Benefits of a Well-Articulated EWRA Framework

In this infographic, we have discussed the various benefits of a well-articulated EWRA framework. A well-articulated Enterprise-Wide Risk Assessment (EWRA) forms the foundation for building an effective Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) Program. The benefits discussed in this infographic provide actionable insights into a Regulated Entity's exposure to financial crime risks.

A well-articulated EWRA provides the following benefits:

1. Embeds ML/TF and PF Risk Awareness into the Regulated Entity’s Organisational Structure

A well-articulated EWRA framework helps thoroughly assess a Regulated Entity’s Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risk exposure. It helps ensure that stakeholders are aware of the ML/TF and PF risks the Regulated Entity is exposed to and enables them to understand the relevance of EWRA during day-to-day operations.

This also fosters a culture of AML/CFT/CPF compliance, ensuring that ML/TF and PF risk management becomes a part of everyday business activities rather than just a regulatory obligation.

2. Provides a Multidimensional and Balanced View of ML/TF and PF Risks

An effective EWRA framework provides a comprehensive perspective on ML/TF and PF risks by considering multiple dimensions, such as:

  • Customer related risks
  • Geographical risks
  • Product or Service related risks
  • Delivery Channel related risks
  • Other risks, including transactions, bribery, tax evasion, etc.

For more information, read our infographic “An illustrative list of factors for conducting AML Business Risk Assessment”. EWRA is also referred to as AML Business Risk Assessment.

Rather than relying solely on a static approach, a multidimensional approach to EWRA enables Regulated Entities to assess the likelihood and impact of each risk factor and understand the interplay between various risk factors. A well-articulated EWRA framework balances qualitative insights (such as guidance by AML/CFT/CPF regulators and expert advice) with quantitative data (such as risk scores and statistical data), resulting in a well-rounded approach to

This balanced approach enables Regulated Entities to make nuanced risk-based decisions regarding ML/TF and PF risk management and controls.

3. Facilitates Development of an Informed and Curated ML/TF and PF Risk Appetite

A well-defined ML/TF and PF risk appetite helps Regulated Entities balance their business objectives with their ML/TF and PF risk-taking capabilities. The EWRA framework provides the necessary data to develop an informed and carefully curated ML/TF and PF risk appetite that takes into account the nature, size, ML/TF and PF risk exposure, etc., of the Regulated Entity.

4. Enables Establishment of Clear Boundaries for ML/TF and PF Risk Tolerance

ML/TF and PF risk tolerance is the boundary beyond which a Regulated Entity is not willing to bear ML/TF and PF risks. A well-articulated EWRA helps a Regulated Entity establish clear thresholds regarding acceptable and unacceptable ML/TF and PF risks based on its ML/TF and PF risk controls in place.

5. Drives Efficient Allocation of Resources Towards ML/TF and PF Risk Management

A well-articulated EWRA framework ensures that ML/TF and PF risk management resources, whether financial, technological, or human, are allocated efficiently. It helps Regulated Entities prioritise areas of higher ML/TF and PF risks. It also helps Regulated Entities plan their ML/TF and PF risk management efforts. For example, using the EWRA, a Regulated Entity can understand the number of staff it needs, the roles and responsibilities required, and the tools and technologies it needs to utilise to optimise its AML/CFT/CPF compliance.

6. Forms a Dynamic Link between ML/TF and PF Risk Identification and ML/TF and PF Risk Control

A well-articulated EWRA framework ensures that ML/TF and PF risks identified during the EWRA process are directly linked to effective ML/TF and PF risk control mechanisms adopted by the Regulated Entity. This dynamic link ensures that all identified financial crime risks are addressed and dealt with through AML/CFT/CPF Policies, Procedures, and Controls.

7. Enables Pre-emptive and Proactive Efforts towards ML/TF and PF Risk Management

An effective EWRA framework empowers Regulated Entities to shift from a reactive approach to a pre-emptive and proactive approach to ML/TF and PF risk management. Through the EWRA, Regulated Entities can anticipate potential financial crime threats and vulnerabilities and implement preventative ML/TF and PF risk mitigation strategies accordingly.

8. Acts as a Framework to Predict and Incorporate Changes in ML/TF and PF Risks

Financial crime risks and typologies are constantly evolving. A well-articulated EWRA framework acts as a predictive tool, enabling Regulated Entities to anticipate and incorporate changes in their ML/TF and PF risk exposure. This is done by systematically analysing historical data, ML/TF and PF risk trends, etc. This foresight allows Regulated Entities to enhance their AML/CFT/CPF Program in response to emerging risks.

9. Strengthens a Regulated Entity’s Competence in ML/TF and PF Risk Management

A well-articulated EWRA framework enhances the overall competency of a Regulated Entity in managing its ML/TF and PF risks. By identifying and assessing its risk exposure, calculating inherent risk, residual risks, and assessing the effectiveness of its risk control measures, Regulated Entities can build a more knowledgeable and ML/TF and PF risk-aware workforce.

Regular role-based training and data-driven decision-making supported by the EWRA ensure that employees, from front-line staff to senior management, are equipped to handle financial crime risks effectively. Strengthening ML/TF and PF risk management competence also builds an AML/CFT/CPF compliance culture where employees proactively contribute to mitigating financial crime risks within their roles.

10. Enables Devising Customer Risk Assessment Parameters and Setting Customer Acceptance, Exit, and Management Policies

Insights from a well-articulated EWRA support Regulated Entities in establishing informed Customer Risk Assessment (CRA) parameters. This helps categorise customers as low, medium, or high risk based on the degree of ML/TF and PF risks they pose to the Regulated Entity. Based on this categorisation, the Regulated Entity can then adopt ML/TF and PF risk control measures.

Further, the EWRA helps Regulated Entities define customer acceptance, exit, and management policies based on their ML/TF and PF risk management capabilities.

11. Helps Ensure Alignment with National Risk Assessment and Sectoral Risk Assessments

A well-articulated EWRA framework ensures that a Regulated Entity takes into consideration and aligns with the findings of National Risk Assessment and Sectoral Risk Assessments. By incorporating findings from these assessments, Regulated Entities can enhance their understanding of ML/TF and PF risks.

For more information, read our infographic on “Integrating External Information for a Holistic EWRA Approach”.

Benefits of a Well-Articulated EWRA Framework: Concluding Thoughts

The benefits of a well-articulated EWRA underscore its importance in a Regulated Entity’s AML/CFT/CPF compliance processes. It acts as the backbone of effective financial crime risk management and empowers Regulated Entities to make informed, risk-based decisions. By continuously updating and integrating EWRA insights into business operations, Regulated Entities can protect themselves against ML/TF and PF risks while comprehensively complying with their obligations under UAE’s AML/CFT/CPF regulations.

How Strong Is Your Money Laundering Risk Management? An Evaluation Checklist

Money Laundering (ML) Risk Management is the process of identifying, assessing, addressing, and monitoring financial crime risks that a Regulated Entity may be exposed to. It involves implementing policies, procedures, and controls to detect and prevent Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks. Regular evaluation of the ML Risk Management practices ensures that any weakness identified is promptly addressed, improving the ability of the Regulated Entity to protect itself from financial crime risks.

