Guideline-AML and CFT - Lincensed Exchange Houses (11-Nov-2021)
Guideline-AML and CFT - Lincensed Exchange Houses (11-Nov-2021)
Guideline-AML and CFT - Lincensed Exchange Houses (11-Nov-2021)
5. Reporting Obligations......................................................................................... 22
5.1. Reporting to the CBUAE .............................................................................................. 22
5.2. Reporting to the FIU..................................................................................................... 22
6. Prohibition of Tipping Off ................................................................................... 23
Annex1 – Synopsis of the Guidance ....................................................................... 24
Page 2 of 26
CBUAE Classification: Public
1. Introduction
1.1. Purpose
Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree
Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal
Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and
feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”
The purpose of this Guidance is to assist the understanding and effective performance by the United Arab
Emirates Central Bank’s (“CBUAE”) Licensed Exchange Houses (“LEH”) of their statutory obligations under
the legal and regulatory framework in force in the UAE. It should be read in conjunction with the Chapter
16 of the Standards for the Regulations Regarding Licensing and Monitoring for Exchange Business,
Version 1.20 of November 2021 amending Version 1.10 of February 2018 (issued by Notice No. xx/2021
dated xx/xx/2021), the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of
Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on
Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial
Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof. 1 As
such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes
any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for
LEH to be able to demonstrate compliance with these requirements. In the event of a discrepancy between
this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance
may be supplemented with additional separate guidance materials, such as outreach sessions and thematic
reviews conducted by the Central Bank.
Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task
Force (“FATF”), industry best practices and red flag indicators. These are not exhaustive and do not set
limitations on the measures to be taken by LEH in order to meet their statutory obligations under the legal
and regulatory framework currently in force. As such, LEH should perform their own assessments of the
manner in which they should meet their statutory obligations.
This Guidance comes into effect immediately upon its issuance by the CBUAE with LEH expected to
demonstrate compliance with its requirements within one month from its coming into effect.
1.2. Applicability
Unless otherwise noted, this Guidance applies to all Exchange Houses that are licensed and supervised
by the CBUAE.
Federal Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of
Terrorism and Illegal Organizations (“AML-CFT Law)” and its amendment (Federal Decree Law
1 Available at https://www.centralbank.ae/en/cbuae-amlcft.
Page 3 of 26
CBUAE Classification: Public
No. (26) of 2021 amending certain provisions of Federal Decree Law No. 20 for 2018 on Anti-
Money Laundering and Combating the Financing of Terrorism and Financing of Illegal
Organisations).
Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree Law
No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal
Organizations (“AML-CFT Decision”).
Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of
United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of
Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and
its Financing and Relevant Resolution (“Cabinet Decision 74”).
CBUAE Regulations regarding Licensing and Monitoring of Exchange Business issued in January
2014 (“the Regulations”) issued by Notice 1/2014 dated 06/01/2014 and its amendment issued by
Notice 269/2016 on 25/08/2016.
Chapter 16 on AML/CFT Compliance of the Standards for the Regulations Regarding Licensing
and Monitoring of Exchange Business, Version 1.20 of November 2021 amending Version 1.10 of
February 2018 (“The Standards”).
Furthermore, LEH may be guided by the FATF standards on AML/CFT, Guidance for a Risk Based
Approach for Money or Value Transfer Services, and Report on Money Laundering through Money
Remittance and Currency Exchange Providers. 2
1.4. Definitions
Beneficial Owner: The ‘Natural Person’ who ultimately owns or exercises effective control, directly or
indirectly, over a customer or the natural person on whose behalf a transaction is being conducted, or the
natural person who exercises effective ultimate control over a legal person or legal arrangement.
Exchange Business: Shall mean: (1) Dealing in sale and purchase of foreign currencies and travelers
cheques; (2) Executing remittance operations in local and foreign currencies; (3) Payment of wages through
establishing a link to the operating system of “wages protection system” (WPS); and (4) Other business
licensed by the CBUAE.
Exchange House: A juridical person licensed in accordance with the provisions of Decretal Federal Law
No. (14) of 2018 Regarding the Central Bank & Organization of Financial Institutions and Activities to carry
on money exchange activity, and conduct funds transfers within and outside the UAE, and any other
businesses determined by the CBUAE.
