• AML/CFTR Chapter 3 AML/CFTR Chapter 3 The risk-based approach

    • AML/CFTR Part 3.1 AML/CFTR Part 3.1 The risk-based approach generally

      Note for Part 3.1

      Principle 2 (see rule 1.2.2) requires a firm to adopt a risk-based approach to these rules and their requirements.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.1.1 Firms must conduct risk assessment and decide risk mitigation

        (1) A firm:
        (a) must conduct, at regular and appropriate intervals, an assessment (a business risk assessment) of the money laundering and terrorism financing risks that it faces, including risks identified in the National Risk Assessment and those that may arise from:
        (i) the types of customers that it has (and proposes to have) (customer risk);
        (ii) the products and services that it provides (and proposes to provide) (product risk);
        (iii) the technologies that it uses (and proposes to use) to provide those products and services (interface risk); and
        (iv) the jurisdictions with which its customers are (or may become) associated (jurisdiction risk); and

        Examples of 'associated' jurisdictions for a customer
        1 the jurisdiction where the customer lives or is incorporated or otherwise established
        2 each jurisdiction where the customer conducts business or has assets.
        (b) must decide what action is needed to mitigate those risks.
        (2) The firm must be able to demonstrate:
        (a) how it determined the risks that it faces;
        (b) how it took into consideration the National Risk Assessment and other sources in determining those risks;
        (c) when and how it conducted the business risk assessment; and
        (d) how the actions it has taken after the assessment have mitigated, or have failed to mitigate, the risks it faces.
        (3) If the firm fails to take into account the National Risk Assessment and other sources or fails to assess any of the risks it faces, it must give the reasons for its failure to do so, if required by the Regulator.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.1.2 Approach to risk mitigation must be based on suitable methodology

        (1) The intensity of a firm's approach to the mitigation of its money laundering and terrorism financing risks must be based on a suitable methodology (a threat assessment methodology) that addresses the risks that it faces.
        (2) A firm must be able to demonstrate that its threat assessment methodology:
        (a) includes:
        (i) identifying the purpose and intended nature of the business relationship with each customer; and
        (ii) assessing the risk profile of the business relationship by scoring the relationship;

        Note 1 Business relationship is defined in rule 4.2.4.

        Note 2 For scoring the business relationship in relation to customer risk, product risk, interface risk and jurisdiction risk, see rule 3.2.3, rule 3.3.3, rule 3.4.3 and rule 3.5.3, respectively.
        (b) is suitable for the size, complexity and nature of the firm's business;
        (c) is designed to enable the firm:
        (i) to identify and recognise any changes in its money laundering and terrorism financing risks; and
        (ii) to change its threat assessment methodology as needed; and
        (d) includes assessing risks posed by:
        (i) new products and services; and
        (ii) new or developing technologies.
        (3) A firm must also be able to demonstrate that its practice matches its threat assessment methodology.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.1.3 Risk profiling a business relationship

        (1) In developing the risk profile of a business relationship with a customer, a firm must consider at least the following 4 risk elements in relation to the relationship:
        (a) customer risk;
        (b) product risk;
        (c) interface risk;
        (d) jurisdiction risk.
        (2) The firm must identify any other risk elements that are relevant to the business relationship, especially because of the size, complexity and nature of its business and any business of its customer.
        (3) The firm must also consider the risk elements (if any) identified under subrule (2) in relation to the business relationship.
        (4) Together the 4 risk elements mentioned in subrule (1), and any other risk elements identified under subrule (2), combine to produce the risk profile of the business relationship.
        (5) This risk profile must be taken into account in deciding the intensity of the CDD and ongoing monitoring to be conducted for the customer.

        Note Each of the 4 risk elements mentioned in subrule (1) is dealt with in the following Parts of this Chapter.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 3.2 AML/CFTR Part 3.2 Customer risk

      Note for Part 3.2

      This Part relates to the risks posed by the types of customers of a firm.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.1 Risk assessment for customer risk

        (1) A firm must assess and document the risks of money laundering, terrorism financing and other illicit activities posed by different types of customers.

        Examples of types of customers
        1 salaried employees with no other significant sources of income or wealth
        2 publicly listed companies
        3 legal arrangements
        4 PEPs
        (2) The intensity of the CDD and ongoing monitoring conducted for a particular customer must be proportionate to the perceived or potential level of risk posed by the relationship with that customer.

        Example

        The duration of the relationship with the customer and the frequency of transactions may affect the intensity of CDD and ongoing monitoring.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.2 Policies etc for customer risk

        A firm must have policies, procedures, systems and controls to address the specific risks of money laundering, terrorism financing and other illicit activities posed by different types of customers.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.3 Scoring business relationships — types of customers

        A firm must include, in its methodology, a statement of the basis on which business relationships with customers will be scored, having regard to the different types of customers it has (and proposes to have).

