Impact of FATF Grey List Update on UAE DNFBPs: AML/CFT Compliance Imperatives

Table of Contents

Impact of FATF Grey List Update on UAE DNFBPs: AML/CFT Compliance Imperatives

The Financial Action Task Force (FATF) is an inter-governmental body that sets international standards for the curbing of Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF). As a global ML/TF and PF watchdog, the FATF identifies countries with weak Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) regulatory regimes and places them in its “Grey List” or “Black List”. In this blog, we will explore the impact of FATF grey list update on DNFBPs in UAE.

The Financial Action Task Force’s Grey List and Blacklist

The FATF continually assesses the AML/CFT/CPF regimes of jurisdictions across the globe. It identifies countries with significant deficiencies in their AML/CFT/CPF regimes and seeks to cooperate with them to address these deficiencies.

The countries identified as having weaknesses in their AML/CFT/CPF regimes are placed on either of the two lists: the Blacklist or the Grey List. The differences between the two lists are as explained here:

Criteria of Differentiation

FATF Blacklist

FATF Grey List

FATF Official Name

High-Risk Jurisdictions Subject to a Call for Action

Jurisdictions under Increased Monitoring

Definition 

FATF Blacklist is a list of countries with serious and strategic deficiencies in their AML/CFT/CPF regimes. 

FATF Grey List is a list of countries that have strategic deficiencies in their AML/CFT/CPF regimes but are committed to cooperating with the FATF to resolve the identified deficiencies through action plans based on decided timeframes.

Implication for the Country

These high-risk countries are subject to a call for action, i.e., FATF members are called upon to apply Enhanced Due Diligence and, in most serious cases, apply counter-measures. 

FATF subjects these countries to increased monitoring. FATF recommends applying a risk-based approach for entities or individuals from grey-listed countries.

Countries on this List (as of October 2024)

North Korea, Iran, Myanmar

Algeria, Angola, Bulgaria, Burkina Faso, Cameroon, Côte d’Ivoire, Croatia, Democratic Republic of Congo, Haiti, Kenya, Lebanon, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen

Both the Black List and Grey List are updated three times a year. The last updates were issued in October 2024. Through this update, the FATF removed Senegal from its Grey List and added Algeria, Angola, Côte d’Ivoire, and Lebanon. No changes were made to the Black List.

Let us now discuss how the FATF updating its Grey List leads to a chain reaction, requiring DNFBPs in UAE to revise their AML/CFT/CPF program.

AML Chain Reaction: How FATF Grey List Update Impacts a DNFBP’s AML Compliance Framework in UAE

When the FATF updates its Grey List, it leads to a butterfly effect, ultimately triggering changes in the AML/CFT/CPF framework adopted by a DNFBP in UAE. Let us understand this chain reaction through its components.

Regulated Entities in UAE

Entities regulated under AML/CFT/CPF laws of UAE include the following:

  • Financial Institutions
  • Designated Non-Financial Businesses and Professions such as:
    • Auditors and Accountants  
    • Dealers in Precious Metals and Stones
    • Lawyers, Notaries, and Other Legal Professionals and Practitioners  
    • Real Estate Agents and Brokers   
    • Company and Trust Service Providers  
    • Any other DNFBPs, as may be notified by the Government 
  • Virtual Assets Service Providers (VASPs)

Trusted Insights. Comprehensive Solutions. Expeditious Delivery.

Strengthen your AML Program with AML UAE’s end-to-end, expert led services.

Mandated to Comply with (AML/CFT and CPF) Laws, Regulations, and Sector Specific Guidelines

The Regulated Entities mentioned above are required to comply with the AML/CFT/CPF regulatory regime of UAE, which includes the following:

1. AML/CFT/CPF Laws

  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (as amended by Cabinet Resolution No. (24) of 2022)

2. Laws on Specific AML/CFT/CPF Requirements Such As:

  • The Cabinet Decision No. (109) of 2023 On Regulating the Beneficial Owner Procedures
  • Cabinet Resolution No. (132) of 2023 Concerning the Administrative Penalties against Violators of The Provisions of the Cabinet Resolution No. (109) of 2023 Concerning the Regulation of Beneficial Owner Procedures
  • Cabinet Decision No. (16) of 2021 Regarding the Unified List of the Violations and Administrative Fines for the Said Violations of Measures to Combat Money Laundering and Terrorism Financing that are Subject to the Supervision of the Ministry of Justice and the Ministry of Economy,
  • Cabinet Resolution No. (74) of 2020 regarding the Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combatting of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing, and Relevant Resolutions,