Politically Exposed Person (PEP): natural persons who are or have been entrusted with a prominent
public function in the UAE or any other foreign country such as heads of states or governments, senior
politicians, senior government officials, judicial or military officials, senior executive managers of state-
owned corporations, and senior officials of political parties, and persons who are, or have previously been,
entrusted with the management of an international organization or any prominent function within such an
organization; and the definition also includes the following:
1. Direct family members (of the PEP who are spouses, children, spouses of children, parents)
2FATF: Guidance-RBA-money-value-transfer-services.pdf (fatf-gafi.org); and Money laundering through money remittance and
currency exchange providers (fatf-gafi.org)
Page 4 of 26
CBUAE Classification: Public
Instant Money Transfer Service Provider: A money remitting institution licensed and regulated by an
appropriate Regulator in its home country who will have the necessary proprietary software applications
and infrastructure to transfer funds instantly from an agent in one country to an agent in another country
and/or domestically.
Legal person: Any entities other than natural persons that can establish in their own right a permanent
customer relationship with a financial institution or otherwise own property. This can include companies,
bodies corporate, foundations, partnerships, or associations, along with similar entities.
Legal arrangement: A relationship established by means of a contract between two or more parties which
does not result in the creation of a legal personality. Examples include trusts or other similar arrangements.
Many legal arrangements allow for ownership, control, and enjoyment of funds to be divided between at
least two different persons.
Licensed Exchange House (LEH): An Exchange House licensed by the CBUAE.
Source of funds: How the money, involved in the transaction, was originally derived or earned. Examples
of source of funds are: salary, wages, inheritance, gratuity, end of service benefits, bank loan, income from
businesses, sale of property, sale of land, sale of investments, etc. For verification of the source of funds,
documents include but are not limited to salary slip, labor contract, court order, bank statements, etc.
Page 5 of 26
CBUAE Classification: Public
Risks to the Exchange Houses sector also stem from generally uneven regulatory disparity, supervision
and enforcement of the sector globally because Exchange Business often involves different jurisdictions.
Criminals may seek to exploit differences in regulatory requirements in different jurisdictions or deficiencies
in certain jurisdictions to move, structure and conceal their funds.
Exchange Houses may also potentially be abused by criminal groups and corrupt employees or agents co-
operating with criminals, who may seek to own an Exchange House outright, or indirectly through an
associate, or could seek to coerce employees through financial incentives in order to use the Exchange
House to circumvent AML/CFT obligations and advance criminal schemes.
LEH should ensure the AML/CFT Program includes the following ten (10) essential components,
which are described in detail in the following sections:
Risk assessment,
Policies and procedures,
Governance and the Compliance Officer,
Page 6 of 26
CBUAE Classification: Public
The risk assessment creates the basis for the LEH’s risk-based approach. LEH may utilize a variety of
models or methodologies to analyze their risks. In general, the risk assessment process would entail the
following six (6) steps:
Define in-scope Assess the Assess the Identify and Calculate Develop and
processes exposure to impact and evaluate Residual Risk implement
threats and likelihood of effectiveness of (Inherent Risk mitigation plans
vulnerabilities in risks and controls and Rating minus against risks
order to identify assign inherent identify Controls that are above
risks risk ratings weaknesses Evaluation = an acceptable
Residual Risk level
Rating)
The nature and extent of any assessment of ML/FT risks must be appropriate to the nature, size, and
complexity of the LEH’s business. The risk assessment should cover all relevant factors including but not
limited to:
Customer risk;
Products and services risk;
Delivery channel risk;
New technologies risk;
Jurisdiction or geographic risk;
Counterparty risk; and
Other areas of risk.
As per Article 4.2 of the AML-CFT Decision as well as Paragraphs 16.2 and 16.3 of the Standards, the
senior management of the LEH must be closely engaged in the risk assessment process and take
Page 7 of 26
CBUAE Classification: Public
responsibility for conducting an appropriate assessment. It must review and approve at least on an annual
basis the LEH’s risk appetite statement, risk assessment methodology, and risk assessment findings. If an
initial risk assessment assesses the LEH as higher risk, it may be necessary to conduct a more intensive
assessment of certain areas of the LEH’s operations. In assessing ML/FT risks, the LEH must have the
following elements in place:
Page 8 of 26
CBUAE Classification: Public
4For more details and information, please refer to the CBUAE’s Guidance for Licensed Financial Institutions providing services to
Cash-Intensive Businesses available at https://www.centralbank.ae/en/cbuae-amlcft
Page 9 of 26
CBUAE Classification: Public
that group. Where a LEH has large exposure to higher-risk customer types and to higher-risk customers
as assessed by individual risk ratings, its overall inherent risk will generally be higher.
