Please read our Privacy Policy carefully before using our website (“the Website”). In this Policy “we”, “us” and “our” means CFP Technology FZCO (“FZCO”), and “you” means the individual who is using the website. By using our website, you agree with the collection, use, and disclosure of your personal data in accordance with this Privacy Policy.
We may change the content or services found on the Website at any time without notice, and consequently, our Privacy Policy may change at any time in the future. Your continued access to or use of the website will mean that you agree to the changes.
Our Privacy Policy, together with the Terms of Business, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. For the purposes of the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (the “Law”), the data controller is FZCO. Also incorporated is the Data Protection Law 2020.
Personal Data: Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, image, identification number, online identifier, geographical location, or one or more physical, physiological, economic, cultural, or social characteristics.
If any data is stored, you have certain rights regarding that data. These are:
Right of Access to Information
You have the right to obtain information on the categories of personal data being processed, the purpose of the processing, the decisions made upon automated processing, and entities with whom the personal data is shared.
Right to Request Personal Data Portability
You have the right to receive your personal data in a structured and machine-readable format.
Right to Rectification or Erasure of Personal Data
You have the right to rectify inaccurate personal data and the right to delete your personal data and be forgotten.
Right to Restriction of Processing
You have the right to restrict and stop the processing of your data where it is inaccurate or you object to the purpose of the processing.
Right of Processing and Automated Processing
You have the right to object to automated decisions made by automated processing of your personal data.
To make using our website as straightforward as possible and to improve the service we offer you, we use cookies.
What are Cookies?
Cookies are harmless text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognize you when you revisit. There are two main types:
Session cookies: These only exist for your website visit and are deleted on exit. They recognize you as you move between pages, for example, recording items added to an online shopping basket. These cookies also help maintain security.
Persistent cookies: These stay on your machine until expiry or deletion. Many are built with automatic deletion dates to help ensure your hard drive doesn’t get overloaded. These cookies often store and re-enter your log-in information, so you don’t need to remember membership details.
We use both types of cookies.
Additionally, cookies can be first-party or third-party cookies. First-party cookies are owned and created by the website you’re viewing, in this case by FZCO. Third-party cookies are owned and created by an independent company, usually a company providing a service to the website owners. In our case, third-party cookies provided by this Website are still subject to the provisions set out below.
Internet cookies are common, do not harm your system, and do not retrieve information about you stored on your hard drive – they just store or gather website information. They help you do things online, like remembering logon details so you don’t have to re-enter them when revisiting a website.
CFPS utilizes various types of cookies including necessary cookies and analytics/advertising cookies.
Necessary cookies are enabled by default but can be turned off on your device, although this may affect your browsing experience. These cookies help us to operate our website and identify any issues. Additionally, we use cookies to remember our users and provide personalized content.
Analytics and advertising cookies help us understand our website and performance and improve it as necessary.
Third-party cookies are used to recognize and count visitors, track user behavior on our website, and show relevant ads. We may share this information with other organizations, such as Google.
Specifically, we use Google Ads to track the effectiveness of our ad campaigns and Google Analytics to understand visitor behavior and track conversions. Google Tag Manager is also utilized to manage cookies on our website.
CFPS only uses these cookies for the specific purposes outlined above and we do not use them to collect any personally identifiable information about our users. We take our users and privacy seriously and we are committed to complying with all relevant data protection laws and regulations.
If you wish to disable cookies, you can do so by adjusting your browser settings. Please note, however, that disabling cookies may affect your ability to use certain features on our website.
We use cookies to:
We use both our own (first-party) and partner companies’ (third-party) cookies to support these activities. We don’t use cookies to track people’s Internet usage after leaving our websites and we don’t store personal information in them that others could read and understand.
Some of our services may require cookies in your browser to view and use them and to protect your financial and personal information.
You are not obliged to accept cookies that we send to you and you can in fact modify your browser so that it will not accept cookies. To enable or disable cookies, follow the instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” facility). Alternatively, an external resource is available at www.allaboutcookies.org/manage-cookies providing specific information about cookies and how to manage them to suit your preferences.
Please note that should you choose to set your browser to disable cookies, you may not be able to access secure areas of this Website, for example, any online accounts you may hold.
Most internet browsers accept cookies automatically, but you can change the settings of your browser to erase cookies or prevent automatic acceptance if you prefer.
These links explain how you can control cookies via your browser – remember that if you turn off cookies in your browser then these settings apply to all websites, not just this one:
For more information about cookie settings, we link to the instructions for the most important web browsers:
Internet Explorer™: Link
Safari™: Link
Chrome™: Link
Firefox™: Link
Opera™: Link
For information about the cookies that are installed on your device, about their management, and how to delete them, it is possible to visit the following website: www.youronlinechoices.com/it/
We may collect information about your computer, including where available your IP address, operating system, and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our Website users’ browsing actions and patterns and does not identify any individual.
Any secure online services you subscribe to with us may use cookies to enable information about you and your preferences to be stored and to prevent unauthorized access to your services and information. Cookies must usually be accepted in such circumstances – without them, we cannot ensure your information is secure (and people rejecting cookies can’t use the services).
We will store and process your information on our computers wherever located and in any other medium. By “your information” we mean personal and financial information we:
a) obtain from you or from third parties and other organizations when you apply for an account or any other product or service for which you or they give to us at any other time; or
b) learn from the way you use and manage your account(s), from the transactions made, if any, such as the date, amount, currency, and the name and type of supplier (e.g. supermarket services, medical services, retail services).
We will use your information to manage your account(s), give you statements, and provide our services, for assessment and analysis (including credit and/or behaviour scoring, market, and product analysis), to identify and tackle fraud, money laundering, and other crimes, carry out regulatory checks, and meet our obligations to any relevant regulatory authority, and to develop and improve our services to you and other customers and protect our interests.
We may use your information to inform you by letter, telephone, text (or similar) messages, digital television, e-mail, and other electronic methods about products and services (including those of others) which may be of interest to you. Where you have neither given your consent to such marketing nor requested to opt out of such marketing, this will be limited to information about products and services similar to those which were the subject of a previous service provided to you.
If you don’t want us to tell you about other products and services please write to us and supply us with your full name and address and details of any products or services you have with us. Please write to us at FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.
We may share your information including how you manage your account or Website visitors with relevant third parties and as permitted by law including but not limited to the following:
If we disclose your information to a service provider (a person, office, or organization) located in another country (including locations outside of the European Economic Area), we will take steps reasonably necessary to ensure that they apply the same levels of protection as we are required to apply to your information and to use your information only for the purpose of providing the service to us. By submitting your personal information, you agree to this transfer.
We will retain information about you after the closure of your account or service provision for as long as it is permitted for legal, regulatory, fraud prevention, business, and financial crime purposes.
Under applicable data protection legislation, you may be entitled to a copy of the personal information you have provided. If any data is inaccurate it will be corrected without delay. Please write to us at Data Protection Manager, FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.
Please remember that Internet communications are not secure unless the data being sent is encrypted. We cannot accept any responsibility for unauthorized access by a third party and/or the corruption of data being sent by individuals to us. Some countries prohibit the transmission of encrypted data over telephone lines. You should not encrypt data transmitted if you know doing so would contravene applicable local, national, or international laws. For guidance relating to your specific situation, please contact your legal adviser.
The entire content of the Website is subject to copyright with all rights reserved and it may only be stored, held, or used for your personal use only. You may not download (all or in part) for non-personal use or otherwise reproduce, transmit, or modify the website without our prior permission. However, you may print out part or all of the Website for your own personal use. These permissions are revocable by us at any time. You are granted a non-exclusive license of those rights in order to view this website on a non-commercial basis only, revocable at any time.
It is our policy that if any of our clients are victims of unauthorized access to their accounts we will cover any resulting financial loss which the Client suffers provided that the Client has not breached our security procedures.
You must ensure that viruses, trojans, worms, or equivalent or similar items do not enter your computer system. We assume no responsibility for the loss of whatever nature, howsoever arising, resulting from such viruses, trojans, worms, or equivalent or similar items.
We may record and monitor calls made or received by us to maintain high-quality service standards, to check instructions, and for your protection and ours.
If you have any queries regarding privacy issues then please write to us at Compliance Department, FZCO [email protected]
“Money laundering is the generic term used to describe the process by which criminals disguise the original ownership and control of the proceeds of criminal conduct by making such proceeds appear to have derived from a legitimate source.” Source ICA (www.int-comp.org).
“Terrorist financing is the process by which terrorists fund their operations in order to perform terrorist acts. Terrorists need financial support to carry out their activities and to achieve their goals. There is little difference between terrorists and other criminals in their abuse of the financial system. While different from money laundering, terrorists often exploit similar weaknesses in the financial system.” Source ACAMS (acams.org).
“Sanctions – The United Arab Emirates (UAE), as a member of the UN, is committed to implementing the United Nations Security Council Resolutions (UNSCRs), including those related to UN sanctions regimes. Consequently, through the Cabinet Resolution No. 74 of 2020, the UAE is implementing UNSCRs on the suppression and combating of terrorism, terrorist financing & countering the financing of proliferation of weapons of mass destruction, in particular, targeted financial sanctions (TFS) regimes as defined by the UN.
1. CFP Technology FZCO (“FZCO” or the “Firm”) is committed to maintaining effective prevention and detection measures to assist law enforcement authorities in combating financial crime. This handbook sets out the policies and procedures which have been adopted to meet CFP Technology’s legal obligations under UAE anti-money laundering and counter-terrorist legislation.
2. These policies and procedures must always be adhered to.
3. FZCO always seeks to ensure that:
4. Money laundering, fraud, and market abuse threats are dynamic, and criminals constantly devise new techniques and exploit the easiest targets in the financial services sector. To mitigate the risk of being used as a vehicle for financial crime FZCO will systematically assess, mitigate, and monitor these risks. It will seek to identify fraud, money laundering, and market abuse as well as conduct risk implications at an early stage of the client acceptance process, escalate this to senior management and take appropriate action.
5. A risk-based approach adopted by FZCO drives our overall strategy of fighting financial crime. Through this approach, we identify the areas of greatest vulnerability and focus our resources on those areas. Ultimate responsibility for this approach lies with the senior management but all staff carry a responsibility to maintain the effectiveness of systems and controls.
