Back to Article

Guidance (Requirements) for the purposes of counteracting the legalisation (laundering) of proceeds from crime and the financing of terrorism, applicable to the Customer Due Diligence in cases when the Astana International Financial Centre Participants (the Relevant Persons) establish non-face to face business relations with customers


Chapter 1. Background

1. This Guidance applicable to the Customer Due Diligence in cases of non-face to face business relations (hereinafter referred to as this Guidance):

a. is aimed at counteracting the legalisation (laundering) of proceeds from crime and the financing of terrorism for financial monitoring entities of the Astana International Financial Centre;

b. is applicable to Astana International Financial Centre Participants (the Relevant Persons);

c. is developed in accordance with the Law of the Republic of Kazakhstan “On counteracting the legalisation (laundering) of proceeds from crime and the financing of terrorism” (hereinafter referred to as “the AML/CFT Law”) and the Recommendations of the Financial Action Task Force (hereinafter referred to as “FATF”); and

d. has been developed by the Astana Financial Services Authority (hereinafter referred to as “the AFSA”) in compliance with the requirements of AML/CFT Law, AIFC AML Rules, and Guidance (Requirements) applicable to the Rules of Internal Control for the purposes of the AML/CFT (hereinafter referred to as “AML Guidance”). 

2. This Guidance aims to promote Relevant Persons’ understanding of risks associated with conducting non-face to face business, specifically with remote customer identification and the required measures for implementing the non-face-to-face customer identification, and aims to prevent involvement or attempted involvement of Relevant Persons in money laundering and terrorist financing (hereinafter referred to as “ML/TF”).

3. A Relevant Person:

a. in its AML policy, controls and procedures (internal control rules) must establish procedures of Customer Due Diligence (CDD) in cases when the Relevant Person is establishing and maintaining non-face to face business relations with its customers; and

b. shall take all reasonable steps to hold and update internal documents and maintain a complete profile of clients.

Chapter 2. Risk assessment, identification and verification, and Customer Due Diligence (CDD)

4. Risk-Based Approach (RBA): In cases of non-face to face business relations, a Relevant Person should take the following steps to identify and assess the risks of money laundering and terrorist financing in compliance with Chapters 4 and 5 of the AIFC AML Rules and Chapter 3 of AML Guidance.

5. Business risk assessment: Chapter 4 of the AIFC AML Rules requires Relevant Persons to take appropriate steps to identify and assess the ML risks to which their businesses are exposed, taking into consideration the nature, size and complexity of their activities. When identifying and assessing these risks, several factors should be considered, including an assessment of the use of new technologies. For example, if an issue is identified in relation to cybersecurity (e.g., when dealing with hot wallets or using cloud computing to store data – being a ‘technology’ risk), the AFSA expects Relevant Persons to consider these risks from all perspectives to establish whether the risk triggers other issues for consideration (including ML/TF risks, technology governance and consumer protection).

6. Customer risk assessment: Relevant Persons should have a process to assess and rate all their Customers according to that customer's risk profile (and taking into consideration the Relevant Person’s RBA). This risk-based assessment is required to be undertaken for each customer prior to transacting any business on behalf of the customer. A Relevant Person must undertake Customer Due Diligence (CDD) for each customer and comply in full with Chapters 6 and 7 of the AIFC AML Rules. For the avoidance of doubt, the AFSA does not consider it appropriate for Relevant Persons to use simplified CDD when conducting the non-face to face business relations with its customers.

7. A Relevant Person shall take a decision on the establishment of non-face to face business relations with its customers independently, considering the results of ML/FT risks assessment by type of customer, country (geographic) risk, risk of product or service and delivery mechanisms, channels and partners.

8. Identification and verification:In cases of non-face to face business relations, a Relevant Person must take the following steps to identify and verify every customer in combination with the application of Chapters 5 and 6 of the AIFC AML Rules and Article 5 of the AML/CFT Law as well as and Chapter 4 of AML Guidance.

9. Politically exposed Persons (PEP):Additional risk factors for PEP should at least include:

a) any particular concern over the country where the particular PEP is from, taking into account his/her position;

b) any unexplained sources of wealth or income (i.e. a value of assets owned not in line with the PEP’s income level);

c) expected receipts of large sums from governmental bodies or state-owned entities;

d) source of wealth described as commission earned on government contracts;

e) request by the PEP to associate any form of secrecy with a transaction; and

f) use of accounts at a government-owned bank or of government accounts as the source of funds in a transaction.

10. Beneficial owners: A Relevant Person must identify and establish any beneficial owner(s) of an entity or thing, beneficial ownership and control of an entity or thing, any person acting on behalf of a customer, and any representative(s) of its customer. A Relevant Person must understand and verify:

a. the customer's and beneficial owner’s sources of funds;

b. the customer's and beneficial owner’s sources of wealth.

11. Risk management: A Relevant Person must identify and establish a ML/FT risk rating for every customer, and considering the results of ML/FT risks assessment a Relevant Person may assign different risk levels which should at least include: Low, Middle and High. In cases of non-face to face business relations, a Low-risk level may be assigned to the governmental bodies or state-owned entities only. Risk management is a continuous process. The risk assessment process is not a one-time exercise, and must be revisited and reviewed on a regular basis.

