AML Governance for VASPs in the UAE: Building trust and strengthening compliance

Virtual assets are gaining acceptance and significance in the UAE's financial system. However, this growth brings an increased risk of money laundering and terrorist financing, given the inherent anonymity and speed of virtual asset transactions. The UAE authorities have brought Virtual Assets Service Providers (VASPs) under the Anti-Money Laundering (AML) regulatory landscape to mitigate these financial crime risks. It is therefore critical for VASPs in the UAE to establish an effective AML governance and oversight function to manage financial crime vulnerabilities.

Why is AML Governance important for VASPs in the UAE?

VASPs expose themselves to huge ML/FT risks when onboarding customers across the world without any boundaries. Further, as all transactions are conducted virtually, there is a risk of unidentified originators and virtual asset beneficiaries, which can be exploited for laundering illegal funds or financing terrorist activities.

The authorities have established specific regulatory guidelines, mandating that VASPs adhere to them and safeguard themselves against financial crime risks. VASPs operating in the UAE must register with the relevant authorities and comply with the AML/CFT regulations. Failure to meet these compliance obligations can result in hefty administrative fines and reputational damage.

The AML regulations in the UAE require VASPs to conduct an Enterprise-Wide Risk Assessment to identify the ML/FT risks, adopt a risk-based approach to design and implement internal AML/CFT policies, procedures, and controls, and report any identified suspicion to the Financial Intelligence Unit (FIU).

To mitigate the ML/FT risks and avoid regulatory non-compliance penalties, the VASPs must establish and maintain a robust AML governance and oversight function.

How to establish a robust AML Governance Function in a VASP?

As a first step to AML governance, VASPs must understand the AML regulations and compliance obligations imposed upon the organization. With a basic understanding of AML compliance requirements, let us look at the critical components of an effective AML governance framework.

Effective AML governance framework

Appointment of AML Compliance Officer or Money Laundering Reporting Officer

VASPs must appoint a competent person with adequate knowledge and experience in AML compliance to act as the AML Compliance Officer or the MLRO.

The compliance officer shall be responsible for overall AML/CFT program management.

Identifying the business risks

A VASP must perform an Enterprise-Wide Risk Assessment (EWRA) to identify and assess the ML/FT risks that the organization faces. The risk assessment must be based on qualitative and quantitative analysis of the relevant risk factors such as customer base, geographies of operations, nature of transactions, products or services offered by the VASP, etc.

As the business activities and ML/FT risk typologies keep evolving, the business risk assessment must be dynamic. VASPs must regularly assess the risk to factor in the changes in business activities, regulatory amendments, and emerging financial crime trends. The risk assessment results should be used to develop the internal AML/CFT policies, procedures, and controls to manage the identified ML/FT risks.

Developing the comprehensive AML/CFT framework

VASPs must have in place a well-defined internal AML/CFT program, including policies, procedures, systems, and controls that can adequately identify and manage the ML/FT risks of the organization’s virtual assets operations.

The AML policies and procedures must reflect the VASP’s overall risk and be practical enough to mitigate the risks.

Having an AML policy is not enough. The VASP must periodically review the policies and procedures to ensure their adequacy, effectiveness, and relevance in combating financial crimes. The AML/CFT framework must, at all times, be effective in addressing the identified business risks and compliant with AML regulatory requirements.

The policy should document the VASP’s AML obligations, the controls adopted by the VASP to manage the risks, and the roles and responsibilities of the AML Compliance Officer, employees, and senior management towards the AML program.

Robust Customer Onboarding Process

Millions of transactions related to the transfer of virtual assets are conducted amongst multiple originators and beneficiaries worldwide. An effective customer onboarding process is one of the key elements of an effective AML/CFT compliance framework.

It is pertinent for VASPs to identify the originators and beneficiaries of these transactions and verify their identity. The VASP must screen these customers for any connection with the Sanctions List, for Politically Exposed Person (PEP) status, and for the presence of adverse media suggesting criminal history.

As part of the Customer Due Diligence (CDD) process, the VASP should also perform a customer risk assessment to identify the risk each customer poses to the business. Based on the outcome of the customer risk profiling, the VASP must adopt a risk-based approach and perform Enhanced Due Diligence (EDD) measures to manage the increased risk posed by high-risk customers.

CDD does not end here. The VASP must implement systems to monitor transactions and business relationships on an ongoing and real-time basis to identify unusual or suspicious activities.

Suspicious activities identification and reporting procedures

An AML framework is incomplete without adequate internal systems and procedures to identify the ML/FT risk indicators or red flags suggesting involvement in money laundering activities, criminal proceeds, or terrorism financing. A clear mechanism must be in place to guide employees on the actions to be taken once any suspicious activity is observed and on how it shall be reported to the AML Compliance Officer.

Further, the guidelines about external reporting to the FIU must also be well defined to ensure the timely filing of a Suspicious Activity Report (SAR) or Suspicious Transactions Report (STR) with the FIU.

Support from the senior management

No business function can be successful without the support of senior management, and the AML function is no exception. Senior management plays a critical role in ensuring the effectiveness of the AML governance framework by setting the right compliance tone at the top and providing strategic oversight of the implemented AML/CFT policies and procedures.

