Customer Due Diligence Requirements (CBUAE 2023)

Financial institutions are required to adhere to customer due diligence (CDD) requirements as per the Federal Decretal-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, specifically Article 8.

The minimum CDD requirements include:

• Identifying and verifying the identity of the customer.
• Identifying and verifying, on a risk-based approach, the beneficial owner and any other third parties involved in the relationship, especially when the customer is not the beneficial owner of the funds/assets to be used in the transaction, and when the beneficial owner owns or controls 25% or more of the company.
• Understanding the ownership and corporate structure of the customer, particularly when the customer is a company, a complex structure, or any other legal entity such as a trust or charity.
• Obtaining information on the purpose and nature of the business relationship.
• Keeping all CDD information up to date and monitoring the account and relationship against the expected profile.

When should CDD be undertaken?

Financial institutions should conduct CDD measures in the following cases:

1. Establishing the business relationship.
2. Carrying out occasional transactions in favor of a customer for amounts equal to or exceeding AED 55,000, whether the transaction is carried out in a single transaction or in several transactions that appear to be linked.
3. Carrying out occasional transactions in the form of Wire Transfers for amounts equal to or exceeding AED 3,500.
4. Where there is a suspicion of a crime.
5. Where there are doubts about the veracity or adequacy of previously obtained customer's identification data.

For natural persons, the following details should be collected as part of the CDD requirements:

• Name (as in the identification card or travel document), nationality, address, place of birth, name and address of employer.
• Attach a copy of the original and valid identification card or travel document.
• Obtain approval from the senior management if the customer or the beneficial owner is a politically exposed person (PEP).

Companies and structures presenting a higher level of risk include:

• Companies that can be incorporated without the identity of the ultimate beneficial owners being known.
• Companies that can be incorporated in one jurisdiction where they have no physical presence and operate in another jurisdiction.
• Companies where a corporate service provider acts as the nominee of shareholders' and directors' companies issuing bearer shares.
• Corporate entities, such as special purpose vehicles linked to trusts, that can enhance vulnerabilities.

Additional risks arise with companies operating in the following sectors:

• Money services businesses (money exchangers and remitters).
• Real estate.
• Dealers in high-value goods such as precious metals and stones.

To manage additional risks, all companies or partnerships and their beneficial owners should be brought under the ambit of full CDD procedures, and additional CDD information should be obtained on the nature of the business undertaken.

Account opening for registered and private companies in Dubai requires the following information:

• Full legal name.
• Registered company number, if applicable.
• Registered office address in the country of incorporation.
• Business address.
• Nature of the company's business.
• Completion of the account opening form.

Documents required to evidence the company are:

• Certificate of incorporation.
• Board resolution or mandate to open an account.
• Memorandum of articles and association.
• Registration of address.
• Company structure.
• Ownership and beneficial ownership.
• Names of all directors, controllers, and signatories.
• Latest audited accounts (otherwise management accounts; for new companies, financial projections should be sought).

For private companies and unincorporated businesses, the following documents are required:

• Certified certificate of incorporation.
• Names of beneficial owners holding over 25% of the shares.
• Completed beneficial owners holding over 25% of the shares.
• Source of wealth statement for PEPs and beneficial owners.
• Identification of controllers and/or directors, and signatories (i.e., passports and proof of address).
• Certified list of signatures.

Politically exposed persons (PEPs) are classified as higher risk, and additional inquiries and due diligence measures should be undertaken for accounts and relationships involving PEPs. This includes establishing the source of wealth and the source of funds to be used in the relationship. Documents required for PEPs include a certified passport, proof of address, statement of source of wealth, and media articles on the customer as part of screening.

For customers categorized as PEPs, their accounts should be subject to additional review every month as part of the enhanced due diligence process. The results of these reviews should be recorded in the customer file and signed off by the compliance officer and senior management. Prior approval of the general manager is required for opening new accounts for PEPs from foreign countries or where there are concerns about the domestic/international PEP.

Risk pertaining to cash transactions:

Cash transactions, particularly large cash transactions, present a risk to financial institutions (FIs) as there is little or no supporting information to substantiate the source of funds. Accordingly, transactions involving cash should be subject to additional scrutiny, especially in cases where the transaction is not consistent with the FI's knowledge of the customer. Any questionable activity must be examined to establish the source of funds and/or wealth, if appropriate, and to determine and document the reason for the cash transaction. Third parties depositing cash into customer accounts should be asked to provide documentary evidence of their link to the account holder.

Managers and department managers should be aware of customers whose businesses are cash-intensive, such as retail outlets or restaurants, and this information should be included in the customer profile. The FI should, based on discussions with the customer, understand the expected size and frequency of cash deposits made by customers. Cash transactions should be reasonable for the customer's business, based on knowledge of the customer, and cash transactions that appear inconsistent with the FI's knowledge of the customer should be subject to review.

In addition, large and frequent foreign currency cash transactions are potentially suspicious, particularly if they are inconsistent with the customer's business activities. If, on a single day, the established cash limit is exceeded, or if there is no such limit and cash transactions exceed the legal threshold or its equivalent, then the staff should review the transactions at the end of the day to confirm that no suspicious activity is involved. Cash transactions conducted by customers that exceed the legislated threshold are to be reported to the financial intelligence unit.

Enhanced due diligence and monitoring of higher-risk accounts:

Enhanced due diligence (EDD) and enhanced account monitoring procedures should be put in place to oversee accounts that are considered high risk, such as accounts of politically exposed persons (PEPs), correspondent banking accounts, and those related to trade finance.

CDD, EDD, and Ongoing Monitoring for NPPS:

As innovative technologies emerge and commerce and economic activity increasingly grow online, merchants and consumers are relying on a diverse array of New Payment Products and Services (NPPS). NPPS are new and innovative payment products and services that offer an alternative to traditional financial services. Examples of NPPS include prepaid cards, mobile payments, and internet-based payment services.

Under Article 5 of the AML-CFT Decision, FIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. FIs must perform, no matter the customer type, all the elements of CDD required, which include customer identification and verification, beneficial owner identification, understanding of the nature of the customer's business and purpose of the business relationship, and ongoing monitoring.

In addition to these mandatory elements, FIs should consider the following additional elements of CDD that are particularly important in the context of NPPS:

• User identification and verification: Many NPPS involve digital onboarding and identification methods. FIs must take appropriate steps to ensure they fully understand the customer and verify their identity using approved methods.
• Use of IP addresses and geographical (spatial and temporal) locators: FIs should utilize geographical location tools to understand the geographic risk they might be exposed to by their customers. Additional authentication or verification may be required for customers accessing services from different IP addresses or countries.
• Merchant due diligence: Merchants using NPPS should undergo CDD to understand the nature of their business and expected transaction volumes. FIs should assess the merchant's financial and payments operations and be vigilant of fraudulent practices.

As per Article 7 of the AML-CFT Decision, all customers must be subject to ongoing monitoring to ensure that CDD information on file is accurate, complete, and up-to-date, and to ensure that transactions conducted are consistent with the expected customer profile. FIs should apply solutions that ensure the accuracy and completeness of their data. Ongoing monitoring for merchant relationships should include an examination of chargebacks, customer complaints, and refund requests to identify fraudulent activities.