Back to Article

ANTI-MONEY LAUNDERING AND COUNTER-TERRORIST FINANCING AND SANCTIONS RULES

Anti-Money Laundering and Counter-Terrorist Financing and Sanctions

1. INTRODUCTION

1.1. Overview of the AML Rules

  1. (a) The Anti-Money Laundering Rules (the "AML Rules") are made in recognition of the application of the Law of the Republic of Kazakhstan No 191-IV dated 28 August 2009 on counteracting legalisation (laundering) of proceeds obtained through criminal means and financing of terrorism (the "AML Law"), the Criminal Code of the Republic of Kazakhstan No 226-V dated 3 July 2014 (the "Criminal Code") and international conventions and treaties ratified by the Republic of Kazakhstan.
  2. (b) In these Rules, a reference to ‘money laundering’ also includes a reference to terrorist financing and financing the proliferation of weapons of mass destruction.

1.2. Purpose of AML Rules

  1. (a) The AML Rules have been designed to provide a single reference point for all persons and entities (collectively called Relevant Persons) who are supervised by the AFSA for anti-money laundering ("AML"), countering the financing of terrorism ("CFT"), and sanctions compliance. This means that they apply to Authorised Firms, Authorised Market Institutions, Designated Non-Financial Businesses and Professions ("DNFBPs"), and Registered Auditors.
  2. (b) The AML Rules must not be read in isolation. Relevant Persons must also be aware of the provisions of the Kazakhstan criminal law referred to in Chapter 3 and developments in international policy and best practice. This is particularly relevant when considering United Nations Security Council ("UNSC") resolutions and unilateral sanctions imposed by other jurisdictions which may apply to a Relevant Person depending on the Relevant Person's jurisdiction of origin, its business and/or customer base.

1.3. [Intentionally omitted]

[Intentionally omitted]

1.4. Financial Action Task Force

  1. (a) The FATF means the Financial Action Task Force, the inter-governmental body that sets standards, develops and promotes policies, to combat money laundering, and includes any successor entity.
  2. (b) The AFSA has had regard to the FATF Recommendations in making these Rules. A Relevant Person is referred to the FATF Recommendations and interpretive notes to assist it in complying with these Rules. However, if a FATF Recommendation or interpretive note conflicts with a Rule, the relevant Rule takes precedence.
  3. (c) A Relevant Person may also wish to refer to the FATF typology reports which provide information on money laundering methods. These can be found on the FATF website www.fatf-gafi.org. Some international groupings, official or informal, publish material that may be useful as context and background in informing the approach adopted by Relevant Persons to AML and CFT. These groupings include Transparency International (www.transparency.org.uk) and the Wolfsberg Group (www.wolfsbergprinciples.com).
  4. (d) The Republic of Kazakhstan, as a member of the United Nations, is required to comply with sanctions issued and passed by the UNSC. These Rules contain specific obligations requiring Relevant Persons to establish and maintain effective systems and controls to comply with UNSC resolutions and sanctions (See Chapter 12).
  5. (e) The FATF has issued guidance on a number of specific UNSC resolutions and sanctions regarding the countering of the proliferation of weapons of mass destruction. Such guidance has been issued to assist in implementing the targeted financial sanctions and activity based financial prohibitions. This guidance can be found on the FATF website www.fatf-gafi.org.
  6. (f) In relation to unilateral sanctions imposed in specific jurisdictions such as the European Union, the United Kingdom (HM Treasury) and the United States of America (Office of Foreign Assets Control of the Department of the Treasury), a Relevant Person must consider and take positive steps to ensure compliance where required or appropriate.

1.5. Structure of the AML Rules

(a) Chapter 2 sets out the application of the AML Rules.

(b) Chapter 3 sets out guidance on relevant Kazakhstan criminal law.

(c) Chapter 4 explains the meaning of the risk-based approach ("RBA"), which must be applied when complying with these Rules.

(d) Chapter 5 explains the concept of customer risk assessments.

(e) Chapter 6 establishes the Rules for Customer Due Diligence ("CDD") and Chapters 7 and 8 set out the different measures that may be appropriate for higher and lower risk customers - Enhanced Due Diligence ("EDD") and Simplified Due Diligence ("SDD").

(f) Chapter 9 sets out when and how a Relevant Person may rely on a third party to undertake all or some of its CDD obligations. Reliance on a third-party CDD reduces the need to duplicate CDD already performed in respect of a customer. Alternatively, a Relevant Person may outsource some or all of its CDD obligations to a service provider.

(g) Chapter 10 sets out certain obligations in relation to correspondent banking and Chapter 11 sets out obligations relating to wire transfers.

(h) Chapter 12 sets out a Relevant Person's obligations in relation to UNSC resolutions and sanctions, and government, regulatory and international findings in relation to AML, CFT, and the financing of weapons of mass destruction.

(i) Chapter 13 sets out the obligation for a Relevant Person to appoint a Money Laundering Reporting Officer ("MLRO") and the responsibilities of this role. It also sets out requirements regarding Suspicious Transaction Reports ("STRs") that are required to be made under the AML Law and explains the concept of "tipping off".

(j) Chapter 14 sets out general obligations, including requirements for AML training, policies, and recordkeeping.

1.6. Interpretation

Words and expressions used in these Rules that require defining are set out in the AIFC Glossary.

2. APPLICATION

2.1. Application

(a)The AML Rules apply to:

  1. (i)every Relevant Person in respect of all its AFSA regulated or supervised activities except an Authorised Firm licenced to operate a Representative Office; and
  2. (ii)the persons specified in AML 2.2 as being responsible for a Relevant Person's compliance with these Rules.

(b) For the purposes of these Rules, a Relevant Person means:

  1. (i)an Authorised Firm;
  2. (ii)an Authorised Market Institution;
  3. (iii)a DNFBP; or
  4. (iv)a Registered Auditor.

Guidance

Only a Centre Participant may be one of the Relevant Persons above. A natural person cannot be a Centre Participant.


2.2. Responsibility for compliance with the AML Rules

  1. (a) Responsibility for a Relevant Person's compliance with these Rules lies with every member of its senior management. Senior management must be fully engaged in the decision-making processes and must take ownership of the RBA set out in Chapter 4.
  2. (b) In carrying out their responsibilities under these Rules every member of a Relevant Person's senior management must exercise due skill, care and diligence.
  3. (c) Nothing in these Rules precludes the AFSA from imposing disciplinary sanctions, taking enforcement action and any other regulatory action deemed necessary against any person including any one or more of the following persons in respect of a contravention of any AML Rule:
  4. (i) a Relevant Person;
  5. (ii) members of a Relevant Person's senior management; or
  6. (iii) an employee of a Relevant Person.
  7. (d) In these Rules “senior management” means:
  8. In relation to a Relevant Person every member of the Relevant Person’s executive management and includes:
  9. (i) for a AIFC entity, every member of the Relevant Person’s Governing Body;
  10. (ii) for a branch, the person or persons who control the day-to-day operations of the Relevant Person in the AIFC and would include, at a minimum, the senior executive officer or equivalent officer, such as the managing director; and
  11. In relation to a customer that is a body corporate, every member of the body corporate’s Governing Body and the person or persons who control the day-to-day operations of the body corporate, including its senior executive officer, chief operating officer and chief financial officer.

2.3. AFSA supervision powers in respect of DNFBPs

The AFSA may conduct reviews of DNFBPs to perform its AML and CFT responsibilities, including as part of its RBA to supervision.

The AFSA may conduct inspections of DNFBPs as part of its RBA to supervising DNFBPs for AML and CFT.


Guidance on AML and CFT supervision

The AFSA receives an annual AML Return from a DNFBP (AML Rule 13.7) which will assist the AFSA in its supervision of DNFBPs.

Additionally, the AFSA may decide to undertake periodic reviews of one or more DNFBPs as part of its RBA to supervision. The AFSA may also provide further guidance on its approach to AML and CFT supervision of DNFBPs. 

The AFSA’s reviews may cover matters such as reviewing the firm’s systems and controls for conducting a money laundering risk assessment, CDD and complying with applicable UNSC resolutions and sanctions.

Reviews may involve interviews with senior management and a review of relevant records.


3. GUIDANCE ON KAZAKHSTAN CRIMINAL LAW

3.1. Kazakhstan criminal law

  1. (a) Kazakhstan criminal law applies to all Centre Participants and therefore Relevant Persons must be aware of their obligations in respect of the criminal law as well as these Rules. Relevant Kazakhstan criminal law includes the AML Law and the Criminal Code.

4. THE RISK BASED APPROACH

4.1. Obligations of the Risk-Based Approach

4.1.1. General Duty

A Relevant Person must take appropriate steps to identify and assess the risks of money laundering to which its business is exposed, and must establish and maintain policies, procedures, systems and controls to mitigateand manage the risks identified.


A Relevant Person must take appropriate steps to manage and mitigate country-wide risks, including those relevant for the Republic of Kazakhstan identified in the published reports and guidance given by the Financial Intelligence Unit of the Republic of Kazakhstan (the "FIU") regarding the FATF mutual evaluations and follow-up reports, and implement enhanced measures where higher risks are identified.


4.1.2. Nature and size of business

In deciding what steps are appropriate under AML 4.1.1, a Relevant Person must consider the size (as measured by the number of its employees, revenue, or market capitalisation, as appropriate) and nature of its business and the complexity of its activities.

4.1.3. Obligation to assess, manage and mitigate business and customer risks

In order to identify and assess the risks of money laundering a Relevant Person must conduct a business risk assessment and must also conduct customer risk assessments in accordance with Chapter 5 and keep these assessments up to date.

The risks of money laundering that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products must be identified and assessed by a Relevant Person prior to the launch or use of such products, practices and technologies.

A Relevant Person must take appropriate measures to manage and mitigate the risks identified in its risk assessments.

4.2. Business Risk Assessment by Relevant Persons

4.2.1. Risk factors to be considered for business risk assessment

In carrying out a business risk assessment as required under AML 4.1.1 a Relevant Person must take into account risk factors including:

  • (a) its customers;
  • (b) the countries or geographic areas in which it operates;
  • (c) its products or services;
  • (d) its transactions;
  • (e) its delivery mechanisms, channels and partners;
  • (f) the development of new products and new business practices, including new delivery mechanisms, channels and partners; and
  • (g) the use of new or developing technologies for both new and pre-existing products.

4.2.2. Use of the business risk assessment

A Relevant Person must use the information obtained from its business risk assessment to:

  1. (a) develop and maintain the policies, procedures, systems and controls required by AML 4.1.1;
  2. (b) ensure that its policies, procedures, systems and controls adequately mitigate the risks identified;
  3. (c) assess the effectiveness of its policies, procedures, systems and controls ;
  4. (d) assist in allocation and prioritisation of AML resources; and
  5. (e) assist in the carrying out of customer risk assessments under Chapter 5.

4.3. Internal policies, procedures, systems and controls

4.3.1. Requirements of policies, procedures, systems and controls

The policies, procedures, systems and controls adopted by a Relevant Person under AML 4.1.1 must be:

  1. (a) proportionate to the nature, scale, complexity and money laundering risks of the activities of the Relevant Person’s business;
  2. (b) comprised of, at minimum, organisation of the development and maintenance of the policies, procedures, systems and controls required by AML 4.1.1:
  3. (i)risk management;
  4. (ii)customer identification;
  5. (iii)transaction monitoring and reviewing;
  6. (iv)employees training and awareness programme;
  7. (v)appropriate representation of compliance function in the management;
  8. (vi)adequate screening procedures to ensure high standards when hiring employees; and
  9. (vii)independent audit function to test the system.
  10. (c) approved by its senior management; and
  11. (d) monitored, reviewed and updated regularly.

4.3.2. Purpose of policies, procedures, systems and controls

The policies, procedures, systems and controls must provide for the identification and scrutiny of:

  1. (a) complex or unusually large transactions, or an unusual pattern of transactions;
  2. (b) transactions which have no apparent economic or legal purpose; and
  3. (c) other activity which the Relevant Person regards as particularly likely by its nature to be related to money laundering.

4.3.3. Record of policies, procedures, systems and controls

A Relevant Person must maintain a written record of the policies, procedures, systems and controls established under AML 4.1.1. The Rules regarding record-keeping for the purposes of these Rules are in AML 14.5.

Guidance on the risk based approach

  1. (a) AML 4.1.1 requires a Relevant Person to adopt an approach to AML which is proportionate to the risks inherent in its business. This is illustrated in Figure 1 below. The AFSA expects the RBA to be a key part of the Relevant Person's AML compliance culture and to cascade down from the senior management to the rest of the organisation. It requires the full commitment and support of senior management, and the active cooperation of all employees. Embedding the RBA within its business allows a Relevant Person to make decisions and allocate AML resources in the most efficient and effective way.
  2. (b) No system of checks will detect and prevent all money laundering. A RBA will, however, balance the cost burden placed on Relevant Persons and their customers, against a realistic assessment of the threat of the Relevant Person’s business being used in connection with money laundering. It will focus the effort where it is needed and will have most impact.
  3. (c) In implementing the RBA, a Relevant Person is expected to have in place processes to identify and assess money laundering risks. After the risk assessment, the Relevant Person is expected to monitor, manage and mitigate the risks in a way that is proportionate to the Relevant Person's exposure to those money laundering risks. The general principle is that where there are higher risks of money laundering, a Relevant Person is required to take enhanced measures to manage and mitigate those risks, and that, correspondingly, when the risks are lower, simplified measures are permitted.
  4. (d) The RBA discourages a "tick-box" approach to AML. Instead, a Relevant Person is required to assess relevant money laundering risks and adopt a proportionate response to such risks.
  5. (e) Unless a Relevant Person understands the money laundering risks to which it is exposed, it cannot take appropriate steps to prevent its business being used for the purposes of money laundering. Money laundering risks vary from business to business depending on the nature of the business, the type of customers a business has, and the nature of the products and services sold.
  6. (f) Relevant Persons that do not offer complex products or services and that have limited international exposure may not need an overly complex or sophisticated business risk assessment.
  7. (g) Using the RBA, a Relevant Person assesses its own vulnerabilities to money laundering and takes all reasonable steps to eliminate or manage such risks. The results of this assessment will also feed into the Relevant Person’s risk assessment of its customers (see Chapter 6).
  8. (h) Risk management is a continuous process, carried out on a dynamic basis. A money laundering risk assessment is not a one-time exercise. The AFSA expects a Relevant Person's risk management processes for managing money laundering risks are kept under regular review and that any changes made to policies, procedures, systems and controls are recorded.

5. CUSTOMER RISK ASSESSMENT

5.1. Assessing customer money laundering risks

5.1.1. Requirement to conduct a customer risk assessment

A Relevant Person must:

  • (a) undertake a risk-based assessment of every customer; and
  • (b) assign the customer a risk rating proportionate to the customer's money laundering risks.