Here is the Money Laundering Risk Management Checklist which can be readily used to check the effectiveness of the ML Risk Management practices adopted by a Regulated Entity.

This checklist mainly covers the following aspects:

ML/TF & PF Risk Identification and Assessment

  • Are you aware of the ML/TF and PF risks you are exposed to?
  • Do you have a comprehensive methodology to assess your ML/TF and PF Risk Exposure?
  • Are you aware of the likelihood of the occurrence and impact of the ML/TF and PF risks you are exposed to?
  • Is your ML/TF and PF Risk Assessment and Exposure properly defined, documented, and regularly revised?

ML/TF and PF Risk Appetite

  • Have you clearly defined and documented the nature and extent of risks you are willing to take to achieve your business objectives?
  • Have you followed an effective and comprehensive methodology to develop your Risk Appetite?
  • Are you clear about the risks you are not willing to take?
  • Do the various stakeholders of the ML Risk Management process understand your Risk Appetite?
  • Has the Risk Appetite undergone appropriate reviews and approvals by the senior management?
  • Is the Risk Appetite tailored to your needs?
  • Is the Risk Appetite regularly reviewed and updated?

ML/TF and PF Risk Controls

  • Have you clearly defined and implemented AML/CFT and CPF Policies, Procedures and Controls to respond to ML/TF and PF risks?
  • Have you carefully considered the Residual Risks?
  • Have you clearly defined procedures to handle ML/TF and PF risks that are beyond your Risk Appetite?
  • Have you taken adequate steps to ensure oversight of Money Laundering Risk Management?
  • Do you regularly review your capability to handle and manage the ML/TF and PF risks?
  • Do you have a culture of AML compliance and risk management throughout your organisational structure?
  • Have you taken adequate steps to ensure that your staff is aware of the ML/TF and PF risk exposure, red flags, and risk control measures?
  • Have you allocated adequate resources to ensure the effective functioning of your ML Risk Management systems?
  • Do you regularly review and update your ML Risk Management measures?

ML Risk Management Self-Evaluation Checklist: The Way Forward

Based on the outcome of such evaluation, Regulated Entities can then focus on areas of vulnerabilities and address the same through positive actionable steps. For example, if through this questionnaire, it is found that a Regulated Entity’s ML Risk Appetite is not up to date, then it can assess and revise its existing ML Risk Appetite to ensure that it is aligned with its business objectives.

Incorporating Geographic Risk in CRA Methodology: A Step-by-Step Approach

Customer Risk Assessment (CRA), an important component of the Customer Due Diligence (CDD) process, requires Regulated Entities in UAE to consider various risk factors while assessing the financial crime risks a customer may pose to the business. One of these factors is Geographic Risk.

Geographic risk includes Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks emanating from the country which the client of a Regulated Entity is associated with.

In this infographic, we have outlined a systematic step-by-step approach for effectively managing country-related financial crime risks posed by a client of a Regulated Entity for effective Anti-Money Laundering (AML) compliance.

Step 1: Incorporate Geographic Risk Parameters in the Customer Risk Assessment Methodology

Regulated Entities need to define ML/TF and PF risk factors and assign relevant risk score, risk level, and weightage to them as a part of their CRA methodology. It must be aligned with the Enterprise-Wide Risk Assessment (EWRA) of the Regulated Entity. Geographic risk is one of the risk factors to be considered and included during the CRA process.

Assessing ML/TF and PF risks related to the country of the client is part of the geographic risks to be considered during the CRA process. Incorporating country-related ML/TF and PF risk parameters helps a Regulated Entity build accurate and relevant customer risk profiles.

We have detailed country-related ML/TF and PF risk parameters in our infographic on “Factoring Geographic Risk During Client Onboarding: A Checklist”.

Step 2: Identify and Verify Client's Country-Related Information

Before onboarding, the Regulated Entity should identify and verify a client’s country-related information as a part of its Know Your Customer (KYC) process. This includes information about the following:

  • Nationality or citizenship of the client
  • Place of birth of the client (for clients that are individuals, or client’s Ultimate Beneficial Owners, and linked parties)
  • Place of residency of the client
  • Primary business location, headquarters, location of incorporation, or registration of the client (for legal persons)
  • Jurisdictions from which the client conducts transactions with the Regulated Entity

Step 3: Perform Customer Risk Assessment

The Regulated Entity should use the information collected during the KYC process, Sanctions Screening, Politically Exposed Person (PEP) Screening, Adverse Media Screening results, and CRA methodology to conduct CRA for the client. This helps the Regulated Entity assess the financial crime risks emanating from the customer, while giving adequate weightage to country-related ML/TF and PF risk factors.

The CRA must be conducted keeping in mind the specific country-related information of the customer.

For example, a client who was born in an FATF Blacklisted country but is a resident of a country known to have effective AML/CFT/CPF regulations would pose lower ML/TF and PF risks than a client whose place of birth, nationality, and residence are all in an FATF Blacklisted country.

After conducting CRA, the Regulated Entity would understand the client’s ML/TF and PF risk profile.

Step 4: Adopt Risk-Based Customer Due Diligence Measures

The Regulated Entity should adopt ML/TF and PF risk control measures in accordance with the client’s risk profile. If the client has been assessed to pose high ML/TF and PF risks, Enhanced CDD measures should be adopted. If the client has been assessed to pose low ML/TF and PF risk, Simplified CDD can be adopted. If the client’s level of ML/TF and PF risk is beyond the risk appetite of the Regulated Entity, the Regulated Entity may choose not to onboard the client.

Further, if the client, their activities, or the transactions they undertake are related to high-risk countries, a High-Risk Country Transaction Report (HRC) or High-Risk Country Activity Report (HRCA) must be filed on the goAML portal.

High-risk Countries, as defined by the National Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organizations Committee (NAMLCFTC), are countries that have been Blacklisted by the FATF. The Regulated Entity should also report any detected suspicions of ML/TF and PF through a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR).

For example, consider a situation in which a Regulated Entity is approached by a client from country Z to conduct a transaction on behalf of the client. During the CRA process, the Regulated Entity can use the country-specific ML/TF and PF risk parameters to assess the financial crime risks associated with country Z. If the Regulated Entity finds out that country Z is an FATF Blacklisted country, it needs to file the HRC report. The Regulated Entity must also adopt EDD measures for the client. However, if the ML/TF and PF risks posed by the client are beyond what the Regulated Entity can manage, it can decide to offboard the client to derisk itself.

Step 5: Ensure Ongoing Monitoring

After onboarding the client, the Regulated Entity should ensure that it conducts ongoing monitoring of the business relationship with the client. This helps the Regulated Entity make sure that all client CDD information and their CRA are kept up to date. For example, whenever the FATF Blacklists or Greylists a country, and the client is related to this country, the CRA of the client would change. Further, when a country the client is associated with gets Blacklisted by FATF, the Regulated Entity must file an HRC or HRCA Report before continuing the business relationship with the client. We have explained this in detail in this blog.

