Alert!
Compliance Guidelines:
Oman
Simplifying the complexities of AML/CFT compliance
Regulatory Body in Oman
The regulatory body responsible for overseeing the implementation and adherence to the Anti-Money Laundering regulations and Combating the Financing of Terrorism (AML/CFT) Law in Oman is National Committee for Anti-Money Laundering and Combating the Financing of Terrorism (NAC). This committee typically serves as the primary coordinating and oversight body in countries that have it, ensuring the effective implementation of AML and CFT measures in accordance with international standards. The NAC’s role includes formulating policies, fostering inter-agency collaboration, and directing strategic efforts to combat money laundering and terrorist financing, thereby safeguarding the financial system’s integrity.
Royal Decree No. 30/2016
Risk Assessment
- Institutions must evaluate money laundering and terrorism financing risks, documenting them clearly.
- Risk factors include customer risk, countries of operation, nature of products/services, etc.
- Risk levels can vary, leading to different due diligence measures. Simplified measures are allowed under specific conditions, while enhanced measures are needed for higher risks.
Developing a Risk-Based Approach and Customer Classification
- Financial institutions must maintain a risk profile for each customer, categorizing them into various risk categories.
- Risk classifications include Low, Normal, and High risk.
Due Diligence Measures
Prohibition on Anonymous Accounts
- Opening or maintaining anonymous, fictitious, or coded accounts is prohibited.
Circumstances for Due Diligence
- When Due Diligence is Required:
- Before starting a business relationship.
- Before transactions of OMR 6000+.
- Before wire transfers of OMR 400+.
- Suspicion of illegal activities.
- Doubts about previously obtained ID info.
- Verification Sources: Reliable, independent documents issued by public authorities.
- Person Operating on Behalf of Customer: Proof of authenticity required.
- Documentary Requirements: Includes civil card, passports, commercial licenses, court orders, etc.
Identifying Representatives and Beneficial Owners
Verification of a person representing a customer and verification of beneficial owners.
- Obligation also applies to lawyers/law offices opening accounts on behalf of clients.
- Exclusions: Companies listed on stock exchanges with adequate transparency.
Identification Measures for Natural Persons and Beneficial Owners
- Information Requirements: Legal name, address, contact details, date/place of birth, nationality, occupation, ID numbers, account details, purpose of business relationship, and signature.
- Verification Methods: Official documents, utility bills, HR letters, etc.
Identification Measures for Legal Persons
- Information Requirements: Name, legal form, powers, address, contact details, purpose of business relationship, and signatures.
- Verification Methods: Good standing certificates, partnership agreements, memos, annual reports, bank references, etc.
Understanding Business and Ownership Structures
- Understanding the customer’s business nature and its ownership/control structure.
- Identify and verify:
- Natural persons with controlling ownership.
- Persons exercising control other than ownership.
- Senior managing official in absence of natural persons with control.
Account Opening for Trusts or Legal Arrangements
- Identification Measures Required: Financial institutions must obtain:
- Name, legal form, and evidence of trust or legal arrangement existence;
- The trust deed or related document detailing the powers;
- Names of all trustees;
- Mailing address, contact number, fax, and email of trustees;
- Official identification number for the trust and trustees (e.g., tax ID);
- Purpose or activities of the trust;
- Intended purpose and nature of the business relationship;
- Trustee’s signature.
- Verification Process: Verification should be through an authenticated copy of the trust agreement. Additional verification methods include:
- Undertaking from reputable lawyers or accountants;
- Prior bank references;
- Access to public or private databases.
Customer Due Diligence on Trusts or Legal Arrangements
- Entities to Identify and Verify:
- Trustees, managers, directors, or similar;
- Settlors, founders, or similar;
- The trust itself and those settling assets;
- Protectors or those with ultimate control;
- Beneficiaries;
- Signatories.
- Beneficiary Specifications: If beneficiaries aren’t defined during the business relationship establishment, they must be identified before any disbursement by the financial institutions.
Maintenance of Collected Data
- Financial institutions must ensure that all collected data is regularly updated, especially for higher risk categories.
