• AML/CFTR Chapter 2 AML/CFTR Chapter 2 General AML and CFT responsibilities

    • AML/CFTR Part 2.1 AML/CFTR Part 2.1 The firm

      • AML/CFTR 2.1.1 Firms to develop AML/CFT programme

        (1) A firm must develop a programme against money laundering and terrorism financing.
        (2) The type and extent of the measures adopted by the firm as part of its programme must be appropriate having regard to the risk of money laundering and terrorism financing and the size, complexity and nature of its business.
        (3) However, the programme must, as a minimum, include:
        (a) developing, establishing and maintaining internal policies, procedures, systems and controls to prevent money laundering and terrorism financing;
        (b) adequate screening procedures to ensure high standards when appointing or employing officers or employees;

        Note See also Part 6.1 (Screening procedures).
        (c) an appropriate ongoing training programme for its officers and employees;

        Note See also Part 6.2 (AML/CFT training programme).
        (d) an independent review and testing of the firm's compliance with its AML/CFT policies, procedures, systems and controls in accordance with subrule (4);
        (e) appropriate compliance management arrangements; and

        Note See also:
        •   rule 2.1.5 (Compliance by officers, employees, agents etc)
        •   rule 2.1.6 (Application of AML/CFT Law requirements, policies etc to branches and associates)
        •   rule 2.1.7 (Application of AML/CFT Law requirements, policies etc to outsourced functions and activities).
        (f) the appropriate ongoing assessment and review of the policies, procedures, systems and controls.

        Note See also rule 2.1.4 (Assessment and review of policies etc).
        (4) The review and testing of the firm's compliance with its AML/CFT policies, procedures, systems and controls must be adequately resourced and must be conducted at least once every 2 years. The person making the review must be professionally competent, qualified and skilled, and must be independent of:
        (a) the function being reviewed; and
        (b) the division, department, unit or other part of the firm where that function is performed.
        Note The review and testing may be conducted by the firm's internal auditor, external auditor, risk specialist, consultant or an MLRO from another branch of the firm. Testing would include, for example, sample testing the firm's AML/CFT programme, screening of employees, record making and retention and ongoing monitoring for customers.
        (5) The firm must make and keep a record of the results of its review and testing under subrule (4) and must give the Regulator a copy of the record by 31 July 2021 and every 2 years thereafter.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.2 Policies etc must be risk-sensitive, appropriate and adequate

        A firm's AML/CFT policies, procedures, systems and controls must be risk-sensitive, appropriate and adequate having regard to the risk of money laundering and terrorism financing and the size, complexity and nature of its business.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.3 Matters to be covered by policies etc

        (1) A firm's AML/CFT policies, procedures, systems and controls must, as a minimum, cover:
        (a) CDD and ongoing monitoring;
        (b) record making and retention;
        (c) the detection of suspicious transactions;
        (d) the internal and external reporting obligations;
        (e) the communication of the policies, procedures, systems and controls to the firm's officers and employees; and
        (f) anything else required under the AML/CFT Law or these rules.
        (2) Without limiting subrule (1), the firm's AML/CFT policies, procedures, systems and controls must:
        (a) provide for the identification and scrutiny of:
        (i) complex or unusual large transactions, and unusual patterns of transactions, that have no apparent economic or visible lawful purpose; and
        (ii) any other transactions that the firm considers particularly likely by their nature to be related to money laundering or terrorism financing;
        (b) require the taking of enhanced CDD to prevent the use for money laundering or terrorism financing of products and transactions that might favour anonymity;
        (c) provide appropriate measures to reduce the risks associated with establishing business relationships with PEPs;
        (d) before any function or activity is outsourced by the firm, require an assessment to be made and documented of the money laundering and terrorism financing risks associated with the outsourcing;
        (e) require the risks associated with the outsourcing of a function or activity by the firm to be monitored on an ongoing basis;
        (f) require everyone in the firm to comply with the requirements of the AML/CFT Law and these rules in relation to the making of suspicious transaction reports;
        (g) set out the conditions that must be satisfied to permit a customer to use the business relationship even before the customer's identity (or the identity of the beneficial owner of the customer) is verified;

        Note For the situations when verification of identity may be delayed, see rules 4.3.5 and 4.5.1 (2).
        (h) ensure that there are appropriate systems and measures to enable the firm to implement any targeted financial sanction that may be required under Law No. (27) of 2019 on Combating Terrorism, and for complying with any other requirements of that law; and

        Note Targeted financial sanction is defined in the Glossary.
        (i) be designed to ensure that the firm can otherwise comply, and does comply, with the AML/CFT Law and these rules.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.4 Assessment and review of policies etc

        A firm must carry out regular assessments of the adequacy of, and at least annually review the effectiveness of, its AML/CFT policies, procedures, systems and controls in preventing money laundering and terrorism financing.