Factoring Country Risk During Client Onboarding: Final Thoughts

Implementing a structured approach to handling country-related ML/TF and PF risks enables Regulated Entities to enhance their AML risk management capabilities and ensure effective compliance with their AML/CFT/CPF obligations. By integrating a country risk rating framework into their CRA methodology, identifying and verifying country-related client information, performing CRA, adopting risk-based due diligence measures, and conducting ongoing monitoring, Regulated Entities can mitigate country-related ML/TF/PF risks effectively.

A Ready Checklist for Evaluating Geographic Risk During Client Onboarding

During the Customer Risk Assessment (CRA) process, many factors need to be considered to ensure that financial crime risks that a customer may pose to the Regulated Entity are comprehensively assessed and addressed. This contributes towards building an accurate customer risk profile, allowing Regulated Entities in UAE to take a risk-based approach towards managing Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks.

Country-related ML/TF and PF risk is one such factor. In this infographic, we have discussed the various parameters that can be adopted by Regulated Entities to assess the country-specific ML/TF and PF risks emanating from a customer.

This checklist can be readily utilised by the Regulated Entity to enhance its CRA methodology, while giving adequate weightage to country-related ML/TF and PF risks. A Regulated Entity can rely on this checklist, once the Know Your Customer (KYC) details are collected to identify the country or countries in which the customer holds nationality and usually conducts business transactions.

The parameters to be factored while assessing country risk posed by a customer are detailed in the checklist below:

  • Whether the country in question has been included by the Financial Action Task Force (FATF) in its Blacklist or Grey List?
  • Whether the country has been sanctioned by the UN, or whether there are UN embargoes against the country?
  • Whether the country has significant levels of corruption, bribery or criminal activity?
  • Whether the country has political or economic instability, or an ineffective rule of law?
  • Whether the country is a Conflict Affected and High Risk Area (CAHRA) country?
  • Whether the country has been assessed by credible sources to present risks of ML/TF and PF? These credible sources include sources such as FATF Mutual Evaluation Reports (MER), Basel AML Index, KnowYourCountry Ratings, etc.
  • Whether the country has known associations with TF conflict zones and their bordering countries?
  • Whether the country has been identified as a tax haven?
  • Whether the country is known to have an ineffective AML/CFT/CPF regulatory framework?
  • Whether the country is known to be a haven for production or transnational shipment of illegal drugs?

Responses to these questions will indicate the level of ML/TF and PF risks the client poses to the Regulated Entity due to their country of nationality, residence, or business operations, or, where the client is a legal entity or legal arrangement, the country in which it is headquartered or incorporated.

Some parameters should be given more weightage than others. For instance, a client from an FATF Blacklisted country would pose a higher ML/TF and PF risk than a client from an FATF Grey Listed country. In fact, when dealing with clients from high-risk countries, i.e., FATF Blacklisted countries, filing a High-Risk Country Report (HRC) or High-Risk Country Activity Report (HRCA) is compulsory.

Based on responses to these questions, a Regulated Entity can formulate a probable scenario that gives clarity as to what kind of further due diligence measures must be adopted.

Let’s discuss a practical example to understand how these parameters can be incorporated into the CRA process of the Regulated Entity.

Consider a Regulated Entity ABC. During the course of its operations, it is approached by a client PQR for engaging in business. When conducting Know Your Customer (KYC) for the client, it was found that the client PQR was born in Country Z, while his nationality is that of Country Y. While conducting CRA for the client PQR, Regulated Entity ABC can use the parameters given above to assess the ML/TF and PF risks associated with Country Z and Country Y. The Regulated Entity then needs to assign adequate weightage to these assessed risks. For example, if the client has no connections with the country of his birth and is solely connected with the country of his residence, i.e., the country of nationality in this case, then ML/TF and PF risks emanating from Country Y should be given more weightage.

Assessing the ML/TF and PF risks emanating from the countries the client is associated with, along with other risk factors such as customer risk factors, product/service related risk factors, delivery channel related risk factors, etc., ensures a comprehensive CRA. We have given a detailed list of factors to consider here.

Using the CRA results, Regulated Entity ABC should build a customer risk profile, categorising PQR in accordance with the level of ML/TF and PF risks he poses to the Regulated Entity. On the basis of this, Regulated Entity ABC can apply a risk-based approach to choosing the most appropriate AML/CFT/CPF controls for the customer.

Factoring Geographic Risk During Client Onboarding: Final Thoughts

Factoring in geographic or country-related ML/TF and PF risks contributes to building an accurate customer risk profile. A comprehensive CRA process equips Regulated Entities with the insights needed to adopt a risk-based approach to adopting the most appropriate AML/CFT/CPF measures to manage the assessed risks.

ML/TF Risk Management: Risk Universe, Risk Tolerance, and Risk Appetite

Taking risks is an important part of business growth, while managing those risks is the backbone of business sustainability. Balancing risk taking and risk controls is what defines effective risk management. It is the same for Money Laundering/Terrorism Financing (ML/TF) Risk Management, which is an indispensable component of a Regulated Entity’s Anti-Money Laundering (AML) framework.

In this infographic, we have discussed the concepts of Risk Universe, Risk Tolerance, and Risk Appetite in the context of ML/TF Risk Management. Understanding these concepts enables Regulated Entities under UAE’s AML regulatory regime to build and implement sound ML/TF Risk Management practices in their organisations and effectively detect, manage, and mitigate financial crime risks.

Let us discuss these concepts in detail. 

Risk Universe

A Risk Universe is the broadest of the three concepts discussed here. It means the full range of Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks that a Regulated Entity may face during its business operations. These include:

  • Foreseeable ML/TF and PF risks, for example, risks assessed during the AML Enterprise-Wide Risk Assessment (EWRA) process
  • Unforeseeable ML/TF and PF risks
  • Known ML/TF and PF Risks
  • Unknown ML/TF and PF Risks
  • Inherent Risks, or the Gross ML/TF and PF Risks that exist when no risk control measures are in place
  • Residual Risks, or the Net ML/TF and PF risks that exist after risk control measures have been put in place
  • Any other risk contributing to ML/TF and PF risks.

Risk Tolerance

Risk Tolerance is the outer boundary that defines the extent of a Regulated Entity’s ML/TF and PF risk bearing capacity. It is the boundary beyond which the Regulated Entity is not willing to venture and take risks. Within this boundary, the Regulated Entity can handle the financial crime risks through its AML risk controls in place.

In effect, Risk Tolerance is the absolute limit which a Regulated Entity cannot cross without exposing itself to unmanageable risks, breach of AML obligations, consequential loss of reputation, etc.

Risk Appetite

Risk Appetite is the assessed amount of ML/TF and PF risks that a Regulated Entity is willing to undertake to pursue and fulfil its business objectives. These risks are well within the Regulated Entity’s risk management capabilities. Risk Appetite is an important component of the risk-based approach, allowing Regulated Entities to take informed decisions regarding AML control measures to adopt as per the degree of ML/TF and PF risks it faces.