3. AML/CFT/CPF Guidance such as:

  • Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions
  • Supplemental Guidance for Auditors
  • Supplemental Guidance for Dealers in Precious Metals and Stones
  • Supplemental Guidance for the Real Estate Sector
  • Supplemental Guidance for Trust & Company Service Providers
  • Lawyers’ Guide on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations
  • Implementation Guide for DNFBPs on Customer Risk-Assessment (CRA) (For a discussion on this Guide, please visit our Update here)

UAE AML Regime's Alignment with International AML Standards

The above laws are part of UAE’s AML/CFT/CPF regulatory regime and are aligned with international AML standards. UAE is committed to mitigating financial crime through international cooperation and domestic action. International cooperation is also a core function of UAE’s Financial Intelligence Unit (UAEFIU). For this purpose, UAE has adopted and implemented International AML/CFT/CPF standards such as:

  • United Nations: As a member of the United Nations, UAE aligns its AML/CFT/CPF regime with requirements that are required to be implemented by UN members. For example, UAE implements United Nations Security Council Resolutions, as provided as a legal requirement under the Cabinet Resolution No. 74 of 2020. This ensures that the Targeted Financial Sanctions Regime of the UN is implemented in UAE. Another example is UAE aligning its regulations with UN’s Global Programme against Money Laundering as well as UAEFIU launching the goAML portal, developed by the United Nations Office on Drugs and Crime. The purpose of goAML portal is to enable the UAE FIU to receive, process, and analyse suspicious activities and suspicious transactions related to money laundering and terrorist financing.
  • Financial Action Task Force (FATF): Recognising FATF’s role as an international ML/TF and PF watchdog, UAE works with FATF to ensure that its domestic laws align with FATF’s 40 Recommendations and 11 Immediate Outcomes. Recognising the positive advancements made by UAE in terms of its AML/CFT/CPF regime, FATF removed UAE from its Grey List in February 2024.
  • The Middle East and North Africa Financial Action Task Force (MENAFATF): UAE is the founding member of MENAFATF, which is an FATF Style Regional Body (FSRB). As a member, UAE cooperates with countries in the Middle East and North Africa (MENA) region to establish effective systems and counter ML/TF and PF threats the region faces.
  • Egmont Group of Financial Intelligence Units: The UAE FIU is part of the Egmont Group and seeks to collaborate with other FIUs to securely exchange information and expertise for the purpose of combatting ML/TF threats and their predicate offences.

Updates & Revisions to International Standards

The international standards, as discussed above, are revised frequently. For example, the FATF updates its Grey List and Black List thrice a year. Through these updates, the FATF removes or adds countries to this list. In October 2024, FATF issued the following update:

  • FATF Grey List Update
    • Additions: Lebanon, Algeria, Angola, and Côte d’Ivoire
    • Removals: Senegal

Revised FATF Grey List: Algeria, Angola, Bulgaria, Burkina Faso, Cameroon, Côte d’Ivoire, Croatia, Democratic Republic of Congo, Haiti, Kenya, Lebanon, Mali, Monaco, Mozambique, Namibia, Nigeria, Philippines, South Africa, South Sudan, Syria, Tanzania, Venezuela, Vietnam, Yemen

  • FATF Black List Update
    • Additions: No Changes
    • Removals: No Changes

The FATF Black List, as of October 2024: North Korea, Iran, Myanmar

Adapting Compliance Frameworks to FATF Grey List Changes

The following components of the AML/CFT/CPF program need to be revised by the DNFBP when the FATF updates its Grey List:

Enterprise-Wide Risk Assessment (EWRA)

Under UAE’s AML/CFT/CPF laws, EWRA is to be conducted by Regulated Entities to identify, assess, and determine the likelihood and impact of ML/TF and PF risks it is exposed to. This helps Regulated Entities adopt risk control measures that are in line with and proportional to their risk exposure.

FATF Grey List is a list of countries which the FATF has identified as having weak AML/CFT/CPF measures. When the FATF revises its Grey List, customers from that country may pose an increased risk of ML/TF and PF due to weak AML/CFT/CPF measures in their jurisdiction.

For Regulated Entities in UAE, this Update needs to be reflected in the EWRA so that the Regulated Entity is adequately prepared to handle the increased ML/TF and PF risks from customers located in a Grey Listed Country. This allows the Regulated Entity to adopt a risk-based approach towards risk control and mitigation.