4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should
keep detailed records of its assumptions, statistics used to complete this process, and the resulting
analysis and outcomes.
Products or services that may inherently favor anonymity, or products that can readily cross
international borders, such as cash, online money transfers, stored value cards, money orders and
international money transfers by mobile phone.
Products or services that have a very high or no transaction limit.
The global reach of the product or service offered.
The complexity of the product or service offered.
Products or services that permit the exchange of cash for a negotiable instrument, such as a stored
value card or a money order.
3. CALCULATE EXPOSURE: The LEH should consider what proportion of its total products and services,
and of total transactional activity, is associated with higher and lower-risk products and services. Where
a LEH has large exposure to higher-risk products and services, its overall inherent risk will generally
be higher.
4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should
keep detailed records of its assumptions, statistics used to complete this process, and the resulting
analysis and outcomes.
Page 10 of 26
CBUAE Classification: Public
2. ASSESS: The LEH should assign an inherent risk rating to the delivery channels identified. The rating
should take into consideration the characteristics and attributes of these delivery channels that make
them more susceptible to abuse by illicit actors, and could include factors such as whether the delivery
channel makes it more difficult to observe the customer’s behavior or to be certain that the person
transacting is in fact the identified customer, allows for faster transactions, or involves reliance on a
third party.
3. CALCULATE EXPOSURE: The LEH should then determine what proportion of its transactional activity
involves each delivery channel, both by volume and value. Where a LEH delivers a large proportion of
its products or services via higher-risk delivery channels, its overall risk is likely to be higher as well.
4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should
keep detailed records of its assumptions, statistics used to complete this process, and the resulting
analysis and outcomes.
Page 11 of 26
CBUAE Classification: Public
The jurisdictions in which their customers are resident or of which they are nationals (for Non-
Resident Customers only);
The jurisdictions to which they send remittances to or receive remittances from; and
The jurisdictions to or from which they import or export foreign currency.
LEH need not include every single jurisdiction to or from which they send or receive remittances or with
which their customers have ties in the risk assessment, but should at least include the jurisdictions to
which they have regular or routine exposure.
2. ASSESS: The LEH should assign each jurisdiction identified above an inherent risk-rating, based on
the degree of ML/FT risk present in that jurisdiction. The LEH is strongly encouraged to develop its own
country risk model that takes into consideration any publications issued by the National Anti-Money
Laundering and Combating the Financing of Terrorism and financing of Illegal Organizations Committee
(NAMLCFTC) 5, the UAE Financial Intelligence Unit (FIU), the FATF lists of High-Risk Jurisdictions
subject to a Call for Action and Jurisdictions under Increased Monitoring, 6 as well as the Organization
for Economic Cooperation and Development (OECD) list of jurisdictions classified as uncooperative tax
havens.7 The LEH should also consider whether a jurisdiction:
Has been identified by credible sources as providing an environment conducive to funding or
supporting terrorist activities or that have designated terrorist organizations operating within them.
Has been identified by credible sources as having significant levels of organized crime, corruption,
or other criminal activity, including source or transit countries for illegal drugs, human trafficking
and smuggling and illegal gambling.
Is subject to sanctions, embargoes or similar measures issued by international organizations such
as the United Nations.
Has been identified by credible sources as having weak governance/law enforcement/regulatory
regimes, including countries identified by the FATF as having weak AML/CFT regimes 8, for which
financial institutions should give special attention to business relationships and transactions.
Finally, the LEH should take into consideration its own knowledge and experiences, such as the number
of Suspicious Transaction Reports (STR) or Suspicious Activity reports (SAR) filed that involve each
jurisdiction.
3. CALCULATE EXPOSURE: The LEH should consider what proportion of its total customer base and
transactional activity, by volume and value, is associated with or linked to higher or lower-risk
jurisdictions. Based on its documented understanding of the risks, the LEH may decide to weigh its
exposure so that a cross-border transaction to a beneficiary in a high-risk jurisdiction has a greater
impact than, for example, a domestic transaction between two UAE residents where one party is a
citizen of a high-risk jurisdiction. Where a LEH has large exposure to higher-risk jurisdictions, its overall
inherent risk will generally be higher.
