Clari5 Market Insights

United Arab Emirates

Central Bank of the UAE

New Guidance for FIs on Risks Related to VAs & VASPs

The Central Bank of the UAE has Issued a New Guidance for Licensed Financial Institutions on Risks Related to Virtual Assets and Virtual Asset Service Providers

By when must Financial Institutions (FIs) comply with the mandate?

FIs must meet the CBUAE guidelines by June 30, 2023.

Why has CBUAE issued the new mandate?

The UAE region is seeing a huge uptick in money laundering activities related to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) in the ongoing times. Virtual assets, like more traditional forms of value such as cash and e-money, can be used to move or store value related to any kind of illicit activity, from fraud to the proliferation of weapons of mass destruction like illicit sale of narcotics and firearms. Computer-based fraud and extortion, drug trafficking, cybercrimes, purchases from online dark web marketplaces, existence of professional money laundering schemes that allow criminals to cash out proceeds generated in virtual currency via illicit online markets are also observed.

VAs and VASPs have become a vulnerable area because of the Anonymity or pseudo-anonymity of blockchain transactions, Weak Regulatory and Supervisory Architecture in the jurisdictions, Insufficient Preventive Measures, and Downstream services to third-party (i.e., non-customer) VASPs.

Virtual asset markets offer less consumer protection than traditional financial markets, with correspondingly greater risks of fraud and manipulation. Hence these Virtual assets may be targets for hackers, who have been able to breach sophisticated security systems to steal funds, without the company holding your virtual assets and not being able to offer you the kind of help you expect from a bank. Therefore, CBUAE issued these guidelines.

Highlights of the mandate

The guidance published by CBUAE is applicable to all National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers, and Insurance companies, agencies, and brokers.

The CBUAE has laid out Requirements for Non-Objection for Opening New Accounts for VASPs for Administrative Accounts, Transactional Accounts, Jurisdiction, Control Assurance and Non-Objection Process.

The CBUAE has also laid out Mitigation steps for ML / TF Risks Related to VASP Customers and VA-Related Customer Transactions which include:

Risk-Based Approach
LFIs must perform, document, and keep up to date an enterprise-wide risk assessment that includes an assessment of risks related to VASP or VA-exposed customers. This risk assessment should consider all the risk factors relevant to VASPs and VA activities, including those arising in relation to its customers, Products and services, Delivery channels, and Geographies. FIs need to perform a one-time review and assessment of their existing customer portfolio to understand if any existing customers meet the definition of a VASP or engage in VA transactions and establish a compliance monitoring plan.

Customer Due Diligence
Under Article 5 of the AML-CFT Decision, LFIs must conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. As part of General CDD, follow the steps of Customer Identification and Verification, Beneficial Owner Identification and Verification, Understanding the Nature of the Customer’s Business and the Nature and Purpose of the Business Relationship, Ongoing Monitoring throughout the business relationship, Sanctions Screening of all parties, and of Customer Rejection and Exit. Besides that, there needs to be Specific Due Diligence done for All VASP Customers, and Enhanced Measures taken for Higher-Risk Customers.

Transaction Monitoring and Suspicious Transaction Reporting
Under Article 16 of the AML-CFT Decision, LFIs must monitor activity by all customers to identify Behaviour that is potentially suspicious and that may need to be the subject of an STR or SAR. LFIs should ensure that transaction monitoring rules or keyword searches are designed and updated with sufficient frequency to allow the LFI to detect undisclosed VASP activity as well as significant transactions between their customers and third-party VASPs. LFIs should monitor transactions for recognized indicators of suspicious VA activities or possible attempts to evade targeted financial sanctions and AML / CFT reporting requirements or other controls.

Sanctions Obligations and Freezing Without Delay
Guidelines need to be followed as per the United Nations Security Council.

An effective training program of the employees will be tailored and customized to the LFI’s risks and nature of its operations.

Governance and Independent Audit
‘Three lines of defense’ model and AML / CFT program to be followed for the preventive measures mentioned in the paper.

Record Keeping
Specific guidelines on maintaining records of measures taken, data analysis and results.

The CBUAE has also laid out Mitigation steps for ML / TF Risks Related to LFIs’ Proprietary Investments in VAs which include Specific Due Diligence for All VASP Counterparties and Enhanced Measures for High-Risk VASP Counterparties similar as above.

How Clari5 helps UAE’s FIs quickly comply with CBUAE’s mandate

Need More Information?