5.1.2. Timing of the customer risk assessment

The customer risk assessment in AML 5.1.1 must be completed prior to conducting CDD for new customers, and where, for an existing customer, there is a material change in circumstances.

5.1.3. Conduct of the customer risk assessment

When undertaking a risk-based assessment of a customer under AML 5.1.1 a Relevant Person must:

  1. (a) identify the customer, any beneficial owner(s) and any person acting on behalf of a customer;
  2. (b) obtain information on the purpose and intended nature of the business relationship;
  3. (c) consider the type of customer, its ownership and control structure, and its beneficial ownership (if any);
  4. (d) consider the nature of the customer's business relationship with the Relevant Person;
  5. (e) consider the customer's country of origin, residence, nationality, place of incorporation or place of business;
  6. (f) consider the relevant product, service or transaction;
  7. (g) consider the beneficiary of a life insurance policy, where applicable; and
  8. (h) consider the outputs of the business risk assessment under Chapter 4.

5.1.4. Identification of Politically Exposed Persons

The policies, procedures, systems and controls adopted by the Relevant Person in accordance with AML 5.1.1 must enable it to determine whether a customer or a beneficial owner is a Politically Exposed Person ("PEP").

5.1.5. Identification of control structure

A Relevant Person must not establish a business relationship with a customer which is a legalperson if the ownership or control structure of the customer prevents the Relevant Person from identifying all of the customer's beneficial owners.

A Relevant Person must not establish a business relationship with a customer which is a legal person if the ownership or control structure of the customer prevents the Relevant Person from identifying all of the customer's beneficial owners.

5.1.6. Prohibition on relationships with Shell Banks

A Relevant Person must not establish or maintain a business relationship with a Shell Bank.

Guidance on customer risk assessments

  1. (a) The findings of the customer risk assessment will assist the Relevant Person in determining the level of CDD that should be applied in respect of each customer and beneficial owner.
  2. (b) In assessing the nature of a customer, a Relevant Person should consider such factors as the legal structure of the customer, the customer's business or occupation, the location of the customer's business and the commercial rationale for the customer's business model.
  3. (c) In assessing the customer business relationship, a Relevant Person should consider how the customer is introduced to the Relevant Person and how the customer is serviced by the Relevant Person, including for example, whether the Person will be a private banking customer, will open a bank or trading account, or whether the business relationship will be purely advisory.
  4. (d) The risk assessment of a customer, which is illustrated in Figure 2 below, requires a Relevant Person to allocate an appropriate risk rating to every customer. Risk ratings areto be described as "low", "medium" or "high", on a sliding numeric scale with 1 to 3 as "low" risk, 4 to 7 as "medium" risk, and 8 to 10 as "high" risk. Depending on the outcome of a Relevant Person's assessment of its customer's money laundering risk, a Relevant Person should decide what degree of CDD will need to be conducted.
  5. (e) In AML 5.1.5, ownership arrangements which may prevent the Relevant Person from identifying one or more beneficial owners include bearer shares, nominee shareholder arrangements, and other negotiable instruments in which ownership is determined by possession.

Guidance on the term "customer"

  1. (a) The point at which a person becomes a customer will vary from business to business. However, the AFSA considers that it would usually occur at or prior to the business relationship being formalised, for example, by the signing of a customer agreement or the acceptance of terms of business.
  2. (b) A person would not normally be a customer of a Relevant Person merely because such person receives marketing information from a Relevant Person or where a Relevant Person refers a person who is not a customer to a third party (including a Group member).
  3. (c) A counterparty would generally be a "customer" for the purposes of these Rules and would therefore require a Relevant Person to conduct CDD on such a person. However, this would not include a counterparty in a transaction undertaken on a Regulated Exchange. Nor would it include suppliers of ordinary business services, to the Relevant Person such as cleaning, catering, stationery, IT or other similar services.

Guidance on high risk customers

  1. (a) In complying with AML 5.1.1, a Relevant Person should consider the following customer risk factors which may indicate that a customer poses a higher risk of money laundering:
  2. (i) the business relationship is conducted in unusual circumstances;
  3. (ii) the customer is resident in a geographical area considered by FATF to be an area of high risk;
  4. (iii) the customer is a legal person or arrangement that is a vehicle for holding personal assets;
  5. (iv) the customer is a company that has nominee shareholders or shares in bearer form;
  6. (v) the customer is a cash-intensive business;
  7. (vi) the corporate structure of the customer is unusual or excessively complex given the nature of the company’s business; and
  8. (vii) the customer has been subject to adverse press or public information related to potential money laundering activities.
  9. (b) In complying with AML 5.1.1 a Relevant Person should also consider the following product, service, transaction or delivery channel risk factors:
  10. (i) the product involves private banking;
  11. (ii) the product or transaction is one which might favour anonymity;
  12. (iii) the situation involves non-face-to-face business relationships and/or transactions, without certain safeguards, such as electronic signatures;
  13. (iv) payments will be received from third parties who are unknown to the Relevant Person;
  14. (v) new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for new and existing products;
  15. (vi) the service provides nominee directors, nominee shareholders or shadow directors for hire, or offers the formation of companies in third countries; and
  16. (vii) the service involves undocumented or verbal agreements with counterparties or customers.
  17. (c) In complying with AML 5.1.1 a Relevant Person should also consider the following geographical risk factors:
  18. (i) countries identified by credible sources, such as FATF mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective systems to counter money laundering and terrorist financing; and
  19. (ii) countries subject to sanctions, embargos or similar measures issued by, for example, the United Nations Security Council or identified by credible sources as having significant levels of corruption or other criminal activity and countries or geographic areas identified by credible sources as providing funding or support for terrorism.

Guidance on low risk customers

  1. (a) In complying with AML 5.1.1 the following types of customers may pose a lower risk of money laundering:
  2. (i) a governmental entity, or a publicly-owned enterprise;
  3. (ii) an individual resident in a geographical area of lower risk which has AML regulations which are equivalent to the standards set out in the FATF Recommendations;
  4. (iii) Customers with a long-term and active business relationship with the Relevant Person;
  5. (iv) a regulated Financial Institution whose entire operations are subject to regulation and supervision, including AML regulation and supervision, in a jurisdiction with AML regulations which are equivalent to the standards set out in the FATF Recommendations; or
  6. (v) a company whose Securities are listed on a Regulated Market in a jurisdiction which has AML regulations which are equivalent to the standards set out in the FATF Recommendations;
  7. (b) In complying with AML 5.1.1 the following types of product, service, transaction or delivery channel risk factors may pose a lower risk of money laundering:
  8. (i) a contract of insurance which is non-life insurance;
  9. (ii) a contract of insurance which is a life insurance product which does not provide for an early surrender option, and cannot be used as collateral;
  10. (iii) a contract of insurance which is life insurance for which the annual premium is low by comparison with prevailing market standards;
  11. (iv) a contract of insurance for the purposes of a pension scheme where the contract contains no surrender clause and cannot be used as collateral;
  12. (v) a pension, superannuation or similar scheme which provides retirement benefits to employees, where contributions are made by an employer or by way of deduction from an employee's wages and the scheme rules do not permit the assignment of a member's interest under the scheme; or
  13. (vi) arbitration, litigation, or advice on litigation prospects.
  14. (c) The assignment of a low risk customer AML rating should not be automatic and should be applied only after an assessment of a customer's actual AML risk as required in AML 5.1.1. In conducting this assessment, however, Relevant Persons should make use of, and build upon, the business risk assessment(s) it has undertaken in accordance with Chapter 4.

Guidance on Shell Banks

  1. (a) AML 5.1.6 prohibits a Relevant Person from establishing or maintaining a business relationship with a Shell Bank.
  2. (b) The presence of a local agent or administrative staff would not constitute a physical presence in the country in which the customer is incorporated or licensed.

6. CUSTOMER DUE DILIGENCE

6.1. Conducting Customer Due Diligence

6.1.1. Obligation to conduct Customer Due Diligence

A Relevant Person must:

(a) conduct CDD under AML 6.3.1 for each of its customers including when the customer is carrying out occasional transactions the value of which singularly or in several linked operations (whether at the time or later), equal or exceed USD 15,000; and

(a-a) conduct CDD under AML 6.3.1 for each of its customers including when the customer is
carrying out occasional transactions with Digital Assets the value of which singularly or in several linked operations (whether at the time or later), equal or exceed USD 1,000; and

(b) in addition to (a) and (a-a), conduct EDD under AML 7.1.1 in respect of:

(i) each customer it has assigned as high risk;

(ii) business relationships and transactions with persons from countries with high geographical risk factors.

6.1.2. Conducting Simplified Due Diligence

(a)A Relevant Person may conduct SDD in accordance with AML 8.1.1 by modifying the CDD under AML 6.3.1 for any customer it has assigned as low risk. A Relevant Person must not conduct SDD measures in specific high-risk scenarios or when there is a suspicion of money laundering;

(b)A Relevant Person must ensure that assignment of low risk is based on an adequate risk analysis and SDD is commensurate with the risk level identified.

Guidance on Customer Due Diligence

(a)A Relevant Person should conduct CDD in a manner proportionate to the customer's money laundering risks identified under Chapter 6. When the money laundering risks are identified as high, a Relevant Person must conduct EDD under Chapter 7.

(b)This means that all customers are subject to CDD under AML 6.3.1. However, for high risk customers, additional EDD measures should also be conducted under AML 7.1.1.

(c)The broad objective is that the Relevant Person should know at the outset of the relationship who its customers (and, where relevant, beneficial owners) are, where they operate, what they do and their expected level of activity. In addition to AML 6.1.1(a), a Relevant Person must obtain documents on the legal form and the powers that regulate and bind the legal person or arrangement. The Relevant Person must then consider how the profile of the customer’s financial behaviour builds up over time, allowing the Relevant Person to identify transactions or activity that may be suspicious.


6.2. Timing of Customer Due Diligence

6.2.1. Establishment of business relationship

A Relevant Person must conduct CDD measures:

  1. (a) when it is establishing a business relationship with a customer; and
  2. (b) after establishing a business relationship with a customer.

6.2.2. After the establishment of a business relationship

A Relevant Person must also conduct appropriate CDD if, at any time:

  1. (a) in relation to an existing customer, it doubts the veracity or adequacy of documents, data or information obtained for the purposes of CDD;
  2. (b) it suspects money laundering; or
  3. (c) there is a change in the risk rating applied by the Relevant Person to an existing customer, or it is otherwise warranted by a change in circumstances of the customer

6.2.3. Establishing a business relationship before Customer Due Diligence is complete

A Relevant Person may establish or retain a business relationship with a customer before completing the verification required by AML 6.3.1 if the following conditions are met:

  1. (a) deferral of the verification of the customer or beneficial owner is necessary in order not to interrupt the normal conduct of a business relationship;
  2. (b) risk management procedures concerning the conditions under which a customer may utilise the business relationship prior to verification have been adopted and are in place; and there is little risk of money laundering occurring and any such risks identified can be effectively managed by the Relevant Person;
  3. (c) in relation to a bank account opening, there are adequate safeguards in place to ensure that the account is not closed and transactions are not carried out by or on behalf of the account holder (including any payment from the account to the account holder) before verification has been completed; and
  4. (d) subject to (c), the relevant verification is completed as soon as reasonably practicable before or during the establishment of a business relationship and when transactions for occasional customers are being conducted; and in any event, no later than 30 days after the establishment of a business relationship.

6.2.4. Inability to complete Customer Due Diligence within 30 days

Where a Relevant Person is not reasonably able to comply with the 30-day requirement in AML 6.2.3(d), it must, prior to the end of the 30-day period:

  • (a) document the reason for its non-compliance;
  • (b) complete the verification in AML 6.2.3 as soon as possible; and
  • (c) record the non-compliance event.

6.2.5. Cessation of business

The AFSA may specify a period within which a Relevant Person must complete the verification required by AML 6.2.3 failing which the AFSA may direct the Relevant Person to cease any business relationship with the customer.

Guidance on timing of Customer Due Diligence

  1. (a) For the purposes of AML 6.2.2(a), examples of situations which might lead a Relevant Person to have doubts about the veracity or adequacy of documents, data or information previously obtained could be where there is a suspicion of money laundering in relation to that customer, where there is a material change in the way that the customer's account is operated, which is not consistent with the customer's business profile, or where it appears to the Relevant Person that a person other than the customer is the real customer.
  2. (b) In AML 6.2.3, situations that the Relevant Person may take into account include, for example, accepting subscription monies during a short offer period; executing a timecritical transaction, which if not executed immediately, would or may cause a customer to incur a financial loss due to price movement or loss of opportunity; and when a customer seeks immediate insurance cover.
  3. (c) When complying with AML 6.2.1, a Relevant Person should also, where appropriate, consider AML 6.6.1 regarding failure to conduct or complete CDD and Chapter 13 regarding STRs and tipping off.

6.3. Conducting Customer Due Diligence

6.3.1. Obligation to verify and understand

In conducting CDD required by AML 6.1.1,a Relevant Person must:

  1. (a) verify the identity of the customer and any person acting on behalf of the customer, including his authorisation to so act, based on original or properly certified documents, data or information issued by or obtained from a reliable and independent source;
  2. (a-a)  verify the identity of any beneficial owner(s) of the customer;
  3. (b)obtain information on and understand the purpose and intended nature of the business relationship;
  4. (c)understand the customer's sources of funds;
  5. (d)understand the customer's sources of wealth; and
  6. (e)conduct on-goingdue diligence of the customer business relationship under AML 6.4.1.

6.3.2. Customer obligation for life insurance

In complying with AML 6.3.1 for life insurance or other similar policies, a Relevant Person must:

  1. (a)verify the identity of customers as soon as reasonably practicable before or during the establishment of a business relationship and when transactions for occasional customers are being conducted;
  2. (a-a)  verify the identity of any named beneficiaries of the insurance policy at the time of pay-out;
  3. (b)verify the identity of the persons in any class of beneficiary, or where these are not identifiable, ensure that it obtains sufficient information to be able to verify the identity of such persons at the time of pay-out;
  4. (c)if a beneficiary of the insurance policy who is a legal person or a legal arrangement presents a higher risk, take enhanced measures which should include reasonable measures to identify and verify the identity of the beneficial owner of the beneficiary, at the time of pay-out;
  5. (d)take reasonable measures to determine whether the beneficiaries of the insurance policy and/or, where required, the beneficial owner of the beneficiary, are PEPs, at the latest at the time of the pay-out, and, in cases of higher risks, inform senior management before the pay-out of the policy proceeds, conduct enhanced scrutiny on the whole business relationship with the policyholder, and consider making a STR; and
  6. (e)include the beneficiary of a life insurance policy as a relevant risk factor in determining whether enhanced CDD measures are applicable.


