• AML/CFTR Part 4.3 AML/CFTR Part 4.3 Customer due diligence and ongoing monitoring

    • AML/CFTR 4.3.1 Firm to assess applicants for business

      A firm must decide, from the outset of its dealings with an applicant for business, whether the person is seeking to establish a business relationship with the firm or is an occasional customer seeking to carry out a one-off transaction.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.2 When CDD required — basic requirement

      (1) A firm must conduct CDD for a customer when:
      (a) it establishes a business relationship with the customer;
      (b) it conducts a one-off transaction for the customer with a value (or, for transactions that are or appear (whether at the time or later) to be linked, with a total value) of at least QR 50,000;

      Note A firm must have systems and controls to identify one-off transactions that are linked to the same person (see rule 4.3.15 (1)).
      (c) it suspects the customer of money laundering or terrorism financing; or
      (d) it has doubts about the veracity or adequacy of documents, data or information previously obtained in relation to the customer for the purposes of identification or verification.
      Note CDD must also be conducted under rule 3.3.8 (Powers of attorney) and rule 3.3.10 (Wire transfers).
      (2) This rule is subject to:
      •   rule 3.4.9 (Introducers)
      •   rule 3.4.10 (Group introductions)
      •   rule 3.4.11 (Intermediaries)
      •   rule 4.3.4 (When CDD may not be required — acquired businesses)
      •   rule 5.2.2 (2) (Firm must ensure no tipping-off occurs).
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.3 Firm unable to complete CDD for customer

      (1) This rule applies if a firm cannot complete CDD for a customer.

      Examples
      1 the firm is unable to verify the customer's identity using reliable, independent source, data or information
      2 the customer exercises cancellation or cooling-off rights
      (2) The firm:
      (a) must immediately terminate any relationship with the customer;
      (b) must not establish a relationship with, or carry out a transaction with or for, the customer; and
      (c) must consider whether it should make a suspicious transaction report to the FIU.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.4 When CDD may not be required — acquired businesses

      (1) This rule applies if a firm acquires the business of another firm, either in whole or as a product portfolio (for example, the mortgage book).
      (2) The firm is not required to conduct CDD for all customers acquired with the business if:
      (a) all customer account records are acquired with the business; and
      (b) due diligence inquiries before the acquisition did not give rise to doubt that the AML/CFT procedures followed for the business were being conducted in accordance with the AML/CFT Law and these rules or the law of another jurisdiction that has an effective AML/CFT regime.
      (3) However, if the AML/CFT procedures followed by the acquired business were not conducted (or it is not possible to establish whether they were conducted) in accordance with the AML/CFT Law and these rules or the law of another jurisdiction that has an effective AML/CFT regime, the firm's senior management must prepare or approve, and document, an action plan that ensures that the firm conducts CDD for all of the customers acquired with the business as soon as possible.
      (4) Also, if subrule (3) does not apply, but full customer records are not available to the firm for all of the customers acquired with the business, the firm's senior management must prepare or approve, and document, an action plan that ensures that the firm conducts CDD for all of the customers for whom full customer records are not available to the firm as soon as possible.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.5 Timing of CDD — establishment of business relationship

      (1) A firm must conduct CDD for a customer before it establishes a business relationship with the customer.
      (2) However, the CDD may be conducted during the establishment of the relationship if:
      (a) this is necessary in order not to interrupt the normal conduct of business; and

      Examples of where it may be necessary in order not to interrupt the normal conduct of business
      1 non-face-to-face business
      2 securities transactions
      (b) there is little risk of money laundering or terrorism financing and these risks are effectively managed;

