Entire Section

  • AML 8 AML 8 Reliance and Outsourcing

    Derived from RM117/2013 [VER9/07-13]

    • AML 8.1 AML 8.1 Reliance on a third party

      • AML 8.1.1 AML 8.1.1

        (1) A Relevant Person may rely on the following third parties to conduct one or more elements of Customer Due Diligence on its behalf:
        (a) an Authorised Person;
        (b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;
        (c) a Financial Institution; or
        (d) a member of the Relevant Person's Group.
        (2) In (1), a Relevant Person may rely on the information previously obtained by a third party which covers one or more elements of Customer Due Diligence.
        (3) Where a Relevant Person seeks to rely on a person in (1) it may only do so if and to the extent that:
        (a) it immediately obtains the necessary Customer Due Diligence information from the third party in (1);
        (b) it takes adequate steps to satisfy itself that certified copies of the documents used to undertake the relevant elements of Customer Due Diligence will be available from the third party on request without delay;
        (c) if a person in (1)(b) to (d) is in another country, the person is:
        (i) subject to requirements in relation to customer due diligence and record keeping which meet the standards set out in the FATF Recommendations; and
        (ii) supervised for compliance with those requirements in a manner that meets the standards for regulation and supervision set out in the FATF Recommendations;
        (d) the person in (1) has not relied on any exception from the requirement to conduct any relevant elements of Customer Due Diligence which the Relevant Person seeks to rely on; and
        (e) in relation to (2), the information is up to date.
        (4) Where a Relevant Person relies on a member of its Group, such Group member need not meet the condition in (3)(c) if:
        (a) the Group applies and implements a Group-wide policy on customer due diligence, record keeping, Politically Exposed Persons and AML programmes which meets the standards set out in the FATF Recommendations; and
        (b) where the effective implementation of those Customer Due Diligence, record keeping and PEP requirements and AML programmes are supervised at Group level by a Financial Services Regulator or other competent authority in a country, the supervision and regulation meets the standards set out in the FATF Recommendations.
        (5) If a Relevant Person is not reasonably satisfied that a customer or Beneficial Owner has been identified and verified by a third party in a manner consistent with these Rules, the Relevant Person must immediately perform the Customer Due Diligence itself with respect to any deficiencies identified.
        (6) Notwithstanding the Relevant Person's reliance on a person in (1), the Relevant Person remains responsible for compliance with, and liable for any failure to meet the Customer Due Diligence requirements in this module.
        Derived from RM117/2013 [VER9/07-13]
        [Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
        [Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]

        • AML 8.1.1 Guidance

          1. In complying with AML Rule 8.1.1(3)(a), "immediately obtaining the necessary CDD information" means obtaining all relevant CDD information, and not just basic information such as name and address. Compliance can be achieved by having that relevant information sent by email or other appropriate means. For the avoidance of doubt, a Relevant Person is not required automatically to obtain the underlying certified documents used by the third party to undertake its CDD. A Relevant Person must, however, under AML Rule 8.1.1(3)(b) ensure that the certified documents are readily available from the third party on request.
          2. The DFSA would expect a Relevant Person, in complying with AML Rule 8.1.1(5), to fill any gaps in the CDD process as soon as it becomes aware that a customer or Beneficial Owner has not been identified and verified in a manner consistent with these Rules.
          3. If a Relevant Person acquires another business, either in whole or in part, the DFSA would permit the Relevant Person to rely on the CDD conducted by the business it is acquiring but would expect the Relevant Person to have done the following:
          a. as part of its due diligence for the acquisition, to have taken a reasonable sample of the prospective customers to assess the quality of the CDD undertaken; and
          b. to undertake CDD on all the customers to cover any deficiencies identified in a. as soon as possible following the acquisition, prioritising high risk customers.
          4. Where a particular jurisdiction's laws (such as secrecy or data protection legislation) would prevent a Relevant Person from having access to CDD information upon request without delay as referred to in AML Rule 8.1.1(3)(b), the Relevant Person should undertake the relevant CDD itself and should not seek to rely on the relevant third party.
          5. If a Relevant Person relies on a third party located in a foreign jurisdiction to conduct one or more elements of CDD on its behalf, the Relevant Person must ensure that the foreign jurisdiction has AML regulations that are equivalent to the standards in the FATF Recommendations (see AML Rule 8.1.1(3)(c) and AML Rule 8.1.2).
          Derived from RM117/2013 [VER9/07-13]
          [Amended] DFSA RM196/2016 (Made 7th December 2016). [VER13/02-17]
          [Amended] DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]

      • AML 8.1.2

        (1) When assessing under AML Rule 8.1.1(3)(c) or (4) if requirements, supervision or regulation in another jurisdiction meet FATF standards, a Relevant Person must take into account factors including, among other things:

        (a) mutual evaluations, assessment reports or follow-up reports published by FATF, the IMF, the World Bank, the OECD or other International Organisations;
        (b) membership of FATF or other international or regional groups such as the MENAFATF or the Gulf Co-operation Council;
        (c) contextual factors such as political stability or the level of corruption in the jurisdiction;
        (d) evidence of recent criticism of the jurisdiction, including in:
        (i) FATF advisory notices;
        (ii) public assessments of the jurisdiction's AML regime by organisations referred to in (a); or
        (iii) reports by other relevant non-government organisations or specialist commercial organisations; and
        (e) whether adequate arrangements exist for co-operation between the AML regulator in that jurisdiction and the DFSA.

        (2) A Relevant Person making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.

        (3) A Relevant Person must keep adequate records of how it made its assessment, including the sources and materials considered.

        Derived from DFSA RM231/2018 (Made 6th June 2018) [VER15/07-18]

    • AML 8.2 AML 8.2 Outsourcing

      • AML 8.2.1 AML 8.2.1

        A Relevant Person which outsources any one or more elements of its Customer Due Diligence to a service provider (including within its Group) remains responsible for compliance with, and liable for any failure to meet, such obligations.

        Derived from RM117/2013 [VER9/07-13]

        • AML 8.2.1 Guidance

          1. Prior to appointing an outsourced service provider to undertake CDD, a Relevant Person should undertake appropriate due diligence to assure itself of the suitability of the outsourced service provider and should ensure that the outsourced service provider's obligations are clearly documented in a binding agreement.
          2. An Authorised Person should be mindful of its obligations regarding outsourcing set out in GEN Rules 5.3.21 and 5.3.22.
          Derived from RM117/2013 [VER9/07-13]

    • AML 8.3 AML 8.3 Money Service Providers

      • AML 8.3.1

        (1) An Authorised Firm that Provides Money Services must:
        (a) maintain a complete, current and accurate register of all agents it uses to conduct its Money Services business and make the register available to the DFSA upon request;
        (b) include all agents referred to in (a) as part of its AML compliance programme and monitor agents’ compliance with the programme;
        (c) comply with all applicable AML requirements in the jurisdictions in which it operates, whether directly or through the use of agents;
        (d) when executing Payment Transactions, assess and consider all relevant information including information about the payer, payee and any beneficiary, as applicable, to determine whether a Suspicious Activity Report should be made; and
        (e) if appropriate, make a Suspicious Activity Report in any jurisdiction impacted or connected to a suspicious Payment Transaction, and make available relevant transaction information to the authorities responsible for AML compliance in the relevant jurisdiction.
        (2) An Authorised Firm making an assessment under (1) must rely only on sources of information that are reliable and up-to-date.
        (3) An Authorised Firm must keep adequate records of how it made its assessment under (1), including the sources and materials considered.
        Derived from DFSA RMI271/2020 (Made 26th February 2020). [VER17/04-20]