6.3.3. Customer is a Politically Exposed Person

Where a customer, or a beneficial owner of the customer, is a PEP, a Relevant Person must ensure that, in addition to AML 6.3.1 it also:

  1. (a) increases the degree and nature of monitoring of the business relationship, in order to determine whether the customer's transactions or activities appear unusual or suspicious; and
  2. (b) obtains the approval of senior management to commence a business relationship with the customer.

Guidance on undertaking Customer Due Diligence

  1. (a) A Relevant Person should, in complying with AML 6.3.1(a), and adopting the RBA, obtain, verify and record, for every customer who is a natural person, the following identification information:
  2. (i) full name (including any alias);
  3. (ii) date of birth;
  4. (iii) nationality;
  5. (iv) legal domicile; and
  6. (v) current residential address (not a P.O. box).
  7. (b) Items (i) to (iii) above should be obtained from a current valid passport or, where a customer does not possess a passport, an official identification document which includes a photograph. The concept of domicile generally refers to the place which a person regards as his permanent home and with which he has the closest ties or which is his place of origin.
  8. (c) A Relevant Person should, in complying with AML 6.3.1(a), and adopting the RBA, obtain, verify and record, for every customer which is a legal person, the following identification information:
  9. (i) full business name and any trading name;
  10. (ii) registered or business address;
  11. (iii) date of incorporation or registration;
  12. (iv) place of incorporation or registration;
  13. (v) a copy of the certificate of incorporation or registration;
  14. (vi) a valid commercial or professional licence;
  15. (vii) the identity of the directors, partners, trustees or equivalent persons with executive authority of the legal person or who holds the position of senior managing official; and
  16. (viii) for a trust, a certified copy of the trust deed to ascertain the nature and purpose of the trust and documentary evidence of the appointment of the current trustees.
  17. (d) In complying with AML 6.3.1(a), it may not always be possible to obtain original documents. Where identification documents cannot be obtained in original form, for example, because a Relevant Person has no physical contact with the customer, the Relevant Person should obtain a copy certified as a true copy by a person of good standing such as a registered lawyer or notary, a chartered accountant, a bank manager, a police officer, an employee of the person's embassy or consulate, or other similar person. Downloading publicly available information from an official source (such as a regulator or government website) is sufficient to satisfy the requirements of AML 6.3.1(a) CDD information and research obtained from a reputable company or informationreporting agency may also be acceptable as a reliable and independent source, as would banking references and, for lower risk customers, information obtained from researching reliable and independent public information found on the internet or on commercial databases.
  18. (e) For higher risk situations, identification information is to be independently verified, using both public and non-public sources.
  19. (f) In complying with AML 6.3.1(b) a Relevant Person is required to "understand" a customer's source of funds. This means understanding where the funds for a particular service or transaction will come from (e.g. a specific bank or trading account held with a specific financial institution) and whether that funding is consistent with the customer's source of wealth. The best way of understanding the source of funds is by obtaining information directly from the customer, which will usually be obtained during the onboarding process. The Relevant Person should keep appropriate evidence of how they were able to understand the source of funds, for example, a copy of the customer account opening form, customer questionnaire or a memo of a call with the relationship manager at a financial institution.
  20. (g) In complying with AML 6.3.1(c) a Relevant Person is required to "understand" a customer's source of wealth. For a natural person, this might include questions about the source of wealth in an application form or customer questionnaire. The understanding may also be gained through interactions with the relationship manager at a financial institution. It could also be gained by obtaining information from a reliable and independent publicly available source, for example, from published accounts or a reputable news source. The understanding need not be a dollar for dollar account of the customer's global wealth, but it should provide sufficient detail to give the Relevant Person comfort that the customer's wealth is legitimate and also to provide a basis for subsequent on-going due diligence. The understanding of the customer's source of wealth should be clearly documented.
  21. (h) Understanding a customer's sources of funds and wealth is also important for the purposes of undertaking on-going due diligence under AML 6.3.1(d) Initial funding of an account or investments from an unknown or unexpected source may pose a money laundering risk. Similarly, a sound understanding of the customer's source of funds and wealth also provides useful information for a Relevant Person's transaction monitoring programme.
  22. (i) An insurance policy which is similar to a life policy would include life-related protection, or a pension, or investment product which pays out to the policy holder or beneficiary upon a particular event occurring or upon redemption.

Guidance on identification and verification of beneficial owners

  1. (a) In determining whether an individual meets the definition of a beneficial owner or controller, regard should be had to all the circumstances of the case.
  2. (b) When identifying beneficial owners, a Relevant Person is expected to adopt a substantive (as opposed to form over substance) approach to CDD for legal persons. Adopting a substantive approach means focusing on the money laundering risks of the customer and the product/service and avoiding an approach which focusses purely on the legal form of an arrangement or sets fixed percentages at which beneficial owners are identified (or not).
  3. (c) A Relevant Person should take all reasonable steps to establish and understand a corporate customer's legal ownership and control and to identify the beneficial owner. There are no explicit ownership or control thresholds in defining the beneficial owner because the applicable threshold to adopt will ultimately depend on the risks associated with the customer, and so a Relevant Person must adopt the RBA and pursue on reasonable grounds an approach which is proportionate to the risks identified. A Relevant Person should not set fixed thresholds for identifying the beneficial owner without objective and documented justification. An overly formal approach to defining the beneficial owner may result in a criminal "gaming" the system by always keeping his financial interest below the relevant threshold.
  4. (d) In some circumstances no threshold should be used when identifying beneficial owners because it may be important to identify all underlying beneficial owners to ensure that they are not associated or connected in some way. This may be appropriate where there are a small number of investors in an account or fund, each with a significant financial holding and the customer-specific risks are higher. However, where the customer-specific risks are lower, a threshold can be appropriate. For example, for a low-risk corporate customer which, combined with a lower-risk product or service, a percentage threshold may be appropriate for identifying "control" of the legal person for the purposes of the definition of a beneficial owner.
  5. (e) For a retail investment fund, which is widely-held and where the investors invest via pension contributions, the manager of the fund is not expected to look through to underlying investors where there are none with any material control or ownership levels in the fund. However, for a closely-held fund with a small number of investors, each with a large shareholding or other interest, a Relevant Person should identify and verify each of the beneficial owners, depending on the risks identified as part of its risk-based assessment of the customer.
  6. (f) Where a Relevant Person carries out identification and verification in respect of actual and potential beneficial owners of a trust, this should include the trustee, settlor, the protector, the enforcer, beneficiaries, other persons with power to appoint or remove a trustee and any person entitled to receive a distribution, whether or not such person is a named beneficiary.
  7. (g) Where no natural person is identified as a beneficial owner, the relevant natural person who holds the position of senior managing official should be identified as such and verified.

Guidance on Politically Exposed Persons

  1. (a) Individuals who have, or have had, a high political profile, or hold, or have held, public office, can pose a higher money laundering risk to a Relevant Person as their position may make them vulnerable to corruption. This risk also extends to members of their families and to their close associates. PEP status itself does not incriminate individuals or entities. It does, however, put the customer into a higher risk category.
  2. (b) Generally, a foreign PEP presents a higher risk of money laundering because there is a greater risk that such person, if he/she was committing money laundering, would attempt to place his/her money offshore where the customer is less likely to be recognised as a PEP and where it would be more difficult for law enforcement agencies in his/her home jurisdiction to confiscate or freeze his/her criminal property.
  3. (c) Corruption-related money laundering risk increases when a Relevant Person deals with PEPs. Corruption may involve serious crimes and has become the subject of increasing global concern. Customer relationships with family members or close associates of PEPs involve similar risks to those associated with PEPs themselves.
  4. (d) After leaving office PEPs may remain a higher risk for money laundering if they continue to exert political influence, directly or indirectly, or otherwise pose a risk of corruption.

6.3.4. Existing customer becoming a Politically Exposed Person

A Relevant Person must not continue its business relationship with an existing customer if the customer (or a beneficial owner of the customer) becomes a PEP, unless the Relevant Person obtains the approval of its senior management.


Guidance on conducting Customer Due Diligence

  1. (a)A Relevant Person should, in complying with AML 6.3.1(a),and adopting the RBA, obtain, verify and record, for every customer who is a natural person, the following identification information:
  2. (i)full name (including any alias);
  3. (ii)date of birth;
  4. (iii)nationality;
  5. (iv)legal domicile; and
  6. (v)current residential address (not a P.O. box).
  7. (b)Items (i) to (iii) above should be obtained from a current valid passport or, where a customer does not possess a passport, an official identification document which includes a photograph. The concept of domicile generally refers to the place which a person regards as his permanent home and with which he has the closest ties or which is his place of origin.
  8. (c)A Relevant Person should, in complying with AML 6.3.1(a),and adopting the RBA, obtain, verify and record, for every customer which is a legal person, the following identification information:
  9. (i)full business name and any trading name;
  10. (ii)registered or business address;
  11. (iii)date of incorporation or registration;
  12. (iv)place of incorporation or registration;
  13. (v)a copy of the certificate of incorporation or registration;
  14. (vi)a valid commercial or professional licence;
  15. (vii)the identity of the directors, partners, trustees or equivalent persons with executive authority of the legal person or the relevant natural person who is a member of senior management; and 
  16. (viii)for a trust, a certified copy of the trust deed to ascertain the nature and purpose of the trust and documentary evidence of the appointment of the current trustees.
  17. (d)In complying with AML 6.3.1(a),it may not always be possible to obtain original documents. Where identification documents cannot be obtained in original form, for example, because a Relevant Person has no physical contact with the customer, the Relevant Person should obtain a copy certified as a true copy by a person of good standing such as a registered lawyer or notary, a chartered accountant, a bank manager, a police officer, an employee of the person's embassy or consulate, or other similar person. Downloading publicly-available information from an official source (such as a regulator or government website) is sufficient to satisfy the requirements of AML 6.3.1(a) CDD information and research obtained from a reputable company or information- reporting agency may also be acceptable as a reliable and independent source, as would banking references and, for lower risk customers, information obtained from researching reliable and independent public information found on the internet or on commercial databases.
  18. (e)For higher risk situations, identification information is to be independently verified, using both public and non-public sources.
  19. (f)In complying with AML 6.3.1(c)a Relevant Person is required to "understand" a customer's source of funds. This means understanding where the funds for a particular service or transaction will come from (e.g. a specific bank or trading account held with a specific financial institution) and whether that funding is consistent with the customer's source of wealth. The best way of understanding the source of funds is by obtaining information directly from the customer, which will usually be obtained during the on-boarding process. The Relevant Person should keep appropriate evidence of how they were able to understand the source of funds, for example, a copy of the customer account opening form, customer questionnaire or a memo of a call with the relationship manager at a financial institution.
  20. (g)In complying with AML 6.3.1(d)a Relevant Person is required to "understand" a customer's source of wealth. For a natural person, this might include questions about the source of wealth in an application form or customer questionnaire. The understanding may also be gained through interactions with the relationship manager at a financial institution. It could also be gained by obtaining information from a reliable and independent publicly available source, for example, from published accounts or a reputable news source. The understanding need not be a dollar for dollar account of the customer's global wealth, but it should provide sufficient detail to give the Relevant Person comfort that the customer's wealth is legitimate and also to provide a basis for subsequent on-going due diligence. The understanding of the customer's source of wealth should be clearly documented.
  21. (h)Understanding a customer's sources of funds and wealth is also important for the purposes of conducting on-going due diligence under AML 6.3.1(e) Initial funding of an account or investments from an unknown or unexpected source may pose a money laundering risk. Similarly, a sound understanding of the customer's source of funds and wealth also provides useful information for a Relevant Person's transaction monitoring programme.
  22. (i)An insurance policy which is similar to a life policy would include life-related protection, or a pension, or investment product which pays out to the policy holder or beneficiary upon a particular event occurring or upon redemption.

Guidance on identification and verification of beneficial owners

  1. (a)In determining whether an individual meets the definition of a beneficial owner or controller, regard should be had to all the circumstances of the case.
  2. (b)When identifying beneficial owners, a Relevant Person is expected to adopt a substantive (as opposed to form over substance) approach to CDD for legal persons. Adopting a substantive approach means focusing on the money laundering risks of the customer and the product/service and avoiding an approach which focusses purely on the legal form of an arrangement or sets fixed percentages at which beneficial owners are identified (or not).
  3. (c)A Relevant Person should take all reasonable steps to establish and understand a corporate customer's legal ownership and control and to identify the beneficial owner. An approach based only on defined thresholds without regard to the relevant risks in defining the beneficial owner may result in inadequate determination of beneficial ownership, for example, a criminal "gaming" the system by always keeping his financial interest below the relevant threshold.
  4. A Relevant Person must consider a customer’s risk rating and the source of funds when reviewing transactions as required by AML 6.4.1.
  5. (d)In some circumstances no threshold should be used when identifying beneficial owners because it may be important to identify all underlying beneficial owners to ensure that they are not associated or connected in some way. This may be appropriate where there area small number of investors in an account or fund, each with a significant financial holding and the customer-specific risks are higher. However, where the customer-specific risks are lower, a threshold can be appropriate. For example, for a low-riskcorporate customer which, combined with a lower-risk product or service, a percentage threshold may be appropriate for identifying "control" of the legal person for the purposes of the definition of a beneficial owner.
  6. (e)For a retail investment fund, which is widely-held and where the investors invest via pension contributions, the manager of the fund is not expected to look through to underlying investors where there are none with any material control or ownership levels in the fund. However, for a closely-held fund with a small number of investors, each with a large shareholding or other interest, a Relevant Person should identify and verify each of the beneficial owners, depending on the risks identified as part of its risk-based assessment of the customer.
  7. (f)Where a Relevant Person carries out identification and verification in respect of actual and potential beneficial owners of a trust, the identification and verification should include the trustee, settlor, the protector, the enforcer, beneficiaries, other persons with power to appoint or remove a trustee and any person entitled to receive a distribution (whether or not such person is a named beneficiary). For legal arrangements other than a trust, the identification and verification should include persons in positions similar to those in a trust exercising ultimate effective control over the legal arrangement (including through a chain of control or ownership) and entitled to receive a distribution (whether or not such person is a named beneficiary).
  8. (g)A Relevant Person should identify and take reasonable measures to verify the identity of the natural person(s) (if any) who ultimately has a controlling ownership interest in a legal person to the extent that there is doubt under verification as to whether the person(s) with the controlling ownership interest is the beneficial owner(s). If no natural person exerts control through ownership interests, the Relevant Person should identify and take reasonable measures to verify the identity of the natural person(s) (if any) exercising control of the legal person or arrangement through other means.
  9. (h)Where no natural person is identified as a beneficial owner who ultimately has a controlling ownership interest (or who has control through other means) in a legal person, the relevant natural person who holds the position of a member of senior management should be identified as such and verified.