6. Customer Due Diligence (CDD) is the mid-level risk-based approach and as such, is the entry-level of all measures. Once entered at the CDD level, up-risk or down-risk processes may be applied.
7. Given the continually evolving environment and the nature of the risks involved, it is not possible to cover every possible eventuality in this handbook. Should an issue arise that is not specifically covered in this handbook, employees should refer to the MLRO for further guidance.
8. The DFSA as a supervisory authority is committed to maintaining an Anti-Money Laundering (AML), Combating the Financing of Terrorism (CTF) and Counter-Proliferation Financing (CPF) regime that acts as a significant deterrent to any criminal elements. Money laundering is the process by which criminals attempt to hide and disguise the true origin and ownership of the proceeds of their criminal activities, thereby avoiding prosecution, conviction, and confiscation of criminal funds.
9. Money laundering and terrorist financing risks are closely related to the risks of fraud and insider dealing. While these are separate offenses, money laundering involves handling the proceeds of any crime, including the proceeds of these activities.
10. The ability to launder the proceeds of crime through the financial system is vital to the success of criminal operations. London, as one of the world’s major financial centers, has a major role to play in combating money laundering. Firms that become involved in money laundering risk prosecution and damage to their reputation.
11. In recognition of this the procedures that FZCO has adopted, to reduce the incidence of financial crime, focus on knowing our clients, understanding their businesses, carrying out proportionate verification checks, and identifying and reporting suspicious activity.
12. FZCO is subject to UAE Federal AML, CTF, and CPF legislation which includes:
13. In order to comply with UAE laws, regulations, and guidance, FZCO adopts the following principles.
14. FZCO has implemented policies, procedures, and controls aimed at deterring criminals from using FZCO for the laundering of proceeds of crime. These policies and procedures are tailored to the risk posed by individual clients, in accordance with UAE laws.
15. FZCO has appointed its Money Laundering Reporting Officer (“MLRO”). The MLRO acts as the central point of contact both with law enforcement agencies and internally, in relation to all matters relating to money laundering.
16. The MLRO monitors FZCO’s compliance with anti-money laundering procedures and submits reports to senior management at least on an annual basis.
17. FZCO has established Customer Due Diligence procedures to identify the users of its services and, in relation to higher-risk clients, the principal beneficial owners and origins of funds. These procedures include knowing the nature of our client’s businesses and being alert to abnormal transactions.
18. Suspicious activity includes, but is not limited to, any transactions or account activity that is not customary, routine, or commensurate based upon past or expected transactions or activity, or that is otherwise suspicious or lacking an apparent business or legal purpose.
19. Unexplained or abnormal transactions or activities that are suspected of being linked to criminal activity should be reported to the MLRO in writing without delay using the Suspicious Transaction Reporting Form (Money Laundering) in Appendix 1. Reports will be highly confidential and can be made anonymously. The MLRO will determine whether to report the suspicions to the Financial Intelligence Unit (FIU). If the MLRO is absent, reports should be made to the appointed Deputy MLRO. An acknowledgment of receipt should be obtained from the MLRO for every such report.
20. All personnel must be informed of their individual and collective responsibilities and FZCO’s anti-money laundering policies. Personnel are provided with training to enable them to understand the vulnerabilities of FZCO’s business and to recognize and report suspicious activities.
21. Copies of all training material must be kept at all times and referred to by the attendance registers or ad-hoc training as may occur.
22. FZCO keeps records of who has been trained and the timing and form of training sessions. We retain all records verifying the identity of our clients for at least 5 years following the end of the business relationship. We also retain the records of any internal reports of suspicion submitted to the MLRO and any disclosures made to FIU.
23. All changes to this policy must be version controlled and details of changes made are recorded appropriately. This may be used as a defense if any litigation arises from actions by the Firm or its staff.
24. There are a number of pieces of legislation that make up the UAE Anti-money laundering/counter-terrorist financing legal framework.
25. A brief summary of the main pieces of legislation is provided below. All employees of FZCO should be aware that it is not only the firm that is subject to the legislation but also the employees within the firm. Failure to comply with certain aspects of the legislation can result in an individual being subject to prosecution with the threat of a custodial sentence or fine.
26. Offences are punishable whether the attempt to launder money was successful or not.
27. Criminal conduct is conduct that constitutes an offense in any part of UAE (or would constitute an offense in any part of UAE if it occurred there).
28. Property is criminal property if it constitutes a person's benefit from criminal conduct or it represents such a benefit (in whole or part and whether directly or indirectly), and the alleged offender knows or suspects that it constitutes or represents such a benefit. It is immaterial:
29. A person benefits from conduct if they obtain property, advantage, or benefit as a result of or in connection with the conduct or any other conduct. Where the property is land, this includes a servitude, right, or interest in relation to that piece of land. Property is all property wherever situated and includes:
30. A person commits an offense if he enters into or becomes concerned with an arrangement that he knows or suspects facilitates (by whatever means) the acquisition, retention, use, or control of criminal property by or on behalf of another person.
31. Concealing the source of illicit gains, aiding, abetting money laundering, and inciting and attempting the offense can be considered a criminal offense.
32. This offense is punishable by imprisonment and/or a fine.
33. A person commits this offense if he:
34. This offense covers any conduct wherever it takes place if it would constitute a criminal offense if committed in UAE. This excludes minor offenses committed overseas where the conduct is lawful in the jurisdiction where the offense in question is committed (for example, bullfighting in Spain). This offense however includes, but is not restricted to, drug trafficking, terrorist activity, corruption, theft, fraud, tax evasion, robbery, forgery, product piracy, illegal deposit taking, blackmail, and extortion.
35. It is a defense to show that a person reported their suspicion to the MLRO (in the case of the MLRO, to a law enforcement agency).
36. This offense is punishable by imprisonment and/or a fine.
37. It is a criminal offense to disclose that a disclosure has been made to either FIU or the MLRO, or that the police or customs authorities are carrying out or intending to carry out a money laundering investigation.
38. It is a defense to show that a person had either lawful authority or a reasonable excuse to make the disclosure. It is also a defense that a person neither knew nor suspected that the disclosure would prejudice an investigation.
39. Tipping off is punishable by imprisonment and/or a fine.
40. It is a criminal offense for persons working in the regulated sector not to disclose if they have reasonable grounds to know or suspect, in the course of their employment, that another person is engaged in money laundering. The report should be made without undue delay and not later than two business days after the identification of the suspicious activity or transaction. This offense also covers a failure of the MLRO to report a suspicion to FIU without a reasonable excuse.
41. Reporting to the MLRO in accordance with FZCO’s procedures will satisfy the obligation to report.
42. Legislation protects those reporting suspicions of money laundering from claims in respect of any alleged breach of client confidentiality.
43. Failure to disclose is punishable by imprisonment and an unlimited fine.
44. FZCO’s business activities are within the scope of the Money Laundering Regulations and we, therefore, have in place appropriate policies and procedures covering:
45. FZCO is aware that they are sanctioned for not having adequate procedures in place.
46. Failure to comply with the Regulations constitutes an offense punishable by imprisonment, a fine, or both.
47. The US criminal money laundering laws, in particular the USA Patriot Act 2001, have extra-territorial effects. Where FZCO has any established activities in, or linked to, the USA, whether through a branch, subsidiary, associated company, or correspondent banking relationship, there is a risk that US regulations and sanctions may apply. This includes dealing with clients that are US citizens; whether these legal obligations apply will be determined during the KYC/KYB checks. The MLRO ensures that, where this falls into scope, procedures are followed to ensure compliance.
48. The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under US jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments.
49. The OFAC Main Page can be found at: https://home.treasury.gov/
50. OFAC Sanctions Lists can be found at:
51. Currently there are a number of sanction programs in operation internationally. FZCO is required by law to ensure full compliance and ensure that any links are identified, directly or indirectly. Such links may include:
52. In consideration of this, where one of the above criteria is indicated for a prospective client, the AML Compliance Officer should escalate to the MLRO for review, who may seek legal advice from FZCO’s Board members if required.
53. The full list of current programs in operation in UAE, including the list of destinations with trade restrictions and terrorist organizations can be found here: https://www.uaeiec.gov.ae/en-us/un-page?p=2#
54. All new account openings must ensure that all prospective client names are subject to KYC screening which will check applicable international sanction lists. In accordance with the risk matrix, it may be necessary to also check all directors and shareholders, ensuring that they are added to the ongoing screening database when deemed necessary.
55. As a matter of good practice, for high-risk clients the MLRO may deem it necessary to independently review the Sanctions List and run an OFAC search using this source: https://ofac.finra.org/#/
56. If in doubt about the nature of any of the information listed in the sanctions section, speak with the MLRO.
57. The Firm may use external third parties for electronic checking.
58. A breach of the International Sanctions Act carries a fine of up to €400,000.
59. A predicate offense is a crime that is a component of a larger crime. For FZCO this would be predominantly any crime that generates monetary income.
60. The expanded list of predicate offenses:
61. FZCO has appointed a Money Laundering Reporting Officer (“MLRO”). The MLRO has overall responsibility for the establishment and maintenance of effective anti-money laundering systems and controls.
62. The MLRO is a required function. The expects the MLRO to be based in UAE and to be of sufficient seniority within FZCO to be able to act on his own authority. The MLRO must have access to all Know Your Business/Customer information, data, and dashboards. The MLRO’s responsibilities include the following:
63. While the MLRO may delegate their duties to another appropriate person, such delegation needs to be documented.
64. FZCO’s personnel must not discuss any issues relating to the firm’s anti-money laundering policies and procedures with any third parties without the prior consent of the MLRO. All requests from the DFSA, FIU, Police, or other investigating and enforcement agencies must be referred to the MLRO without delay.
65. The following orders may be served on FZCO as part of an ongoing investigation. Should you receive any such order, please give it to the MLRO without delay:
66. FZCO is required to operate a risk-based policy in order to identify, manage and mitigate the risks associated with the firm being used for money laundering or terrorist financing. This approach will identify the most cost-effective and proportionate way to manage and mitigate the risks posed to the firm. It is accepted that a risk-based regime cannot be a zero-failure regime but that it should strike a balance between cost and the realistic threat of being used for money laundering or terrorist financing. The aim is to focus the efforts where they are most needed and will have the most impact.
