AML Compliance Guidelines: Saudi Arabia

Saudi Arabia, possessing the second highest oil reserves, is the leading oil exporter of the world, and the largest economy in the Middle East. The Kingdom has experienced rapid changes in recent years, especially a drastic increase in digital transactions, resulting from its Vision 2030 to diversify its economy and decrease reliance on oil exports.

The country also hosts one of the highest expat workforce, paving the way for the largest remittance sector only behind the USA. As per 2018’s mutual evaluation report, the scale of illicit funds in Saudi Arabia is estimated to be between $12 to $30 billion annually, and 70 to 80 percent of these funds are flown out of the country.

Factors like significant inflows from oil exports, the second largest remittance sector, proximity to conflict-prone regions, and roots of extremist ideologies give rise to significant risks of money laundering and terrorism financing.

To counter these risks and protect the integrity of the Kingdom, Saudi Arabia has implemented a strong AML/CFT regulatory framework incorporating international standards set by the Financial Action Task Force (FATF). After completing the process of a mutual evaluation report in 2018, Saudi Arabia became a full member of the FATF in 2019.

Overview of AML Regulatory Framework

AML/CFT legal framework in Saudi Arabia is governed by the specialized laws for money laundering and terrorism financing and their implementing regulations. The implementation of this legal framework for AML/CFT is overseen by and enforced by several supervisory authorities both in the financial and non-financial sector.

Anti-Money Laundering Permanent Committee (AMLPC)

The AMLPC, a high-level committee, consisting of representatives from all relevant ministries and competent authorities including supervisory bodies, is headquartered in the Saudi Central Bank (SAMA) head office in Riyadh. Since its formation, AMLPC has been working to build, improve and develop a legal and institutional framework to ensure the Kingdom is compliant with the updated FATF recommendations.

Saudi Arabia Financial Intelligence Unit (SAFIU)

The SAFIU is a national body with sufficient operational independence it reports to the President of the State Security. It is responsible for receiving reports of suspected cases of money laundering and terrorism financing. It analyzes these reports to identify trends and particular areas of concern and submitting verified reports to the competent authorities for further investigation and action.

Saudi Arabia’s Anti-Corruption Commission (NAZAHA)

In order to promote transparency in the Kingdom and ensure compliance with internal national conventions on corruption, Saudi Arabia has implemented a comprehensive national strategy to protect integrity and combat corruption. The Anti-Corruption Authority is responsible for implementing this strategy in the Kingdom. Its core functions include collecting and analyzing data and reports, identifying loopholes, and proposing required systems and policies to combat corruption. It is also responsible to collect periodic reports under financial disclosure obligations and to establish a direct whistle-blowing channel for the public against suspected corrupt activities.

AML/CFT Regulatory Authorities in Saudi Arabia

Capital Market Authority (CMA)

CMA is an independent government body responsible for developing and regulating the capital market in the Kingdom. CMA regulates companies operating in the capital market and issues specific rules, guidelines, and instructions to assist and ensure their compliance with the applicable laws. One such specific rule for capital market operators issued by the CMA is a prohibition on accepting cash from clients, whether it’s for investment purposes or payment of any service fees.

Saudi Arabian Monetary Authority (SAMA)

SAMA is the central bank of Saudi Arabia and plays a significant role in AML regulations. It issues AML rules and instructions, sets regulatory standards, and supervises financial institutions’ compliance with AML and CFT regulations.

Ministry of Commerce and Investment (MOCI)

The Ministry of Commerce and Investment licenses and oversees the commercial activities in the Kingdom. It also supervises activities of certain DNFBP sectors, including real estate agents, chartered accountants, and dealers in precious metals and stones. MOCI also issues guidelines for the regulated entities to ensure their compliance with AML/CFT regulations.

Ministry of Justice (MoJ)

MOJ issues manuals and guidelines related to AML and Counter-Terrorism Financing (CFT). These manuals provide practical guidance to entities subject to AML regulations.

Ministry of Labor and Social Development

The Ministry of Labor and Social Development oversees non-profit organizations (NPOs) and ensures their operations comply with AML/CFT obligations.

Key AML/CFT Laws

Law on Combating Terrorism Crimes and Financing (CFT Law of 2017)

The CFT Law of 2017 is the primary piece of legislation that criminalizes acts of terrorism and terrorism financing. It stipulates measures to combat terrorism and its financing and sets penalties for any violation of this law and its implementing regulations. CFT Law also sets out the obligations of the FIs and DNFBPs to counter the acts of terrorism and its financing.