Guidance on Politically Exposed Persons

  1. (a)Individuals who have, or have had, a high political profile, or hold, or have held, public office, can pose a higher money laundering risk to a Relevant Person as their position may make them vulnerable to corruption. This risk also extends to members of their families and to their close associates. PEP status itself does not incriminate individuals or entities. It does, however, put the customer into a higher risk category.
  2. (b)Generally, a PEP presents a higher risk of money laundering because there is a greater risk that such person, if he/she was committing money laundering, would attempt to place his/her money offshore where the customer is less likely to be recognised as a PEP and where it would be more difficult for law enforcement agencies in his/her home jurisdiction to confiscate or freeze his/her criminal property.
  3. (c)Corruption-related money laundering risk increases when a Relevant Person deals with PEPs. Corruption may involve serious crimes and has become the subject of increasing global concern. Customer relationships with family members or close associates of PEPs involve similar risks to those associated with PEPs themselves.
  4. (d)After leaving office PEPs may remain a higher risk for money laundering if they continue to exert political influence, directly or indirectly, or otherwise pose a risk of corruption.

6.4. On-going Customer Due Diligence

6.4.1. On-going obligation

When conducting on-goingCDD under AML 6.3.1, a Relevant Person must, using the RBA:

  1. (a)monitor and review transactions undertaken during the course of its customer relationship to ensure that the transactions are consistent with the Relevant Person’s knowledge of the customer, its business, its risk rating, and its source of funds;
  2. (b)pay particular attention to any complex or unusually large transactions or unusual patterns of transactions that have no apparent or visible economic or legitimate purpose;
  3. (c)enquire into the background and purpose of the transactions in (b);
  4. (d)periodically review the adequacy of the CDD information it holds on customers and beneficial owners to ensure that the information is kept up to date, particularly for customers with a high-riskrating;
  5. (e)periodically review each customer to ensure that the risk rating assigned to a customer under AML 5.1.1(b)remains appropriate for the customer in light of the money laundering risks; and
  6. (f)at appropriate times apply CDD to existing customers based on materiality and risk considering whether and when CDD has been previously conducted and the adequacy of the CDD information obtained.

Guidance on on-going Customer Due Diligence

  1. (a)In complying with AML 6.4.1 a Relevant Person should undertake a periodic review to ensure that non-static customer identity documentation is accurate and up-to-date. Examples of non-static identity documentation include passport number and residential/business address and, for a legal person, its share register or list of partners.
  2. (b)A Relevant Person should undertake a review under AML 6.4.1(d) particularly when:
  3. (i)the Relevant Person changes its CDD documentation requirements;
  4. (ii)an unusual transaction with the customer is expected to take place;
  5. (iii)there is a material change in the business relationship with the customer; or
  6. (iv)there is a material change in the nature or ownership of the customer.
  7. (c)The degree of the on-going due diligence to be conducted will depend on the customer risk assessment carried out under AML 5.1.1.
  8. (d)A Relevant Person’s transaction monitoring policies, procedures, systems and controls, which may be implemented by manual or automated systems, or a combination of these, are one of the most important aspects of effective CDD. Whether a Relevant Person should undertake the monitoring by means of a manual or computerised system (or both)will depend on a number of factors, including:
  9. (i)the size and nature of the Relevant Person’s business and customer base; and
  10. (ii)the complexity and volume of customer transactions.

6.5. Checking sanctions lists

6.5.1. Sanctions list review

A Relevant Person must review its customers, their business and transactions against UNSC sanctions lists and against any other Kazakhstan Sanctions List when complying with AML 6.4.1(d).

6.6. Failure to conduct or complete Customer Due Diligence

6.6.1. Prohibitions

Where, in relation to any customer, a Relevant Person is unable to conduct or complete the requisite CDD in accordance with AML 6.3.1 it must, to the extent relevant:

  1. (a) not carry out a transaction with or for the customer through a bank account or in cash;
  2. (b) not open an account or otherwise provide a service;
  3. (c) not otherwise establish a business relationship or carry out a transaction;
  4. (d) terminate or suspend any existing business relationship with the customer;
  5. (e) [intentionally omitted]; and
  6. (f) consider whether the inability to conduct or complete CDD necessitates the making of a STR (see Chapter 13).
  7. A Relevant Person is prohibited from knowingly keeping anonymous accounts or accounts in obviously fictitious names.

6.6.2. Exceptions

A Relevant Person is not obliged to comply with AML 6.6.1</a>(a) to (e) if:

  1. (a) to do so would amount to "tipping off" the customer, in contravention of the AML Law; or
  2. (b) the FIU directs the Relevant Person to act otherwise.

Guidance on failure to conduct or complete Customer Due Diligence

  1. (a) Where CDD cannot be completed, it may be appropriate not to carry out a transaction pending completion of CDD. Where CDD cannot be conducted, including where a material part of the CDD, such as identifying and verifying a beneficial owner cannot be conducted, a Relevant Person should not establish a business relationship with the customer.
  2. (b) A Relevant Person should note that AML 6.6.1 applies to both existing and prospective customers. For new customers, it may be appropriate for a Relevant Person to terminate the business relationship before a product or service is provided. The Relevant Person should be careful not to "tip off" the customer.
  3. (c) A Relevant Person should adopt the RBA for CDD of existing customers. For example, if a Relevant Person considers that any of its existing customers have not been subject to CDD at an equivalent standard to that required by these Rules, it should adopt the RBA and take remedial action in a manner proportionate to the risks and within a reasonable period of time whilst complying with AML 6.6.1.

7. ENHANCED DUE DILIGENCE

7.1. Conducting Enhanced Due Diligence

7.1.1. Obligation to conduct Enhanced Due Diligence

A Relevant Person must conduct EDD where money laundering risks are higher.

Where a Relevant Person is required to conduct EDD under AML 6.1.1 it must, to the extent applicable to the customer:

  1. (a) obtain and verify additional:
  2. (i) identification information on the customer and any beneficial owner;
  3. (ii)information on the intended nature of the business relationship; and
  4. (iii)information on the reasons for a transaction;
  5. (b) update more regularly the CDD information which it holds on the customer and any beneficial owners;
  6. (c) verify information on:
  7. (i) the customer's sources of funds;
  8. (ii)the customer's sources of wealth;
  9. (d) increase the degree and nature of monitoring of the business relationship, to determine whether the customer's transactions or activities appear unusual or suspicious;
  10. (e) obtain the approval of senior management to commence a business relationship with a customer; and
  11. (f) where applicable, require that any first payment made by a customer to open an account with a Relevant Person must be carried out through a bank account in the customer's name with:
  12. (i) a bank;
  13. (ii)a regulated Financial Institution whose entire operations are subject to regulation and supervision, including AML regulation and supervision, in a jurisdiction with AML regulations which are equivalent to the standards set out in the FATF Recommendations; or
  14. (iii)a Subsidiary of a regulated Financial Institution referred to in (ii), if the law that applies to the parent ensures that the Subsidiary also observes the same AML standards as its parent.

Guidance on conducting Enhanced Due Diligence

  1. (a) EDD measures are only mandatory to the extent that they are applicable to the relevant customer or the circumstances of the business relationship and to the extent that the risks would reasonably require it. Therefore, the extent of additional measures to conduct is a matter for the Relevant Person to determine on a case by case basis.
  2. (b) For high risk customers, a Relevant Person should, in order to mitigate the perceived and actual risks, exercise a greater degree of diligence throughout the customer relationship and should endeavour to understand the nature of the customer's business and consider whether it is consistent and reasonable.
  3. (c) A Relevant Person should be satisfied that a customer's use of complex legal structures and/or the use of trust and private investment vehicles, has a genuine and legitimate purpose.
  4. (d) For EDD, where there is a beneficial owner, verification of the customer's source of funds and wealth may require enquiring into the beneficial owner's source of funds and wealth because the source of the funds would normally be the beneficial owner and not the customer.
  5. (e) Verification of sources of funds might include obtaining independent corroborating evidence such as proof of dividend payments connected to a shareholding, bank statements, salary/bonus certificates, loan documentation and proof of a transaction which gave rise to the payment into the account.
  6. (f) A customer should be able to demonstrate and document how the relevant funds are connected to a particular event which gave rise to the payment into the account or to the source of the funds for a transaction.
  7. (g) Verification of sources of wealth might include obtaining independent corroborating evidence such as share certificates, publicly-available registers of ownership, bank or brokerage account statements, probate documents, audited accounts and financial statements, news items from a reputable source and other similar evidence. For example:
  8. (i) for a legal person, this might be achieved by obtaining its financial or annual reports published on its website or news articles and press releases that reflect its financial situation or the profitability of its business; and
  9. (ii) for a natural person, this might include documentary evidence which corroborates answers given to questions on the sources of wealth in an application form or customer questionnaire. For example, if a natural person attributes the source of his wealth to inheritance, he/she may be asked to provide a copy of the relevant will or grant of probate. In other cases, a natural person may be asked to provide sufficient bank or salary statements covering a number of years to draw up a picture of his/her sources of wealth.
  10. (h) A Relevant Person might commission a third party report to obtain further information on a customer or transaction or to investigate a customer or beneficial owner in very high risk cases. A third party report may be particularly useful where there is little or no publicly available information on a person or on a legal arrangement or where a Relevant Person has difficulty in obtaining and verifying information.
  11. (i) In AML 7.1.1(f) circumstances where it may be applicable to require the first payment made by a customer in order to open an account with a Relevant Person to be carried out through a bank account in the customer's name with a financial institution specified in AML 7.1.1(f) include:
  12. (i) where, following the use of other EDD measures, the Relevant Person is not satisfied with the results of due diligence; or
  13. (ii) as an alternative measure, where one of the measures in AML 6.4.1 cannot be carried out.

8. SIMPLIFIED DUE DILIGENCE

8.1. Conduct of Simplified Due Diligence

8.1.1. Modifications to AML 6.3.1 for Simplified Due Diligence

Where a Relevant Person is permitted to conduct SDD under AML 6.1.2, modification of AML 6.3.1 may include:

  1. (a) verifying the identity of the customer and identifying any beneficial owners after the establishment of the business relationship;
  2. (b) deciding to reduce the frequency of, or as appropriate not undertake, customer identification updates;
  3. (c) deciding not to verify an identified beneficial owner;
  4. (d) deciding not to verify an identification document other than by requesting a copy;
  5. (e) not enquiring as to a customer's source of funds or source of wealth;
  6. (f) reducing the degree of on-going monitoring of transactions, based on a reasonable monetary threshold or on the nature of the transaction; or
  7. (g) not collecting specific information or carrying out specific measures to understand the purpose and intended nature of the business relationship, but inferring such purpose and nature from the type of transactions or business relationship established.

8.1.2. Proportionality

The modification in AML 8.1.1 must be proportionate to the customer's money laundering risks. Guidance on Simplified Due Diligence

  1. (a) AML 8.1.1 provides examples of SDD measures. Other measures may also be used by a Relevant Person to modify CDD in accordance with the customer risks.
  2. (b) A Relevant Person should not use a "one size fits all" approach for all its low risk customers. Notwithstanding that the risks may be low, the degree of CDD conducted needs to be proportionate to the specific risks identified on a case by case basis. For example, for customers where the money laundering risks are very low, a Relevant Person may decide simply to identify the customer and verify such information only to the extent that this is commercially necessary. On the other hand, a low risk customer which is undertaking a complex transaction might require more comprehensive SDD.
  3. (c) For the avoidance of doubt, a Relevant Person is always required to identify beneficial owners, except for retail investment funds which are widely held, and investment funds where the investor invests via pension contributions. However, a Relevant Person may decide not to verify beneficial owners of a low risk customer.
  4. (d) An example of circumstances where a Relevant Person might reasonably reduce the frequency of or, as appropriate, eliminate customer identification updates would be where the money laundering risks are low and the service provided does not offer a realistic opportunity for money laundering.
  5. (e) An example of where a Relevant Person might reasonably reduce the degree of on-going monitoring and scrutinising of transactions, based on a reasonable monetary threshold or on the nature of the transaction, would be where the transaction is a recurring, fixed contribution to a savings scheme, investment portfolio or fund or where the monetary value of the transaction is not material for money laundering purposes given the nature of the customer and the transaction type.

9. RELIANCE AND OUTSOURCING

9.1. Reliance on a third party

9.1.1. Permitted reliance

A Relevant Person may rely on the following third parties to conduct one or more elements of CDD on its behalf:

  1. (a) an Authorised Person;
  2. (b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;
  3. (c) a Regulated Financial Institution; or
  4. (d) a member of the Relevant Person’s Group.

9.1.2. Reliance on information previously obtained

In AML 9.1.1, a Relevant Person may rely on the information previously obtained by a third party which covers one or more elements of CDD.

9.1.3 Extent of reliance

Where a Relevant Person seeks to rely on a person in AML 9.1.1, it may only do so if and to the extent that:

  1. (a) it immediately obtains the necessary CDD information including customer and beneficial owner identification and verification documents, and information on the purpose and nature of the business relationship or transaction from the third party in AML 9.1.1;
  2. (a-a) the third parties in AML 9.1.1 have taken necessary measures within the scope of CDD, particularly, customer identification and record keeping;
  3. (b) it takes adequate steps to satisfy itself that certified copies of the documents used to undertake the relevant elements of CDD will be available from the third party on request without delay. It is deemed sufficient that the third party certifies the customer identification documents as “the true copy of the original”;
  4. (b-a) regular assurance testing is carried out in respect of the third party arrangements, to ensure that the CDD documents can be retrieved without undue delay and that the documentation received is sufficient;
  5. (c) the person in AML 9.1.1(b) to (d) is subject to regulation, including AML regulation, by a Financial Services Regulator or other competent authority in a country with AML regulations which are equivalent to the standards set out in the FATF Recommendations and it is supervised for compliance with such regulations;
  6. (d) the person in AML 9.1.1 has not relied on any exception from the requirement to conduct any relevant elements of CDD which the Relevant Person seeks to rely on; and
  7. (e) in relation to AML 9.1.2, the information is up to date.

9.1.4. Reliance on Group member

Where a Relevant Person relies on a member of its Group, such Group member need not meet the condition in AML 9.1.3(c) if:

  1. (a) the Group applies and implements a Group-wide policy on CDD and record keeping which is equivalent to the standards set by the FATF;
  2. (b) where the effective implementation of those CDD and record keeping requirements and AML programmes are supervised at Group level by a Financial Services Regulator or other competent authority in a country with AML regulations which are equivalent to the standards set out in the FATF Recommendations; and
  3. (c) the Group’s AML policies adequately mitigate any high geographical risk factors.

9.1.5. Obligation to remedy deficiencies

If a Relevant Person is not reasonably satisfied that a customer or beneficial owner has been identified and verified by a third party in a manner consistent with these Rules, the Relevant Person must immediately perform the CDD itself with respect to any deficiencies identified.