        Example

        The risk to the firm from a salaried employee whose only transactions are derived from electronic payments made by the employee's employer are likely to be much lower than the risk to the firm from an individual whose transactions are cash-based with no discernible source for those funds.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.4 Persons associated with terrorist acts etc — enhanced CDD and ongoing monitoring

        (1) This rule applies to a customer of a firm if the firm knows or suspects that the customer is an individual, charity, non-profit organisation or other entity:
        (a) that is associated with, or involved in, terrorist acts, terrorism financing or a terrorist organisation; or
        (b) that is subject to sanctions or other international initiatives.
        (2) Irrespective of the risk score otherwise obtained for the customer, the firm must conduct enhanced CDD and enhanced ongoing monitoring for the customer.

        Note See rule 4.2.2 (What is ongoing monitoring?) and rule 4.3.13 (Ongoing monitoring required).
        (3) A decision to enter into a business relationship with the customer must only be taken with senior management approval after enhanced CDD has been conducted.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.5 Measures for PEPs

        A firm must, as a minimum, adopt the following measures to reduce the risks associated with establishing and maintaining business relationships with PEPs:
        (a) the firm must have clear policies, procedures, systems and controls for business relationships with PEPs;
        (b) the firm must establish and maintain an appropriate risk management system to decide whether a potential or existing customer, or the beneficial owner of a potential or existing customer, is a PEP;

        Examples of measures forming part of a risk management system
        1 seeking relevant information from customers
        2 referring to publicly available information
        3 having access to, and referring to, commercial electronic databases of PEPs
        (c) decisions to enter into business relationships with PEPs must only be taken with senior management approval after enhanced CDD has been conducted;
        (d) if an existing customer, or the beneficial owner of an existing customer, is subsequently found to be, or to have become, a PEP—the relationship may be continued only with senior management approval;
        (e) the firm must take reasonable measures to establish the sources of wealth and funds of customers and beneficial owners identified as PEPs;
        (f) PEPs must be subject to enhanced ongoing monitoring.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)
        Amended by QFCRA RM/2020-1 (as from 15th August 2020)

      • AML/CFTR 3.2.6 Legal persons, legal arrangements and facilities—risk assessment process

        (1) A firm's risk assessment process must include a recognition of the risks posed by legal persons, legal arrangements and facilities.

        Examples of legal persons
        1 companies
        2 partnerships
        Example of legal arrangement

        express trust

        Examples of facilities
        1 nominee shareholdings
        2 powers of attorney
        (2) In assessing the risks posed by a legal person or legal arrangement, a firm must ensure that the risk profile of the person or arrangement takes into account the risks posed by any beneficial owners, officers, shareholders, trustees, settlors, beneficiaries, managers and other relevant entities.
        (3) In assessing the risks posed by a facility, a firm must ensure that the facility's risk profile takes into account the risks posed by any reduction in transparency, or any increased ability to conceal or obscure.
        (4) Subrules (2) and (3) do not limit the matters to be reflected in the risk profile of a legal person, legal arrangement or facility.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.2.7 Measures for persons in terrorist list

        (3) A firm must, from the outset of its dealings with an applicant for business and on an ongoing basis during the business relationship, check whether the person is listed:
        (a) under a relevant resolution of the UN Security Council; or
        (b) in a Terrorist Designation Order published by the National Counter Terrorism Committee of the State.
        (4) If the person is listed, the firm:
        (a) must not establish, or continue, a relationship with, or carry out a transaction with or for the person;
        (b) must make a suspicious transaction report to the FIU; and
        (c) must immediately tell the Regulator.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 3.3 AML/CFTR Part 3.3 Product risk

      Notes for Part 3.3

      1 This Part relates to the risks posed by the types of products offered by a firm.
      2 Product includes the provision of a service (see Glossary).
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.1 Risk assessment for product risk

        (1) A firm must assess and document the risks of money laundering, terrorism financing and other illicit activities posed by the types of products it offers (and proposes to offer).

        Examples of types of products
        1 savings accounts
        2 e-money products
        3 payable-through accounts
        4 wire transfers
        5 life insurance contracts
        (2) The intensity of the CDD and ongoing monitoring conducted in relation to a particular type of product must be proportionate to the perceived or potential level of risk posed by the type of product.

        Example

        The level of deposits and the volume of transactions and operations that a customer has may affect the intensity of CDD and ongoing monitoring.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.2 Policies etc for product risk

        A firm must have policies, procedures, systems and controls to address the specific risks of money laundering, terrorism financing and other illicit activities posed by the types of products it offers (and proposes to offer).

