The guidance is part of the rapidly evolving rules on anti-money laundering and aims to promote UAE as a jurisdiction compliant with best practices.

By Brian Meenagh, Ksenia Koroleva, and Matthew Rodwell

On August 1, 2022, the UAE Central Bank (CBUAE) issued the Guidance for Licensed Financial Institutions on the Risks Relating to Payments.[1]

The guidance was issued to implement the requirements of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations. It sets out the CBUAE’s expectations as to the appropriate compliance measures to be adopted within payments ecosystems. The guidance is not intended to amend or replace existing CBUAE requirements and should be read in conjunction with the CBUAE’s existing rules[2] and guidance materials[3].

Drafted in accordance with guidance issued by the Financial Action Task Force (FATF), the CBUAE guidance aims to promote the UAE as a jurisdiction compliant with anti-money laundering best practices. It does not, however, set forth an exhaustive list of measures, and financial institutions are ultimately expected to perform their own risk-based assessments as to appropriate measures to be adopted.

The guidance is effective from the date of its issuance, and financial institutions are expected to demonstrate compliance within one month.

Definitions

  • The guidance applies to financial institutions licensed by the CBUAE, including UAE banks, branches of foreign banks, exchange houses, finance companies, stored value facilities, retail payment service providers, and card schemes (LFIs). It applies to any LFIs, whether they are primarily payment sector participants or have more limited exposure.
  • The guidance relates to the operations of LFIs in the “payment sector”, which is broadly defined as “different forms of payments that are transmitted and exchanged across various delivery channels, frequently utilizing digital platforms, systems, services and products”. This definition would cover, among other matters, any activities relating to smartphone-based applications linked to customer accounts.
  • Under the guidance, the payment sector covers both traditional payment products and services (PPS) and new payment products and services (NPPS), which denote new and innovative payment products and services that offer an alternative to traditional financial services. An example of NPPS are prepaid cards.

Understanding Risks

The key concern that the guidance seeks to address is that, when operating in the rapidly developing payment sector, LFIs may be exposed not only to other LFIs, but also to third parties operating globally and not necessarily licensed by the CBUAE or any other regulator. The exposure may be both direct (within the same payment system) and indirect (through third parties).

Payment transactions are often highly intermediated, which results in no person having full visibility into the funds transfer chain. Payment sector participants generally only conduct checks on their immediate customers or counterparties or tend to rely on their counterparties (e.g., correspondent banks or affiliates in different jurisdictions) for checks on the other persons. Gaps in controls emerge in many cases, especially if activities are not regulated.

The payment sector can therefore be attractive to illicit actors, who often choose specific PPS and NPPS due to limited controls over the movement of funds, regulatory gaps, and transaction speed.

The combined effect is that LFIs can be involved in complex, obscure, and multi-layered activities that pose enhanced money laundering risks.

The guidance is therefore intended to educate LFIs about the key risks and types of transactions that require scrutiny. Examples include peer-to-peer payments, cross-border transfers, intermediation, nesting (in which LFIs are only able to see the bulk of operations rather than individual transactions of the end-customer), use of agents or affiliates, dealing with merchants, dealings with correspondent banks, and outsourcing.

Mitigating Risks

The guidance requires LFIs to take a risk-based approach to mitigating and managing risks related to the payment sector. It describes in detail recommended compliance measures, which apply, to varying degrees, to LFIs providing retail services and services to other payment sector participants.

The key provisions include a step plan that LFIs should follow in approaching compliance:

  • LFIs should map the risks they are facing, which should cover all PPS provided by the relevant LFI, as well as its relevant UAE and foreign direct relationships. The assessments should be reflected in risk ratings.

The analysis should be tailored to the type of service in question and focus primarily on the area of geographic operation (e.g., whether there are any high-risk jurisdictions), scope of allowed transactions (e.g., whether peer-to-peer payments are allowed), regulatory status (licensed versus unlicensed entity), use of intermediaries, etc.

  • LFIs should implement the design and operation of compliance programs to ensure greater attention to areas of higher risks. The compliance program needs to ensure ongoing monitoring and accuracy of information.

This step should include, in respect of retail services, customer due diligence (know your customer, including via UAE governmental services, such as UAE-Pass), use of location indicators, imposing limits on certain types of dealings (e.g., maximum storage values), merchant due diligence (e.g., number of complaints it obtains, volumes of operations). It should also include sanctions screening.

In respect of corporate customers, LFIs need to identify beneficial owners owning 25% or more of shares or, if no person satisfies this criterion, persons holding senior management positions in the entity. LFIs should ensure they have contractual rights to obtain this information and consider terminating the relationship, if no access can be provided.

LFIs should also conduct analysis of the materials pertaining to payment sector participants, including by reviewing their promotional materials, website, identifying key merchants, evaluating policies, and controls.

The guidance also sets forth specific requirements with respect to due diligence of correspondent banks. These requirements include collecting information on the nature of the business and evaluating regulatory status, policies (including in respect of merchant due diligence), and controls (in particular, in respect of nesting transactions). They also include obtaining senior management approval before establishing a new correspondent banking relationship, reviewing reports and audit results, and understanding and documenting the scope of responsibilities relating to anti-money laundering.

In some cases (e.g., providing payment services as part of a network), LFIs should assume full responsibility for customer due diligence.

  • LFIs should implement appropriate controls and trainings to minimize or eliminate the features making PPS and NPPS attractive to illicit actors.

For example, the guidance suggests that LFIs providing retail services should consider using geolocation to prevent customer access from high-risk countries, imposing transaction limits, imposing a requirement for customers to only fund accounts and withdraw funds via regulated domestic financial institutions, and using multi-factor authentication.

Appropriate regular training should be provided to employees and agents, including agents of delivery, onboarding, and cash acceptance. The employees’ and agents’ knowledge in these areas should be periodically tested.

  • The guidance also reiterates the importance of filing suspicious transaction reports to the UAE Financial Intelligence Unit (FIU) using the “goAML” portal. The general principle under the guidance is that LFIs are ultimately responsible for using all information they have to monitor transactions processed or conducted through them. The guidance encourages LFIs to outsource transaction monitoring.

Conclusion

The guidance is part of the rapidly developing anti-money laundering rules in the UAE and the increasing use of traditional and new types of payment services. It supplements the existing rules with recommendations on compliance, aiming to ensure that LFIs determine the nature of operations and take measures to exercise some degree of control over operations and service providers to combat illicit finance.

Latham & Watkins will continue to monitor developments related to anti-money laundering rules in the Middle East, including the forthcoming additional rules and regulations.

Endnotes

[1] https://www.centralbank.ae/media/ggbcp1uz/amlcft-guidance-for-licensed-financial-institutions-on-the-risks-relating-to-payments.pdf

[2] For example, (1) Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations as amended by Decree Federal Law No. (26) of 2021; (2) Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Decree Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations as amended by Cabinet Decision No. (24) of 2022; (3) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution; (4) Stored Value Facilities (SVF) Regulation of 2020; (5) Retail Payment Services and Card Schemes Regulation of 2021; (6) Large Value Payment Systems Regulation of 2021; and (7) Retail Payment Systems Regulation of 2021.

[3] Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated June 19, 2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated June 27, 2019).