      Examples of measures to effectively manage risks
      1 limiting the number, types and amount of transactions that may be conducted during the establishment of the relationship
      2 monitoring large or complex transactions being carried out outside the expected norms for the relationship
      (c) the CDD is completed as soon as practicable after contact is first established with the customer; and
      (d) the CDD is conducted in accordance with the policies, procedures, systems and controls on the use of the business relationship even before the customer's identity is verified.
      Note Under rule 2.1.3 (2) (g), a firm must have policies, procedures, systems and controls that set out the conditions that must be satisfied to permit a customer to use the business relationship even before the customer's identity (or the identity of the beneficial owner of the customer) is verified.
      (3) Also, CDD may be conducted for the beneficiary under a life insurance contract after the business relationship has been established if they are conducted at or before:
      (a) the time of payout; or
      (b) the time the beneficiary exercises a right vested under the contract.
      (4) In addition, CDD for a bank account holder may be conducted after the account has been opened if there are adequate safeguards in place to ensure that:
      (a) the account is not closed before they are completed; and
      (b) no payments are made from the account, and no other transactions are carried out by or on behalf of the account holder, before they are completed.
      (5) If the firm establishes a business relationship with the customer under subrule (2), (3) or (4) but cannot complete CDD for the customer, the firm:
      (a) must immediately terminate any relationship with the customer;
      (b) must not carry out a transaction with or for the customer; and
      (c) must consider whether it should make a suspicious transaction report to the FIU.
      (6) Subrule (5) (c) does not apply if the firm:
      (a) is a lawyer, notary, other legal professional, accountant, auditor, tax consultant or insolvency practitioner; and
      (b) is:
      (i) providing legal advice to the client; or
      (ii) defending or representing the client in, or concerning, legal proceedings, including providing advice on instituting or avoiding legal proceedings.
      Note For lawyers, notaries, other legal professionals and accountants, see rule 5.2.4 on giving advice and tipping-off.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.6 Timing of CDD — one-off transactions

      (1) A firm must conduct CDD for a customer before it conducts a one-off transaction for the customer.
      (2) If the firm cannot complete CDD for the customer, the firm:
      (a) must immediately terminate any relationship with the customer;
      (b) must not carry out the transaction with or for the customer; and
      (c) must consider whether it should make a suspicious transaction report to the FIU.
      (3) Subrule (2) (c) does not apply if the firm:
      (a) is a lawyer, notary, other legal professional, accountant, auditor, tax consultant or insolvency practitioner; and
      (b) is:
      (i) providing legal advice to the client; or
      (ii) defending or representing the client in, or concerning, legal proceedings, including providing advice on instituting or avoiding legal proceedings.
      Note For lawyers, notaries, other legal professionals and accountants, see rule 5.2.4 on giving advice and tipping-off.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.7 When CDD required — additional requirement for existing customers

      (1) A firm must also conduct CDD for existing customers at other appropriate times on a risk-sensitive basis.
      (2) Without limiting subrule (1), a firm must conduct CDD for an existing customer if there is a material change in the nature or ownership of the customer.
      (3) Without limiting subrule (2), a firm must decide whether to conduct CDD for a customer if:
      (a) the firm's customer documentation standards change substantially;
      (b) there is a material change in the way an account is operated or in any other aspect of the business relationship with the customer;
      (c) a significant transaction with or for the customer is about to take place; or
      (d) the firm becomes aware that it lacks sufficient information about the customer.
      Note See rule 3.3.4 (Products with fictitious or false names or no names).
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.8 Extent of CDD — general requirement

      (1) A firm must:
      (a) decide, consistently with these rules, the extent of CDD for a customer on a risk-sensitive basis depending on, among other factors, the customer risk, the product risk, the interface risk and the jurisdiction risk; and
      (b) be able to demonstrate to the Regulator that the extent of the is appropriate in view of the risks of money laundering and terrorism financing.
      (2) Without limiting subrule (1), a firm must conduct enhanced CDD for a customer if, for example, the business relationship of the customer is assessed as carrying a higher money laundering or terrorism financing risk.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.9 Extent of CDD — legal persons and arrangements

      (1) This rule applies if a firm is required to conduct CDD for a legal person (other than a corporation) or a legal arrangement.
      (2) If the firm identifies the class of persons in whose main interest the legal person or legal arrangement is established or operated as a beneficial owner, the firm is not required to identify all the members of the class.
      (3) However, if the CDD is required to be conducted for a legal arrangement and the beneficiaries and their contributions have al been decided, the firm must identify each beneficiary who is to receive at least 20% of the funds of the arrangement (by value).