67. A risk-based approach requires FZCO to undertake the following steps:
68. FZCO adopts a risk-based approach to business that enables it to utilize its resources in the most efficient and cost-effective manner. While we will, as far as reasonably practicable, ensure consistent application of our risk-based approach, we recognize that this approach cannot anticipate every eventuality. Therefore in any given case the Compliance Officer or MLRO may exercise their judgment in deciding whether or not to deviate from the written policies. This judgment will be clearly reasoned and documented.
69. When and if FZCO deals with clients located in countries without adequate anti-money laundering standards it will either obtain additional Customer Due Diligence information or perform more intensive monitoring of the client’s account. Countries presenting a high geographical risk are those where:
70. A useful source of information on geographical risk is Transparency International: www.transparency.org
71. The Transparency International Corruption Perception Index is attached to the Handbook as Appendix 8. The up-to-date index can be found at http://www.transparency.org/ Downloading the information package provides a host of data and it is subdivided into continents.
72. FZCO’s client base is divided into three risk categories: Low, Medium, and High. The Compliance Officer or MLRO determines to which category a client belongs. They will record the basis of assessment for each client. Given the nature of business undertaken by FZCO, it is expected that the majority of our clients will be assessed as either Low/Medium/High Risk. The entry-level is medium risk and evaluation is performed from that point.
73. The following should be used as guidance when applying a risk-based approach to the assessment of money laundering risk posed by each client. Consideration of the overall information held may alter the risk profile of the client.
74. Regulated financial institutions based in UAE; those located in EU, FATF, or comparable jurisdictions. A list of comparable jurisdictions and a list of FATF member countries can be found in Appendix 5.
75. Companies or their subsidiaries (50% or more) whose shares are traded on an EU regulated market or equivalent exchange. A list of such exchanges can be found in Appendix 5.
76. A third country is identified by credible sources as having a low level of corruption or other criminal activity, such as terrorism, money laundering, and the production and supply of illicit drugs. Furthermore, a third country, on the basis of credible sources, such as evaluations, detailed assessment reports, or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development, or other international bodies or non-governmental organizations:
77. Reputable, well-known organizations, with long histories in their industries or large market capitalization and with substantial public information about them and their principals and/or controllers.
78. Clients represented by those whose appointment is subject to court approval or ratifications (e.g. executors)
79. The following are examples of what would normally be considered High Risk. This list is not exhaustive.
80. All other clients that do not fall within either a low-risk category or a high-risk category including (but not restricted to):
81. FZCO will take the following additional considerations into account when determining the risk posed by a client. While these considerations will not determine the risk on their own, they will be considered alongside other factors in judging the overall money laundering risk posed by a particular client.
82. Risk management is a continuous process. The MLRO is responsible for ensuring the firm’s risk assessment is up-to-date and appropriate. This is done by means of an ongoing risk assessment.
83. On an ongoing basis the MLRO will review FZCO’s business activities, including:
84. The MLRO will identify any changes to FZCO’s services that may expose the firm to a higher risk of money laundering. This may also highlight the need for a formal assessment of risks posed by either of our client categories or individual clients. The results of this ongoing assessment will be detailed in the annual MLRO Report to senior management.
85. The Money Laundering Regulations specify the Customer Due Diligence (CDD) measures that are required to be carried out, the timing, as well as actions required if CDD measures are not carried out. The purpose of this chapter is to provide guidance on the following:
86. For lists of the documentation to be obtained and verified in respect of specific business types please refer to Chapter 6 of this handbook.
87. CDD is the entry-level approach that the Firm must take. Following this, evidence to ensure SDD or risks identified to raise the level of EDD is then taken.
88. The CDD measures that must be carried out involve:
89. These measures are designed to make it harder for the financial services industry to be used to launder money or fund terrorism.
We will apply CDD to all customers on a risk-sensitive basis, and monitor the service provider to ensure that the measures taken are appropriate.
90. FZCO will ensure that it has completed appropriate client due diligence prior to entering into a legally binding agreement with the client to undertake regulated business.
91. The Compliance Officer/MLRO may, at his discretion, allow an account to be opened before all the documentation has been obtained if it is necessary in order not to interrupt the normal conduct of business and there is little risk of money laundering. In these cases, the decision must be fully documented, and all outstanding documentation obtained as soon as possible. In these instances, the firm should not make any payments from that account either to the client or to a third party until such times as the documentation has been obtained and verified.
92. If FZCO is unable to comply with the required CDD measures in relation to a customer, then the firm must not undertake any transactions for that client and should terminate any existing relationship. At this point, it will be necessary to consider making a Suspicious Transaction Report to the MLRO.
93. If the client does not possess the right documents, then the firm should consider whether there are any other ways of being reasonably satisfied with the client’s identity.
94. Where an account is to be terminated due to a lack of CDD the MLRO should be consulted as to the appropriate way to return the funds.
95. If you suspect that any documents have been falsified or are fraudulent you must notify the MLRO immediately.
96. The term customer is not defined by the Money Laundering Regulations but, in general, will be the party with whom the business relationship would be established. If in doubt as to who should be identified as the customer, please seek guidance from the Compliance Officer or MLRO.
97. Where there is a party purporting to act on behalf of the Customer, the Money Laundering Regulations require that the party’s identity be verified. If in doubt as to how to meet this requirement, please seek guidance from the Compliance Officer or MLRO.
98. The Money Laundering Regulations require that anyone owning or controlling 25% or more of a legal entity is identified and that their identity be verified in line with the firm’s risk-based approach.
99. Also, where the actual beneficiary is an individual who, regardless of the size of the share of ownership, makes important decisions regarding the company (for example, on the basis of a shareholder agreement), their identity should be verified in line with the firm’s risk-based approach.
100. If a client has already been identified by FZCO, no additional information needs to be obtained in respect of such a client unless the information already available is either out of date; or if the client’s risk profile has changed. This may happen if the firm supplies a different product or service to the client or if FZCO becomes aware of any information that results in a change to the client’s risk profile.
101. If FZCO has any legal duty in a calendar year to contact the client to review their relevant beneficial ownership information, FZCO must apply/reapply CDD on the client.
102. SDD can be applied to certain low-risk entities. Whilst this means there is no requirement to perform checks on the client’s identity or beneficial ownership structure it is necessary to prove that they fall within the SDD exemption. SDD can be applied to:
103. Further detail on the application of SDD to these entities can be found in Chapter 6: Identification Evidence.
104. Under the risk-based approach adopted by FZCO, EDD will need to be conducted on any clients falling into the high-risk category. In addition to these clients, the regulations state specific instances where EDD must be applied. These are:
105. Specific guidance on the application of enhanced due diligence is contained in Chapter 6: Identification Evidence.
106. FZCO will use a standard form to open new client accounts.
107. While we will use our standard account opening procedure to verify the identity of our clients whenever possible, it may be the case that a client cannot provide standard information, or there are other factors that may influence the client’s risk profile. FZCO’s procedure cannot accommodate every eventuality and in some cases the Compliance Officers/MLRO will need to exercise their judgment. This may justify a deviation from the firm’s standard client opening procedure. All such exceptions must be agreed upon and documented by the Compliance Officer or MLRO in accordance with FZCO’s risk-based approach.
108. When identifying a client that acts on behalf of underlying customers AND is either of the following:
109. FZCO will not need to identify the underlying customers, even if their identity is disclosed to us unless we take instruction directly from the underlying customers.
110. In all other cases, FZCO will obtain identification and verification evidence in respect of both an intermediary and an underlying customer in accordance with our risk-based approach.
111. When the client is located in a Non-Comparable Jurisdiction, unless FZCO is satisfied that the client acting as an agent operates client identification procedures equivalent to UAE standards, the underlying customers must be identified or the business declined.
112. When the client is unregulated and located in a Comparable Jurisdiction, unless FZCO is satisfied that the client acting as an agent operates client identification procedures equivalent to UAE standards, the underlying customers must be identified, or the business declined.
113. FZCO may act solely as an introducer between the client and the firm providing a product or service (“Provider Firm”). FZCO will play no part in the actual transaction and have no other relationship with either of the parties.
114. In such cases, the identification and verification obligations will lie with the Provider Firm, and not with FZCO, provided that:
115. The level of documentation required for each client will vary depending on the risk category of a particular client.
116. It is a criminal offense to make funds or financial services available to sanctioned entities and people (targets) on the list maintained by the Supreme Council for National Security (Supreme Council). This would include dealing directly with these targets and dealing with these targets through intermediaries (such as lawyers or accountants).
117. Please contact the MLRO for the Sanctions List (https://www.uaeiec.gov.ae/en-us/un-page).
118. Generally, when identifying a client, a document issued by a government department or agency, or by a court will provide a high level of confidence. FZCO will normally accept non-government-issued documentary evidence verifying identity only if it originates from a public sector body or a regulated financial services firm in a comparable jurisdiction, or is supplemented by the knowledge that FZCO has of the person or entity, which has been documented (please refer to Section B2 box 7 in the NAO Form in Appendix 3).
119. No home visits will be permitted.
120. If documents are in a foreign language, FZCO will take appropriate steps to be reasonably satisfied that the documents do in fact provide evidence of the client’s identity. This is likely to involve the translation of either all or part of a document.
121. FZCO will rely on electronic identification evidence. As we choose to rely on electronic evidence only, we must use data from multiple sources, and across time, or incorporate qualitative checks that assess the strength of the information supplied. We cannot rely exclusively on electronic systems that access data from a single source only (e.g. a single check against the Electoral Roll). For further information on the use of electronic evidence please consult the Compliance Officer or MLRO.
122. We will not be operating with any requirement to obtain certified copies of identification documents.
123. FZCO understands that although the information on the websites of its clients or potential clients may be helpful, it is not independently verified. While FZCO may use such information as corroborative evidence, it will not exclusively rely on it; an exception can be made by the Compliance Officer/MLRO for low-risk clients.