Page 12 of 26
CBUAE Classification: Public
4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should
keep detailed records of its assumptions, statistics used to complete this process, and the resulting
analysis and outcomes.
Domestic and Foreign correspondent banking arrangements, such as those with banks, exchange
houses, or any other financial institutions for the purpose of money transfer services.
Money transfer arrangements with instant money transfer service providers.
Hedging arrangements with local or foreign institutions.
Arrangements to import or export banknotes from/to foreign institutions, such as Banks, exchange
houses, or other financial institutions outside the UAE.
Arrangements with local or foreign entities to offer special products/services.
1. IDENTIFY: LEH should identify all counterparties that fit the description above, including with affiliates
and other members of the same group.
2. ASSESS: The LEH should assign an inherent risk rating to each counterparty. The determination of
the counterparty’s risk should include a consideration of all characteristics and attributes that make the
counterparty more or less susceptible to abuse by illicit actors, as well as characteristics and features
of the counterparty relationship that could increase or decrease risk. This could include for example:
Page 13 of 26
CBUAE Classification: Public
4. DOCUMENT: A LEH’s approach to categorizing risk should be clearly documented. The LEH should
keep detailed records of its assumptions, statistics used to complete this process, and the resulting
analysis and outcomes.
Page 14 of 26
CBUAE Classification: Public
Policies and procedures should be clearly communicated to all relevant employees. They should be easy
to follow and be designed to support the compliant and effective functioning of the AML/CFT program and
prevent employees from engaging in misconduct.
Page 15 of 26
CBUAE Classification: Public
Please refer to the table below on when to use each KYC measure and to refer to the respective
paragraphs in the Standards for the detailed requirements:
Page 16 of 26
CBUAE Classification: Public
Unless otherwise required, such as in the cases above mentioned, LEH should update the KYC information
on customers and counterparties on a risk-based schedule, with KYC on higher-risk customers being
updated more frequently. KYC updates should include a refresh of all elements of initial KYC, and in
particular must ascertain whether:
Page 17 of 26
CBUAE Classification: Public
The customer continues to have an active status with the LEH Point of Sale system.
The customer/counterparty is domiciled in the same jurisdiction.
The customer/counterparty is engaged in the same type of business, and in the same geographies.
The customer/counterparty’s transactions continue to fit its profile and business, and are consistent
with the business the customer expected to engage in when the business relationship was
established, or the business that the LEH expected to engage in when it established the
counterparty relationship.
If any of the above characteristics have changed, the LEH should risk-rate the customer/counterparty again.
Furthermore, LEH should conduct EDD when the revised risk rating demands it or if the
customer/counterparty’s history of transactions is not consistent with its profile and the expectations
established at account opening. In particular, if the customer/counterparty’s transactions/behavior have
resulted in the filing of an STR/SAR with the FIU, the LEH should review the customer/counterparty profile
and the activity that led to the report and make a determination as to whether the risk rating should be
raised or the relationship should be terminated. LEH may consider requiring that the customer/counterparty
update them as to any changes in its beneficial ownership. Even if this requirement is in place, however,
LEH must not rely on the customer/counterparty to notify it of a change, but must still update KYC on a
schedule appropriate to the customer’s risk rating.
Page 18 of 26
CBUAE Classification: Public
systems should create an audit trail of all activity related to alert generation, investigation, and disposition
to have a clear understanding of the activity, and potentially report it to the relevant authorities.
For more details and information, please refer to the CBUAE Guidance for Licensed Financial Institutions
on Transaction Monitoring Screening and Sanction screening9.
The following is an indicative and non-exhaustive list of risk factors associated with transactions10.
Activity detected during monitoring (in many of these scenarios the customer’s activity may be
apparent both during point-of-sale interaction and back-end transaction monitoring):
o Transfers to the same person from different individuals or to different persons from the same
individual with no reasonable explanation.
o Unusually large aggregate wire transfers or high volume or frequency of transactions with no logical
or apparent reason.
o Customer uses aliases, nominees or a variety of different addresses.
o Customers whose concentration ratio of transfers made to a jurisdiction is notably higher than what
is to be expected considering overall customer base.
o Customer transfers/receives funds from persons involved in criminal activities as per the
information available.
9 Available at https://www.centralbank.ae/en/cbuae-amlcft.
10 FATF: Guidance-RBA-money-value-transfer-services.pdf (fatf-gafi.org)
Page 19 of 26
CBUAE Classification: Public
o A network of customers using shared contact information (such as address, telephone or e-mail)
where such sharing is not normal or reasonably justifiable.