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.3 Scoring business relationships — types of products

        A firm must include, in its methodology, a statement of the basis on which business relationships with customers will be scored, having regard to the types of products it offers (and proposes to offer) to them.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.4 Products with fictitious or false names or no names

        (1) A financial institution must not permit any of its products to be used if the product:
        (a) uses a fictitious or false name for a customer; or
        (b) does not identify the customer's name.
        (2) Subrule (1) does not prevent the financial institution from providing a level of privacy to the customer within the financial institution itself by not including the customer's name or details on the account name or customer file if:
        (a) records of the customer's details are kept in a more secure environment in the firm itself; and
        (b) the records are available to the financial institution's senior management and MLRO, and to the Regulator and FIU.
        (3) Without limiting subrule (1), if the financial institution has numbered accounts, the financial institution must maintain them in a way that enables it to fully comply with the AML/CFT Law and these rules.

        Example for subrule (3)

        The financial institution could properly identify the customer for an account in accordance with the AML/CFT Law and these rules and make the customer identification records available to the MLRO, other appropriate officers and employees, the Regulator and the FIU.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.5 Correspondent banking relationships generally

        (1) Before a bank (the correspondent) establishes a correspondent banking relationship with a bank (the respondent) in a foreign jurisdiction, the correspondent must do all of the following:
        (a) gather sufficient information about the respondent to understand fully the nature of its business;
        (b) decide from publicly available information the respondent's reputation and the quality of its regulation and supervision;
        (c) assess the respondent's AML/CFT policies, procedures, systems and controls, and decide that they are adequate and effective;
        (d) obtain senior management approval to establish the relationship;
        (e) document the respective responsibilities of the respondent and correspondent, including in relation to AML and CFT matters;
        (f) be satisfied that, in relation to the respondent's customers that will have direct access to accounts of the correspondent, the respondent:
        (i) will have conducted CDD for the customers and verified the customers' identities;
        (ii) will conduct ongoing monitoring for the customers; and
        (iii) will be able to provide to the correspondent, on request, the documents, data or information obtained in conducting CDD and ongoing monitoring for the customers.
        (2) Without limiting subrule (1) (b), in making a decision for that provision, the correspondent must consider all of the following:
        (a) whether the respondent has been the subject of any investigation, or civil or criminal proceeding, relating to money laundering or terrorism financing;
        (b) the respondent's financial position;
        (c) whether it is regulated and supervised (at least for AML and CFT purposes) by a regulatory or governmental authority, body or agency equivalent to the Regulator in each foreign jurisdiction in which it operates;
        (d) whether each foreign jurisdiction in which it operates has an effective AML/CFT regime;
        (e) if the respondent is a subsidiary of another legal person — the following additional matters:
        (i) the other person's domicile and location (if different);
        (ii) its reputation;
        (iii) whether it is regulated and supervised (at least for AML and CFT purposes) by a regulatory or governmental authority, body or agency equivalent to the Regulator in each jurisdiction in which it operates;
        (iv) whether each foreign jurisdiction in which it operates has an effective AML/CFT regime;
        (v) its ownership, control and management structure (including whether it is owned, controlled or managed by a PEP).
        (3) If the correspondent establishes a correspondent banking relationship with the respondent, the correspondent must:
        (a) if the respondent is in a high risk jurisdiction — conduct enhanced ongoing monitoring of the volume and nature of the transactions conducted under the relationship; and
        (b) in any case — at least annually review the relationship and the transactions conducted under it.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.6 Shell banks

        (1) A shell bank must not be established in, or operate in or from, this jurisdiction.

        Note Shell bank is defined in rule 1.3.8.
        (2) A financial institution must not enter into, or continue, a correspondent banking relationship or correspondent securities relationship with a shell bank.
        (3) A financial institution must not enter into, or continue:
        (a) a correspondent banking relationship with a bank in any jurisdiction if the bank is known to permit its accounts to be used by a shell bank; or
        (b) a correspondent securities relationship with a firm in any jurisdiction if the firm is known to permit its accounts to be used by a shell bank.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.7 Payable-through accounts

        (1) The rule applies if:
        (a) a bank (the correspondent) has a correspondent banking relationship with a bank (the respondent) in a foreign jurisdiction; and
        (b) under the relationship, a customer of the respondent who is not a customer of the correspondent may have direct access to an account of the correspondent.
        (2) The correspondent must not allow the customer to have access to the account unless the correspondent is satisfied that the respondent:
        (a) has conducted CDD for the customer and verified the customer's identity;
        (b) conducts ongoing monitoring for the customer; and
        (c) can provide to the correspondent, on request, the documents, data and information obtained in conducting CDD and ongoing monitoring for the customer.
        (3) If:
        (a) the correspondent asks the respondent for documents, data or information mentioned in subrule (2) (c); and
        (b) the respondent fails to satisfactorily comply with the request;
        the correspondent must immediately terminate the customer's access to accounts of the correspondent and consider making a suspicious transaction report to the FIU.
        (4) Payable-through accounts are correspondent accounts that are used directly by third parties to transact business on their own behalf.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.8 Powers of attorney