AML Policies and Procedures:

After reassessing their risk exposure through the EWRA, Regulated Entities need to revise their ML/TF and PF risk control measures under their AML/CFT/CPF Policies and Procedures to efficiently handle the increased risk they face from customers located in FATF Grey Listed Countries. These include steps such as:

  • Changes in Customer Risk Assessment (CRA) parameters, including risk factors, weightage, and scores
  • Re-KYC and revision of CRA for preexisting customers from the countries that were recently Grey Listed
  • Adoption of heightened risk control measures for customers from Grey Listed countries, such as Enhanced Due Diligence (EDD), increased frequency of monitoring, stringent transaction monitoring, etc.
  • Conducting staff training to ensure that all relevant employees understand the heightened ML/TF and PF risks emanating from customers that are from Grey Listed countries and are equipped with the skills to recognise and help mitigate these risks

Customer Due Diligence (CDD) Measures Concerning Customers or Suppliers Associated with “FATF Jurisdictions Subject to Increased Monitoring”:

As per AML/CFT/CPF regulations of UAE, Enhanced Due Diligence (EDD) should be conducted for customers . Depending upon the risk-based approach adopted by the Regulated Entity, the entity may need to perform EDD on customers hailing from an FATF Grey Listed country. EDD involves the collection of information such as:

  • Seeking additional details from the customer, such as their Source of Funds or Source of Wealth, and verifying such information
  • Conducting adverse media and social profile checks
  • Requiring first payment from a bank account that is in the customer’s own name
  • Seeking approval from the Compliance Officer and Senior Management before onboarding
  • Enhanced monitoring of customer’s activities, information, and transactions

Recalibrating Configuration of AML Software Solutions:

AML software solutions are tools that help Regulated Entities implement their AML Program efficiently by optimising AML processes and taking away manual delays and errors. To efficiently manage the increased risks posed by customers from Grey Listed countries, Regulated Entities should recalibrate the configuration of their AML software. For example, they can reassign the weightage in their Customer Risk Assessment (CRA) software and update the monitoring thresholds in their transaction monitoring software.

Complete. Consistent. Accurate.

Engage us to create the most suitable AML/CFT policies and procedures for your business.

Nexus Between FATF Grey List Updates and AML Compliance Obligations of DNFBPs in UAE

Under UAE’s AML/CFT/CPF regime, DNFBPs are required to take into account the updates made by FATF to its Grey List, and align these update with their AML/CFT/CPF program. This is evident from the following:

  • Cabinet Decision No. (10) of 2019 requires DNFBPs to implement EDD measures for customers from high-risk countries
  • As provided by Circular No. MOEC/AML/004/2024 dated 29 October 2024, released by the UAE Ministry of Economy, all DNFBPs are required to take into account the lists and information released by the FATF and National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations. The DNFBPs must incorporate these lists and information, and updates in them, while implementing their AML/CFT/CPF program, specifically their Customer Due Diligence measures. Enhanced Due Diligence must be conducted wherever appropriate based on the level of risks the DNFBP is exposed to. While doing so, it should also revise its CDD measures applicable to countries whose names have been removed from the lists released by FATF.
  • The Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for DNFBPs mention considering the regulatory framework of the country of their customers, especially when such countries have been identified by the FATF as having weak AML/CFT measures, while conducting identifying and assessing ML/TF and PF risks it is exposed to.
  • The Implementation Guide For DNFBPs on Customer Risk-Assessment, in its list of geography-related factors that must be considered during CRA, includes FATF Black or Grey Listed countries as countries that are considered high-risk. It also provides that this factor must be given higher weightage during the CRA process so as to arrive at the overall risks associated with a customer. Therefore, DNFBPs need to compulsorily ensure that the changes made to the FATF Grey List are reflected in their AML/CFT/CPF Policies, Procedures, and Controls.

AML Chain Reaction: How FATF Grey List Update Impacts a UAE-based DNFBP’s AML Compliance Framework

Let us now discuss how DNFBPs can revise their AML/CFT/CPF Program when FATF updates its Grey List by considering case studies explaining the AML Chain Reaction through practical examples.

The Impact of FATF Grey List Update on Auditors and Accountants

Auditors and accountants have access to the accounts, books, legal structures, records transactions, etc, and therefore are in a unique position to detect suspicious activities or transactions indicating ML/TF and PF risks.

Consider the example of the Accounting Firm PQR. A majority of its customer base is companies operating in UAE. It has a client ANC LLC, which is a corporation established in UAE. However, while conducting reKYC of ANC LLC, PQR came to know that ANC LLC’s ownership structure has changed and ANC LLC now has Ultimate Beneficial Owners (UBOs) belonging to a Country A. Country A was recently Grey Listed by the FATF. ANC LLC is reluctant to provide further information about its UBOs, particularly their Source of Funds and Source of Wealth.