9.1.6. Responsibility for compliance

Notwithstanding the Relevant Person’s reliance on a person in AML 9.1.1, the Relevant Person remains responsible for compliance with, and liable for any failure to meet the CDD requirements in these Rules.

A Relevant Person must ensure that:

(a)a third party in AML 9.1.1 performed all appropriate CDD and record-keeping measures;

(b)the third party has an existing business relationship with the customer and that relationship is independent from the relationship to be formed by the customer with the Relevant Person; and

(c)the information provided by the third party satisfies the Relevant Person’s own CDD requirements.


Guidance on reliance

  1. (a) [intentionally omitted]
  2. (b) In complying with AML 9.1.3(a) “immediately obtaining the necessary CDD information" means obtaining all relevant CDD information, and not just basic information such as name and address of the customer or beneficial owner. Compliance can be achieved by having that relevant information sent by fax, email or other appropriate means. For the avoidance of doubt, a Relevant Person is not required automatically to obtain the underlying certified documents used by the third party to conduct its CDD. A Relevant Person must, however, under AML 9.1.3(b) ensure that the certified documents are readily available from the third party on request.
  3. (c) A Relevant Person, in complying with AML 9.1.5, should fill any gaps in the CDD process as soon as it becomes aware that a customer or beneficial owner has not been identified and verified in a manner consistent with these Rules.
  4. (d) If a Relevant Person acquires another business, either in whole or in part, the Relevant Person may rely on the CDD conducted by the business it is acquiring but would expect the Relevant Person to have done the following:
  5. (i) as part of its due diligence for the acquisition, to have taken a reasonable sample of the prospective customers to assess the quality of the CDD conducted; and
  6. (ii) to conduct CDD on all the customers to cover any deficiencies identified in (i) as soon as possible following the acquisition, prioritising high risk customers.
  7. (e) Where a jurisdiction’s laws (such as secrecy or data protection legislation) would prevent a Relevant Person from having access to CDD information upon request without delay as referred to in AML 9.1.3(b) the Relevant Person should conduct the relevant CDD itself and should not seek to rely on the relevant third party.
  8. (f) If a Relevant Person relies on a third party located in a foreign jurisdiction including Kazakhstan to conduct one or more elements of CDD, the Relevant Person must ensure that such other jurisdiction has AML regulations that are equivalent to the standards set out in the FATF Recommendations (see AML 9.1.3(c)).
  9. (g) When assessing if AML regulations in another jurisdiction are equivalent to FATF standards, a Relevant Person may consider a number of factors including, but not limited to: FATF membership, FATF Mutual Evaluation reports, FATF-style or IMF/World Bank evaluations, membership of an international or regional 'group', contextual factors such as political stability or the level of corruption, evidence of relevant criticism of a jurisdiction including FATF advisory notices or independent and public assessments of the jurisdiction's overall AML regime such as IMF/World Bank or other reports by reputable NGOs or specialised commercial agencies. A Relevant Person should, in making its assessment, rely only on sources that are up-to-date and that include the latest AML developments from a reliable and competent source. The assessment may also consider whether adequate arrangements exist for co-operation between the AML regulator in that jurisdiction and the AIFC. A Relevant Person must retain sufficient records of the sources and materials considered when undertaking this AML assessment.

9.2. Outsourcing

9.2.1. Responsibility for service providers

A Relevant Person which outsources any one or more elements of its CDD to a service provider (including within its Group) remains responsible for compliance with, and liable for any failure to meet, such obligations.

Guidance on outsourcing

A Relevant Person should conduct appropriate due diligence to assure itself of the suitability of a service provider and should ensure that the provider’s obligations are clearly documented in a binding agreement.

For general requirements regarding outsourcing refer to GEN 5.2.

10. CORRESPONDENT BANKING

10.1. Application

10.1.1. Limits on application

This Chapter applies only to Authorised Persons.

10.2. Correspondent Banking

10.2.1. Obligations in respect of correspondent banking relationships

An Authorised Firm proposing to have a correspondent banking relationship with a respondent bank must:

  1. (a) conduct appropriate CDD on the respondent bank;
  2. (b) as part of (a), gather sufficient information about the respondent bank to understand fully the nature of the business, including making appropriate enquiries on its management, its major business activities and the countries or jurisdictions in which it operates;
  3. (c) determine from publicly-available information the reputation of the respondent bank and the quality of supervision, including whether it has been subject to a money laundering investigation or relevant regulatory action;
  4. (d) assess the respondent bank's AML controls and ascertain if they are adequate and effective in light of the FATF Recommendations;
  5. (e) ensure prior approval of the Authorised Firm’s senior management is obtained before entering into a new correspondent banking relationship;
  6. (f) understand the respective responsibilities of the parties to the correspondent banking relationship and properly document those responsibilities;
  7. (g) be satisfied that, in respect of any customers of the respondent bank who have direct access to accounts of the Authorised Firm, the respondent bank:
  8. (i) has conducted CDD (including on-going CDD) at least equivalent to that in AML 6.3.1 in respect of each customer;
  9. (ii) will conduct ongoing CDD at least equivalent to that in AML 6.4.1, in respect of each customer; and
  10. (iii) can provide the relevant CDD information in (i) to the Authorised Firm upon request; and
  11. (h) document the basis for its satisfaction that the requirements in (a) to (g) are met.

In the process of completing the CDD, prior to establishing a correspondent banking relationship, the Authorised Firm must consider all of the following:

  1. (a) whether it is regulated and supervised for AML and CFT purposes by a regulatory or governmental authority, body or agency equivalent to the Regulator in each foreign jurisdiction in which it operates;
  2. (b) whether each foreign jurisdiction in which it operates has an effective AML and CFT regime;
  3. (c) if the respondent is a subsidiary of another legal person—the following additional matters:
  4. (i) the other person’s domicile and location (if different);
  5. (ii) its reputation;
  6. (iii) whether the other person is regulated and supervised (at least for AML and CFT purposes) by a regulatory or governmental authority, body or agency equivalent to the Regulator in each jurisdiction in which it operates;
  7. (iv) whether each foreign jurisdiction in which it operates has an effective AML and CFT regime;
  8. (v) its ownership, control and management structure (including whether it is owned, controlled or managed by a politically exposed person).

If the Authorised Firm establishes a correspondent banking relationship with the respondent, the Authorised Firm must:

  1. (a) conduct enhanced ongoing monitoring of the volume and nature of the transactions conducted under the relationship, and if necessary, obtain and record the information on the source of monies for conducted transactions; and
  2. (b) conduct ongoing review of the relationship at least on an annual basis.

An Authorised Firm must:

  1. (i) not enter into a correspondent banking relationship with a Shell Bank; and
  2. (ii) take appropriate measures to ensure that it does not enter into, or continue a correspondent banking relationship with, a bank which is known to permit its accounts to be used by Shell Banks. Guidance on correspondent banking AML 10.2.1 prohibits an Authorised Firm from entering into a correspondent banking relationship with a Shell Bank or a bank which is known to permit its accounts to be used by Shell Banks.

10.3. Prohibition of Shell Banks

A Shell Bank must not be established in, or operate in or from, the AIFC.

10.4. Pay Through Accounts

10.4.1. Pay Through Accounts

  1. (a) a Bank (the correspondent) has a correspondent banking relationship with a financial institution (the respondent) in a foreign jurisdiction; and
  2. (b) under the relationship, a customer of the respondent who is not a customer of the correspondent may have direct access to an account of the correspondent.

(1) The Bank (correspondent) must not allow any of the customers of the respondent to have access to the account of any of its own customers, unless the correspondent is satisfied that the respondent:

  1. (a) has conducted CDD measures for all of its customers and verified their identity;
  2. (b) conducts ongoing monitoring for its customers; and
  3. (c) can provide to the correspondent, on request, the documents, data and information obtained in conducting CDD and ongoing monitoring for any of its customers.

(2) In the event of the correspondent asking the respondent for documents, data or information mentioned in (c) above and the respondent fails to satisfactorily comply with the request, the correspondent must immediately terminate the customer’s access to accounts of the correspondent and consider making a STR to the FIU.

10.5. Payment processing using On-line services

10.5.1. Electronic verification of identification documentation

An Authorised Firm may rely on electronic verification of identification documentation if it complies with the RBA and other requirements of these Rules.

An Authorised Firm must make and keep a record that clearly demonstrates the basis on which it relies on the electronic verification of identification documentation. An Authorised Firm may permit payment processing to take place using on-line services if it ensures that the processing is subject to:

  1. (a) the same monitoring as its other services; and
  2. (b) the same risk-based methodology.

11. WIRE TRANSFERS

11.1. Definitions

11.1.1. Defined terms

In this Chapter:

  1. (a)“beneficiary institution” means the Financial Institution that receives the wire transfer from the ordering institution, whether directly or through an intermediary institution, and makes the funds available to the payee;
  2. (b)“cover payment” means a wire transfer that combines a payment message sent directly by the ordering institution to the beneficiary institution with the routing of the funding instruction from the ordering institution to the beneficiary institution through one or more intermediary institutions;
  3. (c)“cross-border wire transfer” means a wire transfer where the ordering institution and the beneficiary institution are located in different jurisdictions and includes any chain of wire transfers in which at least one of the Financial Institutions involved is located in a different jurisdiction;
  4. (d)“customer identification number” means a number that is different from the unique transaction reference number and:
  5. (i)uniquely identifies the payer to the ordering institution; and
  6. (ii)refers to a record held by the ordering institution that contains at least one of the following: the payer’s address, national identity number or date and place of birth;
  7. (e)“domestic wire transfer” means a wire transfer where the ordering institution and beneficiary institution are located in the same jurisdiction and includes any chain of wire transfers that takes place entirely within a jurisdiction, even if the system used to transfer the payment message is located in another country;
  8. (f)“intermediary institution” means the Financial Institution in a serial payment or cover payment chain that receives and transmits a wire transfer on behalf of the ordering institution and the beneficiary institution, or another intermediary institution;
  9. (g)“ordering institution” means the Financial Institution that transfers the funds upon receiving the request for a wire transfer on behalf of the payer;
  10. (h)“payee” means the natural or legal person or legal arrangement identified by the payer as the recipient of the requested wire transfer;
  11. (i)“payer” means the account holder or originator who allows/instructs the wire transfer from that account or, if there is no account, the natural or legal person that places the wire transfer order with the ordering institution to perform the wire transfer;
  12. (j)“serial payment” means a direct sequential chain of payment where the wire transfer and accompanying payment message travel together from the ordering institution to the beneficiary institution, directly or through one or more intermediary institutions;
  13. (k)“straight-through processing” means payment transactions that are conducted electronically without the need for manual intervention;
  14. (l)“unique transaction reference number” means a combination of letters, numbers or symbols, determined by the Financial Institution in accordance with the protocols of the payment and settlement system or messaging system used for the wire transfer, and which permits the traceability of the wire transfer; and
  15. (m)“wire transfer” includes any value transfer process or arrangement.


11.2. Wire transfer requirements

11.2.1. Obligations in respect of wire transfer

An Authorised Person must:

  1. (a) when it sends or receives funds by wire transfer on behalf of a customer ensure that the wire transfer and any related messages contain payer and payee information;
  2. (b) monitor wire transfers for the purpose of detecting those wire transfers that do not contain payer and payee information and take appropriate measures to identify any money laundering risks;
  3. (c) where there is a suspicion of money laundering:
  4. (i) conduct CDD when carrying out transactions, including occasional transactions, that are wire transfers (cross-border wire transfers and domestic wire transfers, including serial payments, and cover payments); and
  5. (ii) verify the information pertaining to its customer.

11.2.2. Financial Institutions acting on their own behalf

The requirement in AML 11.2.1 does not apply to Financial Institution-to-Financial Institution transfers and settlements, where both the payer and the payee are Financial Institutions acting on their own behalf.

11.2.3.Wire transfer requirements

  1. (a) An Authorised Person must ensure that information accompanying all cross-border wire transfers less than USD 1,000 contains:
  2. (i) the name of the payer:
  3. (ii) the payer account number where such an account is used to process the transaction (or unique transaction reference number that allows traceability of the transaction if no account exists);
  4. (iii) the name of the payee; and
  5. (iv) the payee account number where such an account is used to process the transaction (or unique transaction reference number that allows traceability of the transaction if no account exists).
  6. (b) For all cross-border wire transfers of USD 1,000 or more an Authorised Person must ensure that, in addition to the information required by AML 11.2.3(a), there is information containing the payer’s address or national identity number (individual identification number or passport number), or customer identification number, or date and place of birth.
  7. (c) If several individual cross-border wire transfers from a single payer are bundled in a batch file for transmission to payees, then an Authorised Person that is an ordering institution must ensure that:
  8. (i) the batch file contains the payer information required under (a) and (b);
  9. (ii) it has verified the payer information referred to in (i); and
  10. (iii) the batch file contains the payee information required under (a) for each payee and that information is fully traceable in each payee’s jurisdiction.
  11. (d) For a domestic wire transfer, an Authorised Person that is an ordering institution must either:
  12. (1) include in the information accompanying the wire transfer the following:
  13. (i) the name of the payer;
  14. (ii) the payer’s account number where such an account is used to process the transaction (or unique transaction reference number that allows traceability of the transaction if no account exists); and
  15. (iii) payer’s address or national identity number (individual identification number or passport number), or customer identification number, or date and place of birth; or
  16. (2) if the payer information set out in (1) can be given by other means, include the payer’s account number or unique transaction reference number if no account exists, provided that:
  17. (i) either number will permit the transaction to be traced back to the payer or the payee; and
  18. (ii) the ordering institution must provide the payer information set out in paragraph (1) within 3 business days of a request for the information by the beneficiary institution or the AFSA or immediately upon request of a law enforcement agency.
  19. (e) An Authorised Person that is an ordering institution must maintain, in accordance with AML 14.5, a record of the payer and payee information it has collected under this Chapter.
  20. (f) An Authorised Person that is an ordering institution must not perform a wire transfer if it is unable to comply with the requirements in AML 11.2.3.

Guidance on wire transfers

  1. (a) [intentionally omitted]
  2. (b) Concealing or removing in a wire transfer any of the information required by AML 11.2.1 would be a contravention of the requirement to ensure that the wire transfer contains payer and payee information.
  3. (c) The information required under AML 11.2.3(a) for all cross-border wire transfers less than USD 1,000 need not be verified for accuracy except if the Relevant Person suspects money laundering.

11.2.4. Requirements for intermediary institution

11.2.5. Requirements for beneficiary institution

  1. (a) An Authorised Person that is a beneficiary institution must take reasonable measures, including post-event monitoring or real-time monitoring where feasible, to identify cross-border wire transfers that lack the required payer or payee information.
  2. (b) For a cross-border wire transfer of USD 1,000 or more, an Authorised Person that is a beneficiary institution must verify the identity of the payee, if the identity has not been previously verified, and maintain this information in accordance with AML 14.5.