Since Risk Appetite is the amount of risk that the Regulated Entity accepts to conduct its business operations while remaining compliant with laws and balancing business opportunities, the Risk Appetite should be clearly defined in Regulated Entity’s AML program so that the exercise of AML risk management is in alignment with the Risk Appetite of the Regulated Entity.

Defining Risk Appetite should not be a superficial process. The Risk Appetite should be measurable and quantifiable. It should not consist of empty statements created in a vacuum and must take into account all relevant data and factors at all levels of the Regulated Entity, including strategic, tactical and operational.

The ML/TF and PF factors that should be considered while drafting the Risk Appetite include the following:

  • Customer Related Risks
  • Geographic Risks
  • Products/Services/Transactions Related Risks
  • Delivery Channel Risks
  • Other Risks

Risk Appetite should be aligned with the Risk Universe identified during the EWRA, ensuring that all ML/TF and PF risks assessed during the EWRA process are adequately addressed in the Risk Appetite.

For instance, during the Customer Risk Assessment, Regulated Entities should assess whether the ML/TF and PF risks associated with a customer fall within the Risk Appetite of the Regulated Entity.

Interlinking factors amongst Risk Universe, Risk Tolerance, and Risk Appetite

Risk Universe, Risk Tolerance, and Risk Appetite are closely linked concepts. Risk Universe is the broadest concept, representing all ML/TF and PF risks to which any Regulated Entity is exposed. Risk Tolerance represents the specific risks within the Risk Universe that the Regulated Entity can manage with its existing AML controls. Risk Appetite represents the part of Risk Tolerance covering risks that the Regulated Entity can comfortably absorb, given its reliance on the ML/TF and PF risk mitigation measures it has in place to help it achieve its business goals.

ML/TF and PF risks that fall within Risk Tolerance and Risk Appetite can be managed by the Regulated Entity by implementing adequate qualitative and quantitative AML controls. These controls include Customer Due Diligence, Name Screening, and Enhanced Due Diligence, to name a few.

ML/TF Risk Management: Way Forward

Establishing an ML/TF Risk Management culture and adopting effective Risk Management practices helps Regulated Entities take quick and informed decisions regarding challenges and opportunities. However, to be effective, the ML/TF Risk Management strategies should be communicated through the organisational structure of the Regulated Entity. Further, Risk Appetite and Risk Tolerance are temporal concepts and vary over time; therefore, these should be regularly revised and updated.

Service-Based Money Laundering: Professional Services Are Prime Targets

Professional Services such as Trust or Company Service Providers (TCSPs), legal consulting and advisory services, and accounting advisory services in UAE are vulnerable to being misused as channels or means for conducting illicit activities such as money laundering (ML); this is also known as Service-Based Money Laundering (SBML). The infographic lists the factors that make professional services prone to ML risks. The services that professionals provide possess certain characteristics which make them prone to being misused by illicit actors. Let us look into each factor contributing to the misuse of professional services as a front to conduct money laundering and other illicit activities.

No Physical Commodity Trail

Services provided by professionals, such as advisory and consulting, are intangible in nature and not easily quantifiable. Because there is no physical commodity trail, the quantity of service delivered cannot be tracked or cross-verified against what is mentioned in the invoice. This makes it possible for illicit actors to introduce fake invoices to justify transactions and carry out Service-Based Money Laundering (SBML), as the authenticity of such invoices cannot be easily verified.

Subjective Invoice Value

Professional services are unique in nature, be it consulting or advisory. The nature of service and the billing method differ from one professional to another, even among those in the same sector.

Invoice value in professional services is subjective, as it depends on multiple factors that vary from one professional service to another, such as the quality, experience and expertise of the consulting team, their goodwill or reputation in the industry, and the speed or urgency at which solutions are offered.

This subjectivity of invoice values makes it even more difficult for regulators to develop a standardised mechanism to detect illicit activity behind the mask of seemingly legitimate professional service.

Discretionary Control Over Customer Services

Professional services such as advisory and consulting give these professionals immense amounts of freedom and control over the quality, quantity, duration, nature, and units of services they provide to their customers.

This discretionary control is usually not governed by any regulator beyond basic professional ethics and responsible conduct requirements, making professional services prone to being misused by launderers to carry out SBML.

Commingling Vulnerability

Commingling is the blending or mixing of illicit proceeds with legitimately earned profits or revenue. Due to the lack of physical movement of commodities to justify invoice values, subjective invoice valuations, and discretionary control over services, professional services such as advisory and consulting are vulnerable to money launderers commingling illicit proceeds with the legitimate revenue of the business.

Low Rate of Face-to-Face Client Interaction

In this day and age of technology and easy connectivity, most service-based businesses are finalised and conducted through non-face-to-face means that include video-calling coupled with other customer due diligence measures.

Actual face-to-face client interaction, where the customers of professionals visit their office premises, is not a frequent occurrence. This lack of actual human interaction and footfall at the business of professional service providers makes it difficult for authorities to identify whether a small office with one qualified professional, such as an accountant or a legal advisor, can actually cater to the needs of the hundreds of clients mentioned in its books of accounts. This makes professional consulting and advisory services appear as attractive choices for money launderers to carry out Service-Based Money Laundering (SBML).

Multi-Jurisdictional Spread

A professional sitting in the UAE can give advice to a client sitting in Australia, or a client in Switzerland can reach out to a consultant in Dubai for professional advice and consulting. Professional services such as accounting, legal services, trust and company formation services, etc., can be sought and offered across the geographical boundaries of a country.

This makes professional services vulnerable to being misused by criminals for washing their illicit proceeds through SBML due to multi-jurisdictional spread and lack of uniform regulatory controls across such geographies.

Facilitation of Anonymity

Many professional services can be sought and offered through means facilitating anonymity, such as Nominee Directorship, designating Authorised Signatories, establishing trusts to protect the identities of beneficiaries, etc.

This anonymity of the actual person behind the transaction leads to non-disclosure of the ultimate beneficial owners (UBOs) and a lack of transparency about the actual recipient of the service, making the use of professional services seem like an opportunity to conduct illegal transactions and activities and carry out SBML.

Conclusion

Professional services such as consulting and advisory services in various fields are at risk of being misused by criminals for the purpose of washing the proceeds of crime. Professional service providers must keep these service-based money laundering (SBML) vulnerabilities in mind while conducting business.

Risk Treatment Strategies in AML/CFT and CPF Compliance

Regulated Entities (REs) need to identify areas from which they are exposed to Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) risks and develop their ML, FT, and PF risk mitigation strategies by relying upon various ‘Risk Treatment’ options. The current infographic explains various ML, FT, and PF Risk Treatment Strategies that Regulated Entities in the UAE can use to mitigate ML, FT and PF risks effectively.

