  • 4.2 Due Diligence

    Principle 
     
     
    Member Organisations should define, approve and implement standards for assessing the fraud risk associated with employees, customers and third parties to prevent the establishment of relationships outside risk appetite and manage fraud risks throughout the duration of the relationship. 
     
     
    Control Requirements 
     
     
    a.Due Diligence standards should be defined, communicated, and implemented.
     
     
    b.Due Diligence standards should be approved by individuals of appropriate responsibility (e.g., Employee Due Diligence in HR).
     
     
    c.Due Diligence standards should consider employees, customers and third parties.
     
     
    d.Due Diligence standards should be aligned to the risks identified in the Fraud Risk Assessment.
     
     
    e.Member Organisations should review and update Due Diligence standards on a periodic basis and in response to material changes to the fraud landscape, the Member Organisation Fraud Risk Assessment, customer groups serviced by the Member Organisation or changes to the products or services it offers.
     
     
    f.The effectiveness of the fraud Due Diligence standards should be measured and periodically evaluated.
     
     
    g.Due Diligence standards should include:
     
     
     1.The Due Diligence checks and requirements that should be conducted to provide an informed understanding of fraud risk.
     
     2.When Due Diligence should be conducted.
     
     3.The role(s) responsible for conducting and approving Due Diligence.
     
     4.Red flags or warning signs which may indicate increased fraud risk and result in the requirement for escalation or further checks to be completed.
     
     5.Red flags or warning signs which indicate an employee, customer or third party is outside risk appetite and the relationship should be declined or exited.
     
     6.Steps to be taken to exit relationships outside risk appetite.
     
    • 4.2.1 Employee Due Diligence

      Principle 
       
       
      Member Organisations should ensure background checks are conducted on employees, including contractors, to reduce the exposure to internal fraud risks and reputational damage resulting from the actions of staff of the Member Organisation. 
       
       
      Control Requirements 
       
       
      a.Employee Due Diligence measures should reflect the risks of internal fraud impacting the Member Organisation.
       
       
      b.Employee Due Diligence should have the objective of establishing the identity and integrity of the employee and verifying their credentials, enabling the Member Organisation to determine whether they are suitable for the position.
       
       
      c.Employee Due Diligence should consist of screening and background checks on the employee, including but not limited to:
       
       
       1.Confirmation of identity.
       
       2.Criminal background checks.
       
       3.Conflict of interest checks.
       
       4.Verification of qualifications claimed.
       
       5.Previous employment checks.
       
      d.Employee Due Diligence should be:
       
       
       1.Conducted as part of the hiring process.
       
       2.Reassessed when an existing employee moves to a new role.
       
       3.Reperformed periodically on a risk-based approach (e.g., re-performance of screening for criminal or fraudulent behaviour to validate that employees remain suitable for the position).
       
      e.Member Organisations should assess roles which represent a high risk of fraud and document any enhanced checks required.
       
       
      f.The outcome of Employee Due Diligence checks should be retained in line with the Member Organisation’s record management policies for personal information.
       
       
    • 4.2.2 Customer Due Diligence

      Principle 
       
       
      Member Organisations should establish controls to capture and validate the identity of customers to reduce the exposure to external fraud losses. 
       
       
      Control Requirements 
       
       
      a.When establishing a new customer relationship, Member Organisations should check and verify the identity of the customer to obtain reasonable assurance that the Member Organisation is not exposed to fraud risk.
       
       
      b.Customer Due Diligence should align with the Member Organisation’s policies on Anti Money Laundering (AML) and Countering Terrorist Financing (CTF).
       
       
      c.Customer Due Diligence should be conducted as a part of the onboarding process and at appropriate times in the ongoing relationship with the customer (e.g., addition of new credit product).
       
       
      d.Customer Due Diligence should be enhanced with additional checks for higher risk customers or in response to a perceived increased fraud threat (e.g., if impersonation is suspected or there is a concern on the validity or legitimacy of documents provided to prove identity or evidence financial history).
       
       
      e.Where a customer relationship is initiated on a remote basis (e.g., online), Member Organisations should assess the risk of impersonation and the set-up of mule accounts, implementing appropriate controls to mitigate the risk, including but not limited to:
       
       
       1.Ensuring a phone number or National ID/Iqama is linked to one customer application only. In the event an exception is identified (e.g., dependent family member), additional due diligence checks should be conducted to validate the authenticity of the application and monitoring use cases should be developed.
       
       2.Authentication of the account opening request via the National Single Sign-On portal using biometric-based authentication (e.g., facial identification from a national trusted party).
       
       3.Verification that the ownership of the phone number is registered to the same user through a trusted party (i.e., the name of the account applicant and national ID match).
       
       4.Including a one-time password (OTP) mechanism, with the OTP message explaining that a new account is being opened, as a form of verification. The OTP must be sent to the verified phone number.
       
       5.Notification of the completion of account opening should be sent to the verified phone number registered for the account as well as to the phone number registered in the National Single Sign-On portal.
       
       6.Requiring the use of a registered National Address.
       
       7.Where a physical card is to be provided, this should be:
       
        a.Sent to the registered National Address of the customer only; or
       
       
        b.Collected from an ATM with the customer verified using biometric authentication.
       
       
       8.Following initial set up, restrictions should be placed on the account (e.g., reduced transaction value limit) until such time as the Member Organisation validates that the customer is genuine (e.g., use of biometric authentication mechanism through facial identification from national trusted party periodically, physical presence in a branch or kiosk supported by biometrics, regular pattern of account activity over a period of time).
       
       9.Developing comprehensive use cases to proactively identify potential mule accounts and implementing monitoring of the use cases through detection software (e.g., value of incoming funds, high transaction frequency, transaction patterns that do not fit expected behaviours, sudden increase in activity following dormancy).
       
       10.Measuring and periodically evaluating the effectiveness of controls to mitigate the risk of impersonation and set-up of mule accounts.
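
      The following is an added illustration, not part of the framework text, of how two of the remote-onboarding controls above can be expressed as code: the one-phone-number/one-National-ID-per-application check in e.1, and a rule-based version of the mule-account monitoring use cases in e.9 (value of incoming funds, transaction frequency, activity following dormancy, and, as one instance of a pattern that does not fit expected behaviour, funds received and passed straight out). The field names, thresholds, window length and all sample applications and transactions are constructed assumptions; a Member Organisation would calibrate them against its own Fraud Risk Assessment and customer base.

```python
"""Added example (not framework text): rule-based checks for 4.2.2 e.1 and e.9.
Field names, thresholds and sample data are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- e.1: one phone number / National ID per application ---------------------

# Constructed sample applications (hypothetical field names).
APPLICATIONS = [
    {"app_id": "A1", "national_id": "1000000001", "phone": "+966500000001"},
    {"app_id": "A2", "national_id": "1000000002", "phone": "+966500000002"},
    {"app_id": "A3", "national_id": "1000000003", "phone": "+966500000001"},  # shares phone with A1
    {"app_id": "A4", "national_id": "1000000002", "phone": "+966500000004"},  # shares ID with A2
]

def shared_identifiers(applications):
    """Return {(field, value): [app_ids]} for every phone or National ID that
    appears on more than one application. Each hit is an exception that needs
    the additional due diligence the control calls for (e.g. a dependent)."""
    index = defaultdict(list)
    for app in applications:
        for field in ("national_id", "phone"):
            index[(field, app[field])].append(app["app_id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}

# --- e.9: mule-account monitoring use cases ----------------------------------

# Constructed transactions: (account, timestamp, direction, amount in SAR).
T0 = datetime(2024, 1, 1)
TRANSACTIONS = [
    # ACC-1: ordinary salary account, monthly credit and small regular debits
    ("ACC-1", T0 + timedelta(days=d), "in" if d % 30 == 0 else "out",
     5000 if d % 30 == 0 else 120)
    for d in range(0, 90, 3)
] + [
    # ACC-2: one small credit, dormant for 60 days, then a burst of incoming
    # transfers each passed straight out again within 20 minutes
    ("ACC-2", T0, "in", 300),
] + [
    ("ACC-2", T0 + timedelta(days=60, hours=h), "in", 9000) for h in range(12)
] + [
    ("ACC-2", T0 + timedelta(days=60, hours=h, minutes=20), "out", 8900) for h in range(12)
]

# Thresholds are assumptions for this example, not values from the framework.
RULES = {
    "high_incoming_value": 50_000,  # SAR received within the window
    "high_frequency": 15,           # transactions within the window
    "dormancy_days": 30,            # quiet period before a burst of activity
    "passthrough_ratio": 0.9,       # outgoing / incoming within the window
}
WINDOW = timedelta(days=1)

def mule_indicators(transactions, account, window=WINDOW, rules=RULES):
    """Evaluate the use cases for one account over the window ending at its
    most recent transaction. Returns the names of the use cases that fired."""
    txs = sorted(t for t in transactions if t[0] == account)
    if not txs:
        return []
    last_ts = txs[-1][1]
    recent = [t for t in txs if t[1] > last_ts - window]
    earlier = [t for t in txs if t[1] <= last_ts - window]
    incoming = sum(amt for _, _, direction, amt in recent if direction == "in")
    outgoing = sum(amt for _, _, direction, amt in recent if direction == "out")

    hits = []
    if incoming >= rules["high_incoming_value"]:
        hits.append("high_incoming_value")
    if len(recent) >= rules["high_frequency"]:
        hits.append("high_frequency")
    # Dormancy: a gap of at least dormancy_days before the window, then a burst.
    if earlier and len(recent) >= 3 and \
            (recent[0][1] - earlier[-1][1]).days >= rules["dormancy_days"]:
        hits.append("activity_after_dormancy")
    # Pass-through: almost everything received in the window leaves again.
    if incoming > 0 and outgoing / incoming >= rules["passthrough_ratio"]:
        hits.append("rapid_passthrough")
    return hits

if __name__ == "__main__":
    print("shared identifiers:", shared_identifiers(APPLICATIONS))
    for acct in ("ACC-1", "ACC-2"):
        print(acct, "->", mule_indicators(TRANSACTIONS, acct))
```

      On the constructed data the salary account triggers nothing, while ACC-2 trips all four use cases; in practice each triggered use case would feed the monitoring and escalation steps the standard requires, and the thresholds would be tuned and their effectiveness measured as e.10 requires.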
       
    • 4.2.3 Third Party Due Diligence

      Principle 
       
      Member Organisations should ensure proportionate Due Diligence is conducted on third parties to develop an understanding of fraud risk associated with business relationships and ensure third parties are appropriately managed to mitigate the risk. 
       
      Control Requirements 
       
      a.Third Party Due Diligence should consist of checks and vetting procedures on a risk-based approach to allow an assessment of the fraud risks presented by the relationship.
       
      b.Third Party Due Diligence should be conducted prior to entering into a commitment for a new relationship.
       
      c.Third Party Due Diligence should be reviewed periodically or following a trigger which indicates increased fraud risk (e.g., concerns on the conduct of a third party or its employees; or negative media articles).
       
      d.Third Party Due Diligence should be enhanced for:
       
       1.Higher risk third parties or their representatives.
       
       2.Third parties providing critical services to the Member Organisation.
       
      e.Enhanced Third Party Due Diligence checks should include additional steps to assess the fraud risks presented by the relationship (e.g., additional vetting or assessing the third party approach to managing the risk of fraud).
       
      f.Where a Member Organisation outsources services to a third party organisation, that third party should comply with the Member Organisation’s Counter-Fraud Policy or apply an equivalent approach.