11.2.6. Systems and controls concerning wire transfers

An Authorised Person that acts as an intermediary or beneficiary institution must develop, establish and maintain policies, procedures, systems and controls to determine:

  1. (a) when to perform, reject or suspend a wire transfer that lacks the full payer information or required payee information; and
  2. (b) when to take an appropriate follow-up action.


11.2.7. Money or value transfer service operator

  1. (a) An Authorised Person that is a money or value transfer service operator must comply with all of the relevant requirements of AML 11.2 in the jurisdictions in which they operate, directly or through their agents.
  2. (b) In the case of an Authorised Person that is a money or value transfer service operator that controls both the ordering and the payee side of a wire transfer, an Authorised Person must:
  3. (i) take into account all the information from both the ordering and payee sides in order to determine whether a STR has to be filed; and
  4. (ii) file a STR in any country affected by the suspicious wire transfer, and make relevant transaction information available to the FIU.


11-1. TRANSFER OF DIGITIAL ASSETS

11-1.1. Digital Asset transfer

(1) If a Digital Asset Service Provider transfers Digital Assets to another Digital Asset Service Provider:

(a) the originating Digital Asset Service Provider must:

(i) obtain and hold required and accurate originator information and required beneficiary information on the transfer; and

(ii) immediately and securely submit the information in (i) to the beneficiary Digital Asset Service Provider or any other relevant institution as so required by law.

(2) The information in (1) should be stored in a manner such that it cannot be altered and so that it is readily available to AFSA on AFSA’s request.

(3) For the purposes of 1(a), an originating Digital Asset Service Provider must ensure that all transfers of Digital Assets with value equal to or more than USD1,000 involving natural persons are accompanied by:

(a) the name of the originator;

(b) the originator’s digital asset wallet address or account number or (in the absence of an account) unique transaction reference number;

(c) the originator’s physical address, or national identity number, or customer identification, or date and place of birth;

(d) the name of the beneficiary; and

(e) the beneficiary’s digital asset wallet address or account number or (in the absence of an account) unique transaction reference number.

(4) For the purposes of 1(a), an originating Digital Asset Service Provider must ensure that all transfers of Digital Assets with value equal of less than USD 1,000 involving natural persons are accompanied by:

(a) the name of the originator;

(b) the originator’s digital asset wallet address or account number or (in the absence of an account) unique transaction reference number;

(c) the name of the beneficiary; and

(d) the beneficiary’s digital asset wallet address or account number  or (in the absence of an account) unique transaction reference number.

(5) For the purposes of 1(a), an originating Digital Asset Service Provider must ensure that all all transfers of Digital Assets with value equal to or more than USD 1,000 involving Body Corporates are accompanied by:

(a) the registered corporate name or trading name of the originator;

(b) the originator’s digital asset wallet address or account number or (in the absence of an account) unique transaction reference number;

(c) either of the following:

(i) the customer identification number; or

(ii) the registered office address or primary place of business;

(d) the following beneficiary information:

(i) the name of the beneficiary; and

(ii) beneficiary’s digital asset wallet address account number or (in the absence of an account) unique transaction reference number.

(6) For the purposes of 1(a), an originating Digital Asset Service Provider must ensure that all transfers of Digital Assets with value equal of less than USD 1,000 involving Body Corporates are accompanied by:

(a) the name of the originator;

(b) the originator’s account number or (in the absence of an account) unique transaction reference number;

(d) the following required beneficiary information;

(i) the name of the beneficiary; and

(ii) beneficiary’s account number or (in the absence of an account) unique transaction reference number.

(7) The Digital Asset Service Provider should not execute a transaction if it does not comply with requirements set out in (3), (4), (5) or (6), as applicable, and should return the relevant amounts back to the originator. The Digital Asset Service Provider should have appropriate risk-based policies and procedures to determine when to execute, reject or suspend a transfer lacking the required information while at all times complying with these requirements.

(8) In determining the value of a transfer, Digital Asset Service Providers must take a reasonable and justified approach. If multiple transfers from the same originator appear to be linked, they will be aggregated for the purpose of calculating the transfer’s value.

(9) An intermediary Digital Asset Service Provider who participates in transfers of Digital Assets must:

(a) take reasonable measures, consistent with current guidance, to identify transfers of Digital Assets that lack the required originator or beneficiary information;

(b) adopt risk-based policies and procedures to determine when to execute, reject or suspend a transfer lacking the required information; and

(c) keep records for at least 6 years after the completion of the transaction to which it relates.

(10) If several transfers from a single originator are bundled in a batch file for transmission to beneficiaries, they may be exempted from the requirements in respect of originator information, provided that they include the originator’s account number or unique transaction reference number, and the batch file contains required and accurate originator information, and full beneficiary information, that is fully traceable within the beneficiary country.

11-1.2. Digital Asset Transfers to or from self-hosted digital wallets

(1) In case of a transfer of a Digital Asset made to or received from a self-hosted digital wallet, the Digital Asset Service Provider of the originator or beneficiary must obtain and hold information referred to in 11-1.1.(3), (4), (5) or (6) from Clients and ensure that the transfer of Digital Assets can be individually identified.

 

(2) If a Digital Asset transfer exceeds USD 1,000 or there is a suspicion of money laundering or terrorist financing of a transfer to a self-hosted digital wallet, the Digital Asset Service Provider of the originator or beneficiary must take adequate measures on a risk-sensitive basis to mitigate and manage the money laundering and terrorist financing risks associated with the transfer.

Guidance on risk mitigating measures on transfers to or from self-hosted digital wallets

A Digital Asset Service Provider should undertake the following non-exhaustive measures to ensure compliance with AML 11-1.2 (2):

(a) to conduct enhanced monitoring of Digital Asset transfers with self-hosted digital wallets;
(b) to accept Digital Asset transfers from or to self-hosted digital wallets only where the Digital Asset Service Provider has them assessed to be reliable, having regard to the screening results of the Digital Asset transactions and the associated digital wallets and the assessment results on the ownership or control of the self-hosted digital wallet by the originator or beneficiary; and

(c) to impose transaction limits or prohibition.

 

Note: Chapter 11-1. comes into operation 12 months after the commencement date of the AIFC Rules on Digital Asset Activities.

11-2. DIGITAL ASSET TRANSFER COUNTERPARTY DUE DILIGENCE AND ADDITIONAL MEASURES

11-2.1. General requirements

(1) If a Digital Asset Service Provider conducts a Digital Asset transfer referred to in Chapter 11-1, the Digital Asset Service Provider will be exposed to money laundering and terrorist financing risks associated with the institution which may be the ordering institution, intermediary institution or beneficiary institution involved in the Digital asset transfer (“Digital Asset transfer counterparty”).

(2) To avoid sending or receiving a Digital Asset to or from illicit actors or designated parties that had not been subject to appropriate CDD and screening measures of a Digital Asset transfer counterparty and to ensure compliance with the Travel Rule, a Digital Asset Service Provider must conduct due diligence on the Digital Asset transfer counterparty. A Digital Asset Service Provider should identify and assess the money laundering and terrorist financing risks associated with the Digital Asset transfer to or from the Digital Asset transfer counterparty and apply the appropriate risk-based anti-money laundering and countering financing terrorism measures.

(3) A Digital Asset Service Provider must conduct due diligence measures on a Digital Asset transfer counterparty before conducting a Digital Asset transfer or making the transferred Digital Assets available to the recipient.

(4) A Digital Asset Service Provider does not need to undertake the Digital Asset transfer counterparty due diligence process for every individual Digital Asset transfer when dealing with Digital Asset transfer counterparties that it has already conducted counterparty due diligence on previously, unless there is a suspicion of money laundering and terrorist financing.

(5) A Digital Asset Service Provider must undertake reviews of the Digital Asset transfer counterparty due diligence records on a regular basis or upon trigger events (e.g., when it becomes aware of a suspicious transaction or other information such as negative news from credible media, public information that the counterparty has been subject to any targeted financial sanction, money laundering and terrorist financing investigation or regulatory action).

(6) Based on the Digital Asset transfer counterparty due diligence results, a Digital Asset Service Provider must determine if it should continue to conduct Digital Asset transfers with, and submit the required information to, a Digital Asset transfer counterparty, and the extent of anti-money laundering and countering financing terrorism measures that it should apply in relation to a Digital Asset transfer with the Digital Asset transfer counterparty on a risk-sensitive basis.

 

Guidance

Digital Asset transfer counterparty due diligence may involve the following non-exhaustive procedures:

(a) determining whether a Digital Asset transfer is or will be with a Digital Asset transfer counterparty or a self-hosted digital wallet;

(b) where applicable, identifying the Digital Asset transfer counterparty (e.g., by making a reference to a list of licensed or registered Digital Asset Service Providers or financial institutions in different jurisdictions); and

(c) assessing whether a Digital Asset transfer counterparty is an eligible counterparty to deal with and to send the required information to.

11-2.2. Digital Asset transfer counterparty due diligence measures

A Digital Asset Service Provider must apply the following Digital Asset transfer counterparty due diligence measures before it conducts a Digital Asset transfer with a Digital Asset transfer counterparty:

(a) determining if the respondent entity is licensed or registered;

(b) collecting sufficient information about the Digital Asset transfer counterparty to enable it to understand fully the nature of the Digital Asset transfer counterparty’s business;

(c) understanding the nature and expected volume and value of a Digital Asset transfer with the Digital Asset transfer counterparty;

(d) determining from publicly available information the reputation of the Digital Asset transfer counterparty and the quality and effectiveness of the anti-money laundering and countering financing terrorism regulation and supervision over the Digital Asset transfer counterparty by authorities in the relevant jurisdiction;

(e) assessing the anti-money laundering and countering financing terrorism controls of a Digital Asset transfer counterparty and ensure that they are adequate and effective;

(f) assessing whether the Digital Asset transfer counterparty is subject to the Travel Rule similar to that imposed under Chapter 11-1 in the jurisdiction in which the Digital Asset transfer counterparty operates or is incorporated;

(g) assessing the adequacy and effectiveness of the anti-money laundering and countering financing terrorism controls that the Digital Asset transfer counterparty has put in place for ensuring compliance with the Travel Rule;

(h) assessing whether the Digital Asset transfer counterparty can protect the confidentiality and integrity of personal data (e.g., the required originator and recipient information), taking into account the adequacy and robustness of data privacy and security controls of the Digital Asset transfer counterparty; and

(j) obtaining approval from its senior management.

 

Guidance:

(1) While a relationship with a Digital Asset transfer counterparty is different from a cross-border correspondent relationship referred to in Chapter 10, there are similarities in the due diligence approach which can be of assistance to a Digital Asset Service Provider. By virtue of this, the Digital Asset Service Provider should conduct due diligence measures in Chapter 10, with reference to the requirements set out in AML 10.2.

(2) When assessing money laundering and terrorist financing risks posed by a Digital Asset transfer counterparty, a Digital Asset Service Provider should take into account the relevant factors that may indicate a higher money laundering and terrorist financing risk. Examples of such risk are where a Digital Asset transfer counterparty:

(i) operates or is incorporated in a jurisdiction posing a higher risk or with a weak anti-money laundering and countering financing terrorism regime;
(ii) is not (or yet to be) licensed or registered and supervised for anti-money laundering and countering financing terrorism purposes in the jurisdiction in which it operates or is incorporated by the relevant authorities;
(iii) does not have in place adequate and effective anti-money laundering and countering financing terrorism systems, including measures for ensuring compliance with the Travel Rule;
(iv) does not implement adequate measures or safeguards for protecting the confidentiality and integrity of personal data; or
(v) is associated with money laundering and terrorist financing or other illicit activities.

 

Note: Chapter 11-2. comes into operation 12 months after the commencement date of the AIFC Rules on Digital Asset Activities.

12. SANCTIONS

12.1. Relevant United Nations resolutions and sanctions

12.1.1. Sanctions systems and controls

A Relevant Person must establish and maintain effective systems and controls to ensure that on an on-going basis it is properly informed as to, and takes reasonable measures to comply with, relevant resolutions or sanctions issued by the UNSC or by the Republic of Kazakhstan.

A Relevant Person must comply with prohibitions from conducting transactions with designated persons and entities, in accordance with the obligations set out in the relevant resolutions or sanctions issued by the UNSC or by the Republic of Kazakhstan.

A Relevant Person must freeze without delay and without prior notice, the funds or other assets of designated persons and entities pursuant to relevant resolutions or sanctions issued by the UNSC or by the Republic of Kazakhstan.

12.1.2. Notification obligation

A Relevant Person must report to the FIU any assets frozen or actions taken in compliance with the prohibition requirements of the relevant resolutions or sanctions issued by the UNSC or by the Republic of Kazakhstan, including attempted transactions. A Relevant Person must immediately notify the AFSA when it becomes aware that it is:

  1. (a) carrying on or about to carry on an activity;
  2. (b) holding or about to hold money or other assets; or
  3. (c) undertaking or about to undertake any other business whether or not arising from or in connection with (a) or (b), for or on behalf of a person, where such carrying on, holding or undertaking constitutes or may constitute a contravention of a relevant sanction or resolution issued by the UNSC or by the Republic of Kazakhstan.

12.1.3. Notification requirements

A Relevant Person must ensure that the notification stipulated in AML 12.1.2 above includes the following information:

  1. (a) a description of the relevant activity in AML 12.1.2; and
  2. (b) the action proposed to be taken or that has been taken by the Relevant Person regarding the matters specified in the notification.

  3. Guidance on sanctions
  4. (a) In AML 12.1.1 taking reasonable measures to comply with a resolution or sanction may mean that a Relevant Person cannot undertake a transaction for or on behalf of a person or that it may need to conduct further due diligence in respect of a person.
  5. (b) Relevant resolutions or sanctions mentioned in AML 12.1.1 may, among other things, relate to money laundering or otherwise be relevant to the activities carried on by the Relevant Person.
  6. (c) A Relevant Person should exercise due care to ensure that it does not provide services to, or otherwise conduct business with, a person engaged in money laundering.
  7. (d) When making a notification to the AFSA in accordance with AML 12.1.2, a Relevant Person should have regard to the requirements of the AML Law in relation to freezing assets and blocking transactions and must also consider whether it is necessary to file a STR.
  8. (e) An Authorised Market Institution should exercise due care to ensure that it does not facilitate fund raising activities or listings by persons engaged in money laundering.
  9. (f) Relevant Persons must perform checks on an on-going basis against their customer databases and records for any names appearing in resolutions or sanctions issued by the UNSC as well as to monitor transactions accordingly.
  10. (g) A Relevant Person may use a database maintained elsewhere for an up-to-date list of resolutions and sanctions, or to perform checks of customers or transactions against that list. For example, it may wish to use a database maintained by its head office or a Group member. However, the Relevant Person retains responsibility for ensuring that its systems and controls are effective to ensure compliance with these Rules.

