  • Section 3: Due Diligence Measures

    • A. Due Diligence Measures

      To establish a solid foundation for applying the risk-based approach, the financial institution shall know its customers and beneficial owners sufficiently to classify customer and business relationship risks from an AML/CTF perspective, so that it can direct the necessary resources to high-risk customers and business relationships and mitigate ML/TF risks. To achieve this objective, the financial institution shall classify customers based on the risks associated with them, as mentioned in the ML/TF Risk Assessment Section in this Guide. The information obtained from customers is the main tool for classifying customer risks. Therefore, the financial institution shall obtain reliable information from customers, verify such information, and ensure that it is updated and appropriate.
      The volume of business that a financial institution is willing to accept should be matched with preventive measures that mitigate the risks associated with it. The financial institution is expected to develop a clear policy on customer and business acceptance and ensure that it has a sufficient level of internal controls to manage and mitigate ML/TF risks. Such preventive measures include the application of due diligence measures to identify and verify a customer, a person acting on his behalf, or a beneficial owner.
       
       
      Article (7) of the Anti-Money Laundering Law and its Implementing Regulations and Article (17) of the Implementing Regulations of the Law on Combating Terrorism Crimes and Financing include the obligations of the financial institution upon application of due diligence measures. 

      3.1 The financial institution shall develop a policy for acceptance of new customers and business relationships, which includes due diligence measures to identify and verify a customer, a person acting on his behalf, or a beneficial owner. The policy shall be consistent with the risk assessment results and shall be documented and approved at the level of the board of directors.
       
       
      3.2 The financial institution shall apply due diligence measures according to the type and level of risk posed by a certain customer, beneficial owner, or business relationship. Such measures shall be implemented in the following cases:
       
       
       a) Prior to starting a new business relationship.

       b) Prior to making a transaction for a natural or legal person with whom there is no business relationship, whether such transaction is carried out in a single operation or in several operations that appear to be linked.

       c) Upon suspicion of ML/TF transactions.

       d) When suspecting the credibility or adequacy of customer information previously obtained.

       e) When a customer carries out a transaction inconsistent with his behavior or information.
       
      3.3 At a minimum, due diligence measures shall comprise the following:
       
       
       a) The financial institution shall identify the customer and verify the customer’s identity based on documents, data or information received from an authenticated and autonomous source that is well known, reputable and trusted by the financial institution. In all cases, the source of information shall not be the financial institution or the customer, but rather an independent source. For example, information and documents issued by government bodies are considered to be from reliable and independent sources. Moreover, customer identification shall be made as follows [3]:

        - Natural Person: The person’s full name according to official documents shall be obtained and verified in addition to the residence or national address, date and place of birth, nationality, and source of income.

        - Legal Person: The person’s name shall be obtained and verified in addition to the information about its legal status, proof of incorporation, powers regulating and governing the legal person’s work or the legal arrangement, names of all of its managers and senior executives, registered official address, place of business (if different), and the legal person’s sources of revenue.

       b) The financial institution should identify the person acting on behalf of the customer and verify its identity through an authenticated and autonomous source to ensure that such person is actually authorized to act in this capacity. Adequate measures shall be taken to identify the person acting on behalf of the customer, including the nature of business relationship between that person and the customer in addition to applying the measure set under Item (a).

       c) The financial institution shall identify the beneficial owner and take adequate measures to verify the identity of the beneficial owner using documents, data or information from an authenticated and independent source as mentioned under the Beneficial Owner Section.

       d) The financial institution shall understand the purpose and nature of the business relationship and obtain additional related information if needed.

       e) The financial institution shall understand the ownership and control structure of the (legal person) customer.
       
      3.4 The financial institution shall develop the necessary procedures to collect sufficient information about customers and their expected use of products and services. The details and nature of the information are determined according to the degree and level of risks, as high-risk customers and business relationships require greater scrutiny compared to those with lower risk. Therefore, the financial institution shall specify whether it should collect and verify any additional information based on the degree of risk posed by the customer and the business relationship.
       
       
      3.5 The financial institution may choose not to carry out due diligence measures for each of the customer’s transactions since it can rely on the information previously obtained in this regard, provided that such information is updated, appropriate, and not suspicious.
       
       
      3.6 The financial institution shall not accept customers or business relationships or carry out transactions without knowing the name and verifying the information of the customer or beneficial owner. The financial institution shall not accept customers, establish business relationships, or carry out transactions under names consisting of numbers or codes or using anonymous or fictitious names.
       
       
      3.7 The financial institution shall continuously apply due diligence measures to customers, business relationships, and beneficial owners based on the type and level of risk. It shall also verify transactions conducted throughout the business relationship in order to:
       
       
       a) Ensure that the information of the customer or beneficial owner and their activities are consistent with the risks they pose.

       b) Ensure that the documents, data and information obtained under the due diligence measures are up-to-date, appropriate, and consistent with the customer's activity and transactions.

       c) Consider reporting a suspicious transaction to the SAFIU when there are sufficient grounds for the suspicion.

       d) Reassess customers’ risks based on their transactions and activities.

       e) Verify business relationships and transactions of beneficial owners on a continuous basis.

       f) Verify whether the customer is a politically exposed person (PEP).
       
