Process of an Effective Transaction Monitoring Program

Transaction monitoring is one of the most critical steps in the customer due diligence process, and it allows regulated entities to keep a check on suspicious transactions and mitigate money laundering and financial crimes.

However, to ensure that transaction monitoring is robust, an effective transaction monitoring program must be developed.

The first step in developing the program is conducting an enterprise-wide risk assessment to identify the risks regulated entities face from customers, products, and services and adopt the risk-based approach.

The second step is to define the transaction monitoring red flags. These red flags and risk indicators will help correctly identify suspicious transactions during ongoing monitoring. While defining these red flags, the business must consider the evolving trends and typologies associated with the industry in which it operates.

Based on the overall assessed risk and the identified red flags, the regulated entity needs to create transaction monitoring rules. The monitoring system will check the transactions against the defined rules. These rules must be validated and tested before the system is made live for ongoing monitoring.

If a transaction is carried out that doesn’t satisfy any of the rules, it will be marked suspicious, and an alert or warning should be triggered. The compliance team must check the alerts and generate a detailed report containing the nature of the alert, investigation requirements, customer risk classification, primary assessment of the nature of the risk indicator, etc.

In case of suspicion, the compliance team must file an internal Suspicious Transaction Report (STR), which the Compliance Officer will evaluate and perform an independent investigation, as may be required. Based on the review, the Compliance Officer shall report the suspicion on the goAML Portal or classify it as a “false positive” along with the reason.

The transaction monitoring rules and risk parameters must be periodically reviewed and updated to reduce the number of false alerts and identify suspicious activities in a timely manner.

Key Benefits of Conducting Independent AML Audit

An independent AML audit is necessary as per the UAE’s anti-money laundering laws. While the business is obliged to conduct an AML audit, there are several benefits it provides to the entity.

When you conduct an internal AML audit (which is not independent of the AML function), there is a chance that the internal AML compliance department will miss out on covering all aspects and be influenced by internal factors. On the other hand, independent AML audits provide the business with an honest view that is free from any internal influence.

Based on the independent AML auditor’s opinion, the AML compliance department can make changes to the existing policies, procedures, and controls. This also allows the business to update the AML compliance framework with the latest regulatory requirements. For instance, if the government has introduced a change in record-keeping requirements, periodic AML audits will bring it to notice, according to which the business can make the required changes.

Moreover, you can analyze the gaps between the current and recommended ML/FT risk mitigation measures and learn how to enhance AML efforts to better identify and manage financial crime risks.

Senior management-backed independent AML audit function helps build an AML compliance-oriented culture and a seriousness about combating financial crimes.

When you take such focused actions to elevate AML compliance, you earn goodwill in the market and stand out as a reputed regulated entity, committed to combating financial crimes.

Overall, an independent AML audit not only supports AML compliance but also helps the business build a robust framework, the right environment, and boost the business stakeholders’ confidence in the business.

Key Risk Indicators Linked to Customer Address Verification

While conducting customer due diligence (CDD), one of the important steps is to Know Your Customer (KYC).

The KYC process requires the regulated entity to obtain details about the customer’s identity and place of residence or place of business, as the case may be. As part of KYC, the regulated entities must verify the address using a reliable, independent source (such as obtaining a valid copy of utility bills, bank statements, tenancy contracts, etc.). Address verification is one critical measure to establish the legitimacy of the customer’s identity and identify suspicious activities.

The address verification process is not restricted to learning about the customer’s address. The regulated entities need to make sure that the address truly belongs to the customer and exists for real. If the customer is cooperative and provides genuine information during the address verification, then the regulated entities can give it a green signal (if no other red flags are observed).

However, there are certain scenarios when the regulated entities need to be cautious and take action to mitigate the chances of the incorrect or fake addresses provided, obscuring the identity and indulging in financial crime. With this infographic, understand the key risk indicators associated with the customer address, which a regulated entity must be cautious of.

AML Compliance Requirements in UAE

It is pertinent to understand the various AML compliance requirements entrusted upon the DNFBPs, to effectively implement the AML program across the organization and mitigate the financial crime risks.