12.2. Government, Regulatory and International Findings

12.2.1. Compliance with Findings

A Relevant Person must establish and maintain systems and controls to ensure that on an ongoing basis it is properly informed as to, and takes reasonable measures to comply with, any findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions (each of which is referred to in this Rule as a "Finding") issued by:

  1. (a) the government of the Republic of Kazakhstan;
  2. (b) the National Bank of Kazakhstan;
  3. (c) Kazakhstan state agencies;
  4. (d) the AFSA; and
  5. (e) the FATF, concerning the matters in AML 12.2.2.

12.2.2. Relevant matters

For the purposes of AML 12.2.1, the relevant matters are:

  1. (a) arrangements for preventing money laundering, in a particular country or jurisdiction, including any assessment of material deficiency against relevant countries in adopting international standards; and
  2. (b) the names of persons, groups, organisations or entities or any other body where suspicion of money laundering exists.

12.2.3. Notification obligations

A Relevant Person must immediately notify the AFSA in writing if it becomes aware of noncompliance by a person with a Finding and provide the AFSA with sufficient details of the person concerned and the nature of the non-compliance.

12.2.4. Additional measures

A Relevant Person should be able to independently apply countermeasures that are effective, appropriate and proportionate (including EDD measures) to AML and CFT risks, whether or not called upon to do so for the purposes of AML 12.2.1, including by the FATF.

Guidance on Government, Regulatory and International Findings

  1. (a)The purpose of these Rules is to ensure that a Relevant Person takes into consideration the broad range of tools used by competent authorities and international organisations to communicate AML and CFT risks to stakeholders.
  2. (b)A Relevant Person should examine and pay special attention to any transactions or business relationship with persons located in countries or jurisdictions mentioned by the entities in AML 12.2.1(a) to (e).
  3. (c)Relevant Persons considering transactions or business relationships with persons located in countries or jurisdictions that have been identified as deficient, or against which the Republic of Kazakhstan or the AFSA have outstanding advisories, should be aware of the background against which the assessments, or the specific recommendations have been made. These circumstances should be taken into account in respect of introduced business from such jurisdictions, and when receiving inward payments for existing customers or in respect of inter-bank transactions.
  4. (d)The Relevant Person’s MLRO is not obliged to report all transactions from these countries or jurisdictions to the Kazakhstan state agencies if they do not qualify as suspicious. See Chapter 13 on STRs.
  5. (e)Transactions with counterparties located in countries or jurisdictions which have been but are no longer identified as deficient or have been relieved from special scrutiny may nevertheless require attention which is higher than normal.
  6. (f)In order to assist Relevant Persons, the AFSA will, from time to time, publish findings, guidance, directives, or sanctions made by FATF, the UNSC, or the government of the Republic of Kazakhstan. However, a Relevant Person must take its own steps to acquire relevant information from various available sources. For example, a Relevant Person may obtain relevant information from the FIU, European Union, the United Kingdom (HM Treasury) lists, and the United States of America (Office of Foreign Assets Control of the Department of Treasury).
  7. (g)In addition, the systems and controls set out in AML 12.1.1 should be established and maintained by a Relevant Person, taking into account the risk assessments under Chapters 5 and 6. In AML 12.1.1, taking reasonable measures to comply with a finding may mean that a Relevant Person cannot undertake a transaction for or on behalf of a person or that it may need to conduct further due diligence in respect of such a person.
  8. (h)A Relevant Person should be proactive in obtaining and appropriately using available national and international information, for example, suspect lists or databases from credible public or private sources regarding money laundering, including obtaining relevant information from sources mentioned in (f) above. Relevant Persons should perform checks against their customer databases and records for any names appearing on such lists and databases as well as to monitor transactions accordingly. As set out in the Guidance, a Relevant Person may use a database maintained elsewhere for an up-to date list of sanctions or to conduct checks of customers or transactions against the list.
  9. However, it retains responsibility for ensuring the effectiveness of its systems and controls
  10. (i)The risk of terrorists entering the financial system can be reduced if Relevant Persons apply effective AML strategies, particularly in respect of CDD. Relevant Persons should assess which countries carry the highest risks and should conduct an analysis of transactions from countries or jurisdictions known to be a source of terrorist financing.
  11. (j)The AFSA may require Relevant Persons to take any special measures it may prescribe with respect to certain types of transactions or accounts where the AFSA reasonably believes that any of the above may pose a risk of money laundering.


13. MONEY LAUNDERING REPORTING OFFICER, SUSPICIOUS TRANSACTIONS AND TIPPING OFF

13.1. Money Laundering Reporting Officer

13.1.1. Who can act as Money Laundering Reporting Officer

The MLRO function must be carried out by an individual who is a Director, Partner, Principal Representative, or Senior Manager of an Authorised Person and who has responsibility for the implementation and oversight of an Authorised Person's AML policies, procedures, systems and controls.

13.1.2. Appointment of Money Laundering Reporting Officer

A Relevant Person must appoint an individual as MLRO, with responsibility for implementationand oversight of its compliance with the AML Rules, who has an appropriate level of seniority and independence to act in the role.

An Authorised Firm, other than a Representative Office, must appoint an individual to act as a deputy MLRO of the Authorised Firm to fulfil the role of the MLRO in his or her absence.

13.1.3. Residency Requirement

The MLRO must be resident in the Republic of Kazakhstan except in the case of the MLRO for a Registered Auditor.

Guidance on appointment of Money Laundering Reporting Officer

  1. (a) Under GEN 2.1.2, the MLRO function is a mandatory appointment.
  2. (b) A Relevant Person other than an Authorised Firm should make adequate arrangements to ensure that it remains in compliance with these Rules in the event that its MLRO is absent. Adequate arrangements would include appointing a temporary MLRO for the period of the MLRO's absence or making sure that the Relevant Person’s AML systems and controls allow it to continue to comply with these Rules when the MLRO is absent.

13.2. [Intentionally omitted]

13.2.1. [Intentionally omitted]

[Intentionally omitted]

13.3. Dealing with the Regulator

13.3.1. Obligation of co-operation

A Relevant Person’s MLRO must deal with the AFSA in an open, responsive, and co-operative manner and must disclose appropriately any information of which the AFSA would reasonably be expected to be notified.

13.4. Outsourcing the role of Money Laundering Reporting Officer

13.4.1. Outsourcing permitted

A Relevant Person may outsource the role of MLRO to an individual outside the Relevant Person if the relevant individual under the outsourcing agreement is and remains suitable to perform the MLRO role.

13.4.2. Responsibility for compliance

Where a Relevant Person outsources specific AML tasks of its MLRO to another individual or a third-party provider, including within a corporate Group, the Relevant Person remains responsible for ensuring compliance with the responsibilities of the MLRO. The Relevant Person should satisfy itself of the suitability of anyone who acts for it.

13.5. Qualities of Money Laundering Reporting Officer

13.5.1. Organisational standing

A Relevant Person must ensure that its MLRO has:

  1. (a) direct access to its senior management;
  2. (b) a level of seniority and independence within the Relevant Person to enable him to act on his own authority and to act independently in carrying out his responsibility;
  3. (c) sufficient resources, including appropriate staff and technology; and
  4. (d) timely and unrestricted access to information sufficient to enable him to carry out his responsibilities in AML 13.6.1.

Guidance on qualities of Money Laundering Reporting Officer

A Relevant Person will need to consider AML 13.5.1. when appointing an outsourced MLRO. Any external MLRO that is appointed will need to have the actual or effective level of seniority that the role requires.

13.6. Responsibilities of Money Laundering Reporting Officer

13.6.1. Oversight responsibility

A Relevant Person must ensure that its MLRO implements and has oversight of, and is responsible for, the following matters:

  1. (a) the day-to-day operations for compliance by the Relevant Person with its AML policies, procedures, systems and controls;
  2. (b) acting as the point of contact to receive notifications from the Relevant Person’s employees under AML 13.7.3;
  3. (c) taking appropriate action under AML 13.8.1 following the receipt of a notification from an employee;
  4. (d) making STRs in accordance with applicable Kazakhstan law;
  5. (e) acting as the point of contact within the Relevant Person for the AFSA, and any other competent authority regarding money laundering issues;
  6. (f) responding promptly to any request for information made by the AFSA, and any other competent authority;
  7. (g) receiving and acting upon any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions described in Chapter 12; and
  8. (h) establishing and maintaining an appropriate money laundering training programme and adequate awareness arrangements under Chapter 14.

13.7. Reporting

A Relevant Person must complete the AFSA's AML Return form on an annual basis and submit such form to the AFSA within two months after the end of each year.

13.7.1. Defined terms

In this Chapter, a reference to a criminal offence for "money laundering" is as set out in the Kazakhstan criminal law.

13.7.2. Threshold Transactions Controls

A Relevant Person must establish and maintain policies, procedures, systems and controls to monitor and detect transactions above defined thresholds and submit threshold transactions reports (“TTRs”) to the FIU in accordance with the AML Law.

13.7.3. Suspicious Activity and Transactions Controls

A Relevant Person must establish and maintain policies, procedures, systems and controls to monitor and detect suspicious activity or transactions in relation to potential money laundering.

A Relevant Person must register in the FIU reporting system for submitting TTRs before the commencement of its business activities.

13.7.4. Immunity from liability for disclosure of information relating to money laundering transactions

  1. (a) The disclosure by a Relevant Person to the competent authorities of information relating to money laundering is not a contravention of any obligation of secrecy or non- disclosure or (where applicable) of any enactment by which that obligation is imposed.
  2. (b) The sharing by the Authorised Persons where this is required by Chapters 9, 10 and 11 of information relating to money laundering is not a contravention of any obligation of financial institution secrecy laws or non-disclosure or (where applicable) of any enactment by which that obligation is imposed.

13.7.5. Employee reporting to Money Laundering Reporting Officer

A Relevant Person must have policies, procedures, systems and controls to ensure that whenever any employee, acting in the ordinary course of his employment, either:

  1. (a) knows;
  2. (b) suspects; or
  3. (c) has reasonable grounds for knowing or suspecting, that a person is engaged in or attempting money laundering or terrorist financing, that employee promptly notifies the Relevant Person’s MLRO and provides the MLRO with all relevant information within the employee's knowledge.

Guidance on Suspicious Transaction Reports

  1. (a) Circumstances that might give rise to suspicion or reasonable grounds for suspicion include:
  2. (i) Transactions which have no apparent purpose, which make no obvious economic sense, or which are designed or structured to avoid detection;
  3. (ii) Transactions requested by a person without reasonable explanation, which are out of the ordinary range of services normally requested or are outside the experience of a Relevant Person in relation to a particular customer;
  4. (iii) where the size or pattern of transactions, without reasonable explanation, is out of line with any pattern that has previously emerged or are deliberately structured to avoid detection;
  5. (iv) where a customer refuses to provide the information requested without reasonable explanation;
  6. (v) where a customer who has newly entered into a business relationship uses the relationship for a single transaction or for only a very short period of time;
  7. (vi) an extensive use of offshore accounts, companies or structures in circumstances where the customer's economic needs do not support such requirements;
  8. (vii) unnecessary routing of funds through third party accounts;
  9. (viii) the proffering of documents that appear fraudulent, unofficial, or are otherwise suspicious; or
  10. (ix) unusual transactions without an apparently profitable motive.
  11. (b) The requirement for employees to notify the Relevant Person’s MLRO should include situations when no business relationship was developed because the circumstances were suspicious.
  12. (c) A Relevant Person may allow its employees to consult with their line managers before sending a report to the MLRO. Such consultation does not prevent the making of a report whenever an employee has stated that he has knowledge, suspicion or reasonable grounds for knowing or suspecting that a person may be involved in money laundering. Whether or not an employee consults with his line manager or other employees, the responsibility remains with the employee to decide for himself/herself whether a notification to the MLRO should be made.
  13. (d) An employee, including the MLRO, who considers that a person is engaged in or engaging in activity that he knows or suspects to be suspicious would not be expected to know the exact nature of the criminal offence or that the particular funds were definitely those arising from the crime of money laundering.
  14. (e) CDD measures form the basis for recognising suspicious activity. Sufficient guidance must therefore be given to the Relevant Person’s employees to enable them to form a suspicion or to recognise when they have reasonable grounds to suspect that money laundering is taking place. This should involve training that will enable relevant employees to seek and assess the information that is required for them to judge whether a person is involved in suspicious activity related to money laundering.
  15. (f) A transaction that appears unusual is not necessarily suspicious. Even customers with a stable and predictable transaction profile may have occasional transactions that are unusual for them. Many customers will, for perfectly good reasons, have an erratic pattern of transactions or account activity. Unusual behaviour is, in the first instance, only a basis for further inquiry, which may in turn require judgement as to whether it is suspicious. A transaction or activity may not be suspicious at the time, but if suspicions are raised later, an obligation to report then arises.
  16. (g) Effective CDD measures may provide the basis for recognising unusual and suspicious activity. Where there is a customer relationship, suspicious activity will often be one that is inconsistent with a customer's known legitimate activity, or with the normal business activities for that type of account or customer. Therefore, the key to recognising 'suspicious activity' is knowing enough about the customer and the customer's normal expected activities to recognise when their activity is abnormal.
  17. (h) A Relevant Person should implement policies and procedures whereby disciplinary action (including, but not limited to, a requirement of further training) is taken against an employee who fails to notify the Relevant Person’s MLRO.

13.8. Responsibilities of Money Laundering Reporting Officer on receipt of a Suspicious Transaction Report

13.8.1. Activity upon notification

A Relevant Person must ensure that where the Relevant Person's MLRO receives a notification under AML 13.7.3,the MLRO, without delay:

(a) enquires into and documents the circumstances in relation to which the notification made under AML 13.7.3 was made;

(b) determines whether in accordance with the AML Law a STR must be made to the FIU and documents such determination; and

(c) if required, submits a STR to the FIU and promptly notifies the AFSA of such a submission.

13.8.2. Recording reasons for not making a Suspicious Transaction Report

Where, following a notification to the MLRO under AML 13.7.3, no STR is made, a Relevant Person must record the reasons for not making a STR.

13.8.3. Independence of Money Laundering Reporting Officer decision

(a) A Relevan tPerson must ensure that whether the MLRO decides to make or not to make a STR, his/her decision is made independently and is not subject to the consent or approval of any other person.

(b) Where a Relevant Person’s MLRO has a suspicion of money laundering, and reasonably believes that performing the CDD process will tip-off the customer, he/she must not pursue the CDD process, and must submit a STR to the FIU.