        Note For other annual assessments and reviews, see:

        •   rule 2.3.8 (Minimum annual report by MLRO)
        •   rule 2.3.9 (Consideration of MLRO reports)
        •   rule 3.3.5 (3) (Correspondent banking relationships generally)
        •   rule 3.3.12 (3) (Correspondent securities relationships generally).
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.5 Compliance by officers, employees, agents etc

        (1) A firm must ensure that its officers, employees, agents and contractors, wherever they are, comply with:
        (a) the requirements of the AML/CFT Law and these rules; and
        (b) its AML/CFT policies, procedures, systems and controls;
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (2) Without limiting subrule (1), the firm's AML/CFT policies, procedures, systems and controls:
        (a) must require officers, employees, agents and contractors, wherever they are, to provide the firm's MLRO with suspicious transaction reports for transactions in, from or to this jurisdiction; and
        (b) must provide timely, unrestricted access by the firm's senior management and MLRO, and by the Regulator and FIU, to documents and information of the firm, wherever they are held, that relate directly or indirectly to its customers or accounts or to transactions in, from or to this jurisdiction;
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (3) Subrule (2) (a) does not prevent a suspicious transaction report also being made in another jurisdiction for a transaction in, from or to this jurisdiction.
        (4) This rule does not prevent the firm from applying higher, consistent standards in its AML/CFT policies, procedures, systems and controls in relation to customers whose transactions or operations extend over 2 or more jurisdictions.
        (5) If the law of another jurisdiction prevents a provision of this rule from applying to an officer, employee, agent or contractor of the firm, the firm must immediately tell the Regulator about the matter.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.6 Application of AML/CFT Law requirements, policies etc to branches and associates

        (1) This rule applies to a firm if:
        (a) it has a branch or associate in Qatar; or
        (b) it has a branch in a foreign jurisdiction, or an associate in a foreign jurisdiction over which it can exercise control.
        (2) The firm must ensure that the branch or associate, and the officers, employees, agents and contractors of the branch or associate, wherever they are, comply with:
        (a) the requirements of the AML/CFT Law and these rules; and
        (b) the firm's AML/CFT policies, procedures, systems and controls;
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (3) Without limiting subrule (2), the firm's AML/CFT policies, procedures, systems and controls:
        (a) must require the branch or associate, and the officers, employees, agents and contractors of the branch or associate, wherever they are, to provide to the firm's MLRO suspicious transaction reports for transactions in, from or to this jurisdiction; and
        (b) must provide timely, unrestricted access by the firm's senior management and MLRO, and by the Regulator and FIU, to documents and information of the branch or associate, wherever they are held, that relate directly or indirectly to its customers or accounts or to transactions in, from or to this jurisdiction;
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (4) Subrule (3) (a) does not prevent a suspicious transaction report also being made in another jurisdiction for a transaction in, from or to this jurisdiction.
        (5) Despite subrule (2), if the AML/CFT requirements of this jurisdiction and another jurisdiction differ, the branch or associate must apply the requirements that impose the highest standard, except so far as the law of another jurisdiction prevents this subrule from applying.
        (6) Also, this rule does not prevent the firm and its branches, or the firm and the other members of its group, from applying higher, consistent standards in their AML/CFT policies, procedures, systems and controls in relation to customers whose transactions or operations extend across the firm and its branches or the firm and the other members of its group.
        (7) If the law of another jurisdiction prevents a provision of this rule from applying to the branch or associate or any of its officers, employees, agents or contractors, the firm:
        (a) must immediately tell the Regulator about the matter; and
        (b) must apply additional measures to manage the money laundering and terrorism financing risks (for example, by requiring the branch or associate to give to the firm additional information and reports).
        (8) If the Regulator is not satisfied with the additional measures applied by the firm under subrule (7) (b), the Regulator may, on its own initiative, apply additional supervisory measures by, for example, directing the firm:
        (a) in the case of a branch — to suspend the transactions through the branch in the foreign jurisdiction; or
        (b) in the case of an associate — to suspend the transactions of the associate insofar as they relate to Qatar.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.1.7 Application of AML/CFT Law requirements, policies etc to outsourced functions and activities

        (1) This rule applies if a firm outsources any of its functions or activities to a third party.

