
A. Due Diligence Measures

No: 18318/486 Date(g): 17/11/2019 | Date(h): 20/3/1441

Effective from 2019-11-17 - Nov 16 2019

To establish a solid foundation for applying the risk-based approach, the financial institution shall know its customers and beneficial owners sufficiently to classify customer and business relationship risks from an AML/CTF perspective to direct its necessary resources to high-risk customers and business relationships to mitigate ML/TF risks. To achieve this objective, the financial institution shall classify customers based on the risks associated with them, as mentioned in the ML/TF Risk Assessment Section in this Guide. The information obtained from customers is the main tool for classifying customer risks. Therefore, the financial institution shall obtain reliable information from customers, verify such information, and ensure that it is updated and appropriate.
The volume of business that a financial institution is willing to accept should be matched with preventive measures that mitigate the risks associated with it. The financial institution is expected to develop a clear policy on customer and business acceptance and ensure that it has a sufficient level of internal controls to manage and mitigate ML/TF risks. Such preventive measures include the application of due diligence measures to identify and verify a customer, a person acting on his behalf, or a beneficial owner.
 
 
Article (7) of the Anti-Money Laundering Law and its Implementing Regulations and Article (17) of the Implementing Regulations of the Law on Combating Terrorism Crimes and Financing include the obligations of the financial institution upon application of due diligence measures. 

3.1 The financial institution shall develop a policy for acceptance of new customers and business relationships, which includes due diligence measures to identify and verify a customer, a person acting on his behalf, or a beneficial owner. The policy shall be consistent with the risk assessment results and shall be documented and approved at the level of the board of directors.
 
 
3.2 The financial institution shall apply due diligence measures according to the type and level of risk posed by a certain customer, beneficial owner, or business relationship. Such measures shall be implemented in the following cases:

 a) Prior to starting a new business relationship.

 b) Prior to making a transaction for a natural or legal person with whom there is no business relationship, whether such transaction is carried out in a single operation or in several operations that appear to be linked.

 a) Upon suspicion of ML/TF transactions.

 b) When suspecting the credibility or adequacy of customer information previously obtained.

 c) When a customer carries out a transaction inconsistent with his behavior or information.
 
3.3 At a minimum, due diligence measures shall comprise the following:

 a) The financial institution shall identify the customer and verify the customer’s identity based on documents, data or information received from an authenticated and autonomous source that is well known, reputable and trusted by the financial institution. In all cases, the source of information shall not be the financial institution or the customer, but rather an independent source. For example, information and documents issued by government bodies are considered to be from reliable and independent sources. Moreover, customer identification shall be made as follows[3]:

  - Natural Person: The person’s full name according to official documents shall be obtained and verified in addition to the residence or national address, date and place of birth, nationality, and source of income.

  - Legal Person: The person’s name shall be obtained and verified in addition to the information about its legal status, proof of incorporation, powers regulating and governing the legal person’s work or the legal arrangement, names of all of its managers and senior executives, registered official address, place of business (if different), and the legal person’s sources of revenue.

 b) The financial institution should identify the person acting on behalf of the customer and verify its identity through an authenticated and autonomous source to ensure that such person is actually authorized to act in this capacity. Adequate measures shall be taken to identify the person acting on behalf of the customer, including the nature of business relationship between that person and the customer in addition to applying the measure set under Item (a).

 c) The financial institution shall identify the beneficial owner and take adequate measures to verify the identity of the beneficial owner using documents, data or information from an authenticated and independent source as mentioned under the Beneficial Owner Section.

 d) The financial institution shall understand the purpose and nature of the business relationship and obtain additional related information if needed.

 e) The financial institution shall understand the ownership and control structure of the (legal person) customer.
 
3.4 The financial institution shall develop the necessary procedures to collect sufficient information about customers and their expected use of products and services. The details and nature of the information are determined according to the degree and level of risks as high-risk customers and business relationships require greater scrutiny compared to those with lower risk. Therefore, the financial institution shall specify whether it should collect and verify any additional information based on the degree of risk posed by the customer and the business relationship.
 
 
3.5 The financial institution may choose not to carry out due diligence measures for each of the customer’s transactions since it can rely on the information previously obtained in this regard, provided that such information is updated, appropriate, and not suspicious.
 
 
3.6 The financial institution shall not accept customers or business relationships or carry out transactions without knowing the name and verifying the information of the customer or beneficial owner. The financial institution shall not accept customers, establish business relationships, or carry out transactions under names consisting of numbers or codes or using anonymous or fictitious names.
 
