Financial Crime World

United Arab Emirates: Financial Institution Risk Assessment Mandated by Regulators

The United Arab Emirates (UAE) financial regulatory authorities have mandated that all financial institutions conduct a regular risk assessment to identify and mitigate money laundering and terrorist financing (ML/FT) risks.

Regulatory Requirements

The risk assessment is required under Article 4 of the Anti-Money Laundering and Combating Financing of Terrorism (AML-CFT) Decision and Paragraphs 16.2 and 16.3 of the Standards. This mandate applies to all financial institutions, including banks, insurance companies, investment firms, and other financial entities.

Risk Assessment Process

As part of the risk assessment, financial institutions must:

  • Identify, assess, and understand ML/FT risks associated with their businesses
  • Develop a risk assessment methodology to determine the extent to which they are vulnerable to these risks
  • Determine the nature and extent of Anti-Money Laundering (AML) and Combating Financing of Terrorism (CFT) resources necessary to mitigate and manage these risks

The risk assessment process involves six steps:

  • Scope Determination: Determine the scope of the risk assessment, including the types of customers, products, services, and geographic locations to be assessed.
  • Risk Identification: Identify potential ML/FT risks associated with the financial institution’s business operations.
  • Inherent Risk Assessment: Assess the inherent risk level of each identified risk.
  • Controls Evaluation: Evaluate the effectiveness of existing controls in mitigating the identified risks.
  • Residual Risk Assessment: Determine the residual risk level after considering the effectiveness of existing controls.
  • Risk Mitigation: Develop and implement measures to mitigate the identified ML/FT risks.

Financial institutions must also assess various areas of risk, including:

  • Customer risk
  • Products and services risk
  • Delivery channel risk
  • New technologies risk
  • Jurisdiction or geographic risk
  • Counterparty risk
  • Other areas of risk

Senior Management Involvement

Senior management must be closely engaged in the risk assessment process and take responsibility for conducting an appropriate assessment. The financial institution’s:

  • Risk appetite statement
  • Risk assessment methodology
  • Risk assessment findings

must be reviewed and approved at least annually by senior management.

Update and Review of the Risk Assessment

The risk assessment must be updated regularly, at least annually, and in response to major changes in the financial institution’s operations. The risk assessment must also be fully aligned with:

  • Products, services, customers, and geographic locations
  • Changes in the financial institution’s operations
  • Risk appetite statement
  • Legal and regulatory framework in force in the UAE
  • Guidance issued by the Central Bank of the United Arab Emirates (CBUAE)

External Resources

Financial institutions may consult external resources to plan and perform comprehensive and appropriate risk assessments, including:

  • FATF Guidance on the Risk-Based Approach for Money Services Businesses
  • Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption

Use of Findings

The risk assessment findings must be used to inform AML/CFT Program policies, procedures, internal controls, and training to effectively mitigate risks. The findings should also inform the financial institution’s risk-based approach by directing an efficient allocation of AML/CFT risk management resources to the areas of greatest concern. The findings should be provided to all business lines across the financial institution, its senior management, and relevant employees.