        Note See also rule 2.1.3 (2) (d) and (e) (Matters to be covered by policies etc) for other requirements relating to outsourcing.
        (2) The firm, and its senior management, remain responsible for ensuring that the AML/CFT Law and these rules are complied with.
        (3) The firm must, through a service level agreement or otherwise, ensure that the third party, and the officers, employees, agents and contractors of the third party, wherever they are, comply with the following in relation to the outsourcing:
        (a) the requirements of the AML/CFT Law and these rules;
        (b) the firm's AML/CFT policies, procedures, systems and controls;
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (4) Without limiting subrule (3), the firm's AML/CFT policies, procedures, systems and controls:
        (a) must require the third party, and the officers, employees, agents and contractors of the third party, wherever they are, to provide suspicious transaction reports for transactions in, from or to this jurisdiction involving the firm (or the third party on its behalf) to the firm's MLRO; and
        (b) must provide timely, unrestricted access by the firm's senior management and MLRO, and by the Regulator and FIU, to documents and information of the third party, wherever they are held, that relate directly or indirectly to the firm's customers or accounts or to transactions in, from or to this jurisdiction involving the firm (or the third party on its behalf);
        except so far as the law of another jurisdiction prevents this subrule from applying.
        (5) Subrule (4) (a) does not prevent a suspicious transaction report also being made in another jurisdiction for a transaction in, from or to this jurisdiction.
        (6) If the law of another jurisdiction prevents a provision of this rule from applying to the third party or any of its officers, employees, agents or contractors:
        (a) the third party must immediately tell the firm about the matter; and
        (b) the firm must immediately tell the Regulator about the matter.
        (7) If the firm is an authorised firm, this rule is in addition to any other provision of the Regulator's Rules about outsourcing.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 2.2 AML/CFTR Part 2.2 Senior management

      Note for Part 2.2

      Principle 1 (see rule 1.2.1) requires the senior management of a firm to ensure that the firm's policies, procedures, systems and controls are implemented, and that they appropriately and adequately address the requirements of the AML/CFT Law and these rules.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.2.1 Overall senior management responsibility

        The senior management of a firm is responsible for the effectiveness of the firm's policies, procedures, systems and controls in preventing money laundering and terrorism financing.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 2.2.2 Particular responsibilities of senior management

        (1) The senior management of a firm must ensure:
        (a) that the firm develops, establishes and maintains effective AML/CFT policies, procedures, systems and controls in accordance with these rules;
        (b) that the firm has adequate screening procedures to ensure high standards when appointing or employing officers or employees;
        (c) that the firm identifies, designs, delivers and maintains an appropriate ongoing AML/CFT training programme for its officers and employees;

        Note See Part 6.2 (AML/CFT training programme) for details of the firm's training requirements.
        (d) that independent review and testing of the firm's compliance with its AML/CFT policies, procedures, systems and controls are conducted in accordance with rule 2.1.1 (4);
        (e) that regular and timely information is made available to senior management about the management of the firm's money laundering and terrorism financing risks;
        (f) that the firm's money laundering and terrorism financing risk management policies and methodology are appropriately documented, including the firm's application of them;
        (g) that there is at all times an MLRO for the firm who:
        (i) has sufficient seniority, knowledge, experience and authority;
        (ii) has an appropriate knowledge and understanding of the legal and regulatory responsibilities of the role, the AML/CFT Law and these rules;
        (iii) has sufficient resources, including appropriate staff and technology, to carry out the role in an effective, objective and independent way;
        (iv) has timely, unrestricted access to all information of the firm relevant to AML and CFT, including, for example:
        (A) all customer identification documents and all source documents, data and information;
        (B) all other documents, data and information obtained from, or used for, CDD and ongoing monitoring; and
        (C) all transaction records; and
        (v) has appropriate back-up arrangements to cover absences, including a Deputy MLRO to act as MLRO;
        (h) that a firm-wide AML/CFT compliance culture is promoted within the firm;

        Guidance

        The Regulatory Authority expects a firm's senior management to ensure that there is an AML/CFT culture within the firm where:
        •   senior management consistently enforces a top-down approach to its AML/CFT responsibilities;
        •   there is a demonstrable and sustained firm-wide commitment to the AML/CFT principles and compliance with the AML/CFT Law, these rules and the firm's AML/CFT policies, procedures, systems and controls;
        •   AML/CFT risk management and regulatory requirements are embedded at all levels of the firm and in all elements of its business or activities.
        (i) that appropriate measures are taken to ensure that money laundering and terrorism financing risks are taken into account in the day-to-day operation of the firm, including in relation to:
        (i) the development of new products;
        (ii) the taking on of new customers; and
        (iii) changes in the firm's business profile; and
        (j) that all reasonable steps have been taken so that a report required to be given to the Regulator for AML or CFT purposes is accurate, complete and given promptly.
        (2) This rule does not limit the particular responsibilities of the senior management of the firm.