124. Listed and some unlisted public companies are subject to a high level of disclosure in relation to ownership and business activities; and may have public filing obligations. Private companies and some partnerships, although not subject to such a level of disclosure, often have public filing obligations. Whenever possible and appropriate, FZCO will seek to use reliable public information in its identification process.
125. On some occasions, and where appropriate, FZCO may be provided with a list of those authorized to give instructions for the movement of funds or assets, along with an appropriate instrument authorizing one or more directors (or equivalent) to give FZCO such instructions. FZCO will use this information in determining whom to identify, using its risk-based approach.
126. Given FZCO’s business model, it is unlikely we would not meet our clients face to face.
127. Given our business and the type of service we provide, it is unlikely that clients accepted in such a manner will deliberately avoid face-to-face contact. Therefore, a non-face-to-face business will not in itself magnify a money laundering risk posed by a particular client. However, non-face-to-face identification carries an inherent risk of impersonation fraud. To address this risk FZCO will perform at least one additional verification check for non-face-to-face clients, such as:
128. If it appears that another person may have control over the funds which form or otherwise relate to the relationship with our client, we will seek to identify the controller as well as the client, if and when justified by risk.
129. Documents evidencing each item declared on SOW are a requirement under the EU 4th Directive on Money Laundering.
130. Each declaration on the SOW or assets owned by the customer must be evidenced by documentation and should be independently verified. A verifiable Chartered Accountant’s letter would be acceptable, ideally categorizing the cash, property, shareholdings and
131. Should the bank decide to take a reduced-risk approach on some PEP customers, SOW is required with evidence supporting the wealth taken from publicly available information, transaction records (statements), and searches.
132. Domestic PEPs should be initially treated as PEP and when the MLRO or delegated officer is satisfied that there is no other involvement or concern, they can be risk assessed and treated with a lower level of due diligence if appropriate. This de-risking should be recorded in line with the PEP recording process.
133. Income from Employment
134. Property Sale
135. Sale of Investments
136. Inheritance
137. The beneficiary of the Life Insurance policy
138. Company Sale
139. Divorce Settlement
140. Savings
141. Lottery / Gambling win
142. Companies
143. FZCO must ensure that controllers and Ultimate Beneficial Owners (UBO) of entities are identified and verified.
144. Appropriate identification, verification, and due diligence must be completed. Where required we should take sufficient measures to reach a good understanding of the underlying structure and ownership by considering information such as:
145. The standards for identification and verification set out earlier in this Policy must be used to verify and identify controllers or UBOs.
146. Passport copies should be clear and of good quality.
147. Clients should be discouraged from sending original valuable documents by post.
148. Consideration should be given as to whether the documents relied upon may have been forged.
149. The purpose of this section of the manual is to provide detailed guidelines to staff in respect of obtaining account opening documentation. The information below covers the types of legal entities that are likely to be clients of FZCO. However, due to the diversity of legal structures in place, it is not possible to cover all possible scenarios below. If a potential new client does not appear to fit into any of the categories detailed below you should seek guidance from the MLRO as to the most appropriate type of documentation to obtain.
150. Refusal by the customer to provide information or documents required for due diligence measures is deemed a fundamental breach of the contract and should be reported to the MLRO immediately.
151. There are five parts to Customer Due Diligence; this chapter covers the first three parts listed below:
6.1.1 Regulated Financial Institutions
152. Where the new client is a regulated financial institution in UAE, EU, FATF, or comparable jurisdiction there is no requirement to perform identity or verification checks. It is however a requirement that FZCO has reasonable grounds for believing the customer is an institution covered by SDD.
153. Therefore, when dealing with regulated firms FZCO will obtain the following information:
154. The list of regulators provided in Appendix 5 will assist FZCO in identifying such clients.
6.1.2 UAE Public Authorities and Community Institutions
155. In respect of UAE public authorities and community institutions, FZCO may apply SDD.
156. Therefore, when dealing with a UAE public authority or community institution FZCO will obtain the following information:
6.1.3 Companies listed on an EU-regulated market or equivalent exchange
157. Companies listed on an EU-regulated market or equivalent exchange are publicly owned and accountable.
158. For all such customers, FZCO will obtain the evidence of address as well as reliable evidence that the client is either of the following:
159. Whilst the SDD standards are lower for the types of clients mentioned above it does not negate the need to obtain and verify further information if the risk assessment of the new clients suggests this may be appropriate.
160. If a regulated market is located within the EEA there is no requirement to undertake checks on the market itself. FZCO will, however, record the steps it has taken to ascertain the status of the market. If the market is outside the EEA but is one which subjects companies whose securities are admitted to trading to disclosure obligations which are contained in international standards and are equivalent to the specified disclosure obligation in the EU, similar treatment is permitted.
6.1.4 Companies subject to the licensing and prudential regime of a statutory regulator in the EU
161. This would include companies that are subject to regulators such as OFWAT, OFGEM or OFCOM, or an EU equivalent, e.g. power and telecommunications companies.
6.1.5 Members of recognized professional bodies
162. This will include legal and accountancy firms in the UAE that are members of a recognized professional body. FZCO will obtain appropriate evidence that the firm is a member of the recognized professional body and this will be held on file.
6.2.1 Unregulated Private Companies and Limited Partnerships
163. FZCO, when identifying a company or limited partnership will seek to understand its legal form, ownership structure, and business. The amount of information that we will seek to obtain will depend on the money laundering risk posed by a particular company. Money Laundering Risk is discussed in Chapter 4.
164. Different information requirements in relation to different types of entities are detailed below. For all such clients FZCO as a matter of course will seek to obtain the following Standard Information; that is information required for all clients. Additional information will need to be obtained in relation to Medium and High-Risk clients.
6.2.2 Standard Information for Medium-Risk Clients
165. FZCO will obtain the following standard information in respect of each corporate client. The extent of verification of this information will depend on the risk posed by a particular client. When verifying the identity of a client in accordance with a risk-based approach, we will take into account the below-mentioned examples of documentation that can be used for such verification.
166. Wherever possible this information must be obtained from an independent source such as Companies House or from a reputable business information provider. Further detail of the standard of evidence is given in Chapter 5.
167. Where any discrepancies are identified between a client’s beneficial ownership information available at the Registrar of Companies (ROC) and the information FZCO obtains through our own compliance checks, we are required to report the discrepancies to the MLRO.
168. The identity of beneficial owners owning 25% or more of the company and the identity of at least one director must be verified in line with the requirements for private individuals.
6.2.3 Limited Partnerships which are Medium Risk Clients
169. Limited Partnerships are treated in the same way as a private company, the only difference being that a list of partners will be obtained in place of the lists of directors and beneficial owners.
170. The identity of the partners or other beneficial owners with a beneficial interest of 25% or more of the partnership, including the General Partner/Managing Partner, must be verified in line with the requirements for private individuals.
171. If the General Partner/Managing Partner is a corporate entity, the identity of the ultimate beneficial owner of that corporate entity must be verified.
6.2.4 High-Risk Clients
172. In relation to High-risk clients, we will obtain at least the following information, added to both the standard information for Medium risk clients (save for overlapping requirements), or both:
6.11 Politically Exposed Persons.
173. For an entity, we will also obtain the following information:
6.2.5 High-risk third countries
174. For clients residing in or nationals of high-risk third countries, Enhanced Due Diligence measures must be applied:
175. The current list of high-risk third countries as defined by the European Commission lists the following 25 countries in 2022:
An up-to-date list can be found in High-risk third countries and the International context content of anti-money laundering and countering the financing of terrorism (Europa.eu)
6.2.5 Legal and accountancy firms
176. Firms that are members of a recognized professional body (accountants and lawyers) will often be set up as limited companies or partnerships. As they will be classified as low risk from a money laundering perspective FZCO has decided that there is no need to obtain the various documents that would apply to a private company or partnership that was not a member of a recognized professional body (Medium Risk Clients).
177. FZCO will treat partnerships and other unincorporated businesses in accordance with the requirements and guidelines set out above for private companies (as noted earlier this will not apply to partnerships that are members of a recognized professional body).
The standard information for all such businesses will consist of:
178. The identity of the partners or other beneficial owners with a beneficial interest of 25% or more of the partnership must be verified in line with the requirements for private individuals.
179. If any of the partners is a corporate entity, the identity of the ultimate beneficial owner of that corporate entity must be verified in accordance with the requirements for individuals.
180. When accepting a new client that is a government body or public authority in a country other than UAE, the approach to identification and verification has to be tailored. The guidance below should be sufficient to identify and verify most organizations but in the case of any doubt please seek advice from the MLRO.
181. The following information should be obtained:
182. The firm will verify the name, address and where possible the home state authority.
183. For higher-risk organizations, the firm will undertake verification of the identity of two directors.
184. It is unlikely that our client base will include trusts. However, we do not rule out the possibility that we may be dealing with a trust. FZCO will treat trusts in accordance with its risk-based approach. In relation to trusts, we will have regard to the following considerations, as well as the general considerations outlined above in implementing our risk-based approach:
185. In many cases, a trust will not be a separate legal entity but should still be regarded as the customer. The trustees of a trust will be considered the controllers. The purpose and objects of most trusts are set out in a trust deed. Please consult the Compliance Officer or MLRO if you are unsure as to who your client is.
186. Most trusts accepted as clients of FZCO will fall into the Medium risk category. If the trustees of a trust are all regulated entities or publicly listed companies it may be possible to consider them Low risk if there is nothing to suggest they should be treated otherwise.
For each trust, we will seek to obtain the following information:
187. If the client is to be a low risk then it will be necessary to demonstrate that all trustees (i.e. controllers) are either regulated institutions or listed companies.
188. Trusts set up under testamentary arrangements and small, local trusts funded by small, individual donations from local communities, serving local needs, will be classified as Medium risk.
189. In addition to verifying information in accordance with procedures for Low-risk clients, we will obtain the following information:
190. Offshore trusts and trusts with complex structures will be classified as High risk. In respect of High-risk trusts FZCO will seek to obtain and, where appropriate, verify some or all the following additional information in addition to the information required for Low and Medium risk clients:
191. The following information must be obtained for all UAE and non-UAE registered charities – prior to opening the account:
192. For all trusts, the identity of the beneficial owners will need to be verified. These will be:
193. Following our assessment of the money laundering risk presented by the trust, we may decide to verify the identities of additional trustees, and/or of the settlors.