12. Customer Due Diligence including Simplified and Enhanced Due Diligence: In cases of non-face to face business relations, a Relevant Person should undertake CDD in a manner proportionate to the customer’s risks of ML/FT in compliance with Chapters 6, 7 and 8 of the AIFC AML Rules and Articles 5-9 of the AML/CFT Law. A Relevant Person for verification of its customers may use one or more of the following measures and may develop additional measures provided they do not conflict with the AIFC AML Rules and AML Guidance as well as AML/CFT legislation of Kazakhstan:

a) telephone contact (welcome call);

b) sending of communications to a physical address with acknowledgement of receipt;

c) wire transfer made by the customer through a banking and financial intermediary based in Kazakhstan, AIFC jurisdiction or a jurisdiction that is a FATF member or an equivalent jurisdiction;

d) request to send countersigned documentation presented by suitable certifier (lawyer, notary public, actuary or accountant in a jurisdiction that is a FATF member or an equivalent jurisdiction);

e) check on residence, domicile, activity performed, through requests for information to the competent authorities or through on-site meetings;

f) availability of electronic digital signature of an individual/legal entity when submitting any documents;

g) gathering biometric identification:

i) fingerprinting;

ii) retinal/eye scans;

iii) facilities to enable facial recognition.

h) implement facial recognition software to validate the “selfie” against the other uploaded documentation;

j) real-time video conference call and interview with several questions for verification of a customer;

k) request that the first transaction of the customer is a face-to-face transaction

l) completion of online questionnaires for account opening applications that require a wide range of information capable of independent verification (such as confirmation with a government authority) and then conducting the online interview based on the responses indicated in the questionnaire.

13. Where Enhanced Due Diligence measures are applied, a Relevant Person must as far as reasonably possible examine the background and purpose of all complex or unusually large transactions, unusual patterns of transactions and transactions which have no apparent economic or legal purpose. A Relevant Person must also increase the degree and nature of monitoring of the business relationship in which such transactions are made to determine whether those transactions or that relationship appear to be suspicious.

14. Ongoing customer due diligence and monitoring of customer’s activities: In cases of non-face to face business relations, a Relevant Person must establish and maintain appropriate and risk-sensitive policies and procedures to monitor business relationships and transactions on an ongoing basis in compliance with Chapter 10 of the AIFC AML Rules and Articles 5-9 of the AML/CFT Law as well as Chapters 3-5 of AML Guidance.

Chapter 3. Reliance on a third party

15. A Relevant Person may rely on the following third parties to conduct one or more elements of CDD, identification and verification on its behalf in cases of non-face to face business relations in compliance with Chapter 9 of the AIFC AML Rules:

a) an Authorised Person[1];

b) a law firm, notary, or other independent legal business, accounting firm, audit firm or insolvency practitioner or an equivalent person in another jurisdiction;

c) a Regulated Financial Institution;

d) a member of the Relevant Person’s Group; or

e) databases of government authorities[2].

The Relevant Person, however, retains responsibility for any failure to comply with a requirement of the AIFC AML Rules, as this responsibility cannot be delegated.

16. The existence of the consent of the customer to the gathering, processing, storage and provision, including, if necessary, to third parties, of his/her personal data, confirmed by an identification tool is obligatory for Relevant Persons.


[1] Either an Authorised Firm or an Authorised Market Institution as defined in the AIFC Glossary

[2] Government authorities of Kazakhstan and jurisdictions that are the FATF member or the equivalent jurisdictions

Chapter 4. Prohibitions and sanction lists

17. In cases of non-face to face business relations, a Relevant Person must not establish or maintain a business relationship with a Shell Bank and anonymous accounts or accounts in obviously fictitious names.

18. Prohibitions indicated in paragraph 6.6 of Chapter 6 of the AIFC AML Rules are applicable in cases of non-face to face business relations.

19. A Relevant Person must not establish non-face to face business relations with an individual/legal entity included in at least the following lists:

a) Kazakhstan lists:

i) list of persons involved in terrorist activity;

ii) list of persons and organisations associated with the financing of terrorism and extremism;

iii) list of persons and organisations associated with the financing of proliferation of weapons of mass destruction.

b) UN sanctions and resolutions;

c) UNSC sanctions and resolutions;

d) FATF high-risk jurisdictions list.

Chapter 5. Reporting, record keeping and data protection

20. Reporting to Financial monitoring authority: In cases of non-face to face business relations a Relevant Person should familiarise themselves with their reporting obligations under Chapter 13 of AIFC AML Rules, Article 13 of the AML/CFT Law and Chapter 5 of Guidance (Requirements) applicable to the Rules of Internal Control for the purposes of the AML/CFT, in particular in relation to the reporting of suspicious activities/transactions and threshold transactions.

21. Record keeping: A Relevant Person must keep all records in cases of non-face to face business relations in compliance with Chapter 14 of the AIFC AML Rules. As proper documentation is one of the main pillars of ensuring AML/CFT compliance, a Relevant Person is required to have policies and procedures in place to ensure proper record-keeping practices. It is expected that a Relevant Person will maintain up to date records in accordance with the CDD obligations applicable to it and be prepared to provide the records upon request from the AFSA.

22. Data protection: A Relevant Person is required to establish data protection systems to keep all records relating to CDD, risk assessment, reporting and customer profile in compliance with the requirements of the Law of the Republic of Kazakhstan on personal data protection dated May 21, 2013, and AIFC Data Protections Regulations and Rules.