        Note See, for example, Division 2.3.C (Reporting by MLRO to senior management).
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 2.3 AML/CFTR Part 2.3 MLRO and Deputy MLRO

      • AML/CFTR Division 2.3.A AML/CFTR Division 2.3.A Appointment of MLRO and Deputy MLRO

        • AML/CFTR 2.3.1 Appointment — MLRO and Deputy MLRO

          (1) A firm must ensure that there is at all times an MLRO and a Deputy MLRO for the firm.
          (2) Accordingly, the firm must, from time to time, appoint an individual as its MLRO and another individual as its Deputy MLRO.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.2 Eligibility to be MLRO or Deputy MLRO

          (1) The MLRO and Deputy MLRO for a firm:
          (a) must be employed at the management level by the firm, or by a legal person in the same group, whether as part of its governing body, management or staff; and
          (b) must have sufficient seniority, knowledge, experience and authority for the role, and in particular:
          (i) to act independently; and
          (ii) to report directly to the firm's senior management.
          (2) The MLRO for a QFC insurer (other than a QFC captive insurer) that is a company incorporated under the Companies Regulations 2005, or a QFC bank, must be ordinarily resident in Qatar.
          (3) In the case of any other firm:
          (a) if the firm proposes to appoint as MLRO an individual who is not ordinarily resident in Qatar, the firm must satisfy the Regulator that the MLRO function can be adequately exercised by an MLRO who is not resident in Qatar; and
          (b) if the Regulator considers that the MLRO function for the firm cannot be adequately exercised by an MLRO who is not resident in Qatar, the Regulator may direct the firm to appoint as MLRO an individual who is ordinarily resident in Qatar.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 2.3.B AML/CFTR Division 2.3.B Roles of MLRO and Deputy MLRO

        • AML/CFTR 2.3.3 General responsibilities of MLRO

          The MLRO for a firm is responsible for:

          (a) overseeing the implementation of the firm's AML/CFT policies, procedures, systems and controls in relation to this jurisdiction, including the operation of the firm's risk-based approach;
          (b) ensuring that appropriate policies, procedures, systems and controls are developed, established and maintained across the firm to monitor the firm's day-to-day operations:
          (i) for compliance with the AML/CFT Law, these rules, and the firm's AML/CFT policies, procedures, systems and controls; and
          (ii) to assess, and regularly review, the effectiveness of the policies, procedures, systems and controls in preventing money laundering and terrorism financing;
          (c) being the firm's key person in implementing the firm's AML/CFT strategies in relation to this jurisdiction;
          (d) supporting and coordinating senior management focus on managing the firm's money laundering and terrorism financing risks in individual business areas;
          (e) helping to ensure that the firm's wider responsibility for preventing money laundering and terrorism financing is addressed centrally; and
          (f) promoting a firm-wide view to be taken of the need for AML/CFT monitoring and accountability.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.4 Particular responsibilities of MLRO

          (1) The MLRO for a firm is responsible for:
          (a) receiving, investigating and assessing internal suspicious transaction reports for the firm;
          (b) making suspicious transaction reports to the FIU and telling the Regulator about them;
          (c) acting as central point of contact between the firm, and the FIU, the Regulator and other State authorities, in relation to AML and CFT issues;
          (d) responding promptly to any request for information by the FIU, the Regulator and other State authorities in relation to AML and CFT issues;
          (e) receiving and acting on government, regulatory and international findings about AML and CFT issues;
          (f) monitoring the appropriateness and effectiveness of the firm's AML/CFT training programme;
          (g) reporting to the firm's senior management on AML and CFT issues;
          (h) keeping the Deputy MLRO informed of significant AML/CFT developments (whether internal or external); and
          (i) exercising any other functions given to the MLRO, whether under the AML/CFT Law, these rules or otherwise.
          (2) If the Regulator issues guidance, the MLRO must bring it to the attention of the firm's senior management. The firm must make and keep a record of:
          (a) whether the senior management took the guidance into account;
          (b) any action that the senior management took as a result; and
          (c) the reasons for taking or not taking action.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.5 Role of Deputy MLRO

          (1) The Deputy MLRO for a firm acts as the firm's MLRO during absences of the MLRO and whenever there is a vacancy in the MLRO's position.
          (2) When the Deputy MLRO acts as MLRO, these rules apply in relation to the Deputy MLRO as if the Deputy MLRO were the MLRO.
          (3) However, to remove any doubt, rule 2.3.2 (2) (Eligibility to be MLRO or Deputy MLRO) does not apply in relation to the Deputy MLRO of a QFC insurer (other than a QFC captive insurer) that is a company incorporated under the Companies Regulations 2005 or a QFC bank when the Deputy MLRO acts as MLRO.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.6 How MLRO must carry out role