        (1) This rule applies to a power of attorney if it authorises the holder to exercise control over assets of the grantor.
        (2) Before becoming involved in or associated with a transaction involving the power of attorney, a firm must conduct CDD for both the holder and the grantor.
        (3) For subrule (2), the holder and the grantor are both taken to be customers of the firm.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.9 Bearer negotiable instruments

        (1) In this rule:
        bearer negotiable instrument means:
        (a) a monetary instrument in bearer form such as a traveller's cheque;
        (b) a negotiable instrument, including cheque, promissory note, and money order that is either in bearer form, endorsed without restriction, made out to a fictitious payee, or otherwise in such form that title thereto passes upon delivery;
        (c) an incomplete instrument including a cheque, promissory note and money order signed, but with the payee's name omitted;
        (d) a bearer share; or
        (e) a share warrant to bearer.
        (2) A firm must have adequate AML/CFT customer due diligence policies, procedures, systems and controls for risks related to the use of bearer negotiable instruments.
        (3) Before becoming involved in or associated with a transaction involving the conversion of a bearer negotiable instrument, or the surrender of coupons for a bearer negotiable instrument for payment of dividend, bonus or a capital event, a firm must conduct enhanced CDD for the holder of the instrument and any beneficial owner.
        (4) For subrule (3), the holder and any beneficial owner are taken to be customers of the firm.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.10 Wire transfers

        (1) This rule applies to a transaction conducted by a financial institution (the ordering financial institution) by electronic means on behalf of a person (the originator) with a view to making an amount of money available to a person (the recipient) at another financial institution (the beneficiary financial institution).
        (2) This rule applies to the transaction whether or not:
        (a) the originator and recipient are the same person;
        (b) the transaction is conducted through intermediary financial institutions; or
        (c) the ordering financial institution, the beneficiary financial institution or any intermediary financial institution is outside Qatar.
        (3) However, this rule does not apply to a transaction conducted using a credit or debit card if:
        (a) the card number accompanies all transfers flowing from the transaction; and

        Examples of transfers that may flow from the transaction
        1 withdrawals from a bank account through an ATM
        2 cash advances from a credit card
        3 payments for goods and services
        (b) the card is not used as a payment system to effect a money transfer.
        (4) Also, this rule does not apply:
        (a) to transfers from 1 financial institution to another; or
        (b) if the originator and recipient are both financial institutions acting on their own behalf.
        (5) If the ordering financial institution is in Qatar, it:
        (a) must obtain and keep full originator information; and
        (b) must conduct CDD for the originator;
        unless the beneficiary financial institution and all intermediary financial institutions (if any) are in Qatar and the transaction involves the transfer of less than QR 3,500.

        Note Full originator information is defined in the Glossary.
        (6) To remove any doubt, the ordering financial institution needs only to comply with subrule (5) once for the originator.
        (7) If the ordering financial institution is in Qatar and the beneficiary financial institution or any intermediary financial institution is outside Qatar, the ordering financial institution must include full originator information and full recipient information in a message or payment form accompanying the transfer.

        Note Full recipient information is defined in the Glossary.
        (8) However, if several separate transfers from the same originator are bundled in a batch file for transmission to several recipients in a foreign jurisdiction, the ordering financial institution needs only to include the originator's account number or unique reference number in relation to each individual transfer if the batch file (in which the individual transfers are batched) contains full originator information, and full recipient information for each recipient, that is fully traceable in the foreign jurisdiction.
        (9) If the ordering financial institution, the beneficiary financial institution and all intermediary financial institutions (if any) are in Qatar, the ordering financial institution must include full originator information and full recipient information in a message or payment form accompanying the transfer unless:
        (a) the transaction involves the transfer of less than QR 3,500; or
        (b) both of the following conditions are satisfied:
        (i) full originator information and full recipient information can be made available to the beneficiary financial institution, the Regulator, the FIU and law enforcement authorities within 3 business days after the day the information is requested;
        (ii) law enforcement authorities can compel immediate production of the information.
        (10) Each intermediary financial institution (if any) must ensure that all information relating to the originator and recipient that the financial institution receives in a message or payment form accompanying the transfer is transmitted to the next financial institution.
        (11) If the beneficiary financial institution is in Qatar and is aware that full originator information or full recipient information has not been provided in a message or payment form accompanying the transfer (and is not fully traceable using a batch file as mentioned in subrule (8)), it must:
        (a) either:
        (i) reject the transfer; or
        (ii) obtain the missing or incomplete information from the ordering financial institution; and
        (b) using a risk-sensitive approach, decide whether a suspicious transaction report should be made to the FIU.
        (12) If the ordering financial institution has regularly failed to provide the required information about the originators or recipients of transactions and the beneficiary financial institution is in Qatar, the beneficiary financial institution:
        (a) must take appropriate steps to ensure that the ordering financial institution does not contravene this rule; and
        (b) must report the matter to the FIU.
        Examples of steps
        1 issuing warnings and setting deadlines for the provision of information
        2 rejecting future transfers from the ordering financial institution
        3 restricting or terminating any business relationship with the ordering financial institution
        (13) Despite anything in these rules, no money or value may be transferred by electronic means to a person listed:
        (a) under a relevant resolution of the UN Security Council; or
        (b) in a Terrorist Designation Order published by the National Counter Terrorism Committee of the State.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.11 Additional obligations of firms involved in wire transfers

