AML 8 Reliance and Outsourcing
Derived from RM117/2013 [VER9/07-13]

AML 8.1 Reliance on a third party
AML 8.1.1
(1) A Relevant Person may rely on the following third parties to conduct one or more elements of Customer Due Diligence on its behalf:
    (a) an Authorised Person;
    (b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;
    (c) a Financial Institution; or
    (d) a member of the Relevant Person's Group.
(2) In (1), a Relevant Person may rely on the information previously obtained by a third party which covers one or more elements of Customer Due Diligence.
(3) Where a Relevant Person seeks to rely on a person in (1) it may only do so if and to the extent that:
    (a) it immediately obtains the necessary Customer Due Diligence information from the third party in (1);
    (b) it takes adequate steps to satisfy itself that certified copies of the documents used to undertake the relevant elements of Customer Due Diligence will be available from the third party on request without delay;
    (c) if a person in (1)(b) to (d) is in another country, the person is:
        (i) subject to requirements in relation to customer due diligence and record keeping which meet the standards set out in the FATF Recommendations; and
        (ii) supervised for compliance with those requirements in a manner that meets the standards for regulation and supervision set out in the FATF Recommendations;
    (d) the person in (1) has not relied on any exception from the requirement to conduct any relevant elements of Customer Due Diligence which the Relevant Person seeks to rely on; and
    (e) in relation to (2), the information is up to date.
(4) Where a Relevant Person relies on a member of its Group, such Group member need not meet the condition in (3)(c) if:
    (a) the Group applies and implements a Group-wide policy on customer due diligence, record keeping, Politically Exposed Persons and AML programmes which meets the standards set out in the FATF Recommendations; and
    (b) where the effective implementation of those Customer Due Diligence, record keeping and PEP requirements and AML programmes are supervised at Group level by a Financial Services Regulator or other competent authority in a country, the supervision and regulation meets the standards set out in the FATF Recommendations.
(5) If a Relevant Person is not reasonably satisfied that a customer or Beneficial Owner has been identified and verified by a third party in a manner consistent with these Rules, the Relevant Person must immediately perform the Customer Due Diligence itself with respect to any deficiencies identified.
(6) Notwithstanding the Relevant Person's reliance on a person in (1), the Relevant Person remains responsible for compliance with, and liable for any failure to meet the Customer Due Diligence requirements in this module.
AML 8.1.1 Guidance
1. In complying with AML Rule 8.1.1(3)(a), "immediately obtaining the necessary CDD information" means obtaining all relevant CDD information, and not just basic information such as name and address. Compliance can be achieved by having that relevant information sent by email or other appropriate means. For the avoidance of doubt, a Relevant Person is not required automatically to obtain the underlying certified documents used by the third party to undertake its CDD. A Relevant Person must, however, under AML Rule 8.1.1(3)(b) ensure that the certified documents are readily available from the third party on request.
2. The DFSA would expect a Relevant Person, in complying with AML Rule 8.1.1(5), to fill any gaps in the CDD process as soon as it becomes aware that a customer or Beneficial Owner has not been identified and verified in a manner consistent with these Rules.
3. If a Relevant Person acquires another business, either in whole or in part, the DFSA would permit the Relevant Person to rely on the CDD conducted by the business it is acquiring but would expect the Relevant Person to have done the following:
    a. as part of its due diligence for the acquisition, to have taken a reasonable sample of the prospective customers to assess the quality of the CDD undertaken; and
    b. to undertake CDD on all the customers to cover any deficiencies identified in a. as soon as possible following the acquisition, prioritising high risk customers.
4. Where a particular jurisdiction's laws (such as secrecy or data protection legislation) would prevent a Relevant Person from having access to CDD information upon request without delay as referred to in AML Rule 8.1.1(3)(b), the Relevant Person should undertake the relevant CDD itself and should not seek to rely on the relevant third party.
5. If a Relevant Person relies on a third party located in a foreign jurisdiction to conduct one or more elements of CDD on its behalf, the Relevant Person must ensure that the foreign jurisdiction has AML regulations that are equivalent to the standards in the FATF Recommendations (see AML Rule 8.1.1(3)(c) and AML Rule 8.1.2).
(1) When assessing under AML Rule 8.1.1(3)(c) or (4) if requirements, supervision or regulation in another jurisdiction meet FATF standards, a Relevant Person must take into account factors including, among other things:
    (a) mutual evaluations, assessment reports or follow-up reports published by FATF, the IMF, the World Bank, the OECD or other International Organisations;
    (b) membership of FATF or other international or regional groups such as the MENAFATF or the Gulf Co-operation Council;
    (c) contextual factors such as political stability or the level of corruption in the jurisdiction;
    (d) evidence of recent criticism of the jurisdiction, including in:
        (i) FATF advisory notices;
        (ii) public assessments of the jurisdiction's AML regime by organisations referred to in (a); or
        (iii) reports by other relevant non-government organisations or specialist commercial organisations; and
    (e) whether adequate arrangements exist for co-operation between the AML regulator in that jurisdiction and the DFSA.
A Relevant Person making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.
A Relevant Person must keep adequate records of how it made its assessment, including the sources and materials considered.
Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]

AML 8.2 Outsourcing
AML 8.2.1
A Relevant Person which outsources any one or more elements of its Customer Due Diligence to a service provider (including within its Group) remains responsible for compliance with, and liable for any failure to meet, such obligations.
Derived from RM117/2013 [VER9/07-13]
AML 8.2.1 Guidance
1. Prior to appointing an outsourced service provider to undertake CDD, a Relevant Person should undertake appropriate due diligence to assure itself of the suitability of the outsourced service provider and should ensure that the outsourced service provider's obligations are clearly documented in a binding agreement.
2. An Authorised Person should be mindful of its obligations regarding outsourcing set out in GEN Rules 5.3.21 and 5.3.22.
Derived from RM117/2013 [VER9/07-13]

AML 8.3 Money Service Providers
AML 8.3.1
(1) An Authorised Firm that Provides Money Services must:
    (a) maintain a complete, current and accurate register of all agents it uses to conduct its Money Services business and make the register available to the DFSA upon request;
    (b) include all agents referred to in (a) as part of its AML compliance programme and monitor agents’ compliance with the programme;
    (c) comply with all applicable AML requirements in the jurisdictions in which it operates, whether directly or through the use of agents;
    (d) when executing Payment Transactions, assess and consider all relevant information including information about the payer, payee and any beneficiary, as applicable, to determine whether a Suspicious Activity Report should be made; and
    (e) if appropriate, make a Suspicious Activity Report in any jurisdiction impacted or connected to a suspicious Payment Transaction, and make available relevant transaction information to the authorities responsible for AML compliance in the relevant jurisdiction.
(2) An Authorised Firm making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.
(3) An Authorised Firm must keep adequate records of how it made its assessment under (1), including the sources and materials considered.
Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]