 
3.7 The financial institution shall continuously apply due diligence measures to customers, business relationships, and beneficial owners based on the type and level of risk. It shall also verify transactions conducted throughout the business relationship in order to:

 a) Ensure that the information of the customer or beneficial owner and their activities are consistent with the risks they pose.

 b) Ensure that the documents, data and information obtained under the due diligence measures are up-to-date, appropriate, and consistent with the customer's activity and transactions.

 c) Consider reporting a suspicious transaction to the SAFIU when there are sufficient grounds for the suspicion.

 d) Reassess customers’ risks based on their transactions and activities.

 e) Verify business relationships and transactions of beneficial owners on a continuous basis.

 f) Verify whether the customer is a politically exposed person (PEP).
 
3.8 The financial institution shall determine the frequency of reviewing and updating customer information based on the level and degree of risk posed by the customer, provided that due diligence measures are carried out continuously and more frequently for high-risk customers along with the appropriate enhanced measures.
 
 
3.9 The customer is not required to come to the financial institution when updating and reviewing their information for identity verification as long as electronic authentication services approved by the National Information Center are used. However, the financial institution shall determine the need for further documentation or the customer’s presence based on the level of risk posed by the customer.
 
 
3.10 When using reliable and independent electronic services to verify a customer’s identity, the financial institution shall determine if more documentation is required based on the level of risk posed by the customer. In addition, it must implement the necessary preventive measures to mitigate business relationship risks and set the necessary procedures and measures to verify and review the customer information obtained, including the information provided by the customer, using reliable and independent electronic services.
 
 
3.11 The financial institution shall take all the measures required to update and review information of customers and beneficial owners. If its preventive measures are found to be unsuccessful, this shall be clarified and documented as stated in Paragraph (6.6) in the Record Keeping Section. If the financial institution is unable to comply with the due diligence requirements, it must not establish a business relationship or execute a transaction for a customer. If an existing business relationship or customer is involved, the financial institution shall terminate the related business relationship and consider reporting suspicious transactions to the SAFIU.
 
 
3.12 The financial institution shall develop effective procedures to verify all the names of customers and beneficial owners, including all managers, senior executives, owners, and persons acting on behalf of customers, and compare them with those included in the sanction lists by local authorities and the United Nations before or during a business relationship or a transaction, taking into account Paragraph (8.15) in the Reporting of Suspicious Transactions Section.
 
 
3.13 The financial institution shall follow up on the available sanction lists of other countries[4], verify all transactions and transfers, and use these lists for comparison in order to avoid potential legal problems that the financial institution or any other local or international parties might face and to avoid freezing of customer transactions or transfers.
 
 
3.14 In the event of suspicion of an ML/TF operation and when the financial institution has strong justifications and reasonable grounds that the customer may become aware of the suspicion upon application of the due diligence measures, the financial institution shall decide, at its discretion, not to carry out due diligence, provided that it shall comply with Paragraph (8.8) in the Reporting of Suspicious Transactions Section.
 
 
3.15 The financial institution shall use the best technologies to identify and record information in accordance with the due diligence requirements, so that changes in the data and their dates can be monitored and identified. Recorded and entered information shall be correct and consistent with the information provided by the customer after being verified. This shall include:

 a) Information of customers.

 b) Information of beneficial owners.

 c) Information of owners and all managers and senior executives of the customer.

 d) Information of the person acting on behalf of the customer.
 
3.16 The financial institution may accept the execution of a transaction for an occasional customer who does not have a business relationship with it. This applies to individuals (citizens and residents) and visitors with a visa of temporary residence, taking into consideration Paragraph (4.4) in the Enhanced Due Diligence Section.
 
 

[3] Financial institutions must implement due diligence measures according to Paragraph (3.3) in addition to the relevant provisions in the Implementing Regulations of the Law on Supervision of Cooperative Insurance Companies, the Insurance Market Code of Conduct Regulations, the Implementing Regulations of the Finance Companies Control Law, the Implementing Regulations of the Financial Leasing Law, the Rules for Bank Accounts, the Rules Regulating Banking Agency in Saudi Arabia, the Regulations for Issuance and Operations of Credit and Charge Cards, the Regulatory Rules for the Prepaid Payment Services, and the Rules Regulating Money Changing Business.

[4] Such as the sanctions lists of the European Union, the Office of Foreign Assets Control (OFAC) of the US Treasury Department, the US State Department, Interpol, etc.