        (1) A firm that acts as an intermediary financial institution in a cross-border wire transfer and a firm (the beneficiary financial institution) that makes money available to the recipient after the cross-border wire transfer must take reasonable measures, on a risk-sensitive basis, to identify transfers to this jurisdiction that lack full originator information or full recipient information. The measures may include following-up (whether during, or after, the transfer) on information that is lacking about the originator or recipient.
        (2) A firm that acts as intermediary financial institution or beneficiary financial institution must develop, establish and maintain policies, procedures, systems and controls to determine:
        (a) when to execute, reject or suspend a wire transfer that lacks the full originator information or full recipient information; and
        (b) when to take appropriate follow-up action.
        (3) A firm that acts as intermediary financial institution in a cross-border wire transfer must ensure that all originator and recipient information accompanying the transfer is retained with it.
        (4) A firm that acts as ordering financial institution, intermediary financial institution or beneficiary financial institution must keep full originator information and full recipient information for at least 10 years after:
        (a) if the firm acted as ordering financial institution—the day the originator asked the firm to make the wire transfer;
        (b) if the firm acted as intermediary financial institution—the day the firm transmitted the information to another intermediary or to the beneficiary financial institution; or
        (c) if the firm acted as beneficiary financial institution—the day the money received via wire transfer is made available to the recipient.
        (5) If a wire transfer between 2 financial institutions in Qatar (domestic wire transfer) is necessary to effect a cross-border wire transfer and, because of technical limitations, the full originator information and full recipient information cannot remain with the domestic wire transfer, the intermediary financial institution to which the domestic wire transfer is made must, if the intermediary financial institution is a firm, make and keep a record of the information received by it from the ordering financial institution or other intermediary financial institution in relation to the transaction. The record must be kept for 10 years after the day it is made.
        (6) If a cross-border wire transfer is effected by the same firm as both ordering and beneficiary financial institutions, or if a firm controls both the originator and recipient of the wire transfer, the firm must take into account the information obtained from both sides of the transfer in considering whether to make a suspicious transaction report. If the firm suspects that the transfer may involve money laundering or terrorism financing, it must:
        (a) make a report in each jurisdiction affected by the transfer; and
        (b) make available, to the FIU (or its equivalent) in the jurisdiction, information relevant to the transfer.
        (7) For wire transfers of more than QR 3,500, the beneficiary financial institution must verify the identity of the recipient before making money available, except if the recipient's identity has previously been verified.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.3.12 Correspondent securities relationships generally

        (1) Before a firm (the correspondent) establishes a correspondent securities relationship with another firm (the respondent) in a foreign jurisdiction, the correspondent must do all of the following:
        (a) gather sufficient information about the respondent to understand fully the nature of its business;
        (b) decide from publicly available information the respondent's reputation and the quality of its regulation and supervision;
        (c) assess the respondent's AML/CFT policies, procedures, systems and controls, and decide that they are adequate and effective;
        (d) obtain senior management approval to establish the relationship;
        (e) document its responsibilities and those of the respondent, including in relation to AML and CFT matters;
        (f) be satisfied that, in relation to the respondent's customers that will have direct access to accounts of the correspondent, the respondent:
        (i) will have conducted CDD for the customers and verified the customers' identities; and
        (ii) will conduct ongoing monitoring for the customers; and
        (iii) will be able to provide to the correspondent, on request, the documents, data or information obtained in conducting CDD and ongoing monitoring for the customers.
        (2) Without limiting subrule (1) (b), in making a decision for that provision, the correspondent must consider all of the following:
        (a) whether the respondent has been the subject of any investigation, or civil or criminal proceeding, relating to money laundering or terrorism financing;
        (b) the respondent's financial position;
        (c) whether it is regulated and supervised (at least for AML and CFT purposes) by a regulatory or governmental authority, body or agency equivalent to the Regulator in each foreign jurisdiction in which it operates;
        (d) whether each foreign jurisdiction in which it operates has an effective AML/CFT regime;
        (e) if the respondent is a subsidiary of another legal person—the following additional matters:
        (i) the other person's domicile and location (if different);
        (ii) its reputation;
        (iii) whether it is regulated and supervised (at least for AML and CFT purposes) by a regulatory or governmental authority, body or agency equivalent to the Regulator in each jurisdiction in which it operates;
        (iv) whether each foreign jurisdiction in which it operates has an effective AML/CFT regime;
        (v) its ownership, control and management structure (including whether it is owned, controlled or managed by a PEP).
        (3) If the correspondent establishes a correspondent securities relationship with the respondent, the correspondent must:
        (a) if the respondent is in a high risk jurisdiction—conduct enhanced ongoing monitoring of the volume and nature of the transactions conducted under the relationship; and
        (b) in any case—at least annually review the relationship and the transactions conducted under it.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 3.4 AML/CFTR Part 3.4 Interface risk