Guidance on making Suspicious Transaction Reports

  1. (a) In most cases, before deciding to make a report, the MLRO is likely to need access to the relevant business information. A Relevant Person must therefore take reasonable steps to give its MLRO access to such information. Relevant business information may include details of:
  2. (i) the financial circumstances of a customer or beneficial owner, or any person on whose behalf the customer has been or is acting;
  3. (ii) the features of the transactions, including, where appropriate, the jurisdiction in which the transaction took place; and
  4. (iii) the underlying CDD information, and copies of the actual source documentation in respect of the customer.
  5. (b) In addition, the MLRO may wish:
  6. (i) to consider the level of identity information held on the customer, and any information on his personal circumstances that might be available to the firm; and
  7. (ii) to review other transaction patterns and volumes through the account or accounts in the same name, the length of the business relationship and identification records held.
  8. (c) Relevant Persons are reminded that the failure to report suspicions of money laundering may constitute a criminal offence.
  9. (c-a) The AFSA may provide guidance and recommendations as it considers appropriate in assisting Relevant Persons in the detection and reporting of suspicious transactions to the FIU, in support of the FIU’s objectives under the AML Law.
  10. (d) STRs should be sent to the FIU in accordance with these Rules and AML Law. In the preparation of a STR, if a Relevant Person knows or assumes that the funds which form the subject of the report do not belong to a customer but to a third party, this fact and the details of the Relevant Person’s proposed course of further action in relation to the case should be included in the report.
  11. (e) If a Relevant Person has reported a suspicion to the FIU, the FIU may instruct the Relevant Person on how to continue its business relationship, including effecting any transaction with a person. If the customer in question expresses his wish to move the funds before the Relevant Person receives instruction from the FIU on how to proceed, the Relevant Person should immediately contact the FIU for further instructions.

Guidance on tipping-off

  1. (a) Relevant Persons are reminded that in accordance with the AML Law, Relevant Persons or any of their employees must not tip-off any person, that is, inform any person that he/she is being scrutinised for possible involvement in suspicious activity related to money laundering, or that any other competent authority is investigating his/her possible involvement in suspicious activity relating to money laundering. In addition, the Relevant Persons must not disclose information contained in a STR or the fact that a STR may be or has been filed with the FIU or a suspicious transaction is being investigated.
  2. (b) If a Relevant Person reasonably believes that conducting CDD measures will tip-off a customer or potential customer, it may choose not to pursue that process and should file a STR. Relevant Persons should ensure that their employees are aware of and sensitive to these issues when considering CDD measures.

14. GENERAL OBLIGATIONS

14.1. Training and Awareness

14.1.1. Training and Other Obligations

A Relevant Person must implement screening procedures to ensure high standards when hiring employees.

A Relevant Person must take appropriate measures to ensure that its employees:

  1. (a) are made aware of the law relating to money laundering;
  2. (b) are regularly given training in how to recognise and deal with transactions and other activities which may be related to money laundering;
  3. (c) understand its policies, procedures, systems and controls related to money laundering and any changes to these;
  4. (d) understand the types of activity that may constitute suspicious activity in the context of the business in which an employee is engaged and that may warrant a notification to the MLRO under AML 13.7.3;
  5. (e) understand its arrangements regarding the making of a notification to the MLRO under AML 13.7.3;
  6. (f) are aware of the prevailing techniques, methods and trends in money laundering relevant to the business of the Relevant Person;
  7. (g) understand the risk of tipping-off and how to avoid informing a customer or potential customer that it is or may be the subject of a STR;
  8. (h) understand the roles and responsibilities of employees in combating money laundering, including the identity and responsibility of the Relevant Person’s MLRO and deputy, where applicable; and
  9. (i) understand the relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions described in Chapter 13.

14.1.2. Appropriate measures

In determining what measures are appropriate under AML 14.1.1 Relevant Person must take account of:

  1. (a) the nature of its business;
  2. (b) its size; and
  3. (c) the nature and extent of the risks of money laundering to which its business is subject. The AFSA may impose additional training requirements in respect of all, or certain, relevant employees of a Relevant Person.

Guidance on training and awareness

  1. (a) All relevant employees of a Relevant Person be given appropriate AML training as soon as reasonably practicable after commencing employment with the Relevant Person. A relevant employee means a member of the senior management or operational staff, any employee with customer contact, or any employee who handles (or may handle) customer monies or assets, and any other employee who might encounter money laundering in the business.
  2. (b) Relevant Persons should take a RBA to AML training. AML training should be provided by a Relevant Person to each of its relevant employees at intervals appropriate to the role and responsibilities of the employee. In the case of an Authorised Firm, training should be provided to each relevant employee at least annually.
  3. (c) AML training provided by a Relevant Person need not be in a formal classroom setting, rather it may be via an online course or any other similarly formal and documented manner.

14.2. Groups, branches and subsidiaries

14.2.1. Application of policies to Group entities

A Relevant Personwhich is a Centre Participant (excluding recognised or registered entities that are branches) must ensure that its policies, procedures, systems and controls required by AML 4.1.1 apply to:

  1. (a) all of its branches or Subsidiaries established in a jurisdiction other than the AIFC; and
  2. (b) all of its Group entities that are Centre Participants.

14.2.2. Equality of other jurisdictions

The requirement in AML 14.2.1 does not apply if the Relevant Person can satisfy the AFSA that the relevant branch, Subsidiary or Group entity is subject to regulation, including AML, by a Financial Services Regulator or other competent authority in a country with AML regulations which are equivalent to the standards set out in the FATF Recommendations and is supervised for compliance with such regulations. Where the law of another jurisdiction does not permit the implementation of policies, procedures, systems and controls consistent with those of the Relevant Person, the Relevant Person must:

  1. (a) inform the AFSA in writing; and
  2. (b) apply appropriate additional measures to manage the money laundering risks posed by the relevant branch or Subsidiary.

14.2.3. Communication and documentation

In relation to the Group entities referred to in AML 14.2.1, a Relevant Person must:

  1. (a) communicate the policies and procedures (and RBA where relevant) which it establishes and maintains in accordance with these Rules to its Group entities, branches and Subsidiaries; and
  2. (b) document the basis for its satisfaction that the requirement in AML 14.1.1(b) is met.

14.2.4. Enforcement

In relation to an Authorised Firm, if the AFSA is not satisfied in respect of AML compliance of its branches and Subsidiaries in a particular jurisdiction, it may take action, including making it a condition on the Authorised Firm’s Licence that it must not operate a branch or Subsidiary in that jurisdiction.

14.3. Group policies

14.3.1. Group policy compliance

A Relevant Person which is part of a Group must ensure that it:

  1. (a) includes the provisions in policies and procedures of the Group concerning information sharing between Group entities on the Group’s compliance, audit and AML functions. The information that is being shared should include CDD information that had been reviewed for money laundering risk mitigation purposes and analysis (if any) of transactions or activities which appear unusual;
  2. (a-a) understands the policies and procedures covering the sharing of information between Group entities, particularly when sharing CDD information;
  3. (b) has in place adequate safeguards on the prevention of tipping-off and the confidentiality and use of information exchanged  between Group entities;
  4. (c) remains aware of the money laundering risks of the Group as a whole and of its exposure to the Group and takes active steps to mitigate such risks;
  5. (d) contributes to a Group-wide risk assessment to identify and assess money laundering risks for the Group;
  6. (e) provides its Group-wide compliance, audit and AML functions with customer account and transaction information from branches and subsidiaries for AML purposes; and
  7. (f) ensures that its branches and majority-owned subsidiaries in host countries implement the requirements of the AIFC, to the extent that host country laws and regulations permit. If the host country does not permit the proper implementation of the measures above, financial groups should apply appropriate additional measures to manage the money laundering risks, and inform the AFSA of such measures.

14.4. Notifications

14.4.1. Notification obligation

A Relevant Person must inform the AFSA in writing as soon as possible if, in relation to its activities carried on as part of the AIFC or in relation to any of its branches or Subsidiaries, it:

  1. (a) receives a request for information from a regulator or agency responsible for AML, CFT, or sanctions compliance in connection with potential money laundering or sanctions contravention;
  2. (b) becomes aware, or has reasonable grounds to believe, that a money laundering event has occurred or may have occurred in or through its business;
  3. (c) becomes aware of any money laundering or sanctions matter in relation to the Relevant Person or a member of its Group which could result in adverse reputational consequences to the Relevant Person; or
  4. (d) becomes aware of a significant contravention of these Rules or a contravention of the relevant Kazakhstan legislation by the Relevant Person or any of its employees.

14.5. Record keeping

14.5.1. Obligation to keep records

A Relevant Person must maintain the following records:

  1. (a) a copy of all documents and information obtained in conducting initial and on-going CDD;
  2. (b) the supporting records (consisting of the original documents or certified copies) in respect of the customer business relationship, including transactions;
  3. (c) notifications made under AML 13.7.3;
  4. (d) STRs and any relevant supporting documents and information, including internal findings and analysis;
  5. (e) any relevant communications with the FIU; and
  6. (f) the documents in AML 14.5.2,
  7. for at least six years from the date on which the notification or report was made, the business relationship ends or the transaction is completed, whichever occurs last.

14.5.2. Documentation obligation

A Relevant Person must document, and provide to the AFSA on request, any of the following:

  1. (a) the risk assessments of its business undertaken under AML 4.1.1;
  2. (b) how the assessments in (a) were used for the purposes of complying with AML 5.1.1</a>(a);
  3. (c) the risk assessments of the customer undertaken under AML 5.1.1; and
  4. (d) the determinations made under AML 5.1.1.

14.5.3. Location of Records

Where the records referred to in AML 14.5.1 are kept by the Relevant Person in the care of an entity that is not a Centre Participant, a Relevant Person must:

  1. (a) take reasonable steps to ensure that the records are held in a manner consistent with these Rules;
  2. (b) ensure that the records are easily accessible to the Relevant Person; and
  3. (c) upon request by the AFSA, ensure that the records are available for inspection within a reasonable period.

14.5.4. Data protection legislation

A Relevant Person must:

  1. (a) verify if there is secrecy or data protection legislation that would restrict access withoutdelay to the records referred to in AML 14.5.1 by the Relevant Person, the AFSA, or applicable Kazakhstan law; and
  2. (b) where such legislation exists, obtain without delay certified copies of the relevant records and keep such copies in a jurisdiction which allows access by those persons identified in (a).

14.5.5.Training records

A Relevant Person must be able to demonstrate that it has complied with the training and awareness requirements in Chapter 14 through appropriate measures, including the maintenance of relevant training records.

Guidance on record keeping

  1. (a)The records required to be kept under AML 14.5 may be kept in electronic format, if such records are readily accessible and available to respond promptly to any AFSA requests for information. Authorised Persons are reminded of their obligations in GEN 5.9.
  2. (b)If the date on which the business relationship with a customer has ended remains unclear, it may be taken to have ended on the date of the completion of the last transaction.
  3. (c)The records maintained by a Relevant Person should be kept in such a manner that:
  4. (i)the AFSA, or another competent authority are able to assess the Relevant Person’s compliance with legislation applicable in the AIFC;
  5. (ii)any transaction which was processed by or through the Relevant Person on behalf of a customer or other third party can be reconstructed;
  6. (iii)any customer or third party can be identified; and
  7. (iv)the Relevant Personcan satisfy any regulatory enquiry or court order to disclose information within the time indicated in such enquiry or court order.
  8. (d)In complying with AML 14.5.3, Authorised Persons are reminded of their obligations in GEN 5.9.
  9. (e)"Appropriate measures" in AML 14.5.5 may include the maintenance of a training log setting out details of:
  10. (i)the dates when the training was given;
  11. (ii)the nature of the training; and
  12. (iii)the names of employees who received the training.

14.6. Audit

14.6.1. Audit obligation

An Authorised Person must ensure that its audit function, established under GEN 5.5.1 includes regular reviews and assessments of the effectiveness of the Authorised Person's AML policies, procedures, systems and controls, and its compliance with its obligations in these Rules. Guidance on audit

  1. (a) The review and assessment undertaken for the purposes of AML 14.6.1 may be undertaken:
  2. (i) internally by the Authorised Person's internal audit function; or
  3. (ii) by a competent firm of independent auditors or compliance professionals.
  4. (b) The review and assessment undertaken for the purposes of AML 14.6.1 should cover at least the following:
  5. (i) sample testing of compliance with the Authorised Person's CDD arrangements;
  6. (ii) an analysis of all notifications made to the MLRO to highlight any area where procedures or training may need to be enhanced; and
  7. (iii) a review of the nature and frequency of the dialogue between the senior management and the MLRO.

14.7. Communication with the Regulator

14.7.1. Communication obligation

A Relevant Person must:

  • (a) be open and cooperative in all its dealings with the Regulator; and
  • (b) ensure that any communication with the Regulator is conducted in the English language.

14.8. Employee Disclosures

14.8.1. Protection

A Relevant Person must ensure that it does not prejudice a person who discloses any information on behalf of the Relevant Person regarding money laundering to the AFSA or to any other relevant body involved in the prevention of money laundering.

A Relevant Person and a person, who submits a STR on behalf of the Relevant Person, are not subject to any civil liability or criminal prosecution under the Kazakhstan law resulting from the submission of the STR, even if they did not know precisely what the criminal activity was, and regardless of whether illegal activity actually occurred.

Guidance on Protection for Disclosures

A "relevant body" in AML 14.8.1 would include the FIU.

Figure 1 – The Risk Based Approach


Conducting a Business Risk Assessment

Consider risk factors relating to:

Customers

Countries and geographic areas of operations

Products or services

Transactions

Delivery mechanisms, channels and partners

Development of new products and new business practices

Use of new or developing technologies for both new and preexisting products and services


Develop and maintain policies, procedures, systems and controls

Proportionate with regard to the size and nature of the business

Approved by senior management

Monitored, reviewed and updated at appropriate intervals


The Business Risk Assessment informs:

Customer Risk Assessment (Chapter 5)

Customer Due Diligence (Chapter 6)

Training (Chapter 14)

Figure 2 – Customer Risk Assessment



Conducting a Customer Risk Assessment Consider the following risk factors

The nature of the customer, its ownership and control structure, and its beneficial ownership

The nature of the business relationship

The customer's origin, residence, nationality, place of incorporation or place of business

The nature of the relevant product, service or transaction

The outcomes of the Business Risk Assessment



Risk factors indicating that customer may pose a higher risk of money laundering

The business relationship is conducted in unusual circumstances

The customer is resident in a geographical area considered to be an area of high risk

The customer is a legal person or arrangement that is a vehicle for holding personal assets

The customer is a company that has nominee shareholders or shares in bearer form

The customer is a business that is cash intensive

The corporate structure of the customer is unusual or excessively complex given the nature of the company's business



Allocation of an appropriate rating to the customer of low, medium or high risk


The Customer Risk Assessment informs the nature and extent of the Customer Due Diligence measures (Chapter 6)