Automated Systems for Monitoring
- Financial institutions should use automated systems to constantly monitor customer transactions and relationships, focusing particularly on high-risk cases.
Ongoing Preventive Measures
- Banks must apply Customer Due Diligence (CDD) measures to all existing business relationships, considering their risk and materiality.
Enhanced CDD for Non-Face-to-Face Relationships
- Financial institutions should use enhanced CDD measures for non-face-to-face relationships, such as document certification, additional document requests, and other verification measures.
Compliance with Identification and Verification
- If compliance isn’t met, financial institutions should not start or continue the business relationship and must file a report. Financial institutions can delay verification under certain conditions, and should have risk management procedures in place.
Correspondent Banking Relationships
- Financial institutions must have written documentation for correspondent banking relationships, especially those formed before these regulations.
Examination of Complex and Unusual Transactions
- Financial institutions should scrutinize complicated and unusual large transactions and apply enhanced CDD measures for higher risks, such as increased monitoring.
Transactions and Relations with High-Risk Countries
- Financial institutions should scrutinize transactions with high-risk countries and apply the prescribed enhanced due diligence measures.
Maintenance of Financial Records
- Retention of Customer Due Diligence Information: Financial institutions are to keep copies of all records, information, and documents gathered from customer due diligence, which includes proof of identities of customers and beneficial owners, account files, and business correspondence. These should be maintained for a minimum of ten years after ending the business relationship or conducting a transaction with a customer without an established relationship.
- Transaction Records: All records of domestic and international transactions should be stored for at least ten years post the transaction execution. These records should detail each transaction and be stored in line with a regular accounting system.
- Transaction Reports: Copies of transaction reports and relevant documents should be kept for a minimum of ten years since the report was sent to the Centre.
- Risk Assessment Records: The risk assessment and its underlying information should be stored for ten years from the date of its last update.
- Financial institutions must ensure immediate accessibility of these records to judicial authorities, the Center, and supervisory bodies upon demand.
Internal Policies, Controls, and Procedures
Development and Implementation of AML/CFT Policies
- Financial institutions should create and apply AML/CFT policies, controls, and procedures in compliance with the Law, relevant Central Bank of Oman decisions, and the Center’s instructions. These policies and procedures should:
- Address risk evaluation of customers and transactions.
- Establish identification and verification procedures for customers and beneficial owners.
- Create systems for record maintenance of customer information and transactions.
- Outline suspicious transaction reporting as per Article 47 of the Law.
- Feature an independent audit function.
- Implement a senior management-level compliance officer.
- Have recruitment screening procedures to maintain high standards.
- Provide ongoing training for stakeholders about AML/CFT requirements and new developments.
- Share and protect confidential information within the banking group.
- Include other arrangements as directed by the Central Bank of Oman.
Appointment of a Compliance Officer
- Financial institutions should appoint a senior management-level compliance officer responsible for AML/CFT obligations.
Compliance Reporting
- The compliance officer must frequently report to the Board of Directors, highlighting activities, measures taken, and the overall effectiveness of the AML/CFT program. The Central Bank of Oman can request these reports.
Independent Audit Function
- An independent audit should assess the institution’s compliance with AML/CFT policies and the Law.
Ongoing Employee Training
- Regular training is essential to keep employees updated on new developments and obligations related to AML/CFT.
Hiring and Conduct Policies
- Financial institutions should set a code of conduct and hiring criteria ensuring competence, integrity, and the absence of past offenses involving dishonest acts.
Immediate Reporting of Suspected Illicit Funds
- Entities associated with financial institutions should notify the Center immediately if they suspect illicit fund activities. All related documentation should be provided.
Responding to Requests from the Center
- Upon the Center’s request, financial institutions must provide all relevant data within the specified timeframe.
High ML/TF Risks
Identifying High ML/TF Risks
- Financial institutions should apply enhanced due diligence for cases with higher money laundering or terrorism financing risks. Various indicators, including customer risk factors, country risk factors, and product or service risk factors, are provided.
Enhanced Due Diligence for High-Risk Customers
- Financial institutions should employ enhanced measures for high-risk scenarios, including obtaining additional information, updating data more frequently, getting senior management’s approval, and other listed measures.