Self Assessment: SAR/STR
1. Do you collect and input data for all clients consistently?
2. Do you define the data that should be mandatorily filled as a system requirement (e.g. nationality, employment status, date of on-boarding, PEP status, status as a legal person or legal arrangement, correspondent, jurisdiction of incorporation, etc.)?
3. Do you flag customers as related parties or use any consolidated monitoring techniques (e.g., customers with the same beneficial owners, customers that are part of a corporate group, customers with the same mobile number, residence address)?
4. Do you assign a risk rating to each customer, and is it reflected in your records?
5. Do you have in place controls to identify transactions that are not consistent with the Authorised Person's knowledge of the customer, his business and risk rating?
6. Do you have in place controls to identify any complex or unusually large transactions or unusual patterns of transactions that have no apparent or visible economic or legitimate purpose?
7. Where customers or Business Relationships are identified as high-risk, do you investigate and obtain more information about the purpose of transactions and enhance ongoing monitoring and review of transactions in order to identify potentially unusual or suspicious activities?
8. Are higher-risk customers subject to more stringent transaction monitoring, such as lower thresholds for alerts and more intensive investigation?
9. Do you have a documented escalation framework for the alerts generated?
10. Do you conduct and complete an investigation of the alerted activity?
11. Do you document the results of any research or analysis performed and recommend whether an STR or SAR should be filed?
12. In the case of an internal investigation, do you define a reasonable Request For Information (“RFI”) timeframe to allow the customer to respond to queries raised during a case investigation?
13. Do you have clear procedures for making RFIs on the customers of correspondents?
14. Do you have a clear policy for limiting/restricting/terminating a correspondent’s account should the correspondent not respond to RFIs in a timely manner?
15. Do you have a process in place for the expedited filing of urgent reports in appropriate cases?
16. Do you maintain a log of exited/terminated relationships and rejected cases?
17. Do your AML/CFT systems in relation to suspicious transaction/activity reporting include clear policies and procedures over internal reporting for SARs/STRs?
18. Do your AML/CFT systems in relation to suspicious transaction/activity reporting include clear policies and procedures for reporting to the UAE FIU?
19. Do your AML/CFT systems in relation to suspicious transaction/activity reporting include clear policies and procedures for post-reporting risk mitigation and prevention of tipping-off?
20. Do you have measures in place to check, on an ongoing basis, that your AML/CFT systems in relation to suspicious transaction/activity reporting comply with relevant legal and regulatory requirements and operate effectively?
21. Do you define a well-articulated workflow/decision tree to decide whether or not a suspicious transaction/activities report should be filed?
22. Do you have a process in place for the expedited filing of urgent suspicious transaction/activities reports in appropriate cases?
23. Does the Compliance Officer, MLRO or Deputy MLRO file a suspicious transaction/activities report to the FIU within 24 hours of the determination?
24. Are all decisions to file/not to file suspicious transaction/activities reports documented and signed off by the MLRO or Head of Compliance or their deputy?
25. Do you maintain a register of all suspicious transaction/activities reports made to the FIU, as well as of all reports made by employees to the MLRO, including those where a decision is made by the MLRO not to report to the FIU?
26. Does your record of all ML/TF reports made to the MLRO include the following:
Sufficient details of the customer concerned?
The information giving rise to the suspicion?
The date on which the report was made?
The staff members subsequently handling the report?
The result of the assessment?
Whether the internal report resulted in a suspicious transaction/activities report to the FIU?
27. Do you maintain a customer exit policy that outlines the process for reviewing the overall customer relationship and deciding on the next steps, including ending the relationship and notifying law enforcement and/or other group affiliates, as appropriate?
28. Do you provide sufficient training to your staff to enable them to form suspicion or to recognise the signs when ML/TF is taking place?
29. Do you provide guidance to staff on identifying suspicious activity, taking into account the nature of the transactions and customer instructions that staff are likely to encounter?
30. Do you provide guidance to staff on identifying suspicious activity taking into account the type of product or service?
31. Do you provide guidance to staff on identifying suspicious activity taking into account the means of delivery, the customer risks, geographical risk and any risk derived from the change of circumstances?
32. Do you ensure staff are aware of and alert to the following situations/scenarios and consider them in certain circumstances to possibly give rise to suspicion?
a) Transactions or instructions which have no apparent legitimate purpose and/or appear not to have a commercial rationale
b) Transactions, instructions or activity that involve apparently unnecessary complexity or which do not constitute the most logical, convenient or secure way to do business
c) Where the transaction being requested by the customer, without reasonable explanation, is out of the ordinary range of services normally requested, or is outside the experience of the financial services business and DNFBPs in relation to the particular customer.
d) Where without reasonable explanation, the size or pattern of transactions is out of line with any pattern that has previously emerged
e) Where the customer refuses to provide the information requested without reasonable explanation or otherwise refuses to cooperate with the CDD and/or ongoing monitoring process.
f) Where a customer who has entered into a business relationship uses the relationship for a single transaction or for only a very short period without a reasonable explanation
g) The extensive use of trusts or offshore structures in circumstances where the customer's needs are inconsistent with the use of such services
h) Transfers to and from high-risk jurisdictions without reasonable explanation, which are not consistent with the customer's declared business dealings or interests
33. Do you ensure that the STRs filed with the FIU are of high quality, taking into account feedback and guidance provided by the FIU and your supervisor from time to time?
34. Upon filing an STR report to FIU, do you conduct an appropriate review of the business relationship, irrespective of any subsequent feedback provided by the FIU, and apply appropriate risk-mitigating measures?
35. Upon filing an STR report to FIU, do you, if necessary, escalate the issue to the senior management to determine how to handle the relationship concerned to mitigate any potential legal or reputational risks posed by the relationship?
36. If the FIU or your supervisor issues a no-consent letter, do you act according to the content of the letter and seek legal advice where necessary?
37. Does the record of all STRs made to the FIU include the following details?
38. Do you have a proper mechanism to provide additional information and documentation to FIU within the timeframe provided?
39. Are the STR/SAR reports and investigation records confidential, maintained in safekeeping, and accessible only to designated staff rather than to all staff?