Use of Digital ID for Customer Due Diligence - New Guidance issued by CBUAE for LFIs

The Central Bank of the UAE (CBUAE) has issued new Guidance on anti-money laundering and combatting the financing of terrorism (AML/CFT) for Licensed Financial Institutions (LFIs), which is applicable with immediate effect. The Guidance for LFIs on the use of Digital ID for customer due diligence aims to help financial institutions adopt, understand and implement their statutory AML/CFT obligations, and it takes into account the standards issued by the Financial Action Task Force (FATF).

The Guidance addresses the use of digital ID systems and mechanisms by LFIs to fulfil their customer due diligence (“CDD”) obligations in relation to natural persons.

Digital ID for Customer Due Diligence Guidance Applicability

The Guidance applies to all natural and legal persons licensed and/or supervised by the Central Bank of the UAE in the following categories:

  • National banks
  • Branches of foreign banks
  • Exchange houses
  • Finance companies
  • Issuers and providers of stored value facilities
  • Licensed retail payment service providers and card schemes
  • Registered hawala providers
  • Insurance companies, agencies, and brokers
  • Other LFIs not covered above.

Key Takeaways: Guidance on Digital ID for Customer Due Diligence

1. The Guidance covers identity proofing, enrollment, and authentication mechanisms in the use of digital ID systems. “Digital ID systems” are defined as systems that:

“use electronic means to assert and prove a person’s identity online and/or in in-person environments, including through the use of: 

  • Electronic databases, including distributed databases and/or ledgers, to obtain, confirm, store, and/or manage identity evidence; 
  • Digital credentials to authenticate identity for accessing mobile, online, and offline applications; 
  • Biometrics to help identify and/or authenticate individuals; and 
  • Digital application program interfaces (“APIs”), platforms, and protocols that facilitate online identification and the verification and authentication of identity.”

2. LFIs are directed to use the national-level identification systems and processes in use or under development in the UAE, such as UAE Pass, Emirates ID, Emirates Facial Recognition, etc.

3. LFIs may use the online validation gateway of the Federal Authority for Identity and Citizenship and keep a copy of the Emirates ID and its digital verification in their records.  

4. LFIs should leverage data generated by authentication for ongoing customer due diligence and transaction monitoring to identify suspicious customer activity, behavior, or transactions with sanctioned or high-risk jurisdictions.

5. LFIs may rely on customer identification and verification carried out by a third party, but shall abide by the following:

  • Obtain all relevant information from the third party.
  • Take the required steps to ensure that the third party provides copies of the customer documentation/information used for CDD.
  • Ensure that the third party complies with the record-retention requirements provided in Cabinet Decision No. (10) of 2019 and Decree Law No. (20) of 2018 on Anti-Money Laundering.

6. LFIs should take appropriate measures to address the inherent technology risks and challenges posed by digital ID systems, and shall implement processes and systems that reduce identity proofing and enrollment risks, e.g. cyberattacks, security/cyber breaches, and the use of stolen, falsified, or synthetic ID details, which arise from reliance on open networks like the Internet.

7. The Guidance sets out a strategy for mitigating threats to the identity proofing and enrollment process laid down by the U.S. National Institute of Standards and Technology (“NIST”) Digital Identity Guidelines.

8. The Guidance also covers the risks at the authentication stage, like credential stuffing, phishing, man-in-the-middle (credential interception), and PIN code capture and replay, which are exploited without the owner’s knowledge.

9. LFIs shall ensure that the digital ID system adopted provides complete confidence/assurance and works efficiently to produce the desired results. The system should be protected against internal and external manipulation and shall detect unauthorized users, cyberattacks, and insider fraud.

10. LFIs shall first conduct an Assurance Level Assessment to understand the assurance levels of the digital ID system based on its governance, technology, and architecture, in order to determine its reliability and independence. LFIs can perform the assessment themselves, or they may consider obtaining an audit or assurance certificate from an expert body.

11. After the Assurance Level Assessment, LFIs shall conduct an Appropriateness Assessment to determine whether the digital ID system is reliable enough to deal with potential money laundering, terrorism financing, fraud, and other financing risks. An LFI’s Assurance and Appropriateness Assessment of the digital ID system used to perform CDD shall be documented and updated periodically.

12. The Guidance includes various illustrations, adapted from the NIST Digital ID Guidelines, of the technical requirements for:

  • the identity proofing and enrollment 
  • authentication protocols and processes
  • authenticator lifecycle management

13. The Guidance focuses on the use of digital ID systems for performing customer due diligence at the time of onboarding/account opening and during ongoing monitoring, which will help mitigate the potential risks of money laundering and the financing of terrorism and safeguard the financial system of the UAE.

How can AML UAE help?

AML UAE is one of the top AML Consulting firms providing end-to-end support services for Anti-Money Laundering and Combatting Terrorism Financing to Financial Institutions, DNFBPs and VASPs. We can assist you in conducting Business Risk assessment, selection and assurance assessment of Digital ID systems, complying with ongoing monitoring of Transactions, and identification and reporting of suspicious transactions. 

All-encompassing AML training for your business just a call away.

Contact us now, and let's get started.

About the Author

Dipali Vora

Associate Company Secretary

Dipali is an Associate member of ICSI and has a Bachelor’s in Commerce and a General Law degree. She has an overall experience of 7 years in the compliance domain, including Anti-Money Laundering, due diligence, secretarial audit, and managing scrutinizer functions. She currently assists clients by advising and helping them navigate through all the legal and regulatory challenges of Anti-Money Laundering Law. She helps companies to develop, implement, and maintain effective AML/CFT and sanctions programs. She knows Anti-money laundering rules and regulations prevailing in GCC countries and specializes in Enterprise-wide risk assessment, Customer Due-diligence, and Risk assessment.