At this point, Accounting Firm PQR faces the following challenges:

  • Since the UBOs are from an FATF Grey Listed Country, they pose an increased ML/TF threat.
  • Since PQR handles clients mostly from UAE, its local jurisdiction, managing ML/TF and PF risks from customers from an FATF Grey Listed country may not be within its risk appetite.

Accounting Firm PQR can take the following steps to ensure full compliance with its AML/CFT/CPF obligations:

  • During its Customer Risk Assessment, it should categorise the customer ANC LLC as belonging to the High Risk Category, and therefore adopt Enhanced Due Diligence for the customer accordingly.
  • Since ANC LLC is reluctant to provide information that is required under AML/CFT/CPF laws as part of the EDD process, and the risks emanating from ANC LLC are beyond the risk appetite of PQR, PQR can decide to offboard the client to derisk itself.
  • PQR should revise the risk factors it considers during its Customer Risk Assessment to ensure that the risk profiles of clients accurately reflect the ML/TF and PF risks they pose.
  • It should revise its client acceptance and exit policies to reflect its risk management of clients from FATF Grey Listed countries.
  • It should file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) if it finds any activities or transactions that indicate financial crimes.

The Impact of FATF Grey List Update on Dealers in Precious Metals and Stones

DPMS sector is vulnerable to ML/TF and PF threats due to the high level of liquidity, anonymity, and mobility it offers. Consider the case of a medium-sized DMPS named ABC. During its trade operations, ABC deals with clients from many jurisdictions, importing precious metals and diamonds and processing them.  Having conducted its ML/TF risk assessment, ABC knows that 10-12% of customers and trade partners are from Country Z, which is known for its diamond trade.

After its assessment, the FATF placed Country Z on its Grey List. Before this event, the DPMS had been conducting standard Customer Due Diligence practices based on a risk-based approach for its customers from Country Z. Due to the Grey Listing of Country Z, ABC will face the following challenges:

  • Customers from a grey-listed country pose an elevated risk of being involved in financial crimes, as assessed by the recent FATF Plenary
  • ABC is at greater risk of being used as a conduit for illicit financial transactions if the appropriate risk mitigation measures are not in place

To effectively comply with its AML/CFT/CPF obligations and ensure that ML/TF and PF risks are not missed, ABC can take the following actions:

  • Revise its EWRA to reflect the ML/TF and PF risks emanating from the customers from Country Z
  • Assign new risk weightage in Customer Risk Assessment criteria to reflect the revised EWRA
  • Conduct re-KYC for all existing customers
  • Conduct Enhanced Due Diligence for customers from Country Z depending on the risk-based approach adopted by ABC
  • For customers that pose increased ML/ TF or PF risks, or their KYC and other details cannot be verified with sufficient proof, ABC may consider offboarding such clients
  • For customers that are involved in suspicious activities or transactions, ABC should report them by filing STR/SAR report in the goAML portal
  • ABC must also conduct re-training of its staff involved in the compliance process, from front-facing staff to senior management, to ensure that they recognise ML/TF/PF risks emanating from customers from Country Z and play their role in the AML/CFT/CPF compliance journey effectively

The Impact of FATF Grey List Update on Company and Trust Service Providers

Consider the case of a Trust and Company Service Provider (TCSP) firm DEF in UAE, which has a limited but important customer base in Country X, comprising mostly high-net worth individuals. Country X was recently Grey Listed by the FATF due to concerns regarding weaknesses in its AML/CFT/CPF regulatory measures. It is approached by an existing client that belongs to Country X, seeking to establish a company in UAE. The client is a high-net worth individual, and has had a good relationship with the TCSP. The TCSP faces the following challenges:

  • Since Country X was Grey Listed, the TCSP’s CRA of the client is outdated
  • The TCSP’s risk control measures to manage the risks emanating from the client are inadequate

The TCSP can take the following steps to realign its AML/CFT/CPF program and efficiently manage the changed ML/TF and PF risks emanating from the client without harming their business relationship:

  • Revise its EWRA, assessing its exposure to ML/TF/PF emanating from customers of Country X
  • Reassess its risk appetite based on the EWRA and revise its risk weightage in Customer Risk Assessment
  • Conduct re-KYC of the client, and revise CRA accordingly
  • If the ML/TF and PF risks emanating from the client are within the risk appetite of the TCSP, it can continue with accepting the service request from the client. If the revised CRA indicates that the ML/TF and PF risks are not manageable with the present risk control measures, the TCSP should consider not accepting the service request from the client
  • To facilitate client onboarding from country X in the future, while staying compliant, the TCSP can consider adopting more advanced AML/CFT/CPF compliance solutions such as rigorous ongoing monitoring and transaction monitoring software

Make your reporting on goAML accurate, easier, and effective

With our AML professionals’ expert guidance and handholding.

