3.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.3.4
A
Relevant Person is not required to comply with AML Rules 7.3.1(1)(b) and (c) if the customer is either:(a) a body corporate that:(i) has its Securities listed by theDFSA , anotherFinancial Services Regulator or aRegulated Exchange ; and(ii) is subject to disclosure requirements which ensure that adequate information about its business, structure and beneficial ownership is publicly available; or(b) a majority-owned subsidiary of a body corporate referred to in (a).Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Identifying and verifying beneficial owners: foundations
AML 7.3.5
(1) If a customer is a foundation, aRelevant Person must identify and verify theBeneficial Owners under AML Rule 7.3.1(1)(b) in accordance with this Rule.(2) TheRelevant Person must identify the founder, guardian, contributors, qualified recipients, other persons entitled to receive any property or income from the foundation and any other natural person who exercises ultimate effective control of the foundation.(3) If the qualified recipients, or other persons entitled to receive property or income from a foundation, are designated by characteristics or by class, theRelevant Person must obtain sufficient information to satisfy itself that it will be able to establish the identity of the qualified recipient or other person before it makes any payment or transfer of property to the recipient or person.(4) TheRelevant Person must verify the identity of a qualified recipient or other person referred to in (3) before it makes any payment, or transfers any property, from the foundation to that recipient or person.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Identifying and verifying beneficial owners: trusts and similar arrangements
AML 7.3.6
(1) If a customer is a legal arrangement, aRelevant Person must identify and verify theBeneficial Owners under AML Rule 7.3.1(1)(b) in accordance with this Rule.(2) TheRelevant Person must identify:(a) for a trust, the settlor, trustee, protector, enforcer, beneficiaries and any other natural person who exercises ultimate effective control over the trust; and(b) for other types of legal arrangements, persons in equivalent or similar positions to those persons referred to in (a).(3) If the beneficiaries of a trust or arrangement are designated by characteristics or by class, theRelevant Person must obtain sufficient information about the beneficiaries to satisfy itself that it will be able to establish the identity of a beneficiary:(a) before it makes a distribution to the beneficiary; or(b) when the beneficiary intends to exercise vested rights.(4) TheRelevant Person must verify the identity of a beneficiary referred to in (3) before it makes a distribution to the beneficiary or the beneficiary exercises vested rights.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Identifying and verifying beneficiary of a life insurance policy
AML 7.3.7 AML 7.3.7
(1) This Rule applies if aRelevant Person is providing a customer with a life insurance or other similar policy.(2) TheRelevant Person must, in addition to complying with AML Rule 7.3.1:(a) if a beneficiary is specifically named in the policy, record the name of that person; and(b) if the beneficiaries of the policy are designated by characteristics or by class, obtain sufficient information to satisfy itself that it will be able to establish the identity of the beneficiaries when any payment is due to be made under the policy.(3) TheRelevant Person must undertake the measures referred to in (2) as soon as the beneficiary of the policy is identified or designated.(4) TheRelevant Person must verify the identity of beneficiaries and anyBeneficial Owners of a beneficiary before it makes a payout under the policy.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.3.7 Guidance
An insurance policy that is similar to a life insurance policy includes life-related protection, or a pension or investment product that pays out to the policyholder or beneficiary upon a particular event occurring or upon redemption.
Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Politically Exposed Persons: other measures
AML 7.3.8 AML 7.3.8
(1) ARelevant Person must take reasonable measures to determine:(a) if a customer, or aBeneficial Owner of a customer, is aPolitically Exposed Person (PEP); and(b) for a life insurance or other similar policy, if a beneficiary of the policy, or aBeneficial Owner of a beneficiary, is aPEP .(2) If a customer, or aBeneficial Owner of a customer, is aPEP , aRelevant Person must:(a) obtain the approval of senior management to commence or continue the business relationship with the customer;(b) take reasonable measures to establish the source of wealth and source of funds of the customer orBeneficial Owner ; and(c) increase the degree and nature of monitoring of the business relationship, to determine whether the customer's transactions or activities appear unusual or suspicious.(3) If a beneficiary of a life insurance or other similar policy, or aBeneficial Owner of a beneficiary, is aPEP , aRelevant Person must:(a) obtain the approval of senior management to make any payout under the policy;(b) take reasonable measures to establish the source of wealth and source of funds of the beneficiary orBeneficial Owner of the beneficiary; and(c) increase the degree and nature of monitoring of its business relationship with the policyholder, to determine whether the customer's transactions or activities appear unusual or suspicious.(4) ARelevant Person must carry out the additionalCustomer Due Diligence referred to in (3) before it makes any payout under the policy.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.3.8 Guidance on CDD
1. Items (a) to (c) in AML Rule 7.3.2(2) should be obtained from a current valid passport or, where a customer does not possess a passport, an official identification document which includes a photograph. The concept of domicile generally refers to the place which a person regards as his permanent home and with which he has the closest ties or which is his place of origin.2. Under AML Rule 7.3.1(3), aRelevant Person is required to verify the identity of a person based on reliable and independent source documents, data or information. ARelevant Person should generally have sight of original identification documents and retain a copy of the identification document. However in complying with AML Rule 7.3.1, it may not always be possible to obtain original documents. Where identification documents cannot be obtained in original form, for example, because aRelevant Person has no physical contact with the customer, theRelevant Person should obtain a copy certified as a true copy by a person of good standing such as a registered lawyer or notary, a chartered accountant, a bank manager, a police officer, anEmployee of the person's embassy or consulate, or other similar person. TheDFSA considers that downloading publicly-available information from an official source (such as a regulator's or other official government website) is sufficient to satisfy the requirements of AML Rule 7.3.1. TheDFSA also considers thatCDD information and research obtained from a reputable company or information-reporting agency may also be acceptable as a reliable and independent source as would banking references and, on a risk-sensitive basis, information obtained from researching reliable and independent public information found on the internet or on commercial databases.3. For higher risk situations theDFSA would expect identification information to be independently verified, using both public and non-public sources.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.3.8 Guidance on identification and verification of Beneficial Owners
4. In determining whether an individual meets the definition of aBeneficial Owner , regard should be had to all the circumstances of the case, in particular the size of an individual's legal or beneficial ownership in a transaction. The question of what is a "minor" ownership interest for the purposes of the definition of aBeneficial Owner in AML Rule 7.3.3 will depend on the individual circumstances of the customer. TheDFSA considers that the question of whether an ownership interest is minor should be considered in the context of theRelevant Person's knowledge of the customer and the customer risk assessment and the risk of money laundering.5. When identifyingBeneficial Owners , aRelevant Person is expected to adopt a substantive (as opposed to form over substance) approach toCDD for legal persons. Adopting a substantive approach means focusing on the money laundering risks of the customer and the product/service and avoiding an approach which focusses purely on the legal form of an arrangement or sets fixed percentages at whichBeneficial Owners are identified (or not). It should take all reasonable steps to establish and understand a corporate customer's legal ownership and control and to identify theBeneficial Owner . TheDFSA does not set explicit ownership or control thresholds in defining theBeneficial Owner because theDFSA considers that the applicable threshold to adopt will ultimately depend on the risks associated with the customer, and so theDFSA expects aRelevant Person to adopt the RBA and justify on reasonable grounds an approach which is proportionate to the risks identified. ARelevant Person should not set fixed thresholds for identifying theBeneficial Owner without objective and documented justification as required by AML Rule 4.1.1. An overly formal approach to defining theBeneficial Owner may result in a criminal "gaming" the system by always keeping his financial interest below the relevant threshold6. TheDFSA considers that in some circumstances no threshold should be used when identifyingBeneficial Owners because it may be important to identify all underlyingBeneficial Owners in order to ensure that they are not associated or connected in some way. This may be appropriate where there are a small number of investors in an account or fund, each with a significant financial holding and the customer-specific risks are higher. However, where the customer-specific risks are lower, a threshold can be appropriate. For example, for a low-risk corporate customer which, combined with a lower-risk product or service, a percentage threshold may be appropriate for identifying "control" of the legal person for the purposes of the definition of aBeneficial Owner .7. For a retail investment fund which is widely-held and where the investors invest via pension contributions, theDFSA would not expect the manager of the fund to look through to any underlying investors where there are none with any material control or ownership levels in the fund. However, for a closely-held fund with a small number of investors, each with a large shareholding or other interest, theDFSA would expect aRelevant Person to identify and verify each of theBeneficial Owners , depending on the risks identified as part of its risk-based assessment of the customer. For a corporate health policy with defined benefits, theDFSA would not expect aRelevant Person to identify theBeneficial Owners .8. Under Federal AML legislation, if the customer is a legal person, theRelevant Person must identify any person who, alone or jointly with other persons, has a controlling ownership interest of 25% or more in the legal person i.e. it applies a specified threshold. This does not affect the approach that should be taken under AML Rule 7.3.1(1)(b) and AML Rule 7.3.3 for verifying the identity ofBeneficial Owners , where no threshold is specified (see Guidance items 4 to 7 above). As a result, under the Federal AML legislation aRelevant Person will need to obtain information identifying natural persons who have a controlling interest of hold more than 25%. Then, in accordance with the risk-based approach in Guidance items 4 to 7, theRelevant Person should determine whether it is necessary also to identify other persons who may beBeneficial Owners , and verify their identityDerived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 7.3.8 Guidance on politically exposed persons