To help you ensure complete compliance with AML UAE regulations and avoid non-compliance penalties and reputational damage, we have summarised all the AML obligations of the DNFBPs in the present infographic. The infographic can be your ready reckoner, guiding you through the customer onboarding process and due diligence, mandatory reporting to FIU (DPMSR or REAR or CNMR, etc.), and ongoing customer relationship monitoring.

AML UAE is the AML Consultancy firm to handhold you during your AML compliance journey so that you do not miss any AML requirements and protect your business from being exposed to financial crimes.

AML Compliance Requirements: Related Resources and Insights

Related Infographics

Understanding the Difference between UAE Federal AML Law and DIFC AML Rulebook

The primary difference among UAE Federal Law, DIFC, and ADGM Rulebook is the Supervisory Authority that governs, regulates, and administers fulfilment of AML Compliance requirements by Regulated Entities under the purview of each jurisdiction.

The regulated entities operating in the Dubai International Financial Centre (DIFC) are required to comply with the DFSA-issued AML Rulebook, along with the AML Federal Decree-Law and the corresponding Cabinet Decision. Though the DIFC AML Rulebook is developed in line with the Federal AML regulations, there are a few differences between the two, which the DFSA-regulated entities must take into consideration.

The above-mentioned infographic distinguishes the following AML provisions under the Federal Law and the DIFC AML Rulebook:

1. One of the differences, indirectly mentioned above, is related to the Supervisory Authority. The DIFC-based entities are subject to AML supervision by the DFSA – Dubai Financial Service Authority. While, the mainland companies subject to Federal AML regulations vary based on the nature of operations – such as the Central Bank of UAE for Financial Institutions, Ministry of Economy for the Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Assets Regulatory Authority (VARA) for Dubai-based Virtual Asset Service Providers (VASPs).

2. With respect to the real estate sector, only real estate brokers and agents are subject to AML compliance as per Federal Law. However, the DIFC AML Rulebook extends the compliance regime to the DIFC-based real estate developers as well.

3. Moreover, the following two classes of activities or professions are additionally covered under the definition of “Designated Non-Financial Businesses and Professions” (DNFBPs) under the DIFC AML Rulebook:

Insolvency firms
Person engaged in the issuance of Non-Fungible Tokens (NFTS) or utility tokens or providing related services.

4. The AML documentation requirement is for a minimum period of 6 years in DIFC, as compared to a minimum of 5 years under Federal AML Law.

5. The DIFC AML Rulebook mandates that regulated entities have a UAE resident as an AML Compliance Officer or Money Laundering Reporting Officer (MLRO). There is no such requirement under Federal AML Laws.

6. In addition to the AML compliance obligations imposed under Federal AML Laws, the DIFC entities are required to comply with the following two AML requirements:

Filing an AML Annual Return with the DFSA (for the period starting from August of the previous year till July of the year in which reporting is to be done) and
Appointing a Deputy (MLRO) to manage the AML program in the absence of MLRO.

Ensuring compliance with the DIFC AML Rulebook is very crucial for the regulated entities operating in or from the DIFC.

Let AML UAE be your handholding partner, guiding you throughout the AML compliance journey. With our experience in Federal AML Laws and the DIFC AML Rulebook, we can assist your business in customizing the AML program to stay regulatory compliant and safe against ML/FT vulnerabilities.

UAE Federal Laws vs DIFC Rule Book: Related Resources and Insights

Related Infographics

Red flags associated with High-Risk Jurisdictions

The regulated entities in the UAE must take a risk-based approach and manage their money laundering, terrorist financing, and proliferation financing risks. One important risk factor is the jurisdictions the entity works with. In this infographic, we will understand the red flags associated with high-risk jurisdictions. The regulated entities must take appropriate countermeasures while dealing with such high-risk countries.

Geographic risk is associated with countries with poor AML/CFT framework, high levels of corruption, drug production and cartel activities, unstable political environment, and lack of transparency. Such countries are also known as secrecy or tax havens.

Red flags are potential risk indicators for money laundering, terrorist financing, or proliferation financing. This infographic lists red flags associated with high-risk countries and jurisdictions.