      Note for Part 3.4

      This Part relates to the risks posed by the mechanisms through which business relationships with a firm are started or conducted.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 3.4.A AML/CFTR Division 3.4.A Interface risks—general

        • AML/CFTR 3.4.1 Risk assessment for interface risk

          (1) A firm must assess and document the risks of money laundering, terrorism financing and other illicit activities posed by the mechanisms through which its business relationships are started and conducted.
          (2) The intensity of the CDD and ongoing monitoring conducted in relation to a particular mechanism must be proportionate to the perceived or potential level of risk posed by the mechanism.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.2 Policies etc for interface risk

          (1) A firm must have policies, procedures, systems and controls to address the specific risks of money laundering, terrorism financing and other illicit activities posed by the types of mechanisms through which its business relationships are started and conducted.
          (2) Without limiting subrule (1), the policies, procedures, systems and controls must include measures:
          (a) to prevent the misuse of technological developments in money laundering and terrorism financing schemes; and
          (b) to manage any specific risks associated with non-face-to-face business relationships or transactions.
          Examples of non-face-to-face business relationships or transactions
          1 business relationships concluded over the Internet or through the post
          2 services and transactions provided or conducted over the Internet, using ATMs or by telephone or fax
          3 electronic point of sale transactions using prepaid, reloadable or account-linked value cards
          Examples of policies, procedures, systems and controls for par (b)
          1 requiring third party certification of identification documents presented by or for non-face-to-face customers
          2 requiring additional identification documents for non-face-to-face customers
          3 developing independent contact with non-face-to-face customers
          4 requiring first payments by or for non-face-to-face customers to be made through accounts in the customers' names with financial institutions subject to similar customer due diligence standards
          (3) The policies, procedures, systems and controls must apply in relation to establishing business relationships and conducting ongoing monitoring.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.3 Scoring business relationships—interface risk

          A firm must include, in its methodology, a statement of the basis on which business relationships with customers will be scored, having regard to the mechanisms through which its business relationships are started or conducted.

          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.4 Electronic verification of identification documentation

          (1) A firm may rely on electronic verification of identification documentation if it complies with the risk-based approach and other requirements of these rules.
          (2) However, the firm must make and keep a record that clearly demonstrates the basis on which it relied on the electronic verification of identification documentation.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.5 Payment processing using on-line services

          A financial institution may permit payment processing to take place using on-line services if it ensures that the processing is subject to:

          (a) the same monitoring as its other services; and
          (b) the same risk-based methodology.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.6 Concession for certain non-face-to-face transactions

          (1) This rule applies if:
          (a) a customer of a firm would normally be required to produce evidence of identity before transacting business with the firm involving the making of a payment;
          (b) it is reasonable in all the circumstances for payment to be made by post or electronically, or for details of the payment to be given by telephone; and
          (c) payment is to be made from an account held in the customer's name at a financial institution.
          (2) However, this rule does not apply if:
          (a) initial or future payments can be received from third parties;
          (b) cash withdrawals can be made, unless the withdrawals can only be made by the customer on a face-to-face basis where identity can be confirmed; or

          Example of exception

          a passbook account where evidence of identity is required to make withdrawals
          (c) redemption or withdrawal proceeds can be paid to a third party or to an account that cannot be confirmed as belonging to the customer, unless the proceeds can only be paid to an executor or personal representative on the death of the customer.
          (3) If this rule applies, the firm may waive identification requirements for the customer.
          (4) However, a repayment may be made to another firm only if the other firm has confirmed that the amount of the repayment is either to be paid to the customer or reinvested elsewhere in the name of the customer.
          (5) This rule applies to a joint account as if a reference to the customer included a reference to any of the customers.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 3.4.B AML/CFTR Division 3.4.B Reliance on others generally

        • AML/CFTR 3.4.7 Activities to which Division 3.4.B does not apply

          This Division does not apply to a firm in relation to CDD conducted for the firm:

          (a) by a third-party service provider under an outsourcing;
          (b) by an agent under a contractual arrangement between the firm and the agent;
          (c) if the firm is a bank — under a correspondent banking relationship to which the firm is a party; or
          (d) under a correspondent securities relationship to which the firm is a party.