Anti-Money Laundering Law (AML Law of 2017)

The AML Law of 2017 of Saudi Arabia is the primary legislation that outlines the country’s AML framework. It provides obligations of the reporting entities to detect, prevent and mitigate risks of money laundering. The AML Law also empowers supervisory authorities to issue guidelines and instructions, to conduct onsite and offsite inspections, and to enforce penalties in case of any detected violations of the AML laws, its implementing regulations or any instructions.

Other relevant Laws:

In addition to above AML/CFT Laws, reporting entities are regulated by the relevant laws of their sectors. The Finance Companies Control Law regulates finance companies, the Banking Control Law regulates the banking sector, and the Law of Payments and Payment Services regulates PSPs.

Entities subject to AML/CFT Laws in Saudi Arabia:

• Banks
• Credit Institutions
• Payment Institutions
• Investment Companies
• Investment management companies
• Foreign Exchange Companies
• Financial Services Companies
• Insurance Companies and Intermediaries
• Financial Leasing Companies
• Issuers of means of payment (like Credit/Debit Cards or travels cheques)
• Safe Deposit Box Providers
• Dealers in Gold, Precious Metals and Stones
• Notaries, Accountants and Legal Professionals
• Trust and Company Service Providers
• Real Estate Brokers
• Key Obligations under AML/CFT Laws in Saudi Arabia

What is risk assessment?

The foundation of a risk-based approach (RBA) is the risk assessment process. Obliged entities should understand and document its money laundering and terrorism financing risks and identify vulnerabilities that could be exploited for ML/TF purposes. This process should also take in account risks emanating from:

• Different categories of transactions, customers and beneficial owners
• Nature of products and services offered
• Geographical regions and countries
• Delivery channel used to provide products, services and transactions
• Adoption of new technologies, products or services
• Any other factors identified by the obliged entities

Internal Policies, Procedures and Controls

Obliged entities should develop internal policies, procedures and controls in accordance with their risk assessment to mitigate risks of money laundering and terrorism financing.

Due Diligence Measures

Obliged entities are required to apply due diligence measures when establishing a business relationship, carrying out an occasional transaction, ML/TF risks are detected, or doubts arise about the identification information obtained previously. The due diligence measures must be proportionate to identified risks and at a minimum include policies and procedures to:

• Identify customer and beneficial owners and verify their identity
• Verify if anyone claiming to act on behalf of a customer is authorized to so, and verify their identity
• Assess and obtain details on ownership and control structure of legal persons or legal arrangements
• Assess and if required, obtain additional information on the nature and purpose of the business relationship

Enhanced Due Diligence Measures

FIs and DNFBPs should apply enhanced due diligence measures where a customer or beneficial owner is

• Assessed to have higher ML/TF risks
• Classified as high risk in the risk assessment process
• Associated with a country present on the high risk country list
• Politically exposed person (PEP), a family member or close associate of a PEP

EDD measures should be appropriate to the identified risks and include:

• Obtaining additional information about customer’s profession or activity
• Obtaining and verifying source of funds/wealth/income of the customer
• Obtaining information about expected frequency and size of transactions
• Onsite visit to verify the nature of the customer’s business activity
• Obtaining senior management approval to establish or continue a business relationship

Politically Exposed Persons (PEP)

Under the Article 8 of the AML Law, a PEP is defined as a person assigned with a prominent public function within the Kingdom or abroad or a senior management position in an international organization, whereas implementing regulations extend this definition to family members and close associates of PEP.

Reporting entities are required to determine if any of their customers or beneficial owner is a PEP, a family member, or a close associate of PEP at the time of establishing a business relationship, or has become one during the course of business relationship, and apply enhanced due diligence measures.

SAMA AML/CFT Guide encourages obliged entities to have effective PEP identification systems as part of their due diligence process. It recommends using a combination of different PEP screening tools and measures including searching through publicly available sources and opting for credible databases, including the use of programs or information systems (AML screening solutions) for PEP identification.

Simplified Due Diligence Measures

FIs and DNFBPs are allowed to apply simplified due diligence measures in cases of low ML/TF risks. However, minimum customer due diligence measures are applicable in all cases, but obliged entities have liberty to decide the nature and extent of the information to be obtained, frequency of periodic reviews or delaying the verification of identity necessary to avoid disruption of usual business processes.

Record Keeping

Obliged entities should document and retain records of due diligence activities, transactions, and any communications with customers or FIU for at least 10 years after terminating the business relationship with a client.