          The MLRO for a firm must act honestly, reasonably and independently, particularly in:

          (a) receiving, investigating and assessing internal suspicious transaction reports; and
          (b) deciding whether to make, and making, suspicious transaction reports to the FIU.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 2.3.C AML/CFTR Division 2.3.C Reporting by MLRO to senior management

        • AML/CFTR 2.3.7 MLRO reports

          (1) The senior management of a firm must, on a regular basis, decide what reports should be given to it by the MLRO, and when the reports should be given to it, to enable it to discharge its responsibilities under the AML/CFT Law and these rules.
          (2) However, the MLRO must give the senior management a report that complies with rule 2.3.8 (Minimum annual report by MLRO) for each calendar year. The report must be given in time to enable compliance with rule 2.3.9 (2).
          (3) To remove any doubt, subrule (2) does not limit the reports:
          (a) that the senior management may require to be given to it; or
          (b) that the MLRO may give to the senior management on the MLRO's own initiative to discharge the MLRO's responsibilities under the AML/CFT Law and these rules.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.8 Minimum annual report by MLRO

          (1) This rule sets out the minimum requirements that must be complied with in relation to the report that must be given to the senior management by the MLRO for each calendar year (see rule 2.3.7 (2)).
          (2) The report must assess the adequacy and effectiveness of the firm's AML/CFT policies, procedures, systems and controls in preventing money laundering and terrorism financing.
          (3) The report must include the following for the period to which it relates:
          (a) the numbers and types of internal suspicious transaction reports made to the MLRO;
          (b) the number of these reports that have, and the number of these reports that have not, been passed on to the FIU;
          (c) the reasons why reports have or have not been passed on to the FIU;
          (d) the numbers and types of breaches by the firm of the AML/CFT Law, these rules, or the firm's AML/CFT policies, procedures, systems and controls;
          (e) areas where the firm's AML/CFT policies, procedures, systems and controls should be improved, and proposals for making appropriate improvements;
          (f) a summary of the AML/CFT training delivered to the firm's officers and employees;
          (g) areas where the firm's AML/CFT training programme should be improved, and proposals for making appropriate improvements;
          (h) the number and types of customers of the firm that are categorised as high risk;
          (i) progress in implementing any AML/CFT action plans;

          Note These provisions require action plans:
          •   rule 2.3.9 (b) (Consideration of MLRO reports)
          •   rule 4.3.4 (3) and (4) (When CDD may not be required — acquired businesses)
          •   rule 6.2.2 (3) (b) (Training must be maintained and reviewed).
          (j) the outcome of any relevant quality assurance or audit reviews in relation to the firm's AML/CFT policies, procedures, systems and controls;
          (k) the outcome of any review of the firm's risk assessment policies, procedures, systems and controls.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.9 Consideration of MLRO reports

          (1) The senior management of a firm must promptly:
          (a) consider each report made to it by the MLRO; and
          (b) if the report identifies deficiencies in the firm's compliance with the AML/CFT Law or these rules — approve an action plan to remedy the deficiencies.
          (2) For the report that must be given for each calendar year under rule 2.3.7 (2), the senior management must confirm in writing that it has considered the report and, if an action plan is required, has approved such a plan. The firm's MLRO must give the Regulator a copy of the report and confirmation before 1 June of the next year.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 2.3.D AML/CFTR Division 2.3.D Additional obligations etc of firm with non-resident MLRO

        • AML/CFTR 2.3.10 Annual reports

          A firm whose MLRO is not ordinarily resident in Qatar must report to the Regulator, in a form approved for this rule under the General Rules 2005, before 1 June in each year.

          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.11 Visits by non-resident MLRO

          A firm whose MLRO is not ordinarily resident in Qatar must ensure that the MLRO inspects the firm's operations in Qatar frequently enough to allow him or her to assess the accuracy and reliability of the information supplied to the Regulator in the reports required by rule 2.3.10.

          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 2.3.12 Regulatory Authority may direct firm to appoint resident MLRO

          (1) This rule applies if, for any reason, the Regulator considers that the MLRO function for a firm is not being adequately exercised by an individual who is not ordinarily resident in Qatar.
          (2) The Regulator may direct the firm:
          (a) to require the individual to be ordinarily resident in Qatar; or
          (b) to appoint another individual who is ordinarily resident in Qatar.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)