Chapter 2. Risk assessment, identification and verification, and Customer Due Diligence (CDD)

4. Risk-Based Approach (RBA): In cases of non-face to face business relations, a Relevant Person should take the following steps to identify and assess the risks of money laundering and terrorist financing in compliance with Chapters 4 and 5 of the AIFC AML Rules and Chapter 3 of AML Guidance.

5. Business risk assessment: Chapter 4 of the AIFC AML Rules requires Relevant Persons to take appropriate steps to identify and assess the ML risks to which their businesses are exposed, taking into consideration the nature, size and complexity of their activities. When identifying and assessing these risks, several factors should be considered, including an assessment of the use of new technologies. For example, if an issue is identified in relation to cybersecurity (e.g., when dealing with hot wallets or using cloud computing to store data – being a ‘technology’ risk), the AFSA expects Relevant Persons to consider these risks from all perspectives to establish whether the risk triggers other issues for consideration (including ML/TF risks, technology governance and consumer protection).

6. Customer risk assessment: Relevant Persons should have a process to assess and rate all their Customers according to that customer's risk profile (and taking into consideration the Relevant Person’s RBA). This risk-based assessment is required to be undertaken for each customer prior to transacting any business on behalf of the customer. A Relevant Person must undertake Customer Due Diligence (CDD) for each customer and comply in full with Chapters 6 and 7 of the AIFC AML Rules. For the avoidance of doubt, the AFSA does not consider it appropriate for Relevant Persons to use simplified CDD when conducting the non-face to face business relations with its customers.

7. A Relevant Person shall take a decision on the establishment of non-face to face business relations with its customers independently, considering the results of ML/FT risks assessment by type of customer, country (geographic) risk, risk of product or service and delivery mechanisms, channels and partners.

8. Identification and verification: In cases of non-face to face business relations, a Relevant Person must take the following steps to identify and verify every customer in combination with the application of Chapters 5 and 6 of the AIFC AML Rules and Article 5 of the AML/CFT Law as well as Chapter 4 of AML Guidance.

9. Politically exposed Persons (PEP): Additional risk factors for PEP should at least include:

a) any particular concern over the country where the particular PEP is from, taking into account his/her position;

b) any unexplained sources of wealth or income (i.e. a value of assets owned not in line with the PEP’s income level);

c) expected receipts of large sums from governmental bodies or state-owned entities;

d) source of wealth described as commission earned on government contracts;

e) request by the PEP to associate any form of secrecy with a transaction; and

f) use of accounts at a government-owned bank or of government accounts as the source of funds in a transaction.

10. Beneficial owners: A Relevant Person must identify and establish any beneficial owner(s) of an entity or thing, beneficial ownership and control of an entity or thing, any person acting on behalf of a customer, and any representative(s) of its customer. A Relevant Person must understand and verify:

a. the customer's and beneficial owner’s sources of funds;

b. the customer's and beneficial owner’s sources of wealth.

11. Risk management: A Relevant Person must identify and establish a ML/FT risk rating for every customer, and considering the results of ML/FT risks assessment a Relevant Person may assign different risk levels which should at least include: Low, Middle and High. In cases of non-face to face business relations, a Low-risk level may be assigned to the governmental bodies or state-owned entities only. Risk management is a continuous process. The risk assessment process is not a one-time exercise, and must be revisited and reviewed on a regular basis.

12. Customer Due Diligence including Simplified and Enhanced Due Diligence: In cases of non-face to face business relations, a Relevant Person should undertake CDD in a manner proportionate to the customer’s risks of ML/FT in compliance with Chapters 6, 7 and 8 of the AIFC AML Rules and Articles 5-9 of the AML/CFT Law. A Relevant Person for verification of its customers may use one or more of the following measures and may develop additional measures provided they do not conflict with the AIFC AML Rules and AML Guidance as well as AML/CFT legislation of Kazakhstan:

a) telephone contact (welcome call);

b) sending of communications to a physical address with acknowledgement of receipt;

c) wire transfer made by the customer through a banking and financial intermediary based in Kazakhstan, AIFC jurisdiction or a jurisdiction that is a FATF member or an equivalent jurisdiction;

d) request to send countersigned documentation presented by suitable certifier (lawyer, notary public, actuary or accountant in a jurisdiction that is a FATF member or an equivalent jurisdiction);

e) check on residence, domicile, activity performed, through requests for information to the competent authorities or through on-site meetings;

f) availability of electronic digital signature of an individual/legal entity when submitting any documents;

g) gathering biometric identification:

i) fingerprinting;

ii) retinal/eye scans;

iii) facilities to enable facial recognition.

h) implement facial recognition software to validate the “selfie” against the other uploaded documentation;

j) real-time video conference call and interview with several questions for verification of a customer;

k) request that the first transaction of the customer is a face-to-face transaction;

l) completion of online questionnaires for account opening applications that require a wide range of information capable of independent verification (such as confirmation with a government authority) and then conducting the online interview based on the responses indicated in the questionnaire.

13. Where Enhanced Due Diligence measures are applied, a Relevant Person must as far as reasonably possible examine the background and purpose of all complex or unusually large transactions, unusual patterns of transactions and transactions which have no apparent economic or legal purpose. A Relevant Person must also increase the degree and nature of monitoring of the business relationship in which such transactions are made to determine whether those transactions or that relationship appear to be suspicious.

14. Ongoing customer due diligence and monitoring of customer’s activities: In cases of non-face to face business relations, a Relevant Person must establish and maintain appropriate and risk-sensitive policies and procedures to monitor business relationships and transactions on an ongoing basis in compliance with Chapter 10 of the AIFC AML Rules and Articles 5-9 of the AML/CFT Law as well as Chapters 3-5 of AML Guidance.