Risk Acceptance

Risk Acceptance is an ML, FT, and PF risk treatment strategy in which the Regulated Entity decides which types of ML, FT, and PF risk it can accept, based on the principles of the Risk-Based Approach (RBA), the RE’s ML, FT, and PF risk exposure, and the RE’s Risk Appetite. For instance, such Risk Acceptance can be documented and defined within the RE’s Customer Acceptance Policy, elaborating on the types of customers it would onboard based on various parameters defined for accepting customers posing different levels of ML, FT, and PF risks, such as low, medium, or high risks.

Risk Avoidance

Another manner of treating ML, FT, and PF risks is to avoid the particular risk factor entirely. Risk avoidance measures are an extreme form of cutting down on ML, FT, and PF risks.

Risk avoidance is sometimes pre-defined by AML laws and regulations, for example, the requirement not to conduct business with, or to suspend business relationships and transactions with, sanctioned individuals or entities whose names appear in relevant and applicable local and globally accepted international terrorist lists.

Risk avoidance measures are also termed ‘de-risking’ measures. REs can have such customised de-risking parameters pre-defined within their internal AML, CFT, and CPF Policies, Procedures, and Controls framework. For instance, ML, FT, and PF risk treatment strategies using risk avoidance can be documented in the Customer Handling and Customer Offboarding Policies of an RE.

Risk Reduction

One of the frequently used and recommended ML, FT, and PF Risk Treatment Strategies is risk reduction. Risk reduction can be achieved by conducting Customer Due Diligence (CDD) measures that help an RE identify its customers and allocate appropriate risk ratings (such as high, medium, or low) through a Customer Risk Assessment (CRA), and by deploying adequate risk reduction or control measures such as Enhanced Due Diligence (EDD). EDD measures include obtaining additional information from the customer and obtaining senior management approval before onboarding such high-risk customers.

The risk reduction strategy works by reducing the impact of inherent risks of conducting business, leading to the residual risk coming within the risk appetite of the RE.

Risk Capitalisation

The concept of risk capitalisation is all about using the materialised or identified risks as an opportunity for the business to achieve or fulfil any of its requirements. Risk capitalisation requires using any unfavourable situation in a way that benefits the organisation.

In the case of AML compliance, unfavourable situations arise from materialisation or the occurrence of risky situations, usually through customers being sanctioned or their participation in illicit activities coming to light.

The capitalisation of already identified or materialised ML, FT, and PF risks can be done by ensuring prompt Regulatory Reporting by filing Suspicious Transaction Reports (STRs) with regulatory authorities and remaining compliant with legal obligations.

Conclusion

Regulated Entities must rely on various ML, FT, and PF Risk Treatment Strategies and implement them in combination to mitigate ML, FT, and PF risks effectively.

Streamlining Video KYC: A Guide to Best Practices

Video Know Your Customer or Video KYC is an alternate method of conducting KYC, which forms an intrinsic part of the compliance obligations of a business regulated by UAE’s AML regulations. It leverages enabling technologies to facilitate customer identification and verification, allowing these to be conducted digitally and remotely through video calls. This infographic explores the best practices to streamline Video KYC for seamless, secure, customer-friendly, and effective Video KYC processes.

Formulating a Comprehensive Video KYC Strategy

A comprehensive Video KYC Strategy sets down objectives, standards, requirements, processes, policies, procedures, mechanisms, roles, responsibilities, etc., for conducting the Video KYC process seamlessly while staying compliant with Anti-Money Laundering (AML) regulations. Here are the key components that must be included for a thorough Video KYC strategy:

Defining Video KYC Software Selection Parameters:

Businesses should evaluate their specific needs and define criteria for the selection of effective Video KYC software. This ensures the selection of a Video KYC software that ticks all compliance requirements of the business while ensuring a smooth customer experience. The parameters should be set while taking the following into consideration:

  • Set Data Standardisation Parameters: The software should have default, yet customisable data standards such as consistency in semantics, syntax, language, form, type, etc. This improves data quality and enables accurate and efficient data analysis.
  • User-Friendly Video KYC Platform: The software should provide an easily navigable interface, ensuring user satisfaction for both the employees of the business and the customer.
  • Interoperability: The software should have features that help it easily integrate with existing AML compliance tools adopted by the business. Interoperability can be facilitated through APIs.

Identity Lifecycle Management Procedure:

The Video KYC Strategy should set the processes and procedures for Identity Lifecycle Management. Identity Lifecycle Management is the management of a customer’s identity and involves the following stages:

  • Enrolment Process: Gathering information about the customer’s identity and verifying the same
  • Issuance of Credentials: Issuing credentials bound to the customer, including username and password, authentication codes, etc.
  • Use Enablement: Enabling the use of credentials as confirmations during transactions, utilising services, etc.
  • Management and Maintenance: Maintaining the identity information to make sure it is up-to-date and secure
  • Retirement Formalities: Removal of identity information when the customer leaves the services of a business and record-keeping requirements under AML regulations are no longer applicable

Employee Training and Awareness:

Businesses should ensure that adequate and role-specific training is given at regular intervals to the relevant employees. This ensures that the employees understand their roles and responsibilities and are able to execute them effectively. This training should include the following:

  • Role-Specific Training: Employees should be trained regarding their specific responsibilities in the Video KYC process.
  • Training Tailored for Video KYC: Employees should be trained regarding the Video KYC Strategy of the business, including the procedures and processes to implement the same.

Ensuring Watertight Security:

Video KYC Strategy should include a dedicated section for data security to ensure that customer data is protected against vulnerabilities and unauthorised access throughout the Identity Lifecycle. The security policy must include the following components:

  • Custom Access Control Policy: Businesses should implement Access Control Policies which should accurately reflect internal roles, responsibilities, and positions in the business, minimising unauthorised access.
  • Authentication Mechanisms: Businesses should implement robust authentication mechanisms to ensure defence against attackers exploiting weaknesses in the security systems and assuming the identities of customers temporarily or permanently.
  • Adequate Data Encryption & Protocols: Businesses should ensure that all data collected and stored is encrypted so that data integrity and privacy are maintained. Adopting public/private key based encryption methods is an internationally recognised security standard.
  • Vulnerability Assessment: Businesses should include the provision for Vulnerability Assessment. This involves testing a business’s Video KYC security systems and infrastructure to detect any gaps or weaknesses in the systems. It should be conducted by experts with experience and relevant skills and conducted at least annually.

Ensuring Data Privacy and Consent:

The Video KYC Strategy should detail the business’s policies and measures to ensure data privacy and consent. These should include the following components:

  • Compliance Across Multiple Jurisdictions: When conducting Video KYC across different jurisdictions, businesses should ensure adherence to local data protection regulations, international standards and privacy laws of the countries they serve. The Video KYC Strategy should also address the business’s procedures to meet requirements such as taking informed consent of customers before processing their data, data localisation, cross-border data transfers, etc.
  • Multi-Factor Authentication (MFA) while Transmitting, Accessing, and Storing Personal Data: Multi-Factor Authentication ensures that data remains secure and protected from unauthorised access. It involves authentication through multiple layers of authentication factors, such as knowledge factors, possession factors, and biometric factors.