9. Individuals who have, or have had, a high political profile, or hold, or have held, public office, can pose a higher money laundering risk to aRelevant Person as their position may make them vulnerable to corruption. This risk also extends to members of their families and to known close associates.Politically Exposed Person ("PEP") status itself does not, of course, incriminate individuals or entities.10. Generally, a foreignPEP presents a higher risk of money laundering because there is a greater risk that such person, if he was committing money laundering, would attempt to place his money offshore where the customer is less likely to be recognised as aPEP and where it would be more difficult for law enforcement agencies in his home jurisdiction to confiscate or freeze his criminal property.11. Corruption-related money laundering risk increases when aRelevant Person deals with aPEP . Corruption may involve serious crimes and has become the subject of increasing global concern. Corruption offences are predicate crimes under the Federal AML legislation. ARelevant Person should note that customer relationships with family members or close associates ofPEPs involve similar risks to those associated withPEPs themselves.12. TheDFSA considers that after leaving office aPEP may remain a higher risk for money laundering if such person continues to exert political influence or otherwise pose a risk of corruption.13. The fact that an individual is aPEP does not automatically mean that the individual must be assessed to be a high risk customer. ARelevant Person will need to assess the particular circumstances relating to eachPEP to determine what risk category is appropriate. If thePEP is assigned a high risk, then theRelevant Person will need to undertake theEnhanced Customer Due Diligence measures under AML Rule 7.4.1. However, even if aPEP is not assigned a high risk, theRelevant Person is required as a minimum to undertake the additional customer due diligence measures specified in AML Rule 7.3.8(2) and (3) forPEP s.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.4 AML 7.4 Enhanced Customer Due Diligence
AML 7.4.1 AML 7.4.1
Where a
Relevant Person is required to undertakeEnhanced Customer Due Diligence under AML Rule 7.1.1(1)(b) it must, to the extent applicable to the customer:(a) obtain and verify additional:(i) identification information on the customer and anyBeneficial Owner ;(ii) information on the intended nature of the business relationship; and(iii) information on the reasons for a transaction;(b) update more regularly theCustomer Due Diligence information which it holds on the customer and anyBeneficial Owners ;(c) take reasonable measures to establish:(i) the source of funds; and(ii) the source of wealth,
of the customer or, if applicable, of theBeneficial Owner ;(d) increase the degree and nature of monitoring of the business relationship, in order to determine whether the customer's transactions or activities appear unusual or suspicious;(e) obtain the approval of senior management to commence a business relationship with a customer; and(f) where applicable, require that any first payment made by a customer in order to open an account with aRelevant Person must be carried out through a bank account in the customer's name with:(i) aBank ;(ii) aRegulated Financial Institution whose entire operations are subject to regulation and supervision, including AML regulation and supervision, in a jurisdiction with AML regulations which are equivalent to the standards set out in the FATF recommendations; or(iii) aSubsidiary of aRegulated Financial Institution referred to in (ii), if the law that applies to theParent ensures that the Subsidiary also observes the same AML standards as itsParent .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.4.1 Guidance
1. In AML Rule 7.4.1 EnhancedCDD measures are only mandatory to the extent that they are applicable to the relevant customer or the circumstances of the business relationship and to the extent that the risks would reasonably require it. Therefore, the extent of additional measures to conduct is a matter for theRelevant Person to determine on a case by case basis.2. In AML RM117/2013(e), senior management approval may be given by an individual member of theRelevant Person's senior management or by a committee of senior managers appointed to consider high risk customers. It may also be outsourced within the Group.3. For high risk customers, aRelevant Person should, in order to mitigate the perceived and actual risks, exercise a greater degree of diligence throughout the customer relationship and should endeavour to understand the nature of the customer's business and consider whether it is consistent and reasonable.4. ARelevant Person should be satisfied that a customer's use of complex legal structures and/or the use of trust and private investment vehicles, has a genuine and legitimate purpose.5. For enhancedCDD , aRelevant Person has to take reasonable measures to establish the source of funds. That is, where the funds for a particular service or transaction will come from (e.g. a specific bank account held with a specific financial institution) and whether that funding is consistent with the source of wealth of the customer or, if applicable, of theBeneficial Owner .6. For enhancedCDD , where there is aBeneficial Owner , establishing the customer's source of funds and wealth may require enquiring into the Beneficial Owner's source of funds and wealth because the source of the funds would normally be theBeneficial Owner and not the customer.7. TheDFSA considers that taking reasonable measures to establish the source of funds includes obtaining independent corroborating evidence such as proof of dividend payments connected to a shareholding, bank statements, salary/bonus certificates, loan documentation and proof of a transaction which gave rise to the payment into the account. A customer should be able to demonstrate and document how the relevant funds are connected to a particular event which gave rise to the payment into the account or to the source of the funds for a transaction.8. TheDFSA considers that verification of source of wealth includes obtaining independent corroborating evidence such as share certificates, publicly-available registers of ownership, bank or brokerage account statements, probate documents, audited accounts and financial statements, news items from a reputable source and other similar evidence. For example:a. for a legal person, this might be achieved by obtaining its financial or annual reports published on its website or news articles and press releases that reflect its financial situation or the profitability of its business; andb. for a natural person, this might include documentary evidence which corroborates answers given to questions on the source of wealth in an application form or customer questionnaire. For example, if a natural person attributes the source of his wealth to inheritance, he may be asked to provide a copy of the relevant will or grant of probate. In other cases, a natural person may be asked to provide sufficient bank or salary statements covering a number of years to draw up a picture of his source of wealth.9. ARelevant Person may commission a third party vendor report to obtain further information on a customer or transaction or to investigate a customer orBeneficial Owner in very high risk cases. A third party vendor report may be particularly useful where there is little or no publicly-available information on a person or on a legal arrangement or where aRelevant Person has difficulty in obtaining and verifying information.10. In AML Rule 7.4.1(f), circumstances where it may be applicable to require the first payment made by a customer in order to open an account with aRelevant Person to be carried out through a bank account in the customer's name with a financial institution specified in that paragraph include:a. where, following the use of other EnhancedCDD measures, theRelevant Person is not satisfied with the results of due diligence; orb. as an alternative measure, where one of the measures in AML Rule 7.4.1 (a) to (e) cannot be carried out.Derived from RM117/2013 [VER9/07-13]
[Amended] RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.5 AML 7.5 Simplified customer due diligence
AML 7.5.1 AML 7.5.1
(1) Where aRelevant Person is permitted to undertakeSimplified Customer Due Diligence under AML Rule 7.1.1(2), modification of AML Rule 7.3.1 may include:(a) verifying the identity of the customer and anyBeneficial Owners after the establishment of the business relationship under AML Rule 7.2.1(3);(b) deciding to reduce the frequency of, or as appropriate not undertake, customer identification updates;(c) deciding not to verify an identification document other than by requesting a copy;(d) reducing the degree of on-going monitoring of transactions, based on a reasonable monetary threshold or on the nature of the transaction; or(e) not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but infering such purpose and nature from the type of transactions or business relationship established.(2) The modification in (1) must be proportionate to the customer's money laundering risks.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.5.1 Guidance
1. AML Rule 7.5.1(1) provides examples ofSimplified CDD measures. Other measures may also be used by aRelevant Person to modifyCDD in accordance with the customer risks.2. ARelevant Person should not use a "one size fits all" approach for all its low risk customers. Notwithstanding that the risks may be low for all such customers, the degree ofCDD undertaken needs to be proportionate to the specific risks identified on a case by case basis.3. ARelevant Person is not required to identify or verifyBeneficial Owners for retail investment funds which are widely held and for investment funds where the investor invests via pension contributions.4. An example of circumstances where aRelevant Person might reasonably reduce the frequency of or, as appropriate, eliminate customer identification updates would be where the money laundering risks are low and the service provided does not offer a realistic opportunity for money laundering.5. An example of where aRelevant Person might reasonably reduce the degree of on-going monitoring and scrutinising of transactions, based on a reasonable monetary threshold or on the nature of the transaction, would be where the transaction is a recurring, fixed contribution to a savings scheme, investment portfolio or fund or where the monetary value of the transaction is not material for money laundering purposes given the nature of the customer and the transaction type.