      Note See also rule 4.6.11 (Customer identification documentation — legal arrangements).
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.10 CDD for beneficiaries of life insurance policies — general

      (1) A financial institution must conduct the either of the following measures on each beneficiary of a life insurance policy or other investment-related insurance policy as soon as the beneficiary is identified or designated:
      (a) for an identified beneficiary (whether a natural or legal person or a legal arrangement) — recording the beneficiary's name;
      (b) for a beneficiary designated by characteristics or class (for example, spouse or children at the time that the insured event occurs) or by some other means (for example, under a will)) — obtaining enough information about the beneficiary to satisfy the financial institution that it will be able to establish the identity of the beneficiary at the time of the payout.
      (2) The institution must verify the identity of each beneficiary at the time of the payout.
      (3) In deciding whether enhanced CDD is applicable, a financial institution must consider the beneficiary of a life insurance policy as a risk factor. If the financial institution decides that a beneficiary who is a legal person or a legal arrangement presents a higher risk, the enhanced CDD should include reasonable measures to identify, and verify the identity of, the beneficiary's beneficial owner at the time of payout.
      (4) If a financial institution is unable to comply with this rule, it must consider making a suspicious transaction report to the FIU.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.11 CDD for PEPs as beneficiaries of life insurance policies

      (1) Before making a payout from a life insurance policy, a financial institution must take reasonable measures to determine whether the beneficiary, or the beneficial owner of the beneficiary, of the policy is a PEP.
      (2) If the beneficiary or its beneficial owner is a PEP and the PEP presents a higher risk, the firm:
      (a) must inform its senior management;
      (b) must conduct enhanced CDD of its business relationship with the policyholder; and
      (c) must make a suspicious transaction report to the FIU.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.12 CDD for purchaser and vendor of real estate

      A DNFBP acting as real estate agent in relation to a transaction for the sale of real property must conduct CDD on both the buyer and seller of the property (even if the DNFBP acts for only 1 of the parties to the transaction).

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.13 Ongoing monitoring required

      (1) A firm must conduct ongoing monitoring for each customer.

      Note See rule 4.2.2 (What is ongoing monitoring?).
      (2) Without limiting subrule (1), the firm must pay special attention to all complex, unusual large transactions, or unusual patterns of transactions, that have no apparent or visible economic or lawful purpose.

      Examples
      1 significant transactions relative to the business relationship with the customer
      2 transactions that exceed set limits
      3 very high turnover inconsistent with the size of the balance
      4 transactions that fall outside the regular pattern of an account's activity
      (3) The firm must examine as far as possible the background and purpose of a transaction mentioned in subrule (2) and must make a record of its findings.
      (4) A record made for subrule (2) must be kept for at least 10 years after the day it is made.
      (5) This rule is subject to rule 5.2.2 (2) (Firm must ensure no tipping-off occurs).
      (6) In this rule:
      transaction, in relation to insurance business, means the insurance product itself, the premium payment and the benefits.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.14 Procedures for ongoing monitoring

      (1) A firm must have policies, procedures, systems and controls for ongoing monitoring for its customers.
      (2) The systems and controls:
      (a) must flag transactions for further examination; and
      (b) must provide for:
      (i) the prompt further examination of these transactions by a senior independent person;
      (ii) appropriate action to be taken on the findings of the further examination; and
      (iii) if there is knowledge or suspicion of money laundering or terrorism financing raised by the findings — a report to be made promptly to the firm's MLRO.
      (3) The monitoring provided by the systems and controls may be:
      (a) in real time (that is, transactions are reviewed as they take place or are about to take place); or
      (b) after the event (that is, transactions are reviewed after they have taken place).
      (4) The monitoring may be, for example:
      (a) by reference to particular types of transactions or the customer's risk profile;
      (b) by comparing the transactions of the customer, or the customer's risk profile, with those of customers in a similar peer group; or
      (c) through a combination of those approaches.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 4.3.15 Linked one-off transactions

      (1) A firm must have systems and controls to identify one-off transactions that are linked to the same person.

      Note See rule 4.2.5 (What is a one-off transaction?).
      (2) If a firm knows or suspects, or has reasonable grounds to know or suspect, that a series of linked one-off transactions involves money laundering or terrorism financing, the firm must make a suspicious transaction report to the FIU.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)