---
name: draft-aml-policy
description: Use when asked to draft an Anti-Money Laundering (AML) and Know-Your-Customer (KYC) policy for a financial services or fintech business. Covers the mandatory components under FATF Recommendations and jurisdiction-specific frameworks (SAMA/KSA, UAE Federal, DFSA, ADGM/FSRA, DIFC, Lebanon BDL/SIC, EU 6AMLD, US BSA/FinCEN). P0 priority for regulated entities — incomplete AML policies are a regulatory enforcement trigger.
license: MIT
metadata:
  id: draft.AML-policy
  category: draft
  practice_area: regulatory
  jurisdictions: [KSA, UAE, DIFC, ADGM, LB, EG, EU, US, GCC]
  priority: P0
  intent: [aml policy, anti money laundering, KYC, MLRO, compliance, fintech]
  related: [draft-compliance-manual, draft-board-resolution, review-regulatory-compliance]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---

# Draft — AML / KYC Policy

## When to use this

Use this skill when:

- A regulated entity (bank, NBFI, payment service, fintech, crypto exchange, law firm, real estate agent) needs an AML/KYC policy to satisfy licensing conditions or regulatory audit.
- An existing policy requires updating after a regulatory change (new FATF guidance, local amendment).
- A new business line or product triggers fresh AML obligations.
- An annual policy review is due.

This is a P0 skill. Inadequate AML policies are among the most common triggers for regulatory enforcement action in MENA, EU, and US jurisdictions.
## Required inputs

| Input | Why it matters |
|---|---|
| Entity scope | Which group entities are covered; subsidiaries require separate policies or a consolidated group policy |
| Regulatory jurisdiction(s) | Determines the specific framework; FATF baseline + local overlay |
| Business model | Transaction types, customer types, geographies — these drive the risk-based approach |
| MLRO designation | Money Laundering Reporting Officer identity and reporting line |
| Customer segments | Retail, corporate, institutional, PEPs, VASPs (virtual asset service providers) |

## Mandatory components

### 1. Policy statement

A clear commitment from the Board of Directors (or equivalent governing body) to:

- Comply with applicable AML/CFT (Counter-Financing of Terrorism) laws.
- Maintain a risk-based compliance program.
- Allocate adequate resources to AML compliance.

The policy statement must be signed by the Board or senior management and dated.

### 2. MLRO appointment

- Full name, title, and contact information of the Money Laundering Reporting Officer (MLRO) — or equivalent role (Compliance Officer, Designated Compliance Function).
- Reporting line: MLRO reports directly to the Board or a Board Committee; must not report through a business line that generates revenue.
- Deputy MLRO: designate a deputy for absence/incapacity.
- MLRO authority: can refuse a transaction, file an STR, or escalate without commercial pressure.

### 3. Risk-based approach (RBA)

The RBA is the foundation of the FATF framework. The policy must describe:

- **Business-wide risk assessment (BWRA)**: identify and assess the ML/TF risks inherent in the entity's products, services, customers, delivery channels, and geographic exposure.
- **Customer risk categorization**: segment customers into Low, Medium, and High risk tiers with criteria for each.
- **Risk scoring model**: document the factors used (customer type, geography, product, transaction behavior, PEP status, sanctions exposure).
- Review cycle for the BWRA: at least annually and after any material change to business model.

### 4. Customer Due Diligence (CDD)

**Standard CDD** (all customers):

- Verify identity using reliable, independent documentary evidence.
- For individuals: government-issued photo ID (passport, national ID), date of birth, address.
- For entities: certificate of incorporation, memorandum/articles, register of directors, ultimate beneficial owner (UBO) identification.
- **UBO threshold**: 25% ownership or control is the FATF standard; some jurisdictions use 10% or 20% — verify local rule.
- Understand the nature and purpose of the business relationship.
- Obtain source of wealth for high-risk relationships.

**Simplified CDD**: available for demonstrably low-risk customers (listed companies on regulated exchanges, regulated financial institutions, government entities) — document the rationale.

**Ongoing CDD**: monitor the business relationship; update records when there is a material change; apply periodic review based on risk tier.

### 5. Enhanced Due Diligence (EDD)

EDD must be applied to:

- **Politically Exposed Persons (PEPs)** — current and former; domestic and foreign; including family members and close associates.
- **High-risk geographic jurisdictions** — FATF grey-listed or black-listed jurisdictions; jurisdictions with known ML/TF risk (update list at least quarterly).
- **Cash-intensive businesses** — money service businesses, real estate, precious metals/stones.
- **Virtual asset service providers (VASPs)** — additional obligations under FATF Recommendation 15 and jurisdictional VASP regimes (VARA in UAE, ADGM FSRA).
- **High-value transactions** — above a defined threshold (jurisdiction-specific; commonly $15,000 / equivalent for wire transfers).
- **Complex or unusual transaction structures**.

EDD measures include:

- Additional identity verification.
- Senior management approval for account opening.
- Source of funds and source of wealth documentation.
- Enhanced ongoing monitoring.

### 6. Ongoing transaction monitoring

- Systems and processes to monitor customer transactions for patterns inconsistent with the customer's risk profile and stated business.
- **Threshold-based alerts**: transaction amounts above defined limits trigger review.
- **Pattern-based alerts**: structuring (breaking large transactions into smaller amounts to avoid reporting thresholds), unusual geographic patterns, unusually rapid movement of funds.
- Alert review process: triage, investigation, escalation to MLRO.
- Monitoring should be both automated (transaction monitoring system) and manual (relationship manager observation).

### 7. Sanctions screening

- Screen all customers, beneficial owners, and counterparties against applicable sanctions lists.
- **Lists to screen**:
  - UN Security Council Consolidated List.
  - OFAC (US Specially Designated Nationals) — required for USD transactions and US-connected entities.
  - EU Consolidated List.
  - UK HM Treasury Sanctions List.
  - Local lists (UAE CBUAE list, KSA SAFIU list, Lebanese counterterrorism list, etc.).
- **Screening frequency**: at onboarding; at each transaction where feasible; daily batch screening for name-list changes.
- **Match handling**: documented escalation procedure; freeze assets and report where required; seek regulatory guidance on complex matches.
- **Sanctions violations are strict liability** in most jurisdictions — no mental element required.

### 8. Suspicious Activity Reports (SARs / STRs)

- **Filing obligation**: when the MLRO has knowledge or suspicion (or reasonable grounds for suspicion) that a transaction involves proceeds of crime or ML/TF.
- **Filing authority**: MLRO is the sole person authorized to file; staff report suspicions internally to MLRO.
- **Tipping-off prohibition**: it is a criminal offense in most jurisdictions to disclose to the subject that a SAR has been filed.
- **Jurisdiction-specific filing**:
  - UAE: goAML platform (Central Bank UAE).
  - KSA: Financial Investigation Unit (FIU), Saudi Ministry of Interior.
  - DIFC: DFSA.
  - ADGM: FSRA.
  - LB: Special Investigation Commission (SIC), Banque du Liban.
  - EU: national FIU of member state.
  - US: FinCEN via BSA e-filing.
- **Time limits**: typically 30 days from becoming aware of the suspicion; faster for urgent matters.

### 9. Record retention

- **Standard period**: 5 years from end of business relationship or transaction (FATF baseline).
- **Extended periods**: some jurisdictions require 7–10 years (verify local rule).
- **What to retain**: CDD documentation, transaction records, STR/SAR filings, correspondence, training records.
- Records must be retrievable within a reasonable time for regulatory inspection.

### 10. Staff training

- **Annual mandatory training**: all staff must complete AML/CFT training annually; records maintained.
- **Role-specific training**: front-line staff (onboarding, relationship management), compliance team, senior management.
- **New hire training**: AML training within first 30 days of employment.
- Training must cover: red flags, SAR filing procedure, tipping-off prohibition, sanctions, and the firm's specific risk profile.

### 11. Independent audit and testing

- Annual independent review of the AML program (internal audit or external third party).
- Testing should cover: CDD quality, transaction monitoring effectiveness, SAR filing completeness, sanctions screening accuracy, training records.
- Findings and management responses documented; tracked to remediation.
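The monitoring and triage steps in section 6 above (threshold-based alerts, pattern-based alerts for structuring and unusual geography, escalation to the MLRO) as a small rule engine run over constructed transactions. This is an added example, not code from the skill or the HAQQ Legal AI project; the reporting threshold, the structuring window and band, the escalation multiplier, the customer profiles and the sample transactions are all assumptions chosen for illustration, and a production system would read them from the entity's documented risk assessment.

```python
"""Constructed example of rule-based transaction monitoring with MLRO triage.
Thresholds, window, band and sample data are assumptions, not regulatory values."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

REPORTING_THRESHOLD = 10_000.0          # assumed reporting limit in the base currency
STRUCTURING_BAND = 0.7                  # "just below" = 70%..100% of the threshold
STRUCTURING_WINDOW = timedelta(days=7)  # look-back for clustered sub-threshold cash
STRUCTURING_MIN_COUNT = 3
ESCALATE_MULTIPLIER = 2                 # single hits at 2x the limit go straight to the MLRO


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    timestamp: datetime
    amount: float
    channel: str   # "cash" or "wire"
    country: str   # counterparty country, ISO 3166-1 alpha-2


@dataclass
class CustomerProfile:
    customer_id: str
    risk_tier: str                 # Low / Medium / High from the risk scoring model
    expected_countries: Set[str]   # geographies declared as the customer's stated business


@dataclass
class Alert:
    rule: str
    customer_id: str
    txn_ids: List[str]
    detail: str
    status: str = "open"   # open -> investigating -> escalated_to_mlro / closed


def threshold_alerts(txns: List[Transaction]) -> List[Alert]:
    """Threshold-based alert: any single transaction at or above the reporting limit."""
    return [Alert("threshold", t.customer_id, [t.txn_id],
                  f"{t.channel} {t.amount:,.0f} >= {REPORTING_THRESHOLD:,.0f}")
            for t in txns if t.amount >= REPORTING_THRESHOLD]


def structuring_alerts(txns: List[Transaction]) -> List[Alert]:
    """Pattern-based alert: several sub-threshold cash transactions by one customer
    inside the window whose total would have crossed the reporting limit."""
    lo = STRUCTURING_BAND * REPORTING_THRESHOLD
    by_cust: Dict[str, List[Transaction]] = {}
    for t in txns:
        if t.channel == "cash" and lo <= t.amount < REPORTING_THRESHOLD:
            by_cust.setdefault(t.customer_id, []).append(t)
    alerts: List[Alert] = []
    for cust, cand in by_cust.items():
        cand.sort(key=lambda t: t.timestamp)
        i = 0
        while i < len(cand):
            j = i
            while j < len(cand) and cand[j].timestamp - cand[i].timestamp <= STRUCTURING_WINDOW:
                j += 1
            window = cand[i:j]
            total = sum(t.amount for t in window)
            if len(window) >= STRUCTURING_MIN_COUNT and total >= REPORTING_THRESHOLD:
                alerts.append(Alert("structuring", cust, [t.txn_id for t in window],
                                    f"{len(window)} cash txns totalling {total:,.0f} "
                                    f"within {STRUCTURING_WINDOW.days} days"))
                i = j   # skip past the cluster so it is not alerted twice
            else:
                i += 1
    return alerts


def geography_alerts(txns: List[Transaction], profiles: Dict[str, CustomerProfile]) -> List[Alert]:
    """Pattern-based alert: counterparty country inconsistent with the stated business."""
    alerts: List[Alert] = []
    for t in txns:
        p = profiles.get(t.customer_id)
        if p is not None and t.country not in p.expected_countries:
            alerts.append(Alert("geography", t.customer_id, [t.txn_id],
                                f"counterparty in {t.country}, expected {sorted(p.expected_countries)}"))
    return alerts


def triage(alert: Alert, txns_by_id: Dict[str, Transaction]) -> str:
    """Alert review: structuring and very large single hits escalate to the MLRO,
    everything else opens an investigation for the compliance team."""
    biggest = max(txns_by_id[i].amount for i in alert.txn_ids)
    if alert.rule == "structuring" or biggest >= ESCALATE_MULTIPLIER * REPORTING_THRESHOLD:
        alert.status = "escalated_to_mlro"
    else:
        alert.status = "investigating"
    return alert.status


def run_monitoring(txns: List[Transaction], profiles: Dict[str, CustomerProfile]) -> List[Alert]:
    alerts = threshold_alerts(txns) + structuring_alerts(txns) + geography_alerts(txns, profiles)
    by_id = {t.txn_id: t for t in txns}
    for a in alerts:
        triage(a, by_id)
    return alerts


# Constructed sample data (not real customers or transactions).
DAY0 = datetime(2024, 1, 1)
SAMPLE_PROFILES = {
    "C001": CustomerProfile("C001", "Low", {"AE"}),
    "C002": CustomerProfile("C002", "Medium", {"AE", "SA"}),
    "C003": CustomerProfile("C003", "Low", {"AE"}),
}
SAMPLE_TXNS = [
    Transaction("T1", "C001", DAY0 + timedelta(days=1), 9_500, "cash", "AE"),
    Transaction("T2", "C001", DAY0 + timedelta(days=3), 9_800, "cash", "AE"),
    Transaction("T3", "C001", DAY0 + timedelta(days=5), 9_200, "cash", "AE"),
    Transaction("T4", "C002", DAY0 + timedelta(days=2), 25_000, "wire", "SA"),
    Transaction("T5", "C002", DAY0 + timedelta(days=4), 4_000, "wire", "GB"),
    Transaction("T6", "C003", DAY0 + timedelta(days=2), 9_000, "cash", "AE"),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_TXNS, SAMPLE_PROFILES):
        print(a.rule, a.customer_id, a.txn_ids, a.status, "-", a.detail)
```

Run on the sample data, C001's three cash deposits raise one structuring alert (each is under the limit, together they exceed it inside the window), C002's large wire raises a threshold alert that escalates directly, C002's smaller wire to a country outside the stated business raises a geography alert that goes to investigation, and C003's single sub-threshold deposit raises nothing. The same structure maps onto the section 11 testing item "transaction monitoring effectiveness": each rule is a function that can be exercised with known inputs and expected alerts.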
## Jurisdictional overlay — key specifics

| Jurisdiction | Primary framework | Key regulator | Notable requirements |
|---|---|---|---|
| **KSA** | AML Law (Royal Decree M/20 2003, amended) + SAMA Rules | SAFIU; SAMA | Zakat-based entities have modified requirements; designated non-financial businesses (DNFBPs) regulated |
| **UAE Federal** | Federal Decree-Law 20/2018 on AML/CFT + CBUAE regulations | CBUAE; goAML | 60-day registration on goAML required; DNFBP register |
| **DIFC** | DFSA AML Module (AMI) | DFSA | Periodic AML returns filed with DFSA; DFSA AML inspections |
| **ADGM** | FSRA AML Rulebook | FSRA | Alignment with DIFC/DFSA approach but separate filing |
| **LB** | Law 44/2015 (AML/CFT) + BDL circulars | Special Investigation Commission (SIC) | Banks: enhanced CDD on cash transactions; STRs to SIC |
| **EU** | 6th AML Directive (6AMLD) + national implementation | National FIU | Cross-border information sharing; criminal liability for legal persons |
| **US** | Bank Secrecy Act (BSA) + FinCEN rules + PATRIOT Act | FinCEN; federal banking regulators | CTRs for transactions >$10,000; CIP rules; beneficial ownership rule |

## Critical for fintech and virtual assets

- **VARA (UAE)**: Virtual Assets Regulatory Authority in Dubai — VASP license requires dedicated VASP AML policy on top of standard AML program.
- **ADGM FSRA**: Virtual Asset Framework — specific CDD and ongoing monitoring for virtual asset businesses.
- **FATF Travel Rule (Recommendation 16)**: transfers of virtual assets above USD 1,000 / EUR 1,000 must be accompanied by originator and beneficiary information; the implementing jurisdiction's threshold may differ. Technology implementation (TRISA, OpenVASP, or similar) must be operational.
- **Real-time monitoring**: fintech transaction monitoring must handle high velocity and 24/7 operations; static rule-based systems are often insufficient; behavioral analytics expected.
## Implementation checklist

- [ ] MLRO appointed, mandate documented, reported to regulator where required
- [ ] Board-approved policy in place, signed, dated
- [ ] Business-wide risk assessment completed and documented
- [ ] CDD procedures in place with UBO identification
- [ ] EDD procedures defined for PEPs, high-risk jurisdictions, VASPs
- [ ] Sanctions screening tool operational with at minimum UN + OFAC + local lists
- [ ] Transaction monitoring system operational (automated alerts + manual review)
- [ ] SAR/STR filing procedure documented; MLRO trained
- [ ] Staff training delivered; records retained
- [ ] Independent annual review scheduled
- [ ] Record retention system in place for 5–7 years

## Related skills

- [[draft-compliance-manual]]
- [[draft-board-resolution]]
- [[review-regulatory-compliance]]