6. For the avoidance of doubt, aRelevant Person should not conductSimplified CDD where there is any suspicion of money laundering.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 7.6 AML 7.6 Ongoing Customer Due Diligence
AML 7.6.1 AML 7.6.1
(1) When undertaking ongoing
Customer Due Diligence under Rule 7.3.1(1)(d), aRelevant Person must, using the risk-based approach:(a) monitor transactions undertaken during the course of its customer relationship to ensure that the transactions are consistent with theRelevant Person's knowledge of the customer, his business and risk rating;(b) pay particular attention to any complex or unusually large transactions or unusual patterns of transactions that have no apparent or visible economic or legitimate purpose;(c) enquire into the background and purpose of the transactions in (b);(d) review the adequacy of theCustomer Due Diligence information it holds on customers andBeneficial Owners to ensure that the information is kept up to date, particularly for customers with a high risk rating; and(e) review each customer to ensure that the risk rating assigned to a customer under Rule 6.1.1(1)(b) remains appropriate for the customer in light of the money laundering risks.(2) A
Relevant Person must carry out a review under (1)(d) and (e) periodically and at other appropriate times when a material change or event occurs relating to a customer.AML 7.6.1 Guidance
1. In complying with Rule 7.6.1(1)(d), aRelevant Person should undertake a periodic review to ensure that non-static customer identity documentation is accurate and up-to-date. Examples of non-static identity documentation include passport number and residential/business address and, for a legal person, its share register or list of partners.2. ARelevant Person should undertake a review under Rule 7.6.1(1)(d) and (e), both periodically and at other appropriate times such as when:a. theRelevant Person changes itsCDD documentation requirements;b. an unusual transaction with the customer is expected to take place;c. there is a material change in the business relationship with the customer; ord. there is a material change in the nature or ownership of the customer.3. The degree of the on-going due diligence to be undertaken will depend on the customer risk assessment carried out under Rule 6.1.1.4. ARelevant Person's transaction monitoring policies, procedures, systems and controls, which may be implemented by manual or automated systems, or a combination thereof, are one of the most important aspects of effectiveCDD . Whether aRelevant Person should undertake the monitoring by means of a manual or computerised system (or both) will depend on a number of factors, including:a. the size and nature of theRelevant Person's business and customer base; andb. the complexity and volume of customer transactions.AML 7.6.2 AML 7.6.2 Ongoing sanctions screening
A
Relevant Person must review its customers, their business and transactions against United Nations Security Council sanctions lists and against any other relevant sanctions list when complying with Rule 7.6.1(1)(d).AML 7.6.2 Guidance
In AMLRule 7.6.2, a "relevant sanctions list" may include U.A.E EU, U.K. HM Treasury, U.S. OFAC lists and any other list which may apply to a
Relevant Person .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 7.7 AML 7.7 Failure to conduct or complete customer due diligence
AML 7.7.1 AML 7.7.1
(1) Where, in relation to any customer, aRelevant Person is unable to conduct or complete the requisiteCustomer Due Diligence in accordance with AML Rule 7.1.1 it must, to the extent relevant:(a) not carry out a transaction with or for the customer through a bank account or in cash;(b) not open an account or otherwise provide a service;(c) not otherwise establish a business relationship or carry out a transaction;(d) terminate or suspend any existing business relationship with the customer;(e) return any monies or assets received from the customer; and(f) consider whether the inability to conduct or completeCustomer Due Diligence necessitates the making of a Suspicious Activity Report under AML Rule 13.3.1(c).(2) ARelevant Person is not obliged to comply with (1) (a) to (e) if:(a) to do so would amount to "tipping off" the customer, in breach of Federal AML legislation; or(b) the FIU directs theRelevant Person to act otherwise.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]AML 7.7.1 Guidance
1. In complying with Rule 7.7.1(1) aRelevant Person should apply one or more of the measures in (a) to (f) as appropriate in the circumstances. WhereCDD cannot be completed, it may be appropriate not to carry out a transaction pending completion ofCDD . WhereCDD cannot be conducted, including where a material part of theCDD , such as identifying and verifying aBeneficial Owner cannot be conducted, aRelevant Person should not establish a business relationship with the customer.2. ARelevant Person should note that Rule 7.7.1 applies to both existing and prospective customers. For new customers it may be appropriate for aRelevant Person to terminate the business relationship before a product or service is provided. However, for existing customers, while termination of the business relationship should not be ruled out, suspension may be more appropriate depending on the circumstances. Whichever route is taken, theRelevant Person should be careful not to tip off the customer.3. ARelevant Person should adopt the RBA forCDD of existing customers. For example, if aRelevant Person considers that any of its existing customers (which may include customers which it migrates into theDIFC ) have not been subject toCDD at an equivalent standard to that required by this module, it should adopt the RBA and take remedial action in a manner proportionate to the risks and within a reasonable period of time whilst complying with Rule 7.7.1.AML 8 AML 8 Reliance and Outsourcing
Derived from RM117/2013 [VER9/07-13]AML 8.1 AML 8.1 Reliance on a third party
AML 8.1.1 AML 8.1.1
(1) ARelevant Person may rely on the following third parties to conduct one or more elements ofCustomer Due Diligence on its behalf:(a) anAuthorised Person ;(b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;(c) aFinancial Institution ; or(d) a member of theRelevant Person's Group.(2) In (1), aRelevant Person may rely on the information previously obtained by a third party which covers one or more elements ofCustomer Due Diligence .(3) Where aRelevant Person seeks to rely on a person in (1) it may only do so if and to the extent that:(a) it immediately obtains the necessaryCustomer Due Diligence information from the third party in (1);(b) it takes adequate steps to satisfy itself that certified copies of the documents used to undertake the relevant elements ofCustomer Due Diligence will be available from the third party on request without delay;(c) if a person in (1)(b) to (d) is in another country, the person is:(i) subject to requirements in relation to customer due diligence and record keeping which meet the standards set out in theFATF Recommendations; and(ii) supervised for compliance with those requirements in a manner that meets the standards for regulation and supervision set out in theFATF Recommendations;(d) the person in (1) has not relied on any exception from the requirement to conduct any relevant elements ofCustomer Due Diligence which theRelevant Person seeks to rely on; and(e) in relation to (2), the information is up to date.(4) Where aRelevant Person relies on a member of itsGroup , suchGroup member need not meet the condition in (3)(c) if:(a) theGroup applies and implements aGroup -wide policy on customer due diligence, record keeping,Politically Exposed Persons andAML programmes which meets the standards set out in theFATF Recommendations; and(b) where the effective implementation of those Customer Due Diligence, record keeping andPEP requirements andAML programmes are supervised atGroup level by aFinancial Services Regulator or other competent authority in a country, the supervision and regulation meets the standards set out in theFATF Recommendations.(5) If aRelevant Person is not reasonably satisfied that a customer orBeneficial Owner has been identified and verified by a third party in a manner consistent with these Rules, theRelevant Person must immediately perform theCustomer Due Diligence itself with respect to any deficiencies identified.(6) Notwithstanding theRelevant Person's reliance on a person in (1), theRelevant Person remains responsible for compliance with, and liable for any failure to meet theCustomer Due Diligence requirements in this module.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 8.1.1 Guidance
1. In complying with AML Rule 8.1.1(3)(a), "immediately obtaining the necessaryCDD information" means obtaining all relevantCDD information, and not just basic information such as name and address. Compliance can be achieved by having that relevant information sent by email or other appropriate means. For the avoidance of doubt, aRelevant Person is not required automatically to obtain the underlying certified documents used by the third party to undertake itsCDD . ARelevant Person must, however, under AML Rule 8.1.1(3)(b) ensure that the certified documents are readily available from the third party on request.2. TheDFSA would expect aRelevant Person , in complying with AML Rule 8.1.1(5), to fill any gaps in theCDD process as soon as it becomes aware that a customer orBeneficial Owner has not been identified and verified in a manner consistent with these Rules.3. If aRelevant Person acquires another business, either in whole or in part, theDFSA would permit theRelevant Person to rely on theCDD conducted by the business it is acquiring but would expect theRelevant Person to have done the following:a. as part of its due diligence for the acquisition, to have taken a reasonable sample of the prospective customers to assess the quality of theCDD undertaken; andb. to undertakeCDD on all the customers to cover any deficiencies identified in a. as soon as possible following the acquisition, prioritising high risk customers.4. Where a particular jurisdiction's laws (such as secrecy or data protection legislation) would prevent aRelevant Person from having access toCDD information upon request without delay as referred to in AML Rule 8.1.1(3)(b), theRelevant Person should undertake the relevantCDD itself and should not seek to rely on the relevant third party.5. If aRelevant Person relies on a third party located in a foreign jurisdiction to conduct one or more elements of CDD on its behalf, theRelevant Person must ensure that the foreign jurisdiction has AML regulations that are equivalent to the standards in theFATF Recommendations (see AML Rule 8.1.1(3)(c) and AML Rule 8.1.2).Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 8.1.2
(1) When assessing under AML Rule 8.1.1(3)(c) or (4) if requirements, supervision or regulation in another jurisdiction meet
FATF standards, aRelevant Person must take into account factors including, among other things:(a) mutual evaluations, assessment reports or follow-up reports published byFATF , theIMF , the World Bank, theOECD or other International Organisations;(b) membership ofFATF or other international or regional groups such as theMENAFATF or the Gulf Co-operation Council;(c) contextual factors such as political stability or the level of corruption in the jurisdiction;(d) evidence of recent criticism of the jurisdiction, including in:(i)FATF advisory notices;(ii) public assessments of the jurisdiction'sAML regime by organisations referred to in (a); or(iii) reports by other relevant non-government organisations or specialist commercial organisations; and(e) whether adequate arrangements exist for co-operation between the AML regulator in that jurisdiction and theDFSA .(2) A
Relevant Person making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.(3) A
Relevant Person must keep adequate records of how it made its assessment, including the sources and materials considered.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 8.2 AML 8.2 Outsourcing
AML 8.2.1 AML 8.2.1
A
Relevant Person which outsources any one or more elements of itsCustomer Due Diligence to a service provider (including within itsGroup ) remains responsible for compliance with, and liable for any failure to meet, such obligations.Derived from RM117/2013 [VER9/07-13]AML 8.2.1 Guidance
1. Prior to appointing an outsourced service provider to undertakeCDD , aRelevant Person should undertake appropriate due diligence to assure itself of the suitability of the outsourced service provider and should ensure that the outsourced service provider's obligations are clearly documented in a binding agreement.2. AnAuthorised Person should be mindful of its obligations regarding outsourcing set out in GEN Rules 5.3.21 and 5.3.22.Derived from RM117/2013 [VER9/07-13]AML 8.3 AML 8.3 Money Service Providers
AML 8.3.1