          Note See:

          •   rule 2.1.5 (Compliance by officers, employees, agents etc)
          •   rule 2.1.7 (Application of AML/CFT Law requirements, policies etc to outsourced functions and activities)
          •   rule 3.3.5 (Correspondent banking relationships generally)
          •   rule 3.3.12 (Correspondent securities relationships generally).
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.8 Reliance on certain third parties generally

          (1) A firm may rely on introducers, intermediaries or other third parties to conduct some elements of CDD for a customer, or to introduce business to the firm, if it does so under, and in accordance with, this Division.
          (2) However, the firm (and, in particular, its senior management) remains responsible for the proper conduct of CDD and ongoing monitoring for its customers.
          (3) In determining whether to rely on a third party for purposes of this rule, the firm must have regard to any relevant findings published by international organisations, governments and other bodies about the jurisdiction where the third party is located.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.9 Introducers

          (1) This rule applies in relation to a customer introduced to a firm by a third party (the introducer) if:
          (a) the introducer's function in relation to the customer is merely to introduce the customer to the firm; and
          (b) the firm is satisfied that the introducer:
          (i) is regulated and supervised (at least for AML and CFT purposes) by the Regulator or by an equivalent regulatory or governmental authority, body or agency in another jurisdiction;
          (ii) is subject to the AML/CFT Law and these rules or to equivalent legislation of another jurisdiction;
          (iii) is based, or incorporated or otherwise established, in Qatar or a foreign jurisdiction that has an effective AML/CFT regime; and
          (iv) is not subject to a secrecy law or anything else that would prevent the firm from obtaining any information or original documentation about the customer that the firm may need for AML and CFT purposes.
          (2) The firm may rely on the CDD conducted by the introducer for the customer and need not:
          (a) conduct CDD itself for the customer; or
          (b) obtain any of the original documents obtained by the introducer in conducting CDD for the customer.
          (3) However, the firm must not start a business relationship with the customer relying on subrule (2) unless:
          (a) it has received from the introducer an introducer's certificate for the customer;
          (b) it has received from the introducer all information about the customer obtained from the CDD conducted by the introducer for the customer that it would need if it had conducted the CDD itself; and
          (c) it has, or can immediately obtain from the introducer on request, a copy of every document relating to the customer that it would need if it were conducting CDD itself for the customer.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.10 Group introductions

          (1) This rule applies in relation to a customer introduced to a financial institution in Qatar (the local firm) by another financial institution (B) in the same group, whether in or outside Qatar, if:
          (a) B or another financial institution in the group (the relevant financial institution) has conducted CDD for the customer; and
          (b) subject to subrule (2), the local firm is satisfied that all of the following conditions have been met:
          (i) the relevant financial institution is regulated and supervised (at least for AML and CFT purposes) by the Regulator or by an equivalent regulatory or governmental authority, body or agency in another jurisdiction;
          (ii) it is subject to the AML/CFT Law and these rules or to equivalent legislation of another jurisdiction;
          (iii) it is based, or incorporated or otherwise established, in Qatar or a foreign jurisdiction that has an effective AML/CFT regime;
          (iv) the local firm has all information about the customer obtained from the CDD conducted by the relevant financial institution for the customer that the firm would need if it had conducted the CDD itself;
          (v) the local firm has, or can immediately obtain from the relevant financial institution on request, a copy of every document relating to the customer that it would need if it were conducting CDD itself for the customer.
          (2) The local firm need not satisfy itself that all of the conditions in subrule (1) (b) have been met if the Regulator (or the equivalent regulatory or governmental authority, body or agency in another jurisdiction where the relevant financial institution is established) has determined that:
          (a) the group's AML/CFT programme, CDD and record-keeping requirements comply with AML/CFT Law and these rules;
          (b) the group's implementation of the programme and compliance with the requirements are subject to effective consolidated supervision by the Regulator or its equivalent; and
          (c) the group's AML/CFT policies, procedures, systems and controls adequately mitigate risks related to operations in high risk jurisdictions.
          (3) The local firm may rely on the CDD conducted by the relevant financial institution and need not:
          (a) conduct CDD itself for the customer; or
          (b) obtain any of the original documents obtained by the relevant financial institution in conducting CDD for the customer.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

        • AML/CFTR 3.4.11 Intermediaries

          (1) This rule applies to a firm in relation to a customer of an intermediary, wherever located, if the customer is introduced to the firm by the intermediary.