      3.8 The financial institution shall determine how often customer information is reviewed and updated based on the level and degree of risk posed by the customer, provided that due diligence measures are carried out continuously and more frequently for high-risk customers along with the appropriate enhanced measures.
       
       
      3.9 The customer is not required to come to the financial institution when updating and reviewing their information for identity verification as long as electronic authentication services approved by the National Information Center are used. However, the financial institution shall determine the need for further documentation or the customer’s presence based on the level of risk posed by the customer.
       
       
      3.10 When using reliable and independent electronic services to verify a customer’s identity, the financial institution shall determine if more documentation is required based on the level of risk posed by the customer. In addition, it must implement the necessary preventive measures to mitigate business relationship risks and set the necessary procedures and measures to verify and review the customer information obtained, including the information provided by the customer, using reliable and independent electronic services.
       
       
      3.11 The financial institution shall take all the measures required to update and review information of customers and beneficial owners. If its preventive measures are found to be unsuccessful, this shall be clarified and documented as stated in Paragraph (6.6) in the Record Keeping Section. If the financial institution is unable to comply with the due diligence requirements, it must not establish a business relationship or execute a transaction for a customer. If an existing business relationship or customer is involved, the financial institution shall terminate the related business relationship and consider reporting suspicious transactions to the SAFIU.
       
       
      3.12 The financial institution shall develop effective procedures to verify all the names of customers and beneficial owners, including all managers, senior executives, owners, and persons acting on behalf of customers, and compare them with those included in the sanction lists by local authorities and the United Nations before or during a business relationship or a transaction, taking into account Paragraph (8.15) in the Reporting of Suspicious Transactions Section.
       
       
      3.13 The financial institution shall follow up on the available sanction lists of other countries [4], verify all transactions and transfers, and use these lists for comparison in order to avoid potential legal problems that the financial institution or any other local or international parties might face and to avoid freezing of customer transactions or transfers.
       
       
      3.14 In the event of suspicion of an ML/TF operation and when the financial institution has strong justifications and reasonable grounds that the customer may become aware of the suspicion upon application of the due diligence measures, the financial institution shall decide, at its discretion, not to carry out due diligence, provided that it shall comply with Paragraph (8.8) in the Reporting of Suspicious Transactions Section.
       
       
      3.15 The financial institution shall use the best technologies to identify and record information in accordance with the due diligence requirements, so that changes in the data and their dates can be monitored and identified. Recorded and entered information shall be correct and consistent with the information provided by the customer after being verified. This shall include:
       
       
       a) Information of customers.

       b) Information of beneficial owners.

       c) Information of owners and all managers and senior executives of the customer.

       d) Information of the person acting on behalf of the customer.
       
      3.16 The financial institution may accept the execution of a transaction for an occasional customer who does not have a business relationship with it. This applies to individuals (citizens and residents) and visitors with a visa of temporary residence, taking into consideration Paragraph (4.4) in the Enhanced Due Diligence Section.
       
       

      [3] Financial institutions must implement due diligence measures according to Paragraph (3.3) in addition to the relevant provisions in the Implementing Regulations of the Law on Supervision of Cooperative Insurance Companies, the Insurance Market Code of Conduct Regulations, the Implementing Regulations of the Finance Companies Control Law, the Implementing Regulations of the Financial Leasing Law, the Rules for Bank Accounts, the Rules Regulating Banking Agency in Saudi Arabia, the Regulations for Issuance and Operations of Credit and Charge Cards, the Regulatory Rules for the Prepaid Payment Services, and the Rules Regulating Money Changing Business.
      [4] Such as the sanctions lists of the European Union, the Office of Foreign Assets Control (OFAC) of the US Treasury Department, the US State Department, Interpol, etc.

    • B. Beneficial Owner

      To implement the risk-based approach, the financial institution shall be certain of the identity of the beneficial owner or any person controlling the business relationship. The beneficial owner may not be a legal person, but rather a natural person who owns or controls the legal person directly or indirectly. 
       
      Concealing ownership information related to business and operations is one of the methods used for ML/TF. Therefore, collecting the necessary information and verifying the identity of the beneficial owner or anyone controlling the business relationship is important in combating ML/TF. 
       
      Article (7/3) of the Implementing Regulations of the Anti-Money Laundering Law and Article (17) of the Implementing Regulations of the Law on Combating Terrorism Crimes and Financing stipulate the measures that must be taken by the financial institution to identify and know the beneficial owner.

      3.17 The financial institution shall know the identity of the beneficial owner and take sufficient and appropriate measures to verify that identity, using documents, data or information from an authenticated and independent source. In order to verify the beneficial owner’s identity, the financial institution shall obtain and review all necessary details and information, provided that the due diligence measures taken by the financial institution shall be consistent with the degree and level of risk.
       