(1) An Authorised Firm that Provides Money Services must:(a) maintain a complete, current and accurate register of all agents it uses to conduct its Money Services business and make the register available to the DFSA upon request;(b) include all agents referred to in (a) as part of its AML compliance programme and monitor agents’ compliance with the programme;(c) comply with all applicable AML requirements in the jurisdictions in which it operates, whether directly or through the use of agents;(d) when executing Payment Transactions, assess and consider all relevant information including information about the payer, payee and any beneficiary, as applicable, to determine whether a Suspicious Activity Report should be made; and(e) if appropriate, make a Suspicious Activity Report in any jurisdiction impacted or connected to a suspicious Payment Transaction, and make available relevant transaction information to the authorities responsible for AML compliance in the relevant jurisdiction.(2) An Authorised Firm making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.(3) An Authorised Firm must keep adequate records of how it made its assessment under (1), including the sources and materials considered.Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]AML 9 AML 9 Correspondent Banking, Electronic Fund Transfers and Audit
AML 9.1 AML 9.1 Application
AML 9.1.1
This chapter applies only to an
Authorised Person .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 9.2 AML 9.2 Correspondent Banking
AML 9.2.1
An
Authorised Firm proposing to have a correspondent banking relationship with a respondent bank must:(a) undertake appropriateCustomer Due Diligence on the respondent bank;(b) as part of (a), gather sufficient information about the respondent bank to understand fully the nature of the business, including making appropriate enquiries on its management, its major business activities and the countries or jurisdictions in which it operates;(c) determine from publicly-available information the reputation of the respondent bank and the quality of supervision, including whether it has been subject to a money laundering or terrorist financing investigation or relevant regulatory action;(d) assess the respondent bank's AML controls and ascertain if they are adequate and effective in light of theFATF Recommendations;(e) ensure that prior approval of theAuthorised Firm's senior management is obtained before entering into a new correspondent banking relationship;(f) ensure that the respective responsibilities of the parties to the correspondent banking relationship are properly documented; and(g) be satisfied that, in respect of any customers of the respondent bank who have direct access to accounts of theAuthorised Firm , the respondent bank:(i) has undertakenCustomer Due Diligence (including ongoingCustomer Due Diligence ) at least equivalent to that in Rule 7.3.1 in respect of each customer; and(ii) is able to provide the relevantCustomer Due Diligence information in (i) to theAuthorised Firm upon request; and(h) document the basis for its satisfaction that the requirements in (a) to (g) are met.Derived from RM117/2013 [VER9/07-13]AML 9.2.2 AML 9.2.2
An
Authorised Firm must:(a) not enter into a correspondent banking relationship with aShell Bank ; and(b) take appropriate measures to ensure that it does not enter into, or continue a corresponding banking relationship with, a bank which is known to permit its accounts to be used byShell BankS .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 9.2.2 Guidance
AML Rule 9.2.2 prohibits an
Authorised Firm from entering into a correspondent banking relationship with aShell Bank or a bank which is known to permit its accounts to be used byShell Banks . See the Guidance after AML Rule 6.1.7 for more information about what constitutes aShell Bank .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3 AML 9.3 Electronic fund transfers
Application
AML 9.3.1
(1) This section applies to an
Authorised Person when it sends or transmits funds by electronic means, or when it receives funds (including serial payments and cover payments) by electronic means, on the account of a payer or payee.(2) This section does not apply to a transfer and settlement between
Financial Institutions if theFinancial Institutions are acting on their own behalf as the payer and the payee.Definitions
AML 9.3.2
In this section:
(a) "batch transfer" means a transfer that consists of a number of individual fund transfers that are bundled for transmission, whether the individual fund transfers are intended ultimately for one or more payees;(b) "beneficiary institution" means theFinancial Institution that receives the fund transfer from the ordering institution, whether directly or through an intermediary institution, and makes the funds available to the payee;(c) "cover payment" means a fund transfer that combines a payment message sent directly by the ordering institution to the beneficiary institution with the routing of the funding instruction from the ordering institution to the beneficiary institution through one or more intermediary institutions;(d) "cross-border fund transfer" means a fund transfer where the ordering institution and the beneficiary institution are located in different countries and includes any chain of fund transfers in which at least one of theFinancial Institutions involved is located in a different country;(e) "customer identification number" means a number that is different from the uniquetransaction reference number and:(i) uniquely identifies the payer to the ordering institution; and(ii) refers to a record held by the ordering institution that contains at least one of the following: the payer's address, national identity number or date and place of birth;(f) "domestic fund transfer" means a fund transfer where the ordering institution and beneficiary institution are located in the same country and includes any chain of fund transfers that takes place entirely within a country, even if the system used to transfer the payment message is located in another country;(g) "fund transfer" means anytransaction carried out on behalf of a payer through aFinancial Institution by electronic means with a view to making an amount of funds available to a payee at a beneficiary institution, irrespective of whether the payer and the payee are the same person;(h) "intermediary institution" means theFinancial Institution in a serial payment or cover payment chain that receives and transmits a fund transfer on behalf of the ordering institution and the beneficiary institution, or another intermediary institution;(i) "ordering institution" means theFinancial Institution that transfers the funds upon receiving the request for a fund transfer on behalf of the payer;(j) "payee" means the natural orlegal person identified by the payer as the recipient of the requested fund transfer;(k) "payer" means the account holder who allows the fund transfer from that account or, if there is no account, the natural orlegal person that places the fund transfer order with the ordering institution to perform the fund transfer;(l) "serial payment" means a direct sequential chain of payment where the fund transfer and accompanying payment message travel together from the ordering institution to the beneficiary institution, directly or through one or more intermediary institutions;(m) "straight-through processing" means paymenttransactions that are conducted electronically without the need for manual intervention; and(n) "unique transaction reference number" means a combination of letters, numbers or symbols, determined by theFinancial Institution in accordance with the protocols of the payment and settlement system or messaging system used for the fund transfer, and which permits the traceability of the fund transfer.Requirements for ordering institution
AML 9.3.3
Before effecting a fund transfer, an
Authorised Person that is an ordering institution must:(a) identify the payer and verify the identity of the payer if the identity has not previously been identified; and(b) record adequate details of the fund transfer that are sufficient to permit its reconstruction, including but not limited to, the date of the transfer, the payer and payee, and the type and amount of currency transferred and the value date.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.4
For a cross-border fund transfer where the amount to be transferred is $1000 or less, an
Authorised Person that is an ordering institution must include in the message or payment instruction that accompanies or relates to the fund transfer the following:(a) the name of the payer;(b) the payer's account number (or uniquetransaction reference number if no account number exists);(c) the name of the payee; and(d) the payee's account number (or uniquetransaction reference number if no account number exists).Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.5
For a cross-border fund transfer where the amount to be transferred is more than $1,000, an
Authorised Person that is an ordering institution must, in addition to the information required by AML Rule 9.3.4, include in the message or payment instruction that accompanies or relates to the fund transfer any one of the following:(a) the payer's address:(b) the payer's national identity number, such as an identity card number or passport number;(c) the payer'scustomer identification number; or(d) the date and place of birth of the payer.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.6
If several individual cross-border fund transfers from a single payer are bundled in a batch file for transmission, then, in complying with AML Rules 9.3.4 and 9.3.5, an
Authorised Person that is an ordering institution must ensure that:(a) the batch file contains the payer information required under AML Rule 9.3.4 and, if applicable, AML Rule 9.3.5;(b) it has verified the payer information referred to in (a); and(c) the batch file contains the payee information required under AML Rule 9.3.4 for each payee and that information is fully traceable in the payee's country.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.7 AML 9.3.7
For a domestic fund transfer, an
Authorised Person that is an ordering institution must either:(a) include in the message or payment instruction that accompanies or relates to the fund transfer the following:(i) the name of the payer;(ii) the payer's account number (or unique transaction reference number if no account number exists); and(iii) any one of the following:(A) the payer's address;(B) the payer's national identity number, such as an identity card number or passport number;(C) the payer's customer identification number; or(D) the date and place of birth of the payer; or(b) include only the payer's account number (or uniquetransaction reference number if no account number exists), provided that:(i) those details will permit thetransaction to be traced back to the payer and payee; and(ii) the ordering institution must provide the payer information set out in paragraph (a) within 3 business days of a request for the information by the beneficiary institution or the DFSA or immediately upon request of a law enforcement agency.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.7 Guidance
The payer's address referred to in AML Rule 9.3.5 or AML Rule 9.3.7 should be the address that the
Relevant Person has verified as part of itsCustomer Due Diligence on the payer.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.8
An
Authorised Person that is an ordering institution must retain a record of payer and payee information it has collected under this section.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.9
An
Authorised Person that is an ordering institution must not execute a fund transfer if it is unable to comply with the requirements in AML Rules 9.3.3 to 9.3.8.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Requirements for beneficiary institution
AML 9.3.10
An
Authorised Person that is a beneficiary institution must take reasonable measures, including post-event monitoring or real-time monitoring where feasible, to identify cross-border fund transfers that lack the required payer or payee information.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.11
For a cross-border fund transfer, an
Authorised Person that is a beneficiary institution must identify and verify the identity of the payee if the identity has not been previously verified.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Requirements for intermediary institution
AML 9.3.12
An
Authorised Person that is an intermediary institution must retain all the required payer and payee information accompanying the fund transfer.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.13
If technical limitations prevent the required payer or payee information accompanying a cross-border fund transfer from remaining with a related domestic fund transfer, an
Authorised Person that is a receiving intermediary institution must maintain a record, for at least five years, of all the information received from the ordering institution or another intermediary institution.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.14
An
Authorised Person that is an intermediary institution must take reasonable measures, which are consistent with straight-through processing, to identify crossborder fund transfers that lack the required payer or payee information.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]Systems and controls concerning fund transfers
AML 9.3.15 AML 9.3.15
A
Relevant Person must ensure that itsAML systems and controls referred to in AML Rule 5.2.1 include risk management policies and procedures specifying the steps to be taken if a fund transfer lacks information required under this section, including when to reject or amend a transfer and any follow-up action that is to be taken.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 9.3.15 Guidance
The