          Example of intermediary

          a fund manager who has an active, ongoing business relationship with a customer in relation to the customer's financial affairs and holds funds on the customer's behalf
          (2) The firm may treat the intermediary as its customer, and need not conduct CDD itself for the intermediary's customer, if the firm is satisfied that all of the following conditions have been met:
          (a) the intermediary is a firm;
          (b) it is regulated and supervised (at least for AML and CFT purposes) by the Regulator or by an equivalent regulatory or governmental authority, body or agency in another jurisdiction;
          (c) it is subject to the AML/CFT Law and these rules or to equivalent legislation of another jurisdiction;
          (d) it is based, or incorporated or otherwise established, in Qatar or a foreign jurisdiction that has an effective AML/CFT regime;
          (e) the firm has all information about the customer obtained from the CDD conducted by the intermediary for the customer that the firm would need if it had conducted the CDD itself;
          (f) the firm has, or can immediately obtain from the intermediary on request, a copy of every document relating to the customer that it would need if it were conducting CDD itself for the customer.
          (3) If the firm is not satisfied that all of the conditions in subrule (2) have been met, the firm must conduct CDD itself for the customer.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR Division 3.4.C AML/CFTR Division 3.4.C Third party certification—identification documents

        • AML/CFTR 3.4.12 Third party certification of identification documents

          (1) A firm must not rely, for CDD, on the certification of an identification document by a third party rather than sighting the document itself unless it is reasonable for it to rely on that certification.
          (2) Without limiting subrule (1), the firm must not rely on the certification of an identification document by a third party unless the third party is an individual approved under subrule (3).
          (3) The senior management of the firm may approve an individual under this subrule if the firm's MLRO has certified that the MLRO is satisfied, on the basis of satisfactory documentary evidence, that the individual:
          (a) adheres to appropriate ethical or professional standards;
          (b) is readily contactable; and
          (c) conducts his or her occupation or profession in Qatar or a foreign jurisdiction with an effective AML/CFT regime.
          Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR Part 3.5 AML/CFTR Part 3.5 Jurisdiction risk

      Note for Part 3.5

      This Part relates to the risks posed by the types of jurisdiction with which customers are (or may become) associated.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.1 Risk assessment for jurisdiction risk

        (1) A firm must assess and document the risks of involvement in money laundering, terrorism financing and other illicit activities posed by the different types of jurisdictions with which its customers are (or may become) associated.

        Examples of 'associated' jurisdictions for a customer
        1 the jurisdiction where the customer lives or is incorporated or otherwise established
        2 each jurisdiction where the customer conducts business or has assets
        (2) The intensity of the CDD and ongoing monitoring conducted for customers associated with a particular jurisdiction must be proportionate to the perceived or potential level of risk posed by the jurisdiction.

        Examples of jurisdictions requiring enhanced CDD
        1 jurisdictions with ineffective AML/CFT regimes
        2 jurisdictions with impaired international cooperation
        3 jurisdictions subject to international sanctions
        4 jurisdictions with high propensity for corruption
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.2 Policies etc for jurisdiction risk

        A firm must have policies, procedures, systems and controls to address the specific risks of money laundering, terrorism financing and other illicit activities posed by the types of jurisdictions with which its customers are (or may become) associated.

        Examples of 'associated' jurisdiction for a customer

        See examples to rule 3.5.1 (1).

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.3 Scoring business relationships—types of associated jurisdictions

        A firm must include, in its methodology, a statement of the basis on which business relationships with customers will be scored, having regard to the types of jurisdictions with which customers are (or may become) associated.

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.4 Decisions about effectiveness of AML/CFT regimes in other jurisdictions

        (1) This rule applies to a firm in making a decision about whether a jurisdiction has an effective AML/CFT regime.
        (2) The firm must consider the following 3 factors in relation to the jurisdiction:
        (a) legal framework;
        (b) enforcement and supervision;
        (c) international cooperation.
        (3) In considering these 3 factors, the firm must have regard to the relevant findings about jurisdictions published by international organisations, governments and other bodies.

        Example of international organisation

        FATF
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.5 Jurisdictions with impaired international cooperation

        A firm must guard against customers or introductions from jurisdictions where the ability to cooperate internationally is impaired and must, therefore, subject business relationships from these jurisdictions to enhanced CDD and enhanced ongoing monitoring.

        Examples of impairment

        failings in the jurisdiction's judicial or administrative arrangements

        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.6 Non-cooperative, high risk and sanctioned jurisdictions

        A firm must conduct enhanced CDD and enhanced ongoing monitoring in relation to transactions conducted under a business relationship if a source of wealth or funds of the relationship derives from a jurisdiction:

        (a) that is identified by FATF as a non-cooperative or high risk country or territory (however described); or
        (b) that is subject to international sanctions.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)

      • AML/CFTR 3.5.7 Jurisdictions with high propensity for corruption

        (1) A firm:
        (a) must assess and document the jurisdictions that are more vulnerable to corruption; and
        (b) must conduct enhanced CDD and enhanced ongoing monitoring for customers from high risk jurisdictions whose line of business is more vulnerable to corruption.

        Example of line of business more vulnerable to corruption

        arms sales
        (2) If a firm's policy permits the acceptance of PEPs as customers, the firm must take additional measures to mitigate the additional risk posed by PEPs from jurisdictions with a high propensity for corruption.
        Derived by QFCRA RM/2019-8 (as from 1st February 2020)