194. In cases where FZCO needs to identify a private individual, it will always seek to obtain the following information:
195. In verifying the individual’s identity, we will obtain:
196. EITHER: A government-issued document that incorporates the client’s full name and photograph AND either their residential address or their date of birth
197. OR: A government-issued document (without a photograph) that incorporates the client’s full name. This must be SUPPORTED BY a second document, either government-issued, or issued by a judicial authority, a public sector body or authority, or another UAE-regulated firm in the UAE financial services sector, or in a comparable jurisdiction, which incorporates the client’s full name AND either their residential address or their date of birth
198. Client identification performed electronically should mirror the above requirements.
199. In the case of private individuals that have not been met by the firm an additional piece of acceptable documentation must be obtained.
200. Please refer to Appendix 4 for a non-exhaustive list of acceptable documents for individual identity verification.
201. If the client has been deemed to be of higher risk, then the following applies:
6.10.1 Verifying the Identity of Higher Risk Individuals
202. Full name, date, and place of birth must be verified using:
203. EITHER a current passport (to include the photograph page and pages containing reference numbers, date country of issue, nationality, and place of birth)
204. OR a national identity card (to include the photograph page and pages containing reference numbers, date country of issue, nationality, and place of birth).
6.10.2 Verifying the address of higher risk individuals
205. At least one of the following pieces of original documentary evidence confirming the individual’s current residential address is required for all relationships classified as medium or high risk.
206. (The documents are listed in order of preference – Not all documents are appropriate in some countries):
207. If an individual has lived at their current residential address for less than 12 months FZCO will require a document that confirms the individual’s previous residential address. Please note – a C/O address or PO Box is not acceptable.
208. It is necessary for enhanced due diligence (“EDD”) to be conducted when a client is a PEP or where one or more of the directors or beneficial owners of a client is a PEP.
209. A PEP is defined as an individual who has, at any time in the preceding year, been entrusted with prominent public functions and an immediate family member or known close associate of such a person. The risks of Politically Exposed Persons (PEPs) are that they may handle proceeds of corruption and/or may offer, be offered, or expect/demand bribes. A prominent public function could include, but is not limited to:
210. There is no initial distinction between the locations of a PEP and the Money Laundering Directives identify domestic PEPs to be treated as PEP.
211. Politically Exposed Persons, and family members or known close associates of PEPs, are individuals who by virtue of their position pose an inherently higher money laundering risk, particularly if they are based in a higher-risk country or business. Money Laundering Regulations require us to monitor all PEP relationships due to the likelihood that they will pose a higher risk.
212. When taking on new customers and updating existing customer Identification and Due Diligence, we must screen customers against publicly available PEP lists in order to determine if they are politically exposed.
213. In respect of PEPs FZCO must have
214. The Foreign Account Tax Compliance Act (FATCA) is a 2010 United States federal law to enforce the requirement for United States persons including those living outside the U.S. to file yearly reports on their non-U.S. financial accounts to the Financial Crimes Enforcement Network (FinCEN).
215. GIIN is an abbreviation of the Global Intermediary Identification Number. The FATCA Registration System approves foreign financial institutions (FFI), financial institution (FI) branches, direct reporting non-financial foreign entities (NFFE), sponsoring entities, sponsored entities, and sponsored subsidiary branches. Institutions and entities assigned a GIIN can use it to identify themselves to withholding agents and tax administrators for FATCA reporting purposes.
216. If an individual’s account holds any of the following seven criteria, we may need to request further information or documentation to determine if the customer is a US person under FATCA.
217. Passport copies should be clear and of good quality.
218. Clients should be discouraged from sending original valuable documents by post.
219. Consideration should be given as to whether the documents relied upon may have been forged or altered in any way.
220. FZCO may accept a confirmation from an intermediary that a client’s identity has been appropriately verified. We will take account of the following considerations when deciding whether it is reasonable for us to rely on an intermediary to have properly identified the client:
7.1.1 Reliance on Third Parties
221. Where the business relies on a third party for compliance with this policy or additional applicable AML requirements, the MLRO must ensure that such reliance is permissible under law and consistent with this policy, and reasonable under the circumstances.
222. When a relevant person relies on a third party to apply customer due diligence measures it:
7.1.2 Regulated Financial Sector Firms
223. Provided the introducer satisfies the general criteria above, FZCO will normally be able to rely on an Introduction Certificate from a UAE-regulated firm or regulated financial institution in a comparable jurisdiction.
224. An Introduction Certificate states that one regulated entity has conducted appropriate checks to satisfy money laundering requirements for a client. It can be forwarded to another regulated entity and can be relied upon to satisfy money laundering requirements by the entity receiving the Certificate.
7.1.3 Professional Firms
225. FZCO will not accept Introduction Certificates from lawyers, accountants, and other professionals but may rely on the copies of verification documentation supplied by a professional firm to us if these have been assessed by FZCO as satisfactory.
7.1.4 Firms in Non-Comparable Jurisdictions
226. If the introducing firm is located in a non-comparable jurisdiction, FZCO will either:
227. When a client is introduced by one part of a financial sector group to another, it is not necessary for their identity to be re-verified, provided that:
228. It is the responsibility of the UAE firm to satisfy itself that the standards of identification are acceptable.
229. Any Introducer must be able to supply copies of the client’s due diligence documents to FZCO on request. The documentation should be provided within 48 hours unless an extended timeframe is agreed upon between both parties.
230. If at any time you become concerned that an introducer is not obtaining sufficient information on clients and/or is unable to provide copies of documents on request, then this matter must be referred to the MLRO.
8.1.1 Obligation to Report
231. Every member of FZCO’s staff is required to make a formal report to the MLRO if, in the course of their employment, they know, suspect, or have reasonable grounds for either knowing or suspecting money laundering or terrorist financing. Reporting in accordance with this requirement will not result in a breach of the General Data Protection Act, confidentiality, or any other contractual or statutory provisions.
232. Remember that a duty to report a suspicion of money laundering exists even if a potential client does not conduct any business through FZCO, or if we decline the business. The obligation to report is in respect of anyone, whether the firm’s client or not. This is different from the obligation to report fraud that applies to FZCO’s actual, and not potential, clients only.
8.1.2 Objective Test
233. It is important to understand that a person could be found guilty of a failure to report even if they did not actually suspect but ought to have suspected money laundering. The test is whether an honest and reasonable person, working within the financial services industry, would have formed a suspicion based on the facts available at the time.
Generally, to satisfy this test you would have to know your client, their business, and the rationale for their instruction, activity, or transaction. A failure to make adequate inquiries or assess relevant facts will not provide protection against the objective test of reasonable suspicion.
234. A suspicious activity or transaction will often be:
235. Reasonable grounds to know or suspect is a negligence test as a deterrent against those in banks and other financial sector banks who fail to act competently, reasonably, and honestly where information before them ought to make them suspect money laundering. It may therefore be considered to cover:
8.1.3 Timing of Reporting
236. The obligation is to make a report without undue delay and not later than two business days after the identification of the suspicious activity or transaction.
8.1.4 Discharge of Individual Responsibility
237. By submitting a report to the MLRO you will discharge your individual responsibility, thus protecting yourself from criminal prosecution for the offense of a failure to disclose. Therefore, when reporting a suspicion, you will receive a formal written acknowledgment from the MLRO. Please retain it for your own records.
8.1.5 Consultation with a Colleague or Line Manager
238. It is acceptable to discuss your suspicion with your line manager. However, if after consulting your line manager you remain suspicious, it is your responsibility to ensure that a report is submitted to the MLRO.
239. While a line manager may comment on the proposed report, they do not have the authority to block or attempt to block any report being made to the MLRO. Should you encounter an attempt to prevent a report from being made, you should discuss this with the MLRO directly.
240. In addition, if you consult a colleague, this colleague will have knowledge on the basis of which they must consider whether or not to make a report to the MLRO. To avoid making duplicate reports, the colleague, if suspicious, should only report if they are reasonably satisfied that the employee will not make such a report.
241. To reduce the risk of inadvertently tipping off a client the case should be discussed with as few people as possible.
8.1.6 Continuous Obligation to Report
242. Making a report does not remove the need to notify the MLRO of further suspicions that may arise with the same or different client. If further suspicions arise additional reports must be made to the MLRO.
8.1.7 After Submission of a Report
243. Until the MLRO informs you that no report to FIU is to be made, any further transactions or activity in respect of the suspected client must be reported to the MLRO as soon as they arise.
8.1.8 MLRO’s Determination
244. The MLRO will consider the report and surrounding circumstances and decide whether or not to submit an external report to FIU. If the MLRO decides to do so, they must do this as soon as practicable.
245. In order to undertake this investigation, the MLRO may need further information or access to client files. The MLRO must be given free access to all client records. If further information needs to be obtained from the client or from an intermediary, then this should normally be obtained by the employee with the client relationship. This is to minimize the risk of alerting the client or intermediary that a disclosure to FIU is being considered.
246. The MLRO will record all internal inquiries made in relation to the report of suspicion and the basis for their decision to make or not to make a report to FIU.
247. A failure to make a report when there are reasonable grounds for suspicion may constitute assistance, potentially incriminating you as a party to a crime.
248. If disclosure to the MLRO causes them to acquire knowledge or suspicion of money laundering (or gives them reasonable grounds for such knowledge or suspicion) and the MLRO fails to make a report to FIU, then they will be committing the offense of a failure to disclose.
8.1.9 Pre-Transaction Reporting to FIU
249. If a pre-transaction report is made by the MLRO to FIU, no business may be conducted with or for a client until you receive consent from FIU. FIU has 7 working days, from the working day following the day of the disclosure, in which to respond to the MLRO. Dealing with or advising a client before receiving consent from FIU may constitute one of the offenses, that is concealing, arrangements or acquisition, use, and possession.