Businesses dealing with such high-risk jurisdictions must watch out for the red flags to safeguard themselves from various risks such as fraud, theft, reputational damage, and regulatory fines and penalties. Depending upon the risk-based approach adopted by the regulated entity, the entity needs to identify, assess, and counter jurisdiction risk.

Jurisdiction risk must be considered while performing the Enterprise-Wide Risk Assessment and Customer Risk Assessment. If the entity observes any red flags associated with high-risk jurisdictions, it must employ countermeasures such as enhanced due diligence, ongoing monitoring, and regulatory reporting (HRC and HRCA reporting).

As per the FATF blacklist, Iran, North Korea, and Myanmar are treated as high-risk jurisdictions. For more understanding about FATF blacklist and grey list, Read our article What are FATF Blacklist and Grey list countries? February 2024.

Red Flags Associated With Smurfing

Smurfing is one of the widely used money laundering techniques. In this technique, the money launderer fragments the large cash amount into smaller amounts to keep it below the threshold level set for AML checks (such as applying Customer Due Diligence measures, ongoing monitoring and reporting) and then deposits it into financial institutions.

AML laws and regulations mandate that reporting entities take the right measures to identify and prevent smurfing activities. They are obliged to maintain red-flag indicators that indicate suspicious transactions and activities related to potential smurfing attempts and submit the necessary report with the Financial Intelligence Unit (FIU) by filing a Suspicious Transactions Report and Suspicious Activity Report, as the case may respectively.

Such risk indicators may include multiple cash deposits of equal amounts from one or more persons from various locations to the same bank account or multiple accounts opened by a single person who does not have any apparent business transactions through these accounts but is merely used for the distribution of illegal funds.

This infographic provides a list of red flags associated with the smurfing technique that you can implement in your AML program. These red flags relate to transactions, customer behaviour, and account activity.

By implementing these red flag indicators in your anti-money laundering compliance program, you can shield your business from smurfing and related financial crime activities.

Gold Supply Chain: Uncovering the ML/FT Red Flags

The gold supply chain has several stages, including extracting, transporting, handling, etc., and is highly vulnerable to financial crime risks. Some of these risks are associated with specific supply chain stages or the players involved in the gold supply chain, whereas other risks are common to all the stages of the gold supply chain.

To easily identify and facilitate the mitigation of ML/FT risks observed in the course of the gold supply chain, we have provided a substantive list of red flags and bifurcated them into various categories for better understanding:

Red Flags associated with Gold Mining Companies
Red Flags associated with Shipping
Red Flags associated with Gold Trading Companies
Red Flags associated with Transactions and Activities
Red Flags associated with Geography

The range of the risk indicators is very wide, covering non-compliance of the environment regulations by a mining company, while routing the gold shipment through refineries in jurisdictions that do not offer any economic advantage. Inconsistencies in the transaction value or volume or excessive dealing with unregulated markets are also ML/FT red flags that may suggest abuse of the gold supply chain.

Whenever any of these red flags are observed, immediate action and investigation are demanded. The proactive approach is necessary to ensure a secure gold supply chain and effectively mitigate ML/FT risks.

Adverse Media Screening Process

Conduct Negative News Research Using Search Engines

Adverse Media Screening is an important step in the customer due diligence process. It helps to provide additional information necessary to establish the prospect’s true identity and avoid onboarding the ones who are known to be involved in money laundering and other financial crimes.

Adverse media screening is all about researching; one needs to research whether there’s any negative news involving any fraud, scam or financial crime related to the prospect or existing customer. One can use information available from reliable and independent public sources for this purpose.

Conduct Negative News Research Using Search Engines

The first way to conduct the research is through multiple search engines, such as Google and Bing.