Ongoing Monitoring

FIs and DNFBPs should have policies and procedures in place to monitor documents, data, and transactions to ensure they match the risk profile, obliged entity’s knowledge of the customer, business activity or, where applicable, source of funds of the customer. Reporting entities should investigate any unusually large or complex transactions or transactions which lack clear economic or legal purpose. In case, any new developments or risks are detected, the risk profile of the customer should be updated accordingly.

Reporting of Suspicious Transactions

An obliged entity that suspects or has reasonable grounds to suspect that funds are proceeds of crime or part of a money laundering scheme, including any attempted transactions, shall report such transactions to FIU without delay with all the available information about such transactions and parties involved.

AML/CFT Compliance Function

Having an AML/CFT compliance function means arranging and allocating necessary human and technological resources and having policies, procedures, and systems in place to ensure compliance with AML/CFT obligations, including the appointment of a senior management-level officer responsible for ensuring institution compliance with AML/CFT obligations.

Independent Audit Function

FIs should have an independent audit function to test the effectiveness of internal controls, policies, and procedures to mitigate ML/TF risks.

Correspondent Relationship

FIs should apply enhanced due diligence measures when establishing cross-border correspondent relationships. FIs are prohibited from establishing correspondent relationships with a shell bank or a respondent institution that allows its account to be used by shell banks.

Wire Transfer

FIs are required to obtain and pass on originator and beneficiary information in all domestic and cross-border wire transfers, and ensure information remains with the payment chain at all times. If an FI is unable to obtain the required information, the transfer should not be processed.

Penalties

Supervisory authorities are empowered to impose penalties ranging from issuing a warning to fines worth SAR 5,000,000 for any violation of AML/CFT laws, its implementing regulations, or relevant circulars or instructions. Whereas a person convicted of a money laundering offense can face imprisonment for up to fifteen years or a fine of up to seven million riyals or both, as provided by laws in force.

Regulatory Guidance and Best Practices for AML/CFT

The MoCI, CMA, SAMA, and MoJ each have published separate guidance for sectors regulated by them. Detailed guidance can be reviewed on the website of each supervisory authority.

Adverse Media Screening:

In order to detect or prevent ML risks, it’s crucial to understand the concept that proceeds generated from predicate offenses (acts punishable under law) derive the need of money laundering offenses. Reporting entities should monitor the involvement of their existing or new clients in any illegal activities. This can be achieved by checking records of law enforcement agencies, regulatory enforcement, courts, official watchlists, press releases, news agencies, or other credible sources. Adverse media screening not only facilitates the risk assessment process at the onboarding stage but periodic checks ensure the risk profile is up to date to meet the obligation of ongoing monitoring. Adopting a reliable AML solution would be a wise approach to safeguard operations and simplify AML compliance.

Sanctions Compliance Requirements in Saudi Arabia

A permanent committee was formed under royal decree no. (7753 ‏/‏ M B) of 29-10-1427 A.H. for implementation of sanctions measures imposed by United Nations Security Council Resolutions for restoring peace and security under Chapter VII of the UN Charter. A mechanism for implementing UNSC Resolutions has been published by the Ministry of Foreign Affairs on its website. It defines the roles and responsibilities of the permanent committee as well as the obligations and responsibilities of FIs, DNFBPs, and all relevant persons in relation to implementing UN Resolutions.

Sanctions lists and Enforcement Authorities

Supervisory bodies entrusted with the monitoring compliance of the AML-obliged entities are also responsible for supervising their compliance with local lists as well as UN Sanctions.

Prohibitions or restrictive measures

FIs and DNFBPs should freeze funds, assets, or transactions linked directly or indirectly to persons listed on applicable sanctions lists. Reporting entities are also prohibited from dealing with or providing any financial services or advice to such persons designated or listed.

Screening and Reporting

FIs and DNFBPs should have effective procedures to check their customers, counterparties in a transaction, and beneficial owners, including senior managers, executives, directors, owners, and persons representing the customer, against the sanctions lists of local authorities and the United Nations before establishing a business relationship or processing a transaction.

FIs and DNFBPs are required to screen existing customers on an ongoing basis and at-least daily against the applicable sanctions list. If a match against a designated entity is identified, it must be reported to the FIU with the available details.

Other International Sanctions

FIs and DNFBPs should also consider the risk of other international sanctions (such as those issued by OFAC of the US Department of Treasury, OFSI of the UK HM Treasury, and EU Sanction of the European Union) depending on currencies and counterparties involved, and the geographical links of its cross-border operations.

•  Implementing Regulations to AML Law
• MOCI AML/CTF Guide
•  MOJ AML/CTF Guide
• Implementing Regulations to CTF Law
•  Mechanism of Implementing UN Sanctions
• CMA AML/CTF Rules