Ensuring Governance

To implement the Video KYC Strategy, it is important to establish clear roles and governance structures across the operational hierarchy of the business. The role of the following stakeholders should be defined:

Role of Client-Facing Personnel:

Frontline staff are uniquely positioned as they are the first point of contact with the customer. They possess valuable insights into customer preferences and help initiate the Video KYC process by generating cases for the KYC analysts. Their role includes the following:

  • Clear Communication: Client-facing personnel must establish clear communication with the client. This includes understanding the needs of the client, informing them of the Video KYC process, providing instructions, answering questions, etc. This enhances the customer’s trust in the service.
  • Customer Handling: Client-facing personnel must inculcate soft skills such as patience, professionalism, etc. to effectively handhold the client.
  • Obtaining Customer Feedback: After the Video KYC process is completed, client-facing personnel should ask for feedback from the customer and incorporate such feedback to improve customer satisfaction.

Role of KYC Analyst:

A KYC Analyst is responsible for the KYC processes of a business, including conducting Video KYC. The KYC Analyst ensures that the Video KYC process aligns with the business’s customer onboarding parameters and its AML compliance obligations. In terms of Video KYC, the role of the KYC Analyst includes the following:

  • Identifying and Escalating Behavioural Red Flags and ML/TF & PF Typologies: KYC analysts assess information obtained through the Video KYC process and identify suspicious behaviours or inconsistencies in customer information that may signal potential Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) risks. KYC Analysts then escalate the case to the AML Compliance Officer for further investigation and regulatory reporting.
  • Familiarity with Video KYC Tool: The KYC Analysts are well versed in operating the Video KYC tool efficiently to validate the authenticity of customer identity.
  • Preparation for Video KYC Interview: Prior to the Video KYC interview, KYC analysts prepare by reviewing the background information about the customer with the help of the frontline staff, as well as the Video KYC Policy of the business.
  • Proficiency in Biometric Identification: Biometrics is the identification of customers using biological or behavioural traits. KYC Analysts are trained to leverage the Video KYC tool to understand the biometric attributes of the customer, especially those related to behavioural aspects. This helps the KYC Analysts effectively authenticate customer identities and detect suspicious behaviour.

Role of AML Compliance Officer:

The AML Compliance Officer is in charge of overseeing the entire AML program of the business, including video KYC. The AML Compliance Officer has the following responsibilities in the Video KYC process:

  • Handling Escalations: The AML Compliance Officer investigates and ensures regulatory reporting of all cases of suspicious activities or transactions escalated to them by the KYC Analyst.
  • Decision Making for Enhanced Due Diligence (EDD): When a customer is categorised as high-risk during the Video KYC process, the AML Compliance Officer ensures that EDD is conducted for such customers and regulatory reporting is done whenever required.

Role of Senior Management:

The Senior Management plays a pivotal role in establishing an AML compliance culture in the business by setting the right tone from the top. This involves the following roles:

  • Monitoring Implementation of Video KYC: Senior Management takes note of the Vulnerability Report and the inputs of the AML Compliance Officer to monitor the implementation of the Video KYC Policy and ensure that any weaknesses brought to their attention are quickly addressed.
  • Supporting with Developing Adequate Infrastructure: Senior management ensures that the business develops and invests in the right technology, infrastructure, and skilled workforce for the smooth functioning of the Video KYC process.

Ensuring Regulatory Compliance for Remote Onboarding

Adhering to applicable regulations not only helps protect businesses from legal penalties but also ensures that customer information is handled responsibly. The applicable laws include the following:

General Laws

  • Data Privacy and Protection Laws
  • Guidelines for Adopting Enabling Technology
  • Customer Protection Regulations

These are the laws prevailing in the UAE as well as in the other countries to which the customers of regulated entities belong.

UAE's AML Regime:

Broadly comprises the following legislation:

Best Practices for Video KYC: Final Thoughts

Video KYC enables KYC processes to be conducted digitally, helping businesses serve clients remotely while ensuring compliance with their AML compliance obligations. Adopting the best practices discussed in this infographic helps ensure that the Video KYC process of the business runs effectively and handles customer data securely.

A Guide to Best Practices for Implementing pKYC: The Perpetual Advantage

Regulated Entities in the UAE can significantly benefit from adopting perpetual Know Your Customer (pKYC) measures. Regulated Entities can maximise their outcomes and make the most of pKYC tools or software by taking up certain best practices, as discussed in this infographic. These best practices broadly include formulating the strategy for pKYC implementation, the supportive role of top management, generating pKYC awareness, leveraging technology, evolving with regulatory changes, and developing Key Performance Indicators (KPIs) while regularly monitoring them for efficacy and anomalies.

Formulate a Strategy for pKYC Implementation

Regulated Entities can start by having in place a formal strategy for pKYC implementation; such a strategy must include some of the fundamentals, such as:

Scope out Organisational Goals:

Define what the Regulated Entity aims to achieve with pKYC implementation, including the extent to which it intends to automate the pKYC process and its expectations in terms of features, timelines, workforce training, and budgetary concerns such as resource allocation.

Identify KYC to pKYC Migration Requirements:

A pKYC strategy must consider the fact that whenever the Regulated Entity has to switch from manual to automated solutions, or from one pKYC tool to another, it must consider data migration requirements and limitations. Identifying these requirements helps with the pKYC software selection process.

Organise pKYC Software Demos and Shortlist Suitable Vendor Options:

The pKYC implementation strategy must provide for organising software demos to understand which tool suits the requirements the most. Going through demos helps with shortlisting potential pKYC vendors.

Select, Test, and Implement pKYC Software:

The pKYC implementation strategy must include parameters to select, test, validate, and implement pKYC software.

Define Knowledge Base:

The Regulated Entity’s pKYC implementation strategy must define a knowledge base that includes formal documentation of processes relied on by the pKYC tool, user manuals, guidebooks, rulebooks, reference charts, etc., that help the people using the system make decisions, implement training programs, and complete other related activities.

Top Management Support:

Another best practice that Regulated Entities should implement is paving the way for management support in the pKYC implementation, as compliance is always about setting the ‘tone from the top’, where the conduct and the drive for Anti-Money Laundering (AML) compliance by senior management set the tone of a compliance culture in an organisation. The senior management must play a proactive role in the following activities:

  • Put together a pKYC Software Implementation Team that includes specifically chosen individuals who understand the requirement at hand.
  • Deploy Adequate Resources based on the fundamentals of a risk-based approach (RBA) so that Money Laundering, Financing of Terrorism, and Proliferation Financing (ML, FT and PF) risks are mitigated effectively.
  • Assist with Decision-Making, as sometimes the Software Implementation Team would require direction and guidance with making crucial decisions.
  • Drive the pKYC Deployment Plan by regularly following up on the status of progress with the pKYC implementation.