250. Note there are no provisions under the Terrorism Act for consent to be given within a specified period. If a report is made to the FIU under this Act no related transaction or activity is allowed to proceed until FZCO has been contacted by FIU or a law enforcement agency.
251. The MLRO will inform you whether FIU consents to you dealing with the client or not. Please liaise directly with the MLRO who will provide guidance on what information may be provided to a client or potential client.
8.1.10 Post-Transaction Reporting to FIU
252. Since FIU cannot provide consent after a transaction or activity has already occurred, it will provide an acknowledgment of receipt of a report to the MLRO. In the absence of an indication to the contrary from the MLRO, you may deal with the client as normal.
However, you must inform the MLRO of every interaction with the client and seek guidance on how to deal with that client.
8.1.11 Contact with Client and Third Parties
253. Any contact from the client questioning the delay in processing their transaction needs to be handled very carefully. In these circumstances, please liaise closely with the MLRO.
254. Whether or not FIU allows you to proceed with a transaction, you may not tip off the client that a disclosure to the authorities has been made. Neither may you disclose that such a disclosure has been made in response to a data protection request.
255. Unless specifically authorized to do so, you must not discuss any reports of suspicions of money laundering with third parties. Any requests for information from third parties, such as the Police or Customs, must be immediately referred to the MLRO.
8.1.12 Court Orders
256. Any evidence to be presented in Court will be obtained under a court order. The following are the types of orders that may be served on FZCO as part of an investigation.
8.1.13 Failure to Make a Report
257. FZCO will take disciplinary action against any member of staff who fails to report a suspicion without a reasonable excuse.
8.1.14 Form of Reporting
258. Please make your report to the MLRO on the Suspicious Transaction Reporting Form (Money Laundering) attached as Appendix 1. Please give as much information on this form as possible to assist the MLRO.
259. Below is a list of activities that may give rise to a suspicion of money laundering or terrorist financing. This is not an exhaustive list of circumstances; neither will they necessarily give rise to suspicion. However, any of these occurrences are likely to form a basis for further inquiry in most cases. It will be ultimately a matter of your own consideration to decide whether or not to report a suspicion.
260. FZCO’s policy is not to maintain relationships if the firm believes we may be used for money laundering. Where a client has been involved in a suspicious transaction, the MLRO, together with the senior management, makes a decision regarding the ongoing relationship with that client. If we decide to continue a client relationship, we may implement increased monitoring of the client’s account.
261. Where a client has been the subject of a referral to FIU by the MLRO, the MLRO must be informed before any action is taken to exit the relationship. In such circumstances, the MLRO will consult FIU to obtain permission to terminate the client relationship.
262. Occasionally a SAR will be received in respect of a client where an internal or external suspicious transaction report has been made. Whilst the General Data Protection Regulations (“GDPR”) seek to ensure all information is included in any response to a SAR request, they do allow the omission of information that may prejudice the prevention or detection of crime. Any such request will need to be handled sensitively and will require the MLRO to liaise with FIU as well as their legal advisers when deciding whether to omit any information. Any decision in respect of any exemption must be clearly documented.
263. Article 5 (e) of the GDPR states personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
264. For Money Laundering purposes, records of all internal and external reports together with any supporting documentation must be retained for 5 years from the date of the report. If, however, the firm is aware of an ongoing investigation in relation to any report it must be retained until the relevant agency has confirmed that the case is now closed.
265. For the purpose of this manual “Awareness” refers to actions taken by FZCO to ensure that, on an ongoing basis, personnel are informed of money laundering and associated risks as well as their individual and collective responsibilities.
266. “Training” refers to a more specific process whereby staff are educated on specific areas, their attendance is recorded, and understanding is measured.
267. FZCO has a legal responsibility to ensure that person receives appropriate anti-money laundering training. Failure to provide training may constitute a criminal offense.
268. It is our policy to ensure that all employees are aware and kept up to date with money laundering developments. This Policy serves as the basis for awareness within FZCO. It will be supplemented with additional material as and when necessary.
269. At the start of their employment, every employee must be given a copy of this Handbook and must sign an Anti-Money Laundering Policy Declaration attached as Appendix 6 to confirm that they have read and understood the provisions of this Handbook.
270. FZCO provides training to relevant staff upon recruitment and on an annual basis. The definition of “relevant staff” is set as widely as possible to encompass all employees who may be able to identify suspicious transactions during the course of their work. The requirement to train relevant staff is also applicable to any part-time, temporary, or consulting staff.
271. Anti-money laundering training will, as a minimum, comprise the following issues:
272. Attendance or completion of anti-money laundering training is mandatory for all relevant personnel. If you are unable to attend on a scheduled training date you should contact the course organizer or provider as soon as possible to arrange an alternative date. Repeated failures to attend training courses may result in disciplinary action.
273. If, after attending a training course, you feel that you would benefit from further clarification on certain subjects; please contact the MLRO.
274. FZCO will conduct initial and periodic screening of relevant staff. Relevant staff includes compliance staff, employees in the front office, those who introduce the business, and those who engage with clients.
275. The initial and annual screening will include an assessment of the individual’s skills, knowledge, and expertise in order to ascertain whether they are capable of carrying out their functions effectively, as well as conducting an assessment of the conduct and integrity of the individual.
276. FZCO will retain the records of all materials issued to its personnel in relation to anti-money laundering, counter-terrorism, and sanctions training and awareness for at least 5 years from the date of issue of materials.
277. These records will include the names of attendees, dates of all training sessions, the content of courses and presentations, and, where applicable, test results. All staff will be required to sign the Register of Attendees attached as Appendix 2 confirming that they have received training and understood their legal responsibilities.
278. FZCO will retain the records in relation to the screening of staff for at least 5 years from the date of issue of material.
279. Due to FZCO’s size and nature of its business, the firm, in monitoring clients’ activities, places reliance on two main factors:
280. We ensure that the information we keep about our clients is up-to-date through regularly performing client reviews. The frequency of such reviews is determined by the client’s risk category. Apart from the transaction monitoring on each account, we review our clients with the following frequency:
281. The purpose of these reviews is to identify any significant changes to the corporate structure, management, and activities of the client. Unless the MLRO resolves otherwise, it is not always necessary to obtain all the information required for account opening or to re-verify all identification information. These reviews are coordinated by the MLRO. In addition to reviewing changes to the client’s structure, management and profile an overall review of the client’s activity over the period is normally conducted. This will allow FZCO to assess if there have been changes in the client’s activity which could be considered unusual given the information held about the client.
282. Notwithstanding these timescales, should any member of staff become aware of a change in the circumstances of a client, for example, a change of ownership structure or a move into a new business area, this information should be recorded on the client file immediately. If this information could affect the risk assessment of the client then the MLRO should be informed. The MLRO will then decide if there is a need to re-evaluate the client’s risk assessment.
283. We consider that a combination of anti-money laundering training and commercial awareness will enable our staff to monitor for, recognize and report suspicious activities.
284. We will seek to understand the rationale for the client undertaking a particular transaction or activity. When identifying unusual or potentially suspicious activity our staff will use their knowledge of the client and of what would be normal in a given set of circumstances.
285. In general terms, all members of staff should have regard to the following considerations when monitoring client accounts, as well as factors detailed in other chapters of this Policy:
286. However, FZCO recognizes that while staff training is important, it is not a comprehensive substitute for transaction monitoring. Therefore, on a quarterly basis, FZCO will formally review all transactions undertaken each quarter to ensure that no money laundering has been facilitated or taken place.
287. Please refer to the Post-Transaction Review Form contained in Appendix 7 of this Handbook.
288. Evidence of all monitoring undertaken by FZCO will be retained for a period of at least 5 years from the date of the review.
289. This chapter provides guidance on the record-keeping procedures that FZCO needs to meet its obligations in respect of the prevention of money laundering and terrorist financing.
290. Keeping adequate records will ensure that FZCO can:
291. The following material must be kept:
292. Keeping the required records for the specified time period will not result in FZCO breaching the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data). This information will be made available to the competent authorities in the context of any relevant criminal investigations and prosecutions.
293. Client identification records must be kept for a period of at least 5 years from the date of the end of a client relationship. That is either the date of the last transaction with the client or the closure of the client’s account, whichever is the latest.
294. The revised FATF Recommendations demonstrate that, in order to be able to cooperate fully and comply swiftly with information requests from competent authorities for the purposes of the prevention, detection, or investigation of money laundering and terrorist financing, obliged entities should maintain, for at least five years, the necessary information obtained through customer due diligence measures and the records on transactions.
295. In order to avoid different approaches and in order to fulfill the requirements relating to the protection of personal data and legal certainty, the retention period should be fixed at five years after the end of a business relationship or of an occasional transaction.
However, if necessary for the purposes of prevention, detection, or investigation of money laundering and terrorist financing, and after carrying out an assessment of the necessity and proportionality, Member States should be able to allow or require the further retention of records for a period not exceeding an additional five years, without prejudice to the national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings.
296. Transaction records must be kept for a period of at least 5 years from the date of the transaction. They should be maintained in a form that provides a satisfactory audit trail of all transactions effected via FZCO allowing their reconstruction.
297. It is FZCO’s responsibility to ensure the third party complies with the record-keeping obligations. This principle applies to the use of third-party service providers such as introducers or administrators.
298. We will retain the following records of any reports of suspicions of money laundering regardless of whether the MLRO made a report to FIU. These records will consist of:
299. These records will be retained for 5 years from the date the report is made. However, if FZCO is aware that either FIU or another law enforcement agency is investigating a client, FZCO will retain all records in relation to that client until the agency confirms that the case is closed. If, within 5 years of a disclosure being made, FZCO has not been advised of an ongoing investigation, it may destroy the records.
300. We will retain the following records for at least 5 years in relation to Anti-Money Laundering (“AML”) training:
301. The following records are retained for at least 5 years in relation to compliance monitoring:
302. Where a business has been refused because it does not meet our client identification, verification and KYC standards, a record of the refusal will be retained for 5 years.
303. All electronic payment messages should contain sufficient information to identify the parties involved (i.e. both the party making the payment and the beneficiary). This information should include full names, addresses and account numbers. Where this information cannot be provided in the electronic payment message, full records must be retained.