One needs to search for the name of the prospect or customer along with the word strings that contain all the relevant words necessary to confirm the existence of the negative media. Two such strings are:

launder OR fraud OR bribe OR corrupt OR arrest OR blackmail OR breach OR convict OR court case OR embezzle OR extort OR felon OR fined OR guilty
illegal OR imprisonment OR jail OR kickback OR litigate OR mafia OR murder OR prosecute OR terrorism OR theft OR unlawful OR verdict OR politic OR sanctions

For instance, if you want to conduct an adverse media check for a person named Mr. A, then you’ll do the following searches on the search engine:

A launder OR fraud OR bribe OR corrupt OR arrest OR blackmail OR breach OR convict OR court case OR embezzle OR extort OR felon OR fined OR guilty
A illegal OR imprisonment OR jail OR kickback OR litigate OR mafia OR murder OR prosecute OR terrorism OR theft OR unlawful OR verdict OR politic OR sanctions

By conducting these searches, employees gain results having any of these trigger words associated with a person having the same name.

Using Software for Adverse Media Research

You can also use software applications for conducting adverse media screening. While using software, you only need to put the name, and it will provide you with the adverse media details related to the person and associated sources. Then, one can check these details and conclude the customer’s identity and the involvement or connection with financial crimes.

Adverse Media Search Through Social Media

Another way is to conduct research through social media websites such as LinkedIn, Facebook, and Instagram. You can search the name of the person and verify the profile details based on the key identifiers of the customer and the social profile popped up. Then, check if the person is tagged in any negative posts. You can also check adverse hashtags and pages running against them, which gives rise to the suspicion that the person has committed fraud, scam, or a financial crime.

Actions on Adverse Media Check Outcomes

If you find a match while conducting adverse media screening, you must thoroughly evaluate the details and classify the customer as “high-risk,” considering all other risk assessment parameters and applying Enhanced Due Diligence measures.

In case of no match or false match, the business can onboard the customer and establish a business relationship. This onboarding decision does not solely depend on adverse media screening but takes into account the other identification details and the transactional parameters.

Mastering Risk-Based Approach: 7 Deficiencies to conquer

The Enterprise-Wide adoption of a Risk-Based Approach is essential in countering Money Laundering (ML) and Terrorist Financing (TF) risks. The regulated entities in the UAE must adopt a Risk-Based Approach and design their AML/CFT program and controls commensurate with the risks the entity is exposed to. If the entity operates in a high-risk environment, it should have more controls to manage the overall risks and keep them within its risk appetite. Here is the article ‘Mastering Risk-Based Approach: 7 Deficiencies to Conquer’ to help you counter financial crimes effectively:

Top 7 Deficiencies around the adoption of a Risk-Based Approach (RBA)

1. Undocumented RBA methodology

The regulated entities are required to document the RBA methodology adopted by the company. Some companies fail to document or adequately describe the overall RBA methodology.

2. Lack of application of the RBA

The entities must adopt the RBA and apply it uniformly across the company. Some entities fail to adopt it and deploy controls commensurate with the nature, size, and complexity of business, client relationships, geographies, delivery channels, and products and services.

3. Undocumented Risk Appetite

Sometimes, risk appetite is not formally defined, documented, or communicated to the concerned team; hence, no uniform approach is taken to mitigate the risks.

4. Deficiencies around Enterprise-Wide Risk Assessment (EWRA)

Some entities fail to carry out the Enterprise-Wide Risk Assessment (EWRA) and identify the risks they are exposed to, the likelihood of a risk materialising, controls deployed, and the residual risks associated with the company.

5. Failure to review EWRA

The EWRA is not a static exercise. The date of the review and its timing must be recorded, and the next EWRA review date must also be documented. The EWRA must be reviewed at least every year. If there are reasons to believe that the risks associated with the company have changed, it needs to be performed even earlier. Most entities fail to realise this and do not review their gross and residual risks, and hence fail to deploy appropriate controls to mitigate such risks.

6. Deficiencies around Customer Risk Assessment (CRA)

Some entities fail to understand the importance of customer risk assessment, and they do not identify the risks associated with a customer and hence fail to apply proper risk mitigation measures.

7. Missing authorisation from the top management

Top management authorisation is necessary in high-risk situations while onboarding the client or conducting the transaction. Some of the entities fail to meet this requirement.

Process of an Effective Transaction Monitoring Program