DFSA considers that concealing or removing in a fund transfer any of the information required by this section would be a breach of the requirement to ensure that the fund transfer contains accurate payer and payee information.AML 9.4 AML 9.4 Audit
AML 9.4.1 AML 9.4.1
An
Authorised Person must ensure that its audit function, established under GEN Rule 5.3.13, includes regular reviews and assessments of the effectiveness of the Authorised Person's money laundering policies, procedures, systems and controls, and its compliance with its obligations in this AML module.Derived from RM117/2013 [VER9/07-13]AML 9.4.1 Guidance
1. The review and assessment undertaken for the purposes of Rule 9.4.1 may be undertaken:a. internally by theAuthorised Person's internal audit function; orb. by a competent firm of independent auditors or compliance professionals.2. The review and assessment undertaken for the purposes of Rule 9.4.1 should cover at least the following:a. sample testing of compliance with theAuthorised Person's CDD arrangements;b. an analysis of all notifications made to theMLRO to highlight any area where procedures or training may need to be enhanced; andc. a review of the nature and frequency of the dialogue between the senior management and theMLRO .Derived from RM117/2013 [VER9/07-13]AML 9.5 AML 9.5 [Deleted]
AML 9.5.1 [Deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 10 AML 10 Sanctions and Other International Obligations
AML 10.1 AML 10.1 [Deleted]
AML 10.1.1 [Deleted]
[deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 10.2 AML 10.2 Relevant United Nations resolutions and sanctions
AML 10.2.1 AML 10.2.1
(1) ARelevant Person must establish and maintain effective systems and controls to ensure that on an ongoing basis it is properly informed as to, and takes reasonable measures to comply with, relevant resolutions or sanctions issued by the United Nations Security Council.(2) ARelevant Person must immediately notify theDFSA when it becomes aware that it is:(a) carrying on or about to carry on an activity;(b) holding or about to hold money or other assets; or(c) undertaking or about to undertake any other business whether or not arising from or in connection with (a) or (b);for or on behalf of a person, where such carrying on, holding or undertaking constitutes or may constitute a contravention of a relevant sanction or resolution issued by the United Nations Security Council.(3) ARelevant Person must ensure that the notification stipulated in (2) above includes the following information:(a) a description of the relevant activity in (2) (a), (b) or (c); and(b) the action proposed to be taken or that has been taken by theRelevant Person with regard to the matters specified in the notification.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 10.2.1 Guidance
1. In AML Rule 10.2.1(1), taking reasonable measures to comply with a United Nations Security Council resolution or sanction may include, for example, aRelevant Person not undertaking a transaction for or on behalf of a person or undertaking further due diligence in respect of a person.2. Relevant United Nations Security Council resolutions or sanctions mentioned in AML Rule 10.2.1 may, among other things, relate to money laundering, terrorist financing or the financing of weapons of mass destruction or otherwise be relevant to the activities carried on by theRelevant Person . For example:a. aRelevant Person should exercise due care to ensure that it does not provide services to, or otherwise conduct business with, a person engaged in money laundering, terrorist financing or the financing of weapons of mass destruction; andb. anAuthorised Market Institution should exercise due care to ensure that it does not facilitate fund raising activities or listings by persons engaged in money laundering or terrorist financing or financing of weapons of mass destruction.3. ARelevant Person should be proactive in checking for, and taking measures to comply with, relevant resolutions or sanctions issued by the United Nations Security Council. The DFSA expectsRelevant Persons to perform checks on an ongoing basis against their customer databases and records for any names appearing in resolutions or sanctions issued by the United Nations Security Council as well as to monitor transactions accordingly.4. ARelevant Person may use a database maintained elsewhere for an up-to-date list of resolutions and sanctions, or to perform checks of customers or transactions against that list. For example, it may wish to use a database maintained by its head office or aGroup member. However, theRelevant Person retains responsibility for ensuring that its systems and controls are effective to ensure compliance with this module.5.Relevant Persons should also be aware of their obligations under Cabinet Decision No. 20 of 2019, which include the obligation to check on a daily basis the sanctions lists issued by the United Nations Security Council.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 10.3 AML 10.3 Government, Regulatory and International Findings
AML 10.3.1 AML 10.3.1
(1) ARelevant Person must establish and maintain systems and controls to ensure that on an ongoing basis it is properly informed as to, and takes reasonable measures to comply with, any findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions (each of which is referred to in this Rule as a "finding") issued by:(a) the government of theU.A.E. or any government departments in the U.A.E.;(b) the Central Bank of theU.A.E. or the FIU;(c)FATF ;(d)U.A.E. enforcement agencies; and(e) theDFSA ,concerning the matters in (2).(2) For the purposes of (1), the relevant matters are:(a) arrangements for preventing money laundering, terrorist financing or the financing of weapons of mass destruction in a particular country or jurisdiction, including any assessment of material deficiency against relevant countries in adopting international standards; and(b) the names of persons, groups, organisations or entities or any other body where suspicion of money laundering or terrorist financing or the financing of weapons of mass destruction exists.(3) For the purposes of (1), measures in a finding that aRelevant Person must comply with include, but are not limited to, measures:(a) requiring specific elements of enhanced due diligence;(b) requiring enhanced reporting mechanisms or systematic reporting of financialtransactions ;(c) limiting business relationships or financialtransactions with specified persons or persons in a specified jurisdiction;(d) prohibitingRelevant Persons from relying on third parties located in a specified jurisdiction to conduct customer due diligence;(e) requiring correspondent relationships with banks in a specified jurisdiction to be reviewed, amended or, if necessary, terminated;(f) prohibiting the execution of specified electronic fund transfers; or(g) requiring increased external audit requirements for financial groups with respect to branches and subsidiaries located in a specified jurisdiction.(4) ARelevant Person must immediately notify the DFSA in writing if it becomes aware of non-compliance by a person with a finding and provide the DFSA with sufficient details of the person concerned and the nature of the non-compliance.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 10.3.1 Guidance
1. The purpose of this Rule is to ensure that aRelevant Person takes into consideration the broad range of tools used by competent authorities and international organisations to communicate AML/CTF risks to stakeholders.2. The Rule also permits theDFSA to require enhanced due diligence or other specific countermeasures to address risks identified in a specific country or jurisdiction. TheDFSA may impose such countermeasures either when called upon to do so byFATF or independently of anyFATF request.3.Relevant Persons considering transactions or business relationships with persons located in countries or jurisdictions that have been identified as deficient, or against which theU.A.E. or theDFSA have outstanding advisories, should be aware of the background against which the assessments, or the specific recommendations have been made. These circumstances should be taken into account in respect of introduced business from such jurisdictions, and when receiving inward payments for existing customers or in respect of inter-bank transactions.4. TheRelevant Person's MLRO is not obliged to report all transactions from these countries or jurisdictions to the FIU if they do not qualify as suspicious under the Federal AML legislation. See AML chapter 13 on Suspicious Activity Reports.5. Transactions with counterparties located in countries or jurisdictions which are no longer identified as deficient or have been relieved from special scrutiny (for example, taken off sources mentioned in this Guidance) may nevertheless require attention which is higher than normal.6. In order to assistRelevant Persons , theDFSA will, from time to time, publishU.A.E. ,FATF or other findings, guidance, directives or sanctions. However, theDFSA expects aRelevant Person to take its own steps in acquiring relevant information from various available sources. For example, aRelevant Person may obtain relevant information from the consolidated list of financial sanctions in the U.A.E Cabinet, European Union Office, HM Treasury (United Kingdom) lists, and the Office of Foreign Assets Control (OFAC) of the United States Department of Treasury.7. In addition, the systems and controls mentioned in AML Rule 10.3.1 should be established and maintained by aRelevant Person taking into account its risk assessment under chapters 5 and 6. In AML Rule 10.3.1, taking reasonable measures to comply with a finding may mean that aRelevant Person cannot undertake a transaction for or on behalf of a person or that it may need to undertake further due diligence in respect of such a person.8. ARelevant Person should be proactive in obtaining and appropriately using available national and international information, for example, suspect lists or databases from credible public or private sources with regard to money laundering, including obtaining relevant information from sources mentioned in Guidance 6 above. TheDFSA encouragesRelevant Persons to perform checks against their customer databases and records for any names appearing on such lists and databases as well as to monitor transactions accordingly. As set out in the Guidance after Rule 10.2.1, aRelevant Person may use a database maintained elsewhere for an up-todate list of sanctions or to conduct checks of customers or transactions against the list. However, it retains responsibility for ensuring the effectiveness of its systems and controls.9. The risk of terrorists entering the financial system can be reduced ifRelevant Persons apply effective AML strategies, particularly in respect ofCDD .Relevant Persons should assess which countries carry the highest risks and should conduct an analysis of transactions from countries or jurisdictions known to be a source of terrorist financing.10. TheDFSA may requireRelevant Persons to take any special measures it may prescribe with respect to certain types of transactions or accounts where theDFSA reasonably believes that any of the above may pose a money laundering risk to theDIFC .Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 11 AML 11 Money Laundering Reporting Officer
AML 11.1 AML 11.1 [Deleted]
[deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 11.1.1 [Deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 11.2 AML 11.2 Appointment of a MLRO
AML 11.2.1
(1) ARelevant Person must appoint an individual asMLRO , with responsibility for implementation and oversight of its compliance with the Rules in this module, who has an appropriate level of seniority and independence to act in the role.(2) TheMLRO in (1) and AML Rule 11.2.5 must be resident in theU.A.E. , except in the case of the MLRO for aRegistered Auditor .AML 11.2.2 AML 11.2.2
The individual appointed as the
MLRO of aRepresentative Office must be the same individual who holds the position ofPrincipal Representative of thatRepresentative Office .Derived from RM117/2013 [VER9/07-13]AML 11.2.2 Guidance
1.Authorised Firms are reminded that under GEN Rule 7.5.1, theMLRO function is a mandatory appointment. For the avoidance of doubt, the individual appointed as theMLRO of anAuthorised Firm , other than aRepresentative Office , is the same individual who holds theLicensed Function of Money Laundering Reporting Officer of thatAuthorised Firm .Authorised Firms are also reminded that the guidance under GEN Rule 7.5.2 sets out the grounds under which theDFSA will determine whether to grant a waiver from the residence requirements for anMLRO . The same guidance would apply by analogy to otherRelevant Persons seeking a waiver from theMLRO residence requirements.2. The individual appointed as theMLRO of anAuthorised Market Institution is the same individual who holds the position ofMoney Laundering Reporting Officer of thatAuthorised Market Institution under the relevantAMI Rule.Derived from RM117/2013 [VER9/07-13]AML 11.2.3
An
Authorised Firm , other than aRepresentative Office , must appoint an individual to act as a deputyMLRO of theAuthorised Firm to fulfil the role of theMLRO in his absence.Derived from RM117/2013 [VER9/07-13]AML 11.2.4 AML 11.2.4
A
Relevant Person's MLRO must deal with theDFSA in an open and co-operative manner and must disclose appropriately any information of which the DFSA would reasonably be expected to be notified.Derived from RM117/2013 [VER9/07-13]AML 11.2.4 Guidance