Generate pKYC Awareness:

The implementation success of pKYC depends heavily on the ability of the personnel or end-users to understand what is going on, what their level of involvement would be, and what actions they would be expected to take. This can be made possible by generating pKYC awareness in the following ways:

  • Put in place a formalised End-User Training Program that contains details as to the timing, nature, frequency, training content, mode of imparting the training, trainer details and credentials, and the learning outcomes expected from the end-user training.
  • Educate End-Users with pKYC Requirements, as pKYC has its own characteristics that distinguish it from regular KYC, requiring knowledge updates.
  • Define Users and their Roles to assign the responsibilities of each individual employee regarding their role in pKYC implementation, for clarity and easy operation of the pKYC tool.
  • Educate with Workflows and Timelines, as employees need to be aware of whom to escalate a customer profile to for further CDD measures if alerts are generated, and of the expected timeframe within which they must conclude their work.
  • Encourage Knowledge Sharing, as this solves a major component of implementation: sharing and communication facilitate the identification of bugs, if any, and ensure smooth operations.

Leverage Technology:

A Regulated Entity looking to implement pKYC can leverage technology by:

  • Defining Configuration Requirements in the implementation strategy, tailored to meet the specific requirements of the Regulated Entity based on its unique situation and risk-based approach.
  • Setting up Alerts Configuration and Management to customise alerts on the basis of the workflows and responsibilities assigned, with alerts based on parameters triggered through any change in customer details directly impacting customer risk profiling and customer risk rating.
  • Integrating the pKYC System with Existing Systems through API integration and the interoperability features of software systems, for a streamlined workflow without operational overlaps.

Evolve with Regulatory Changes:

A pKYC system that does not keep up with regulatory updates is at risk of becoming obsolete in no time. Regulated Entities need the pKYC tool to evolve with regulatory changes by:

  • Developing a thorough understanding of the Regulated Entity’s AML and CDD Obligations in the UAE to make sure there are no blind spots in AML compliance requirements.
  • Keeping pace with regulatory changes, which often requires updating the trigger points that generate alerts in the pKYC system. This is made possible through proactive Scenario Development, where the pKYC implementation team and the transaction monitoring analysts of the Regulated Entity upgrade the system by feeding new rules or thresholds for generating alerts, as “scenarios”, into the pKYC configuration panel, helping keep up with changes in laws and obligations.
  • Crafting a Regulatory Change Management Plan, as having a plan in place helps with taking action when laws change and require re-configuration of alert systems and the inclusion or deletion of any change in pKYC formats, templates or questionnaires.
  • Relying on Expert AML Compliance Advisory Services when in doubt as to the right move to ensure continuous compliance with AML regulations in the UAE.

Develop and Monitor KPIs:

To ensure that the pKYC system is operating smoothly without glitches, Regulated Entities need to develop parameters to monitor Key Performance Indicators (KPIs), such as:

  • Develop Feedback Channels through Post-implementation Support that encourage open communication from both the customers and the employees using the pKYC tool, where they can report any issues they are facing so that the support team, either in-house or of the pKYC tool vendor, can assist with problem-solving.
  • Ensure Operational Efficiency, as timely identification of bugs, glitches, lags, etc., helps with achieving operational efficiency.
  • Identify what Post-implementation Success looks like and run a Comparative Analysis by assessing the KPIs achieved against the projected KPIs assured by the vendor, to identify variation in the performance of the system so that timely action to rectify problems can be taken.
  • Adapt and Fine-Tune the pKYC tool as the need arises: when KYC becomes perpetual, the system’s maintenance also needs to be on a perpetual or continuous basis to ensure its relevance in a constantly evolving landscape.

Conclusion

Regulated Entities can achieve the best out of pKYC by adopting the best practices that guide towards increased efficiency.

Source of funds and source of wealth: Essential element of Customer Due Diligence

Money laundering is about concealing the origin of illegal funds and making them appear as if they were earned through legitimate sources. Once the criminal proceeds are integrated into the financial system, it becomes challenging to trace the original illegal source or the owner of the funds. To mitigate this risk, the UAE AML regulations mandate that regulated organizations (Financial Institutions, DNFBPs, and VASPs) obtain information about the source of funds and wealth and establish its legitimacy in case of high-risk customers or where ML/FT suspicion is observed.

Understanding the source of funds and the customer’s wealth brings transparency to the transactions. These details help the regulated organization determine the customer’s financial profile, which sets a base for monitoring transactions and immediately identifying any unusual transaction inconsistent with the customer’s financial capacity.

It also helps determine the nature and source of the customer’s wealth, which is pertinent to understanding if the customer’s activities are directly or indirectly associated with any criminal activities or organization.

The Source of Wealth (SoW) due diligence is conducted at the time of customer onboarding or account opening and refreshed as per the customer’s risk categorization. Further, the SoW due diligence includes the collection of documents from the customer. Once the documents are collected, the compliance teams check if the SoW is reasonable and in line with the customer’s profile. If the documents are insufficient or there are queries, the customer is contacted, and the required information is obtained. Sometimes, the compliance team takes Source of Wealth information from publicly available registries and reputable sources; in such cases, the reliability of the source is evaluated and taken into consideration while finalizing the genuineness of Source of Funds.

The extent and nature of the information collection for the Source of Funds depends on the risk-based approach adopted by the regulated entity. The compliance team collects SoF information regarding the activities that generated the funds used in a transaction, the method of transfer, the financial institution from which the transaction originated, the country from which the fund transfer is made, and the existence of any third parties in the fund transfer.

Establishing the legitimacy of the high-risk customer’s source of funds and wealth enhances the quality and effectiveness of the organization’s AML framework to mitigate the ML/FT risks.

With this visual depiction, let us understand the significance of the source of funds and wealth as part of AML efforts.

What is Source of Funds in Financial Crime Compliance?

Source of Funds (SoF) is the origin of funds used in carrying out a business transaction. The SoF is the origin and means of a business transaction made by the customer. It is focused on the funds transferred by the customer to a regulated entity. Further investigation on the Source of Funds places higher reliance on the customer’s personal and financial background and the risk-based approach taken by the regulated entity. 

The concept of the source of funds may not be clear to the end customers, and they may wonder what the Source of Funds is in KYC, but it’s part of the Enhanced Due Diligence process carried out to control and mitigate ML/TF risks.

What is Source of Wealth in Financial Crime Compliance?

The Source of Wealth (SoW) is the origin of the accumulated monetary assets of an individual. It involves an analysis of the economic activities undertaken by a person to accumulate the entire body of wealth. In accounting terms, it’s the overall net worth (assets minus liabilities) of a person.

Examples of Source of Wealth

Following are the examples of Source of Wealth:

1. Family Wealth:

The wealth generated from inheritance, gifts, pension benefits, lawsuit settlement, divorce settlement, etc.

2. Personal Wealth:

The wealth generated from lottery wins, the sale of artworks, the sale of a fixed asset, and other personal backgrounds and circumstances.

3. Employment Activities:

The wealth generated from salaries, commissions, bonuses, or pension or other retirement benefit schemes.

4. Business Activities:

The wealth generated from the sale of products and services, business income, and other commercial activities like brokerage, commission, etc.

5. Investment Activities:

The wealth generated from the sale of investments such as properties, shares and securities, royalties, patents, etc.