The Impact of FATF Grey List Update on Lawyers, Notaries, and Other Legal Professionals and Practitioners

Lawyers and other legal professionals are considered gatekeepers, since they are exposed to sensitive information and oversee the movement of funds while acting on behalf of their customers.

Consider the case of ABC, a law firm situated in the UAE. Through its EWRA, ABC is aware that 5% of its client base is from Country Z, while 2% of its client base is from Country X. The FATF, after its recent Plenary, adds Country Z to its Grey List, while removing Country X from the same. Due to this update, Law Firm ABC will face the following challenges:

  • Its EWRA and Customer Risk Assessment parameters do not reflect the change in ML/TF and PF risk factors emanating from customers from Country Z and Country X
  • Its risk mitigation measures are inadequate to manage risks posed by customers from Country Z, while its risk control measures for customers from Country X may not be proportional to the risks posed by them, resulting in inefficient allocation of resources

Law Firm ABC can take the following actions:

  • Upgrade its EWRA and Customer Risk Assessment parameters such as risk scores, risk weightage, etc., to align the same with the heightened risks posed by customers from Country Z, and reduced risks posed by customers from Country X
  • Adopt risk control measures to handle ML/TF and PF risks posed by customers from Country Z, including conducting Enhanced Due Diligence, frequent monitoring of transactions, conducting re-KYC on a regular basis, etc
  • Revise risk control measures adopted for customers from Country X, which are proportional to the reduced ML/TF and PF risks posed by them. This will ensure implementation of a risk-based approach, and lead to efficient allocation of resources.

The Impact of FATF Grey List Update on Real Estate Agents and Brokers

The Real Estate sector attracts money launderers due to the high-value associated with real estate transactions, especially cross-border transactions.

Consider the case of a Real Estate Agency, XYZ, in UAE. It facilitates the buying and selling of real estate and often handles clients from foreign jurisdictions. Over the past five years, 30% of its clients have been from Country B. Recently, Country B was Grey Listed by the FATF.

Since a major chunk of XYZ’s clients are from Country B, it now faces the following challenges:

  • XYZ’s EWRA no longer reflects its ML/TF and PF risk exposure since it does give adequate weightage to risks posed by clients from Country B
  • The Customer Risk Assessment methodology of XYZ needs revisions to reflect the Grey Listed status of Country B
  • XYZ needs to upgrade its risk mitigation measures, such as name screening, transaction monitoring, etc
  • XYZ will have to train its staff to make them aware of the increased risk of ML/TF and PF posed by clients from Country B, as well as the FATF findings of common typologies or ML/TF and PF risks that Country B faces through its Mutual Evaluation Report (MER)

XYZ can take the following steps to ensure that its AML/CFT/CPF Program is upgraded and can handle the risks posed by customers from Country B:

  • XYZ needs to revise its EWRA and reassess its ML/TF and PF risk exposure
  • Based on the revised EWRA, XYZ would need to adopt risk mitigation strategies to adequately manage the increased ML/TF and PF risks it faces. These strategies may include greater scrutiny of transactions, Source of Funds, Source of Wealth, ensuring incorporation of advanced name screening tools, etc
  • XYZ needs to revise the risk weightage methodology it uses for its Customer Risk Assessment to align it with the revised EWRA and ensure adequate representation of the ML/TF and PF risks posed by customers from Country B
  • The risk control strategies that have been adopted should be reflected in the AML/CFT/CPF Policies, Procedures, and Controls of XYZ
  • XYZ should make sure that its staff, comprising of the three lines of defense, gets adequate training to understand the revised EWRA, Customer Risk Assessment factors and weightage, and AML/CFT/CPF Policies, Procedures, and Controls. This will help them understand their role and implement the AML/CFT/CPF program of XYZ in an efficient manner
  • XYZ should reassess its residual risk based on the risk control measures it adopted and see if it is within its risk appetite. This ensures that XYZ takes a risk-based approach towards ML/TF and PF risk mitigation and controls.

Navigating FATF Grey List Updates for UAE DNFBPs: Final Thoughts

Therefore, the FATF Grey List update is an important event that leads DNFBPs to revise and change various components of their AML/CFT/CPF program, such as their Enterprise-Wide Risk Assessment, Customer Risk Assessment factors, Customer Due Diligence measures, etc. DNFBPs need to be vigilant and ensure that their AML/CFT/CPF policies, procedures, and controls align with the latest update in FATF Grey List.

AML UAE – your partner for AML training requirements

Contact us now, and let's get started.

Share via :

Share on facebook
Share on twitter
Share on linkedin

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.