Entire Act

9. RELIANCE AND OUTSOURCING

9.1. Reliance on a third party

9.1.1. Permitted reliance

A Relevant Person may rely on the following third parties to conduct one or more elements of CDD on its behalf:

  1. (a) an Authorised Person;
  2. (b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;
  3. (c) a Regulated Financial Institution; or
  4. (d) a member of the Relevant Person’s Group.

9.1.2. Reliance on information previously obtained

In AML 9.1.1, a Relevant Person may rely on the information previously obtained by a third party which covers one or more elements of CDD.

9.1.3 Extent of reliance

Where a Relevant Person seeks to rely on a person in AML 9.1.1, it may only do so if and to the extent that:

  1. (a) it immediately obtains the necessary CDD information including customer and beneficial owner identification and verification documents, and information on the purpose and nature of the business relationship or transaction from the third party in AML 9.1.1;
  2. (a-a) the third parties in AML 9.1.1 have taken necessary measures within the scope of CDD, particularly, customer identification and record keeping;
  3. (b) it takes adequate steps to satisfy itself that certified copies of the documents used to undertake the relevant elements of CDD will be available from the third party on request without delay. It is deemed sufficient that the third party certifies the customer identification documents as “the true copy of the original”;
  4. (b-a) regular assurance testing is carried out in respect of the third party arrangements, to ensure that the CDD documents can be retrieved without undue delay and that the documentation received is sufficient;
  5. (c) the person in AML 9.1.1(b) to (d) is subject to regulation, including AML regulation, by a Financial Services Regulator or other competent authority in a country with AML regulations which are equivalent to the standards set out in the FATF Recommendations and it is supervised for compliance with such regulations;
  6. (d) the person in AML 9.1.1 has not relied on any exception from the requirement to conduct any relevant elements of CDD which the Relevant Person seeks to rely on; and
  7. (e) in relation to AML 9.1.2, the information is up to date.

9.1.4. Reliance on Group member

Where a Relevant Person relies on a member of its Group, such Group member need not meet the condition in AML 9.1.3(c) if:

  1. (a) the Group applies and implements a Group-wide policy on CDD and record keeping which is equivalent to the standards set by the FATF;
  2. (b) where the effective implementation of those CDD and record keeping requirements and AML programmes are supervised at Group level by a Financial Services Regulator or other competent authority in a country with AML regulations which are equivalent to the standards set out in the FATF Recommendations; and
  3. (c) the Group’s AML policies adequately mitigate any high geographical risk factors.

9.1.5. Obligation to remedy deficiencies

If a Relevant Person is not reasonably satisfied that a customer or beneficial owner has been identified and verified by a third party in a manner consistent with these Rules, the Relevant Person must immediately perform the CDD itself with respect to any deficiencies identified.

9.1.6. Responsibility for compliance

Notwithstanding the Relevant Person’s reliance on a person in AML 9.1.1, the Relevant Person remains responsible for compliance with, and liable for any failure to meet the CDD requirements in these Rules.

A Relevant Person must ensure that:

(a)a third party in AML 9.1.1 performed all appropriate CDD and record-keeping measures;

(b)the third party has an existing business relationship with the customer and that relationship is independent from the relationship to be formed by the customer with the Relevant Person; and

(c)the information provided by the third party satisfies the Relevant Person’s own CDD requirements.


Guidance on reliance

  1. (a) [intentionally omitted]
  2. (b) In complying with AML 9.1.3(a) “immediately obtaining the necessary CDD information" means obtaining all relevant CDD information, and not just basic information such as name and address of the customer or beneficial owner. Compliance can be achieved by having that relevant information sent by fax, email or other appropriate means. For the avoidance of doubt, a Relevant Person is not required automatically to obtain the underlying certified documents used by the third party to conduct its CDD. A Relevant Person must, however, under AML 9.1.3(b) ensure that the certified documents are readily available from the third party on request.
  3. (c) A Relevant Person, in complying with AML 9.1.5, should fill any gaps in the CDD process as soon as it becomes aware that a customer or beneficial owner has not been identified and verified in a manner consistent with these Rules.
  4. (d) If a Relevant Person acquires another business, either in whole or in part, the Relevant Person may rely on the CDD conducted by the business it is acquiring but would expect the Relevant Person to have done the following:
  5. (i) as part of its due diligence for the acquisition, to have taken a reasonable sample of the prospective customers to assess the quality of the CDD conducted; and
  6. (ii) to conduct CDD on all the customers to cover any deficiencies identified in (i) as soon as possible following the acquisition, prioritising high risk customers.
  7. (e) Where a jurisdiction’s laws (such as secrecy or data protection legislation) would prevent a Relevant Person from having access to CDD information upon request without delay as referred to in AML 9.1.3(b) the Relevant Person should conduct the relevant CDD itself and should not seek to rely on the relevant third party.
  8. (f) If a Relevant Person relies on a third party located in a foreign jurisdiction including Kazakhstan to conduct one or more elements of CDD, the Relevant Person must ensure that such other jurisdiction has AML regulations that are equivalent to the standards set out in the FATF Recommendations (see AML 9.1.3(c)).
  9. (g) When assessing if AML regulations in another jurisdiction are equivalent to FATF standards, a Relevant Person may consider a number of factors including, but not limited to: FATF membership, FATF Mutual Evaluation reports, FATF-style or IMF/World Bank evaluations, membership of an international or regional 'group', contextual factors such as political stability or the level of corruption, evidence of relevant criticism of a jurisdiction including FATF advisory notices or independent and public assessments of the jurisdiction's overall AML regime such as IMF/World Bank or other reports by reputable NGOs or specialised commercial agencies. A Relevant Person should, in making its assessment, rely only on sources that are up-to-date and that include the latest AML developments from a reliable and competent source. The assessment may also consider whether adequate arrangements exist for co-operation between the AML regulator in that jurisdiction and the AIFC. A Relevant Person must retain sufficient records of the sources and materials considered when undertaking this AML assessment.

9.2. Outsourcing

9.2.1. Responsibility for service providers

A Relevant Person which outsources any one or more elements of its CDD to a service provider (including within its Group) remains responsible for compliance with, and liable for any failure to meet, such obligations.

Guidance on outsourcing

A Relevant Person should conduct appropriate due diligence to assure itself of the suitability of a service provider and should ensure that the provider’s obligations are clearly documented in a binding agreement.

For general requirements regarding outsourcing refer to GEN 5.2.