Examples of Source of Funds

Following are the examples of Source of Funds:

1. Salaries, Bonuses, Pension or other retirement benefit payouts

2. Interest income on bonds, FDs, personal savings account

3. Dividend income or return on investments

4. Proceeds of real-estate sale transaction

5. Inheritance or gifts

6. Winnings from lottery or casino

What is the difference between Source of Funds and Source of Wealth?

1. The source of Wealth is the origin of the entire body of wealth, whereas the Source of Funds is a narrow term. It is only concerned about the origin of funds used for a transaction.

2. The Source of Wealth has more relevance when onboarding a customer and performing his risk assessment and when you think the risks associated with a customer have changed. The Source of Funds investigation is necessitated every time a transaction is made with a high-risk customer.

For compliance officers, the Source of Funds and the Source of Wealth go hand in hand. If the value of the transaction is more than the customer’s wealth, it requires a detailed investigation into the Source of Funds. 

What if the result of Source of Wealth Due Diligence is unsatisfactory?

If the result of Source of Wealth Due Diligence falls short of the required standards as backed by the risk-based approach taken by the entity, the entity can:
1. Offboard the customer
2. Decide against onboarding a customer
3. Assign a higher risk rating to the customer
4. Enhance monitoring on customer’s activities and transactions
5. Put threshold-based controls on customer’s activities
6. Place restrictions on transactions, products, and payment methods
7. Raise an internal STR and assign it to the compliance officer for further investigation into the Source of Funds and Source of Wealth
8. If the compliance officer has a suspicion as to ML/TF, then he considers filing the STR with the UAE FIU goAML portal

Legal Background: Enhanced Due Diligence and SoF and SoW

Article 4.2 of Cabinet Resolution No. (134) of 2025 concerning the implementing regulation of Federal Decree by Law No. (10) of 2025 Regarding Anti-Money Laundering, and Combating the Financing of Terrorism and Proliferation Financing requires Financial Institutions, DNFBPs, and VASPs to apply Enhanced CDD measures to manage high risks and take reasonable measures to identify the Source of Funds and Source of Wealth of customers and beneficial owners. The Enhanced Due Diligence (EDD) requires the regulated entity to obtain necessary documents and information and satisfy itself as to AML Source of Funds requirements and Source of Wealth Requirements.

SoF and SoW in Customer Risk Assessment

Source of Funds verification limits opportunities for criminals to exploit financial systems. The type of documents to rely on when performing a Source of Funds check depends on the associated risks with a transaction. Documents required to check the Source of Funds include bank statements, documents confirming the sale of real estate, the sale of shares and securities, and a win from a casino.

Source of Funds and Source of Wealth information play a vital role in Customer Risk Assessment. The following factors require due consideration:

1. Whether the Source of Wealth information is adequately obtained and documented in Customer’s Profile
2. Whether the Source of Funds information at the time of customer onboarding has been adequately obtained and documented in the customer’s profile
3. Whether the ongoing Source of Funds information is adequately obtained and documented
4. Whether there are any open queries as to SoF or SoW
5. Whether the customer is a Politically Exposed Person (PEP)
6. Whether there is negative news, criminal history, ML/TF charges associated with the customer
7. Whether the customer is genuine and reputable
8. Whether the Source of Funds or Source of Wealth originates from a high-risk country

What documents can verify Source of Funds and Source of Wealth

The Source of Wealth and the Source of Funds documents must be issued by a reputable company, commercial provider, or government agency. The following documents, data, or information could be considered reliable while collecting SoF and SoW information:

1. Government-issued data and documents – Tax returns, Property Register, etc.
2. Bank statement, passbook
3. Payslip
4. Stamped grant of probate
5. Audited Financial Statements
6. Will
7. Sale and purchase agreements
8. Import and export documents

When to conduct the source of funds and source of wealth enquiries

Enquiries into the Source of Funds and Source of Wealth are conducted in accordance with the regulatory requirements, the entity’s risk-based approach, and the AML/CFT policies and procedures.

The AML/CFT policies and procedures must clearly identify triggers for necessitating the performance of Source of Wealth and Source of Funds enquiries.

Here are some events that would trigger Source of Wealth and Source of Funds verification:

1. SoF and SoW checks are required when onboarding or conducting a transaction with a high-risk customer.
2. As a part of ongoing monitoring of a business relationship with a high-risk customer
3. When there’s a change in the customer’s risk profile (Non-PEP customer becoming a PEP)
4. When the customer’s transactions are inconsistent with his profile
5. When a transaction is complex, or it is a high-value transaction
6. When a transaction is destined to or originates from a high-risk country

Best Practices for Source of Funds Due Diligence

The AML/CFT policies and procedures of the company must answer the question of how to check the Source of Funds. Here are best practices for AML Source of Funds Due Diligence:

1. Assess the overall risk associated with the customer and the transaction being carried out
2. Analyse documents and information collected and determine if the nature and size of the transaction align with the customer’s profile
3. Document the rationale and any other relevant information and final decision as to onboarding or otherwise for future reference. 

Best Practices for Source of Wealth Due Diligence

The AML/CFT policies and procedures of the company must answer the question of how to check the Source of Wealth. Here are best practices for AML Source of Wealth Due Diligence:

1. Consider the risk rating of the customer and ensure that the source of wealth information aligns with the customer’s profile
2. Collect documents and information, including audited financial statements, tax returns, payslips, inheritance certificates, and so on.
3. Document the decision-making process and record your observations and the final decision.

The importance of AML Source of Funds Verification

Investigating a customer’s Source of Funds is important to fighting financial crimes like money laundering and terrorist financing. In cases where the SoF and SoW do not match the customer’s risk profile or intended volume and nature of transactions, filing a suspicious transaction report or suspicious activity report may be necessary. 

The AML source of Funds check confirms that the funds used in carrying out a business transaction are coming from legal sources or genuine business activities. It is an essential component of AML/CFT compliance for high-risk customers. Failure to perform Source of Funds checks can result in fraud, reputational damage, fines, and penalties. 

The importance of AML Source of Wealth Verification

The Source of Wealth identifies what the customer does for a living and the origin of the wealth accumulated. The entire purpose of Source of Wealth Due Diligence is to avoid working with clients who have acquired their wealth through illegal means and to comply with regulatory AML/CFT requirements.

Proof of Funds

Proof of Funds (PoF) is the document evidencing the origin and means of a financial transaction. It demonstrates that the customer has the funds to carry out a particular transaction. A Bank statement usually depicts the balance available in the customer’s account to complete a transaction.
There is a difference between Proof of Funds (PoF) and Source of Funds (SoF). The Proof of Funds (PoF) only focuses on documentary evidence, whereas the Source of Funds questions the origin of funds.

AML UAE is one of the leading AML Consultancy Service Providers in the UAE, assisting clients with tailoring the AML/CFT policies and procedures, implementing the robust AML framework, drafting the comprehensive Customer Due Diligence procedures, including Enhanced Due Diligence measures, imparting AML Training to the Compliance Officer and team, etc.