304. FZCO aims to reduce the volume and density of records. While still complying with the statutory requirements we may choose to keep records:
305. FZCO may keep records either offsite or outside UAE but will remain responsible for ensuring that all required records can be made available without undue delay and meet the UAE regulatory requirements. FZCO will ensure that all records, however kept, are capable of being retrieved within 48 hours. FZCO will, whenever possible, seek to retain all records on the business premises.
306. Where a firm fails to observe the record-keeping requirements either the firm or relevant person(s) or both are open to prosecution.
Please, read the information about CFPS Fees and Limits on the Fees page.
CFP TECHNOLOGY FZCO (“FZCO”) has a responsibility to satisfy itself that it and its outsourced functions are properly run and have appropriate corporate governance. One of the ways in which this is achieved is to set policies for each fundamentally affected area of business, especially those subject to regulatory scrutiny.
It is a fundamental principle of FZCO that it will maintain the level of record-keeping required to comply with the regulatory and statutory requirements applicable to its business activities. This archiving policy sets out FZCO’s approach to archiving its records, which should ensure that FZCO complies with both its legal and regulatory obligations.
For many reasons, FZCO considers it important to provide its staff with clear guidance on its archiving procedure.
A record is defined as encompassing documents that are essential to us in carrying out our business and serving our customers as well as complying with accounting, financial reporting, legal, tax, Anti-Money Laundering, Customer Due Diligence, and other regulatory requirements as may be required from time to time. It can include any piece of paper relevant to a customer, past or present e.g., customer application forms, letters, memos, reports, hard copies of e-mails, mandate cards, payment advice, etc.
There is a multitude of different statutes and regulatory retention periods depending on the type of product and the type of record in question from 3 to 7 years. Therefore, as FZCO’s customer files will be electronic and could contain a combination of these records, it has been decided that the retention period will be ad infinitum electronically and no less than 10 years, from the last involvement, for all types of records. This approach will ensure that FZCO addresses the requirements of all the various regulatory and statutory requirements applicable to its business. This is in excess of the statutory requirements.
No member of staff, at whatever level, has the authority to conceal, discard, delete, destroy, or alter any document with the intent, or believed intent, of
If a member of staff feels that he or she is being asked to do something contrary to this policy they have the obligation to refuse, and to report this in accordance with FZCO’s whistle-blowing procedures.
If there is any doubt regarding the archiving of any document, the Compliance Director/Officer should be contacted for guidance.
Certain company documents (i.e. Certificate of Incorporation and Memorandum and Articles of Association) must be kept indefinitely with the company books at the registered office address. Data protection legislation stipulates that data should not be kept any longer than is necessary and therefore e-mails should be deleted as soon as reasonably practicable after the work stream in question has been concluded. Hard copies should be made of all e-mails that require retention and stored in a secure place. Hard copy e-mails should be scanned to the relevant customer file and archived in accordance with the above.
This policy must be reviewed by FZCO’s Head of Compliance every year to ensure its alignment with appropriate legal and regulatory requirements as well as best practice compliance standards, the local whistle-blowing procedures, and its continued relevance to FZCO’s current and future operations. Every 12 months the Board must issue an up-to-date policy for FZCO. Any interim change to this policy must be proposed to the Board and, if agreed upon, requires the written approval of members of the Board.
The New Federal Law No. 15 of 2020 Regarding Consumer Protection – Article 4, s. 5
https://www.mealc.org/post/the-new-federal-law-no-15-of-2020-regarding-consumer-protection
Protecting the privacy and security of the customer data and not using it for promotional and marketing purposes.
Data Protection Law DIFC Law No. 5 of 2020
https://www.difc.ae/application/files/3016/4664/4540/Data_Protection_Law_final.pdf
The Board of CFP TECHNOLOGY FZCO (“FZCO”) has a responsibility to satisfy themselves that its operations are being properly run and have appropriate corporate governance. One of the ways in which this is achieved is to set policies and maintain them on a regular basis. It is the responsibility of each person to ensure that they comply with CFP Technology’s latest approved policies.
It is a fundamental principle of FZCO that it will protect itself against fraud. FZCO, recognizing the importance of safeguarding the assets of both CFP Technology and our clients, acknowledges that the values of quality, honesty, and trustworthiness lie at the heart of our products and reputation. This anti-fraud policy sets out FZCO’s approach to preventing fraud.
FZCO defines fraud as:
FZCO’s anti-fraud approach consists of the following key elements:
It is the duty of all employees to protect the business by acting with propriety in the use of FZCO’s resources and funds and to communicate concerns where potential fraud risks (including control weaknesses that may lead to fraud) are identified.
FZCO has adopted a risk-based approach to fraud prevention and management which reflects the particular risk factors affecting the firm, some examples of which are:
These are devised to prevent, deter and detect fraud. All staff and senior managers are tasked with the maintenance of existing procedures and, where required, the implementation of new cost-effective procedures to prevent, deter and detect fraud.
FZCO will take firm and vigorous action against any individual or group perpetrating, or attempting to perpetrate, fraud against FZCO, its clients, staff or suppliers. Recovery of any losses and costs incurred will also be sought.
Any fraudulent activity by employees may lead to dismissal and prosecution.
FZCO will assist the local police authorities and other appropriate authorities in the investigation and prosecution of those suspected of fraud against FZCO, its clients or its suppliers. FZCO reserves the right to engage third parties to undertake investigations on its behalf.
All employees are encouraged to be vigilant and to immediately report any suspicion of fraud to their manager, the local Compliance Officer, FZCO’s Head of Compliance, or another Senior Manager. This report can be made either orally or in a written statement.
Staff are expected to act with integrity and in accordance with acceptable behaviors at all times. There is a detailed whistle-blowing procedure that sets out staff’s detailed responsibilities together with advice and guidance in dealing with suspected fraud which should be brought to all staff members’ attention.
This policy must be reviewed by FZCO’s Head of Compliance every year to ensure its alignment to appropriate legal and regulatory requirements as well as best practice compliance standards and its continued relevance to FZCO’s current and future operations. Every 12 months the Board must issue an up-to-date policy for FZCO. Any interim change to this policy must be proposed to the Board and, if agreed upon, requires the written approval of members of the Board.
Dubai International Financial Centre
Operating Law No. 7 of 2018 – s.64
https://www.difc.ae/files/8115/9758/9102/Operating_law.pdf
Internet Access Management (IAM) policy
Telecommunications and Digital Government Regulatory Authority (TDRA) implements the Internet Access Management (IAM) policy in the UAE, in coordination with National Media Council and Etisalat and Du, the licensed internet service providers in the UAE. Under this policy, online content that is used for impersonation, fraud and phishing and/or invades privacy can be reported to Etisalat and Du to be taken down.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the UAE and beyond; affording individuals stronger, more consistent rights to access and control their personal information whether customer or employee.
This policy sets out the basis on which any personal data we collect or that is provided to us, will be processed by us. For the purposes of the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (the “Law”), the data controller is FZCO.
Personal data
See Appendix A for the references relating to the policy. The Law applies to ‘personal data’ (see Article 6) meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data, or online identifier, reflecting changes in technology and the way organizations collect information about people.
The Law applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymized – e.g., key-coded – can fall within the scope of the Law depending on how difficult it is to attribute the pseudonym to a particular individual and under Article 22(c) of the Law.
Appendix B displays Articles 9 to 11 of the Law for ease of reference.
Sensitive personal data
The Law refers to sensitive personal data as “special categories of personal data” (see Article 11).
The special categories specifically include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life; or sexual orientation where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing (see Article 10).
CFP Technology FZCO (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place that complies with existing law and abides by data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the Law and the UK’s Data Protection Bill.
CFP Technology FZCO is dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and implementation objectives for Law compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.
What are the lawful bases for processing?
There are six lawful bases for the processing which are set out in Article 6 of the Law. At least one of these must apply whenever we process personal data:
(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The principle of accountability requires that we can demonstrate that we are complying with the Law and have appropriate policies and processes. This means that we need to be able to show that we have properly considered which lawful basis applies to each processing purpose and can justify our decision.
We, therefore, keep a record of which basis we are relying on for each processing purpose, and a justification for why we believe it applies.
It is our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.
See the accountability section of this guide for more on this topic.
Registration: Our business is registered with the DIFC Commissioner’s Office. Details will be available on the DIFC’s public register.
CFP Technology FZCO already has a consistent level of data protection and security across our organization; however, it was our aim to be fully compliant with the Law.
We organized an information audit across our business to identify the data that we process and how it flows into, through, and out of our business.
Having audited our information, we then identified any risks.
We have documented our findings in the Information Asset Register. This register will be reviewed any time a new process or purpose of the data is used.
As we have fewer than 250 employees, we must keep records of any processing activities that:
We may be required to make these records available to the Commissioner on request.
Lawful bases for processing personal data: Our business has identified the lawful bases for processing and appropriately documented them. Our decision on the lawful bases for processing will have an effect on individuals’ rights. For example, if we rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that we inform individuals how we intend to process their personal data and what our lawful bases are for doing so, for example in our privacy notice(s).
Our Lawful Bases for Processing
Consent: Our business has reviewed how we ask for and record positive consent
Consent is not always required, and we should always assess whether another lawful basis is more appropriate.
Consent means offering people genuine choice and control over how we use their data. We can build trust and enhance our business by using consent properly.
The Law has a standard of consent in several areas and contains much more detail. For example, we must:
Consent: Our business systems record and manage ongoing consent
We continue to review consent as part of our ongoing relationship with individuals.
We keep our clients’ consent under review and refresh it if anything changes. We have a system or process to capture these reviews and record any changes.
Contract: When is the lawful basis for contracts likely to apply?
We have a lawful basis for processing if:
Legal Obligation: When is the lawful basis for legal obligations likely to apply?
In short, when we are obliged to process personal data to comply with the law.
Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So, it includes clear common law obligations.
This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that our overall purpose must be to comply with a legal obligation that has a sufficiently clear basis in either common law or statute.
We should be able to easily identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, we can refer to a government website or to industry guidance that explains generally applicable legal obligations.