Transactions received:
o Transactions that are not accompanied by the required originator or beneficiary information.
o Additional customer or transactional information was requested from an ordering counterparty but
not received.
o Large number of transactions received at once or over a certain period of time which do not seem
to match the recipient’s usual past pattern.
For more information and details on their obligations in relation to their sanctions obligations LEH should
consult Paragraph 16.25 of the Standards; the Executive Office of the Committee for Goods and Materials
Subjected to Import and Export Control‘s “Guidance on Targeted Financial Sanctions for Financial
Institutions and designated non-financial business and professions”; the “CBUAE Guidance for Licensed
Financial Institutions on the Implementation of Targeted Financial Sanctions” as well as the “CBUAE
Guidance for Licensed Financial institutions on Transaction Monitoring Screening and Sanctions
screening”11.
Furthermore, LEH must sign up for the Integrated Enquiries Management System (IEMS) introduced by the
FIU to automate and facilitate the execution process of requests for information, implementing decisions of
public prosecutions and any other type of ML/FT requests. Via this system, the FIU can make requests to
all LFIs simultaneously with the goal of processing requests and providing results to Law Enforcement
Agencies more efficiently. For more information, LEH should consult the IEMS User Guide published by
FIU12.
4.7. Training
As per Paragraph 16.23 of the Standards LEH must provide comprehensive AML/CFT compliance training
to all employees. The effective application of AML/CFT policies and procedures depends on the employees
understanding not only of the processes they are required to follow, but also the risks these processes are
designed to mitigate, and the possible consequences of those risks. Employees should remain abreast on
an ongoing basis of emerging ML/FT typologies and new internal and external risks. The AML/CFT
compliance training should be relevant to the LEH’s ML/FT risks, business activities and up to date with the
latest legal and regulatory obligations and internal controls. It should be tailored to particular lines of
business within the LEH, equipping employees with a sound understanding of specialized ML/FT risks they
Page 20 of 26
CBUAE Classification: Public
are likely to face, and their obligations in relation to those risks and must be provided to all new employees
within thirty (30) calendar days from the date of joining. Thereafter, refresher training must be provided to
all employees at regular intervals depending on the ML/FT risk exposure of each employee; for example,
employees who deal directly with customers, products or services must be trained annually at a minimum.
Refresher training must also be provided whenever there are changes in the legal and regulatory framework
in force in the UAE or the LEH’s AML policy/procedures. Furthermore, the AML/CFT compliance training
should be provided to relevant employees upon learning of a confirmed negative risk assessment result or
audit finding, or other deficiency pertaining to the AML/CFT Program. Evidence for all trainings conducted
must be retained for inspection by the CBUAE.
Page 21 of 26
CBUAE Classification: Public
conflicts of interest for employees with AML/CFT responsibilities and should act to reduce or manage such
conflicts of interest.
Furthermore, under Paragraph 16.28 of the Standards, the LEH must watch out for its employee’s behavior
and be aware of possible indicators of illicit behavior displayed by employees, such as:
An employee whose lifestyle cannot be supported by his/her salary, which may indicate receipt of
tips or bribes.
An employee who is reluctant to take a vacation, which may indicate they have consented or are
being forced to provide services to customers in violation of the law or company policy.
An employee who is associated with an unusually large number of transactions or a transaction in
an unusually large amount, which may indicate they have consented or are being forced to provide
services to customers in violation of the law or company policy.
5. Reporting Obligations
5.1. Reporting to the CBUAE
As per Paragraph 4.21 of the Standards, LEH must submit reports to the CBUAE, which may be updated
from time to time in terms of the frequency and form of submission and their deadline. For the submission
of periodical returns/reports via the online system, the LEH must obtain access to the CBUAE reporting
portals, such as its Integrated Regulatory Reporting System, Remittance Reporting System and/or other
applicable system.
Page 22 of 26
CBUAE Classification: Public
For more details and information, please refer to Paragraph 16.27 of the Standards as well as the “CBUAE
Guidance for Licensed Financial Institutions on Suspicious Transaction Reporting” 13.
Page 23 of 26
Annex1 – Synopsis of the Guidance
Page 24 of 26
CBUAE Classification: Public
Page 25 of 26
CBUAE Classification: Public
Page 26 of 26