      3.18 The financial institution shall know the identity of the natural person who owns or controls (25%) or more of the legal person’s shares and take sufficient and reasonable measures to verify that identity, taking into account that a natural person who controls (25%) of the shares may not necessarily be the beneficial owner. In this case or when there is no natural person who owns or controls (25%) or more of the legal person’s ownership, or if there is suspicion that the owner of the controlling share is not the beneficial owner, the financial institution may take the following preventive measures:
       
       a) Identifying the natural persons who occupy senior management positions with the legal person, so that the financial institution becomes sufficiently satisfied that these persons control the legal person.

       b) Identifying the owners who control less than (25%) of the shares if it becomes clear to the financial institution that these owners are the beneficial owners or are controlling the legal person.

       c) Identifying the natural person who holds the position of senior management officer.

       d) Identifying the high-risk customer and taking preventive measures, including enhanced due diligence measures and continuous monitoring of the customer.

       e) Keeping records of the measures and procedures taken by the financial institution in addition to the reasons for suspecting that the owner of the controlling share is not the beneficial owner.
       
      3.19 The financial institution shall not rely primarily on the written statement of a customer to identify the beneficial owner; it shall take reasonable and adequate measures to verify the beneficial owner by understanding the ownership and control structure of the legal person. In order to understand that structure, the financial institution can refer to any of the following documents:
       
       a) The data of joint stock companies listed on the Capital market.

       b) The stockholders register.

       c) The memorandum of association.

       d) Minutes of board meetings.

       e) The company’s commercial register.

       f) The articles of association.
       
      3.20 The financial institution shall maintain records and documents related to the identification and verification of the beneficial owner as mentioned in Paragraph (6.1) of the Record Keeping Section.
       
      3.21 If the customer of the financial institution is an individual, it shall ensure that the business relationship with that customer is used for the benefit of the individual whose name is registered and for the purposes specified (and determine whether the customer is acting in his own interest). In the event that there is a suspicion that the customer is acting in the interest of others, the financial institution must specify the capacity in which the customer, or anyone acting on his behalf, acts. The beneficial owner is then identified to the satisfaction of the financial institution. It shall also ensure that any person claiming to act on behalf of a customer is authorized and shall identify and verify that person's identity.
       
    • C. Reliance on a Third Party to Implement Due Diligence Measures

      The financial institution may rely on another financial institution or any of the owners of DNFBPs to implement the due diligence measures. However, when a financial institution carries out the due diligence measures itself, it will be in a better position to identify and assess customer risks, especially when such measures involve meeting customers in person. 
       
      In all cases, in accordance with the obligations mentioned in the Anti-Money Laundering Law, the Law on Combating Terrorism Crimes and Financing, and their Implementing Regulations, the responsibility for implementing due diligence measures shall rest with the financial institution seeking assistance from another party, as such financial institution is fully responsible for complying with the regulatory requirements relating to due diligence and SAMA’s Instructions for Outsourcing.
      Article (7/10) of the Implementing Regulations of the Anti-Money Laundering Law allows the financial institution to rely on another financial institution or any of the owners of DNFBPs to carry out the due diligence measures, including entities that are part of the same financial group. Articles (7/11) and (7/13) of the Implementing Regulations specify the conditions that must be fulfilled by the financial institution prior to reliance on another party.

      3.22 The financial institution may rely on a third party, whether it is a financial institution or any of the owners of DNFBPs, to implement the due diligence measures, in accordance with the following:
       
       a) The financial institution shall ensure that the third party is subject to regulation and supervision and that it applies due diligence and record-keeping measures as stated in the Anti-Money Laundering Law, the Law on Combating Terrorism Crimes and Financing, and their Implementing Regulations.

       b) The financial institution shall take actions to ensure that due diligence information is provided by the third party upon request and without delay.

       c) The financial institution shall immediately obtain all information related to due diligence, including simplified and enhanced due diligence measures, from the third party.

       d) The financial institution shall take into consideration the information available to the AMLPC, the PCCT, and the SAFIU on high-risk countries when determining the countries in which the third party may be conducting business.
       
      3.23 The financial institution shall assess the ML/TF risks associated with reliance on a third party and, therefore, it shall develop and apply appropriate policies and procedures for risk management. Such procedures may include the following:
       
       a) Identification of the minimum due diligence requirements to be met by the third party.

       b) Frequent examination of obtained information and documents to apply the due diligence measures, including enhanced or simplified due diligence.

       c) Monitoring of customers and business relationships established through reliance on a third party as well as application of intensive control measures towards them in accordance with the ML/TF risk assessment results.
       
      3.24 The financial institution shall periodically verify (at least annually) that the third party has sufficient capabilities and powers required to fulfill the due diligence requirements in a professional manner. The financial institution shall also continuously assess the third party's compliance with such requirements.
       
      3.25 The financial institution has the right to directly obtain the customer due diligence information from the third party relied upon to perform due diligence, if such party has previously implemented due diligence measures for the same customer when dealing with another financial institution, taking into account that the required information shall be complete and that due diligence measures are constantly applied according to the requirements mentioned in Paragraph (3.7) in the Due Diligence Section.