The Dubai Financial Services Authority has published its Annual AML Return, formerly known as the Money Laundering Reporting Officer (MLRO) Report. All firms should trim their AML policies accordingly.

The DFSA says in the report: “The findings are based on analysis...they should not be viewed as exhaustive but as guidance to be applied where relevant.” In drafting up their annual 'AML returns,' firms often misunderstood – or affected to misunderstand – the questions and this is of concern to the regulator.

'Relevant persons' must use their firms' returns to provide both narrative and practical examples of how the firms comply with their regulatory AML obligations. They must also provide specific, qualitative data – for example, the number of particular clients or Political Exposed Persons (PEPs). According to the report, a significant number of firms over the past year did not identify their senior managers or obtain their signatures for various decisions, which presumably include the 'on-boarding' of PEPs.

Most of them were on more solid ground in their money-laundering and terrorist-financing 'threat assessments'. Some were a little too concerned about country risk to the exclusion of risks from business channels and other things. Their transaction monitoring had shown great improvement. They also did well when they kept records and descriptions of their on-boarding processes and the background checks and other verifying exercises that they had to undergo.

A mis-characterisation of clients?

The report/return also states that “many firms appeared to rely on the fact that transactions were booked overseas to not monitor transactions from the DIFC.” This rather obscure phrase might be a reference to the kind of shenanigans that prevail at Deutsche Bank, which recently had to pay a hefty $8.4 million fine, partly because it wilfully mis-characterised customers who lived in Dubai as customers of its Swiss branch and therefore protected by Swiss bank secrecy – an excuse that the regulator swept away in the common-law courts of the Dubai Internationl Financial Centre.

The DFSA, to recap, found out that the Deutsche Bank was not counting many of its DIFC customers as clients, as it should have done according to COB (conduct of business) Rule 2.3.1. Instead, it was treating them as clients of the booking locations (i.e. other branches of Deutsche Bank in Germany or Deutsche Bank (Suisse) SA). They were not being provided with Deutsche Bank DIFC client agreements and ‘key information’ in accordance with COB Rule 3.3.2; they had not been assessed for ‘suitability’ in accordance with COB Rule 3.4.2; they had not been subjected to customer identification and verification in the DIFC in accordance with AML rules 3.4.1 and 3.4.2; and there had been no risk assessments under AML rule 3.7.1. The regulatory fine was the largest ever levied in Dubai.

Reliance

'Reliance' (i.e. the assumption that another regulated body that has processed the customer before has done its job well and there need be no duplication) is another black spot in the report. Firms seem to have taken the word to mean a shifting of responsibility onto an outsourced resource. The report complains: “A significant number of firms misinterpreted questions in this section and failed to appreciate the difference between placing reliance on, or outsourcing 'customer due diligence' measures to a third party, from using a third party information vendor or screening software.”

SAR proportions

The amount of suspicious activity reports or SARs, both internal and external, is a worry for the regulator as well. Its report says that in the last year, firms logged 54 internal notifications relating to suspicious activities, and sent off 50 external SARs to the authorities. It thinks that this is evidence of slipshod work: “The trigger for submitting an internal notification should be as expansive as possible with the MLRO then acting as a second stage and ultimately deciding if an external SAR should be lodged. Accordingly, the DFSA expected that the number of internal notifications would be significantly higher than the number of external SARs.”

The statistics of observance

The regulator has considered 279 AML returns in this latest review; 233 of these were from DFSA-authorised firms and 46 of them were from businesses that the Financial Action Task Force calls designated non-financial businesses or professions (DNFBPs) but everybody else calls 'gatekeepers' and high-value goods dealers; 90% of the returns were received on time, or as the result of an extension of time being agreed with the DFSA; 37% required hardly any follow-up from the DFSA; and 63% of submissions required follow-up including requests for clarification and further information.

The report says that 82% of firms provide AML training every year, with the rest using a variety of other methods such as induction for new starters, quarterly updates or training on an ad hoc or 'issues-driven' basis, perhaps in classes that look at recent regulatory decisions.

Things to do

The report includes the following potted, non-exhaustive list of the DFSA’s expectations of appropriate practices at firms.

• The making of SARs should not be considered merely a reporting requirement for money-laundering reporting officers (MLROs), but the conclusion of a process of 'escalation' [the front office passing suspicions up to the MLRO, or the MLRO asking senior managers for a PEP-related sign-off] and the investigation of suspicious activities and transactions.

• Firms often overlook the requirement for policies and procedures, systems and controls to include mechanisms in which employees are able to communicate suspicions to the MLRO.

• Every firm should encourate such notifications and employees should be erring on the side of caution when making them, the better to ensure that activities and transactions, even if minimally suspicious, are escalated for consideration.

• Once an 'employee notification,' as the DFSA calls it, is made, it is then the MLRO’s obligation to investigate and keep a record of the circumstances under which the notification was made, and determine whether to send a SAR to the Anti-Money Laundering and Suspicious Cases Unit (AMLSCU). Not all internal notifications should result in an SAR, though all notifications should be investigated and the reasoning behind every decision should end up in some form of document.

The most common forms of money-laundering in the Middle East are bulk cash smuggling; gold smuggling; false invoicing; and hawala banking. For some reason or other, the report does not mention the words 'cash' or 'gold' once.