The management must establish the VASP’s ML/FT risk appetite, and review and approve the VASP’s business risk assessment and the developed AML/CFT compliance program. Management should ensure that the risk assessment and AML policies, procedures, and controls are periodically reviewed and updated to manage the risks effectively.

Further, one important role of senior management is ensuring that the compliance department is well-staffed and has the resources necessary to manage the ML/FT risks and stay AML compliant.

As part of the AML governance and oversight function, the senior management and board of directors must seek periodic reports from the AML compliance officer capturing the VASP’s ML/FT exposure, suspicions identified, actions taken by the compliance officer, any AML gaps observed, etc.

Effective oversight function with periodic AML review and independent AML audit

To ensure the effectiveness of the AML/CFT measures adopted by the VASPs, it is important to establish an independent AML audit and also an internal periodic AML review function. The policies, procedures, systems, and controls implemented by the VASPs must be periodically reviewed to test the quality, adequacy, and effectiveness of the AML/CFT program.

A periodic AML review and interviews with the AML compliance team must be conducted to check whether the AML policies are effectively followed across the organization and to identify any gaps in policies or procedures, or any implementation flaws. This periodic review shall assist VASPs in remediating AML non-compliance or vulnerabilities before they have a multifold impact on operations. The internal reviews can be considered frequent routine checks on the effectiveness of AML/CFT systems and controls, necessary to ensure that the AML measures are up-to-date and capable of identifying financial crime risks.

Further, the VASP must appoint an independent person with adequate AML understanding and experience to conduct the AML review. An independent AML audit shall be a more focused and unbiased review by a third party (possibly an external person) to ensure that the VASP has an appropriate framework to manage the risks and stay AML compliant.

AML training program

The AML governance function is incomplete without the involvement of the entire staff and their contribution towards the AML/CFT program. The AML Compliance Officer of the VASP must develop a robust and comprehensive AML training program for the staff, including senior management, to ensure that all employees of the organization understand the ML/FT risks, compliance obligations, and their roles and responsibilities towards the VASP’s AML/CFT efforts.

AML training shall ensure that staff are well aware of internal AML/CFT policies and procedures and can exercise sound judgement when any suspicion is observed.

AML governance using technology and data analytics

AML governance and oversight would be challenging without deploying adequate technology and data analytics tools in this virtual asset world where everything is online. With technology, VASPs can automate the ML/FT risk assessment and deploy adequate measures to mitigate the identified risks. Given the enormous volume of virtual asset transactions, technologies like Artificial Intelligence and Machine Learning make transaction monitoring easy and real-time, generating alerts for unusual activities and reducing false positives.

Further, data analytics algorithms can be trained to identify unusual customer behaviour, detect suspicious transactions, and identify patterns that may indicate money laundering or terrorist financing.

VASPs can effectively detect and prevent money laundering and terrorist financing involving virtual assets by integrating technology and data analytics in their AML governance and oversight functions.

Collaborating with regulatory authorities and industry partners

As an element of effective AML governance, VASPs are recommended to stay connected with AML regulatory and supervisory authorities to seek guidance on various AML/CFT compliance obligations. Further, seeking the authorities’ feedback on implementing AML measures is also critical to enhance and improve the AML/CFT function.

Webinars and awareness sessions conducted by the authorities can also be helpful for VASPs to manage their ML/FT risks and detect emerging ML/FT typologies.

Collaboration with other VASPs can also help understand the industry’s best practices to identify and manage the ever-evolving ML/FT risks arising from virtual asset transfers.

Measuring the effectiveness of your AML governance and oversight function

VASPs need to review and enhance their AML governance and oversight function. This can be done using key performance indicators (KPIs) such as:

  • Periodicity of the AML/CFT report furnished by the AML Compliance Officer to senior management
  • Gaps identified, and the time and actions taken to remediate them
  • Feedback received from the authorities
  • Number of suspicions observed
  • Quality and frequency of the AML training program
  • Findings of the internal AML review and independent AML audit

Though not exhaustive, assessing these factors can give insights into the effectiveness of the VASP’s AML governance and oversight function.

How can AML UAE assist VASPs in the UAE in establishing an effective AML Governance Function?

Effective AML Governance and Oversight functions are critical for VASPs to stay AML compliant and manage financial crime risks.

A robust AML/CFT program, commitment and support from senior management, deployment of emerging technologies, comprehensive AML training, periodic AML review, audit, etc., can enhance the quality and relevance of the VASP’s AML/CFT framework.

AML UAE is one of the leading AML firms in the UAE, supporting regulated entities, including VASPs, to establish and maintain a strong internal AML/CFT compliance program aligned with their overall ML/FT risks and regulatory requirements. We also help VASPs set up solid AML Governance and Oversight functions, constantly contributing towards enhancing the effectiveness of the VASP’s AML/CFT measures.

Make significant progress in your fight against financial crimes with the best consulting support from AML UAE.

About the Author

Jyoti Maheshwari


Jyoti has over 7 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.