1. The individual appointed as the deputyMLRO of anAuthorised Firm need not apply forAuthorised Individual status for performing theLicensed Function ofMoney Laundering Reporting Officer , subject to Rules in GEN section 11.6.2. ARelevant Person other than anAuthorised Firm should make adequate arrangements to ensure that it remains in compliance with this module in the event that itsMLRO is absent.Adequate arrangements would include appointing a temporaryMLRO for the period of theMLRO's absence or making sure that theRelevant Person's AML systems and controls allow it to continue to comply with these Rules when theMLRO is absent.Derived from RM117/2013 [VER9/07-13]AML 11.2.5 AML 11.2.5
A
Relevant Person may outsource the role ofMLRO to an individual outside theRelevant Person provided that the relevant individual under the outsourcing agreement is and remains suitable to perform theMLRO role.Derived from RM117/2013 [VER9/07-13]AML 11.2.5 Guidance
Where a
Relevant Person outsources specific AML tasks of itsMLRO to another individual or a third party provider, including within a corporateGroup , theRelevant Person remains responsible for ensuring compliance with the responsibilities of theMLRO . TheRelevant Person should satisfy itself of the suitability of anyone who acts for it.Derived from RM117/2013 [VER9/07-13]AML 11.3 AML 11.3 Qualities of a MLRO
AML 11.3.1 AML 11.3.1
A
Relevant Person must ensure that itsMLRO has:(a) direct access to its senior management;(b) sufficient resources including, if necessary, an appropriate number of appropriately trainedEmployees to assist in the performance of his duties in an effective, objective and independent manner;(c) a level of seniority and independence within theRelevant Person to enable him to act on his own authority; and(d) timely and unrestricted access to information sufficient to enable him to carry out his responsibilities in Rule 11.4.1.Derived from RM117/2013 [VER9/07-13]AML 11.3.1 Guidance
The
DFSA considers that aRelevant Person will need to consider this Rule when appointing an outsourcedMLRO . Any externalMLRO that is appointed will need to have the actual or effective level of seniority that the role requires.Derived from RM117/2013 [VER9/07-13]AML 11.4 AML 11.4 Responsibilities of a MLRO
AML 11.4.1
A
Relevant Person must ensure that itsMLRO implements and has oversight of and is responsible for the following matters:(a) the day-to-day operations for compliance by theRelevant Person with its AML policies, procedures, systems and controls;(b) acting as the point of contact to receive notifications from theRelevant Person's Employees under AML Rule 13.2.2;(c) taking appropriate action under AML Rule 13.3.1 following the receipt of a notification from anEmployee ;(d) makingSuspicious Activity Reports in accordance with Federal AML legislation;(e) acting as the point of contact within theRelevant Person for competentU.A.E. authorities and theDFSA regarding money laundering issues;(f) responding promptly to any request for information made by competentU.A.E. authorities or theDFSA ;(g) receiving and acting upon any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions described in chapter 10; and(h) establishing and maintaining an appropriate money laundering training programme and adequate awareness arrangements under chapter 12.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 12 AML 12 AML Training and Awareness
AML 12.1 AML 12.1 Training and awareness
AML 12.1.1 AML 12.1.1
A
Relevant Person must(a) provide AML training to all relevantEmployees at appropriate and regular intervals;(b) ensure that its AML training enables itsEmployees to:(i) understand the relevant legislation relating to money laundering, including Federal AML legislation;(ii) understand its policies, procedures, systems and controls related to money laundering and any changes to these;(iii) recognise and deal with transactions and other activities which may be related to money laundering;(iv) understand the types of activity that may constitute suspicious activity in the context of the business in which anEmployee is engaged and that may warrant a notification to theMLRO under AML Rule 13.2.2;(v) understand its arrangements regarding the making of a notification to theMLRO under AML Rule 13.2.2;(vi) be aware of the prevailing techniques, methods and trends in money laundering relevant to the business of theRelevant Person ;(vii) understand the roles and responsibilities ofEmployees in combating money laundering, including the identity and responsibility of theRelevant Person's MLRO and deputy, where applicable; and(viii) understand the relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions described in chapter 10; and(c) ensure that its AML training:(i) is appropriately tailored to theRelevant Person's activities, including its products, services, customers, distribution channels, business partners, level and complexity of its transactions; and(ii) indicates the different levels of money laundering risk and vulnerabilities associated with the matters in (c)(i).Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 12.1.1 Guidance
1. TheDFSA considers it appropriate that all new relevant Employees of aRelevant Person be given appropriate AML training as soon as reasonably practicable after commencing employment with theRelevant Person .2.Relevant Persons should take a risk-based approach to AML training. TheDFSA considers that AML training should be provided by aRelevant Person to each of its relevantEmployees at intervals appropriate to the role and responsibilities of theEmployee . In the case of anAuthorised Firm theDFSA expects that training should be provided to each relevantEmployee at least annually.3. The manner in which AML training is provided by aRelevant Person need not be in a formal classroom setting, rather it may be via an online course or any other similarly appropriate manner.4. A relevantEmployee would include a member of the senior management or operational staff, anyEmployee with customer contact or which handles or may handle customer monies or assets, and any otherEmployee who might otherwise encounter money laundering in the business.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 13 AML 13 Suspicious Activity Reports
AML 13.1 AML 13.1 Application and Definitions
AML 13.1.1 [Deleted]
[deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 13.1.2
In this chapter, "money laundering" and "terrorist financing" mean the criminal offences defined in the Federal AML legislation.
Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 13.2 AML 13.2 Internal Reporting Requirements
AML 13.2.1
A
Relevant Person must establish and maintain policies, procedures, systems and controls in order to monitor and detect suspicious activity or transactions in relation to potential money laundering or terrorist financing.Derived from RM117/2013 [VER9/07-13]AML 13.2.2 AML 13.2.2
A
Relevant Person must have policies, procedures, systems and controls to ensure that whenever anyEmployee , acting in the ordinary course of his employment, either:(a) knows;(b) suspects; or(c) has reasonable grounds for knowing or suspecting;that a person is engaged in or attempting money laundering or terrorist financing, that
Employee promptly notifies theRelevant Person's MLRO and provides theMLRO with all relevant details.Derived from RM117/2013 [VER9/07-13]AML 13.2.2 Guidance
1. Circumstances that might give rise to suspicion or reasonable grounds for suspicion include:a. Transactions which have no apparent purpose, which make no obvious economic sense, or which are designed or structured to avoid detection;b. Transactions requested by a person without reasonable explanation, which are out of the ordinary range of services normally requested or are outside the experience of aRelevant Person in relation to a particular customer;c. where the size or pattern of transactions, without reasonable explanation, is out of line with any pattern that has previously emerged or are deliberately structured to avoid detection;d. where a customer refuses to provide the information requested without reasonable explanation;e. where a customer who has just entered into a business relationship uses the relationship for a single transaction or for only a very short period of time;f. an extensive use of offshore accounts, companies or structures in circumstances where the customer's economic needs do not support such requirements;g. unnecessary routing of funds through third party accounts; orh. unusual transactions without an apparently profitable motive.2. The requirement forEmployees to notify theRelevant Person's MLRO should include situations when no business relationship was developed because the circumstances were suspicious.3. ARelevant Person may allow itsEmployees to consult with their line managers before sending a report to theMLRO . TheDFSA would expect that such consultation does not prevent making a report whenever anEmployee has stated that he has knowledge, suspicion or reasonable grounds for knowing or suspecting that a person may be involved in money laundering. Whether or not anEmployee consults with his line manager or otherEmployees , the responsibility remains with theEmployee to decide for himself whether a notification to theMLRO should be made.4. AnEmployee , including theMLRO , who considers that a person is engaged in or engaging in activity that he knows or suspects to be suspicious would not be expected to know the exact nature of the criminal offence or that the particular funds were definitely those arising from the crime of money laundering or terrorist financing.5.CDD measures form the basis for recognising suspicious activity. Sufficient guidance must therefore be given to theRelevant Person's Employees to enable them to form a suspicion or to recognise when they have reasonable grounds to suspect that money laundering or terrorist financing is taking place. This should involve training that will enable relevantEmployees to seek and assess the information that is required for them to judge whether a person is involved in suspicious activity related to money laundering or terrorist financing.6. A transaction that appears unusual is not necessarily suspicious. Even customers with a stable and predictable transaction profile will have periodic transactions that are unusual for them. Many customers will, for perfectly good reasons, have an erratic pattern of transactions or account activity. So the unusual is, in the first instance, only a basis for further inquiry, which may in turn require judgement as to whether it is suspicious. A transaction or activity may not be suspicious at the time, but if suspicions are raised later, an obligation to report then arises.7. EffectiveCDD measures may provide the basis for recognising unusual and suspicious activity. Where there is a customer relationship, suspicious activity will often be one that is inconsistent with a customer's known legitimate activity, or with the normal business activities for that type of account or customer. Therefore, the key to recognising 'suspicious activity' is knowing enough about the customer and the customer's normal expected activities to recognise when their activity is abnormal.8. ARelevant Person may consider implementing policies and procedures whereby disciplinary action is taken against anEmployee who fails to notify theRelevant Person's MLRO .Derived from RM117/2013 [VER9/07-13]
[Amended] RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 13.3 AML 13.3 Suspicious Activity Report
AML 13.3.1
A
Relevant Person must ensure that where theRelevant Person's MLRO receives a notification under AML Rule 13.2.2, theMLRO , without delay:(a) inquires into and documents the circumstances in relation to which the notification made under AML Rule 13.2.2 was made;(b) determines whether in accordance with Federal AML legislation a Suspicious Activity Report must be made to the FIU and documents such determination;(c) if required, makes a Suspicious Activity Report to the FIU as soon as practicable; and(d) notifies theDFSA of the making of such Suspicious Activity Report immediately following its submission to the FIU.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 13.3.2
Where, following a notification to the
MLRO under 13.2.2, no Suspicious Activity Report is made, aRelevant Person must record the reasons for not making a Suspicious Activity Report.Derived from RM117/2013 [VER9/07-13]AML 13.3.3 AML 13.3.3
A
Relevant Person must ensure that if theMLRO decides to make a Suspicious Activity Report, his decision is made independently and is not subject to the consent or approval of any other person.Derived from RM117/2013 [VER9/07-13]AML 13.3.3 Guidance
1.Relevant Persons are reminded that the failure to report suspicions of money laundering or terrorist financing may constitute a criminal offence that is punishable under the laws of theState .2. SARs under Federal AML legislation should be sent to the FIU via the FIU's electronic system or by other means approved by the FIU.3. In the preparation of a SAR, if aRelevant Person knows or assumes that the funds which form the subject of the report do not belong to a customer but to a third party, this fact and the details of theRelevant Person's proposed course of further action in relation to the case should be included in the report.4. If aRelevant Person has reported a suspicion to the FIU, it must in accordance with the Federal AML legislation provide any additional information requested by the FIU. The FIU may instruct theRelevant Person on how to continue its business relationship, including effecting any transaction with a person. If the customer in question expresses his wish to move the funds before theRelevant Person receives instruction from the FIU on how to proceed, theRelevant Person should immediately contact the FIU for further instructions.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 13.3.4 [Deleted]
