
E. Client Due Diligence

1. VASPs shall adopt a risk-based application of CDD measures in accordance with the Federal AML-CFT Laws.
2. VASPs are required to undertake CDD measures to verify the identity of the client and the UBO[s] before or during the establishment of a business relationship for the purposes of providing services relating to VA Activities, or before executing a transaction [whether or not denominated in Virtual Assets] for a client with whom there is no business relationship.
3. VASPs shall undertake CDD measures in the following circumstances—
 
  a. when establishing a business relationship with a client for the purposes of providing services relating to VA Activities;
  b. when carrying out occasional transactions in favour of a client for amounts equal to or exceeding AED 3,500, whether the transaction is carried out in a single transaction or in several transactions that appear to be linked;
  c. where there is an instruction from a client to handle a potential Suspicious Transaction;
  d. where there are doubts about the veracity or adequacy of previously obtained identification information of a client; and
  e. when carrying out any transaction for high-risk clients as characterised in the Federal AML-CFT Laws.
 
4. VASPs should undertake CDD measures in their ongoing supervision of business relationships with clients, including—
 
  a. auditing transactions that are carried out throughout the period of the business relationship, to ensure that the transactions conducted are consistent with the information on file regarding clients and the risks they pose, including, where necessary, the source of funds; and
  b. ensuring that the documents, data or information obtained from CDD measures are up-to-date and appropriate by regularly reviewing such records, particularly those of high-risk clients as characterised in the Federal AML-CFT Laws.
 
5. As part of the CDD process, VASPs shall verify clients’ identity by reference to the following documents, data or information from a reliable and independent source—
 
  a. For individuals
 
    i. full name as shown on an identification card or a travel document [along with a copy of the original and valid identification card or travel document];
    ii. nationality;
    iii. address;
    iv. place of birth;
    v. name and address of employer; and
    vi. if the client is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
 
  b. For Entities which are not individuals
 
    i. full name of the Entity;
    ii. type of Entity;
    iii. constitutional documents [e.g. memorandum of association and articles of association] attested by competent authorities within the UAE;
    iv. principal place of business;
    v. names of individuals holding Senior Management positions in the Entity; and
    vi. if the UBO is a Politically Exposed Person, approval from the MLRO and a member of the Senior Management is required prior to establishing a business relationship with such client.
 
6. VASPs are further required to—
 
  a. verify that any Entity purporting to act on behalf of the client is so authorised, and verify the identity of that Entity in accordance with Rule III.E.5 of this Compliance and Risk Management Rulebook;
  b. understand the intended purpose and nature of the business relationship with the client, and obtain, when necessary, information related to this purpose; and
  c. where the VASP’s client is a business or otherwise provides services to other clientele, understand the nature of the client’s business as well as the client’s ownership and control structure, including but not limited to the following—
 
    i. the identity of UBO[s];
    ii. whether such structure includes any DAOs and, if so, the intended purpose of such DAOs;
    iii. the type, nature and pursuits of the clientele of a prospective client and where necessary carry out appropriate due diligence on the client’s clientele in order to ensure compliance with the Federal AML-CFT Laws.
 
7. If a VASP is unable to conduct appropriate CDD on a client, it shall not—
 
  a. establish or maintain a business relationship with such client; or
  b. execute any transaction for such client.
 
8. If a VASP relies on third parties to perform CDD, it shall remain liable for ensuring such third parties perform CDD in accordance with all relevant Rules and Directives. VASPs that rely on third parties to undertake CDD on their behalf must therefore implement adequate measures in keeping with the nature and size of their businesses [including VA Activities] to ensure that such third parties’ performance of CDD is in accordance with all relevant Rules and Directives.