Deleted by DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 13.4 AML 13.4 Tipping-off
AML 13.4 Guidance
1.Relevant Persons are reminded that in accordance with Federal AML legisaltion,Relevant Persons or any of theirEmployees must not disclose, directly or indirectly, to theCustomer or to any other person that they have reported, or are intending to report, a suspicious transaction. They also must not disclose information contained in an SAR or the fact that a suspicious transaction is being investigated.2. If aRelevant Person reasonably believes that performingCDD measures will tip-off a customer or potential customer, it may choose not to pursue that process and should file a SAR.Relevant Persons should ensure that theirEmployees are aware of and sensitive to these issues when considering theCDD measures.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 13.5 AML 13.5 Freezing assets
AML 13.5 Guidance
The DFSA has power under the
Regulatory Law to restrict anAuthorised Person from disposing of or transferring property including, for example, assets or other funds suspected of relating to money laundering. It may also apply to theCourt for an order restraining a person from transferring or disposing of any assets suspected of relating to money laundering. In cases involving suspected money laundering, the DFSA will usually take such action in co-ordination with the FIU.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 14 AML 14 General
AML 14.1 AML 14.1 Groups, branches and subsidiaries
AML 14.1.1 AML 14.1.1
(1) ARelevant Person which is aDIFC entity must ensure that its policies, procedures, systems and controls required by Rule 5.2.1 apply to:(a) any of its branches orSubsidiaries ; and(b) any of itsGroup entities in theDIFC .(2) Where the anti-money laundering requirements in another jurisdiction differ from those in theDIFC , theRelevant Person must require itsbranch orSubsidiary in that jurisdiction to apply the higher of the two standards, to the extent permitted by the law of that jurisdiction.(3) Where the law of another jurisdiction does not permit the implementation of policies, procedures, systems and controls that are equivalent to or higher than those that apply to theRelevant Person in theDIFC , theRelevant Person must:(a) inform theDFSA in writing; and(b) apply appropriate additional measures to manage the money laundering risks posed by the relevant branch orSubsidiary .AML 14.1.1 Guidance
A
Relevant Person which is aDIFC entity should conduct a periodic review to verify that any branch orSubsidiary operating in another jurisdiction is in compliance with the obligations imposed under these Rules.Derived from RM117/2013 [VER9/07-13]AML 14.1.2 AML 14.1.2
A
Relevant Person must:(a) communicate the policies and procedures which it establishes and maintains in accordance with these Rules to itsGroup entities, branches andSubsidiaries ; and(b) document the basis for its satisfaction that the requirement in Rule 14.1.1(2) is met.Derived from RM117/2013 [VER9/07-13]AML 14.1.2 Guidance
In relation to an
Authorised Firm , if theDFSA is not satisfied in respect of AML compliance of its branches andSubsidiaries in a particular jurisdiction, it may take action, including making it a condition on theAuthorised Firm's Licence that it must not operate a branch orSubsidiary in that jurisdiction.Derived from RM117/2013 [VER9/07-13]AML 14.2 AML 14.2 Group policies
AML 14.2.1
A
Relevant Person which is part of aGroup must ensure that it:(a) has developed and implemented policies and procedures for the sharing of information betweenGroup entities, including the sharing of information relating toCustomer Due Diligence and money laundering risks;(b) has in place adequate safeguards on the confidentiality and use of information exchanged between Group entities, including consideration of relevant data protection legislation;(c) remains aware of the money laundering risks of theGroup as a whole and of its exposure to theGroup and takes active steps to mitigate such risks;(d) contributes to aGroup -wide risk assessment to identify and assess money laundering risks for theGroup ; and(e) provides itsGroup -wide compliance, audit and AML functions with customer account and transaction information from branches and subsidiaries when necessary for AML purposes.AML 14.3 AML 14.3 Notifications
AML 14.3.1
A
Relevant Person must inform theDFSA in writing as soon as possible if, in relation to its activities carried on in or from theDIFC or in relation to any of its branches orSubsidiaries , it:(a) receives a request for information from a regulator or agency responsible for AML, counter-terrorism financing, or sanctions regarding enquiries into potential money laundering or terrorist financing or sanctions breaches;(b) becomes aware, or has reasonable grounds to believe, that a money laundering event has occurred or may have occurred in or through its business;(c) becomes aware of any money laundering or sanctions matter in relation to theRelevant Person or a member of itsGroup which could result in adverse reputational consequences to theRelevant Person ; or(d) becomes aware of a significant breach of a Rule in this module or a breach of Federal AML legislation by theRelevant Person or any of its Employees.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 14.4 AML 14.4 Record keeping
AML 14.4.1
A
Relevant Person must maintain the following records:(a) a copy of all documents and information obtained in undertaking initial and ongoingCustomer Due Diligence ;(b) records (consisting of the original documents or certified copies) in respect of the customer business relationship, including:(i) business correspondence and other information relating to a customer's account;(ii) sufficient records of transactions to enable individual transactions to be reconstructed; and(iii) internal findings and analysis relating to a transaction or any business, such as if thetransaction or business is unusual or suspicious, whether or not it results in aSuspicious Activity Report ;(c) notifications made under AML Rule 13.2.2};(d) Suspicious Activity Reports and any relevant supporting documents and information, including internal findings and analysis;(e) any relevant communications with the FIU;(f) the documents in AML Rule 14.4.2; and(g) any other matter that theRelevant Person is expressly required to record under these Rules,for at least six years from the date on which the notification or report was made, the business relationship ends or the transaction is completed, whichever occurs last.
Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]
AML 14.4.1A
A
Relevant Person must provide to theDFSA or a law enforcement agency immediately on request a copy of a record referred to in AML Rule 14.4.1.Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]AML 14.4.2 AML 14.4.2
A Relevant Person must document, and provide to the
DFSA immediately on request, any of the following:(a) the risk assessment of its business undertaken under Rule 5.1.1;(b) how the assessment in (a) was used for the purposes of complying with Rule 6.1.1(1);(c) the risk assessment of the customer undertaken under Rule 6.1.1(1)(a); and(d) the determination made under Rule 6.1.1(1)(b).AML 14.4.2 Guidance
1. The records required to be kept under AML Rule 14.4.1 may be kept in electronic format, provided that such records are readily accessible and available to respond promptly to anyDFSA requests for information.Authorised Persons are reminded of their obligations in GEN Rule 5.3.24.2. If the date on which the business relationship with a customer has ended remains unclear, it may be taken to have ended on the date of the completion of the last transaction.3. The records maintained by aRelevant Person should be kept in such a manner that:a. theDFSA or another competent authority is able to assess the Relevant Person's compliance with legislation applicable in theDIFC ;b. any transaction which was processed by or through theRelevant Person on behalf of a customer or other third party can be reconstructed;c. any customer or third party can be identified; andd. theRelevant Person can satisfy without delay any regulatory enquiry or court order to disclose information.4. TheDFSA would ordinarily expect a Relevant Person to be able to provide a copy of a record or assessment referred to in AML Rule 14.4.1 or AML Rule 14.4.2 within 24 hours of a request by theDFSA . However, if a request is complex or if records are kept outside theDIFC as set out in AML Rule 14.4.3, theDFSA may allow further time to comply with the request.AML 14.4.3
Where the records referred to in Rule 14.4.1 are kept by the
Relevant Person outside theDIFC , aRelevant Person must:(a) take reasonable steps to ensure that the records are held in a manner consistent with these Rules;(b) ensure that the records are easily accessible to theRelevant Person ; and(c) upon request by theDFSA , ensure that the records are immediately available for inspection.AML 14.4.4
A
Relevant Person must:(a) verify if there is secrecy or data protection legislation that would restrict access without delay to the records referred to in Rule 14.4.1 by theRelevant Person , theDFSA or the law enforcement agencies of theU.A.E. ; and(b) where such legislation exists, obtain without delay certified copies of the relevant records and keep such copies in a jurisdiction which allows access by those persons in (a).Derived from RM117/2013 [VER9/07-13]AML 14.4.5 AML 14.4.5
A Relevant Person must be able to demonstrate that it has complied with the training and awareness requirements in chapter 12 through appropriate measures, including the maintenance of relevant training records.
Derived from RM117/2013 [VER9/07-13]AML 14.4.5 Guidance
1. In complying with Rule 14.4.3,Authorised Persons are reminded of their obligations in GEN Rule 5.3.24.2. TheDFSA considers that "appropriate measures" in Rule 14.4.5 may include the maintenance of a training log setting out details of:a. the dates when the training was given;b. the nature of the training; andc. the names ofEmployees who received the training.Derived from RM117/2013 [VER9/07-13]AML 14.5 AML 14.5 Annual AML Return
AML 14.5.1 AML 14.5.1
A
Relevant Person must complete the AML Return form inAFN and submit it to theDFSA by the end of September each year. The annual AML Return must cover the period from 1 August of the previous year to 31 July of the reporting year.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]
[Amended] DFSA RM177/2016 (Made 19th June 2016) [VER12/08-16]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 14.5.1 Guidance
Relevant Persons should be aware of their obligation under Cabinet Decision No. 10 of 2019 to prepare and submit semi-annual reports to their senior management, and to send a copy of those reports, with senior management remarks and decisions, to the relevant Supervisory Authority.Derived from DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]Transitional
AML 14.5.2 AML 14.5.2
A
Relevant Person must:(a) for its financial year ending in 2016, complete and submit the AML Return form under AML Rule 14.5.1 within four months of its financial year end and the return must cover that financial year; and(b) for the 2017 calendar year, complete and submit the AML Return form by the end of September 2017 and the return must cover the period from 1 August 2016 until 31 July 2017.Derived from DFSA RM177/2016 (Made 19th June 2016) [VER12/08-16]AML 14.5.2 Guidance
In respect of a financial year ending in 2016, a
Relevant Person must submit its AML Return four months after its financial year end. For the 2017 calendar year, it must report for the period 1 August 2016 to 31 July 2017. For someRelevant Persons , this may result in an overlap of periods covered by each return.Derived from DFSA RM177/2016 (Made 19th June 2016) [VER12/08-16]AML 14.6 AML 14.6 Communication with the DFSA
AML 14.6.1
A
Relevant Person must:(a) be open and cooperative in all its dealings with theDFSA ; and(b) ensure that any communication with theDFSA is conducted in the English language.Derived from RM117/2013 [VER9/07-13]AML 14.7 AML 14.7 Employee Disclosures
AML 14.7.1 AML 14.7.1
A
Relevant Person must ensure that it does not prejudice anEmployee who discloses any information regarding money laundering to theDFSA or to any other relevant body involved in the prevention of money laundering.Derived from RM117/2013 [VER9/07-13]AML 14.7.1 Guidance
The
DFSA considers that "relevant body" in Rule 14.7.1 would include the FIU or another financial intelligence unit, the police, or a Dubai or Federal ministry.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]
[Amended] DFSA RM258/2019 (Made 26th June 2019). [VER16/07-19]AML 14.8 AML 14.8 Decision making procedures
AML 14.8.1 AML 14.8.1
The procedures in Schedule 3 to the Regulatory Law apply to a decision of the DFSA to impose an administrative penalty under Article 14(1) of Federal Law No. 20 of 2018.
Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]AML 14.8.2 AML 14.8.2
If the DFSA decides to exercise its power under Article 14(1) of Federal Law No. 20 of 2018 in relation to a person, the person may refer the matter to the FMT for review.
Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]AML 14.8.2 Guidance
The Rules in this section apply where the DFSA makes a decision to impose an administrative penalty under Federal Law No. 20 of 2018. The administrative penalties referred to in that Article include fines, bans from working in a sector, suspension or restriction of activities and other measures. The DFSA may also impose sanctions under DIFC laws, for example, under Article 90 of the Regulatory Law, in which case, the relevant provision will specify the procedures that apply.
Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]AML 15 AML 15 DNFBP Registration and Supervision
AML 15 Guidance
1. ADNFBP should ensure that it complies with and has regard to relevant provisions of the Regulatory Law. The Regulatory Law gives theDFSA a power to superviseDNFBPs' compliance with relevant AML laws in theState . TheRegulatory Law requires aDNFBP to be registered by theDFSA to conduct its activities in theDIFC . AML Rule 15.1.2 sets out the criteria aDNFBP must meet to be registered. The Regulatory Law also gives theDFSA a number of other important powers in relation toDNFBPs , including powers of enforcement. This includes a power to obtain information and to conduct investigations into possible breaches of the Regulatory Law. TheDFSA may also impose fines for breaches of the Regulatory Law or the Rules. It may also suspend or withdraw the registration of a DNFBP in various circumstances.2. TheDFSA takes a risk-based approach to regulation of persons which it supervises. Generally, theDFSA will work withDNFBPs to identify, assess, mitigate and control relevant risks where appropriate. RPP describes theDFSA's enforcement powers under the Regulatory Law and outlines its policy for using these powers.3. AML Rule 3.2.1 defines a DNFBP by setting out a list of businesses or professions which, if carried on in or from theDIFC , constitute a DNFBP.4. In determining if a person is carrying on a business or profession in theDIFC that falls within the DNFBP definition, the DFSA will adopt a 'substance over form' approach. That is, it will consider what business or profession is in fact being carried on, and its main characteristics, and not just what business or profession the person purports, or is licensed, to carry on in theDIFC .5. The DFSA considers that "a law firm, notary firm or other independent legal business" in paragraph (1)(d) of the DNFBP definition, includes any business or profession that involves a legal service, including advice or services related to laws in the State or other jurisdictions. The DFSA does not consider it necessary for the purposes of the definition that:a. the relevant person is licensed to provide legal services in the State; orb. the individuals or employees providing the legal service are qualified or authorised to do so, whether in the State or in any other jurisdiction.6. The DFSA considers that "an accounting firm, audit firm or insolvency firm" in paragraph (1)(e) of the DNFBP definition, includes forensic accounting services that use accounting skills, principles and techniques to investigate suspected illegal activity or to analyse financial information for use in legal proceedings.7. The DFSA would also consider a tax advisory business carried on in or from theDIFC to be a DNFBP as it is likely to involve elements of both legal and accounting services i.e. advice on taxation law and the use of accounting skills to analyse financial records, and so fall within either paragraph (1)(d) or (e) of the DNFBP definition.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.1 AML 15.1 Registration and Notifications
AML 15.1.1
An applicant for registration as a
DNFBP must apply to theDFSA by completing and submitting the appropriate form in theAFN Sourcebook.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.1.2
(1) To be registered as a
DNFBP , an applicant must demonstrate to theDFSA 's satisfaction that:(a) it is fit and proper to perform anti-money laundering functions; and(b) it has adequate resources and systems and controls, including policies and procedures, to comply with applicable anti-money laundering requirements under FederalAML legislation, theRegulatory Law and theseRules .(2) In assessing if an applicant is fit and proper under (1)(a), the
DFSA may, without limiting the matters it may take into account under that paragraph, consider the applicant, its senior management, its beneficial owners, other entities in itsGroup and any other person with whom it has a relationship.(3) The
DFSA will in assessing if an applicant is fit and proper, consider the cumulative effect of matters that, if taken individually, may be regarded as insufficient to give reasonable cause to doubt the fitness and propriety of the applicant.Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]Annual Information Return
Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.1.3
A
DNFBP must complete the annual information return inAFN for each calendar year and submit the return to theDFSA by 31 January of the following year.Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]Notification of changes
Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.1.4
A
DNFBP must promptly notify theDFSA of any change in its:(a) name;(b) legal status;(c) address;(d)MLRO ; or(e) senior management; or.(f) beneficial ownership.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2 AML 15.2 Request to withdraw registration
Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2.1 AML 15.2.1
(1) A
DNFBP must notify theDFSA in writing 14 days in advance of it ceasing to carry on itsDNFBP business activities in or from theDIFC .(2) The notice must include a request to cancel its registration, an explanation of the reason for it ceasing business, and attached copies of any relevant documents.
Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2.1 Guidance
1. ADNFBP may request the withdrawal of its registration because, for example, it no longer meets the definition of aDNFBP , becomes insolvent or enters into administration, or proposes to leave theDIFC .2. In addition to being able to withdraw registration at aDNFBP 's request, theDFSA may suspend or withdraw the registration of aDNFBP on its own initiative in various circumstances (see Article 71F of theRegulatory Law ).Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]
[Amended] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2.2 [Deleted]
[Deleted] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2.3 [Deleted]
[Deleted] DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.2.4 [Deleted]
[Deleted] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]AML 15.2.5 [Deleted]
[Deleted] DFSA RM132/2014 (Made 21st August 2014). [VER10/06-14]AML 15.3 AML 15.3 Disclosure of regulatory status
AML 15.3.1
A
DNFBP must not:(a) misrepresent its regulatory status with respect to theDFSA expressly or by implication; or(b) use or reproduce theDFSA logo without express written permission from theDFSA and in accordance with any conditions for use.Derived from RM117/2013 [VER9/07-13]AML 15.4 AML 15.4 Transitional
Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.4.1 AML 15.4.1
(1) This
Rule applies to aPerson who, immediately before the commencement date, was registered as aDNFBP , other than aPerson who was registered as aDNFBP by reason only of being a dealer in any saleable item of a price equal to or greater than $15,000. (2) ThePerson is on the commencement date taken to continue to be registered by theDFSA as aDNFBP . (3) ThePerson must, by no later than the end of the transitional period, certify in writing to theDFSA :(a) that it continues to carry on itsDNFBP business or profession in or from theDIFC ;(b) the names of the individuals who comprise its senior management;(c) details of its beneficial owners;(d) the name of the individual it has appointed asMLRO ; and(e) that it has in place adequate resources and systems and controls to comply with applicable anti-money laundering requirements under the Law, theseRules and Federal AML legislation.(4) The
DFSA may require the certification in (3) to be in such form and verified in such manner as it thinks fit.(5) In this
Rule :(a) "commencement date" means the day on which the Regulatory Law Amendment Law 2018 comes into force; and(b) "transitional period" means the period starting on the commencement date and ending three months after that date.Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 15.4.1 Guidance
If a
DNFBP fails to provide the duly completed certification to theDFSA by the end of the transitional period, it will contravene theseRules . TheDFSA may because of that failure take steps to suspend or withdraw theDNFBP 's registration.Derived from DFSA RM223/2018 (Made 18th April 2018). [VER14/07-18]AML 16 AML 16 Transitional Rules
AML 16.1 AML 16.1 Application
AML 16.1.1
This chapter applies to every person to whom a provision of the Previous Regime applied.
Derived from RM117/2013 [VER9/07-13]AML 16.1.2
For the purposes of this chapter:
(a) "Ancillary Service Provider " has the meaning that it had under the Previous Regime;(b) "Commencement Date" means 14 July 2013;(c) "Current Regime" means the Rules in force on the Commencement Date;(d) "DNFBP " has the meaning that it had in DNF chapter 2 under the Previous Regime; and(e) "Previous Regime" means the Rules that were in force immediately prior to the Commencement Date.Derived from RM117/2013 [VER9/07-13]
[Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]AML 16.2 AML 16.2 General
AML 16.2.1
A
Relevant Person must continue to maintain any records required to be maintained under the Previous Regime until such time as the requirement to hold such record would have expired had the Previous Regime still been in force.Derived from RM117/2013 [VER9/07-13]AML 16.3 AML 16.3 Specific relief — Ancillary Service Provider and DNFBPs
AML 16.3.1
A person who, immediately prior to the Commencement Date, was an
Ancillary Service Provider or was registered as aDNFBP is deemed, on the Commencement Date, to be registered as aDNFBP for the purposes of the Current Regime.Derived from RM117/2013 [VER9/07-13]