It’s clear from Recital 46 of the Law that vital interests are intended to cover only interests that are essential for someone’s life. So, this lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care when anyone needs to process personal data for medical purposes, but the individual is incapable of giving consent to the processing.
This basis does not apply to our company.
This can apply if we are either:
This basis does not apply to our company.
Legitimate Interests:
Article 6(1)(f) gives us a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
A wide range of interests may be legitimate interests. They can be our own interests or the interests of third parties, commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
We will complete a legitimate interest assessment if we have to rely on this basis.
This basis is not likely to apply to our company.
We must still have a lawful basis for our processing under Article 6, in exactly the same way as for any other personal data. The difference is that we will also need to satisfy a specific condition under Article 9. See the definition above
This is because special category data is more sensitive, and so needs more protection.
This means we must either be processing the data in an official capacity or have specific legal authorization – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill.
Data Subject Rights
In addition to the policy and procedures mentioned above that ensure individuals can enforce their data protection rights, we operate a system of data retention that easily accommodates any request the data subject may make.
We provide easy-to-access information via [our website, in the office, during induction, etc.] of an individual’s right to access any personal information that CFP Technology FZCO processes about them.
The individual may request information about:
When we provide privacy notices to individuals.
Individuals need to know that their data is collected, why it is processed, and who it is shared with.
We publish this information in our privacy notice on our website and within any forms or letters we send to individuals.
The information will be:
The information we supply is determined by whether or not we obtained the personal data directly from the individual or from a third party. The only exception is that third-party provider does not require “details of whether individuals are under a statutory or contractual obligation to provide the personal data”.
You have the right to obtain information on the categories of personal data being processed, the purpose of the processing, the decisions made upon automated processing, and entities with whom the personal data is shared. Individuals have the right to obtain:
We provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request:
The fee must be based on the administrative cost of providing the information. See Article 33(8) of the Law.
The information must be provided without delay and at least within one calendar month of receipt. We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
We must verify the identity of the person making the request, using “reasonable means”.
If the request is made electronically, we should provide the information in a commonly used electronic format.
How we ensure personal data held by us remains accurate and up to date
Under Article 33(1) of the Law, individuals have the right to have personal data rectified if it is inaccurate or incomplete.
We will always respond to a request without delay and at least within one month of receipt.
We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If we have disclosed the personal data to a data processor (third party) we must inform them of the rectification where possible.
We will regularly review the information we process or store to identify when we need to do things like correct inaccurate records. We will maintain a Records Management Policy, with rules for creating and keeping records (including email addresses) if our records grow or are above 500 names.
We securely dispose of personal data that is no longer required or where an individual has asked us to erase it.
Individuals have the right to be forgotten and can request the erasure of personal data when:
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
We will keep data as explained in “How We Implemented The Law” above
Article 35 states we should maintain adequate procedures to respond to an individual’s request to restrict the processing of their personal data, subject to the legal basis for processing as discussed above.
Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, and rights of a Data Subject or that the circumstances in Article 34(3) apply.
If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear, and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.
We maintain adequate and proportional processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to effective usability, if applicable.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
They can receive personal data or move, copy, or transfer that data from one business to another in a safe and secure way, without hindrance.
The right to data portability only applies:
We must provide the personal data in a structured, commonly used, and machine-readable format. Examples of appropriate formats include CSV and XML files.
We must provide the information free of charge.
If the individual requests it, we may be required to transmit the data directly to another business where this is technically feasible.
We have adequate procedures to handle an individual’s objection to automated decisions made by automated processing of their personal data.
Individuals have the right to object to:
Individuals must have an objection on “grounds relating to his or her particular situation”.
However, for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics, we must stop processing personal data unless:
Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). We will stop processing for direct marketing as soon as we receive an objection. There are no exemptions or grounds to refuse.
We will inform individuals of their right to object “at the point of first communication” and clearly lay this out in our privacy notice.
We have identified whether any of our processing operations constitute automated decision-making and have procedures in place to deal with the requirements.
The Law provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right not to be subject to a decision when:
The right does not apply if the decision:
If suitable measures to safeguard the rights of data subjects are required, these must include at least:
The Law defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyze or predict their:
If the decision involves the processing of special categories of personal data, then the exceptions available to justify the processing are more limited.
Processing can only take place if:
We will exercise particular caution if using automated decision-making in relation to a child.
Under Article 39 of the Law, which provides certain conditions, we do not discriminate against any data subject.
Our business has this data protection policy to permit all staff access to understand how data is processed within the business.
The Law requires us to show how we comply with the principles.
Our business monitors our compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
Documenting policies alone is often not enough to provide assurances that staff is adhering to the processes they cover. We will ensure that we have a process to monitor compliance with data protection and security policies.
Measures that are detailed within the policies should be regularly tested to provide assurances as to their continued effectiveness.
Where relevant our business provides data protection awareness training for all staff.
We brief all staff handling personal data on their data protection responsibilities when they join our company.
Whenever we use a processor, we will have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The Law sets out what needs to be included in the contract.
In the future, standard contractual clauses may be provided by the Ruler or the Commissioner and may form part of certification schemes. However, at the moment no standard clauses have been drafted.
We are liable for our processor’s compliance with the Law and must only appoint processors who can provide “sufficient guarantees” that the requirements of the Law will be met and the rights of data subjects protected. In the future, using a processor that adheres to an approved code of conduct or certification scheme may help us to satisfy this requirement.
Processors must only act on our documented instructions. They will however have some direct responsibilities under the Law and may be subject to sanctions if they don’t comply.
We actively manage information risks in a structured way so that management understands the business impact of personal data-related risks and manages them effectively.
We set out how we (and any of our data processors) manage information risk. We employ strategies to help manage the risk, such as:
We have implemented appropriate technical and organizational measures to integrate data protection into our processing activities.
Under the Law, we have a general obligation to implement appropriate technical and organizational measures to show that we have considered and integrated data protection into our processing activities. Under the Law, this is referred to as data protection by design and by default.
We understand when we must conduct a DPIA, and we have appropriate processes in place to action this. We currently do not hold any sensitive data that would require a DPIA.
DPIAs help us to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to our reputation which might otherwise occur.
We must carry out a DPIA when:
Processing that is likely to result in a high risk includes but is not limited to:
The DPIA should contain the following information:
We have a DPIA framework that links to our existing risk management and project management processes.
A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context, and purposes of the processing.
We will start to assess the situations where it will be necessary to conduct one, including:
If the processing is wholly or partly performed by a data processor, then that processor must assist us in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.
CFP Technology FZCO takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process.
We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction and have several layers of security measures, including SSL, access controls, password policy, encryptions, pseudonymization, practices, restriction, IT, authentication, etc.
Due to the size of our company, we do not have an appointed Data Protection Officer, and the principal will be the point of contact for all inquiries.
CFP Technology FZCO understands that continuous employee awareness and understanding is vital to continued compliance with the Law and has involved our employees in our implementation plans. We have implemented an employee training program specific to the Law, which will be provided to all employees and form part of our induction and annual training program.
If there are any questions about our implementation of the Law, please contact [Data Protection Officer (DPO)/Appointed Person].
Subject to Article 16 (3) we have nominated a data protection lead or Data Protection Officer (DPO).
It is important to make sure that someone in our business, or an external data protection advisor, takes responsibility for data protection compliance.
We may need to appoint a DPO if we:
The DPO should work independently, report to the highest management level, and have adequate resources to enable our organization to meet its obligations under the Law.
The DPO’s minimum tasks are to:
Our decision-makers and key people are keen to demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
We will make sure that decision-makers and key people in our business are aware of the requirements under the Law.
Decision makers and key people should lead by example, demonstrating accountability for compliance with the Law and promoting a positive culture, within our business, for data protection.
They should take the lead when assessing any impacts on our business and encourage a privacy-by-design approach.
They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.
Our business uses this information security policy supported by appropriate security measures.
We must process personal data in a manner that ensures appropriate security.
Before we can decide what level of security is right for us, we will need to assess the risks to the personal data we hold and choose security measures that are appropriate to our needs.
Keeping our IT systems safe and secure can be a complex task and does require time, resources, and (potentially) specialist expertise.
If we are processing personal data within our IT system(s) we recognize the risks involved and take appropriate technical measures to secure the data.
The measures we have put in place fit our business’s needs.
We have a separate Information Security policy that details our approach to information security, the technical and organizational measures that we will implement, and the roles and responsibilities staff have in relation to keeping information secure.
These restrictions are in place to ensure that the level of protection of individuals afforded by the Law is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the Law.
We have effective processes to identify, report, manage, and resolve any personal data breaches.
The Law introduces a duty on all organizations to report certain types of personal data breaches to the Commissioner and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
We understand that we only have to notify the Commissioner of a breach where it is likely to result in a risk to the rights and freedoms of individuals and in that event, we must notify those concerned directly and without undue delay.
In all cases, we will maintain records of personal data breaches, whether or not they were notifiable to the Commissioner.
A notifiable breach has to be reported to the Commissioner within 72 hours of the business becoming aware of it. The Law recognizes that it will often be impossible to investigate a breach fully within that time period and allows us to provide additional information in phases.
We make sure that our staff understands what constitutes a personal data breach, and that this is more than a loss of personal data. We have an internal breach reporting procedure in place. This will facilitate decision-making about whether we need to notify the relevant supervisory authority or the public.
To view the Appendix, download the full text of the file at the top.
Please read the information about CFPS Fees and Limits on the Fees page.
1.1 It is the policy of CFP TECHNOLOGY FZCO (“CFP Technology FZCO”) to conduct all of our business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly, and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery.
1.2 We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate. However, we remain bound by the laws of the UAE, including Federal Law No. 31/2021, in respect of our conduct both at home and abroad.
1.3 The purpose of this policy is to:
(a) set out our responsibilities, and the responsibilities of those working for us, in observing and upholding our position on bribery and corruption; and
(b) provide information and guidance to those working for us on how to recognize and deal with bribery and corruption issues.
1.4 Bribery and corruption are punishable for individuals by up to five years' imprisonment and a fine of no less than five thousand dirhams. If the company is found to have taken part in corruption, we could face civil and criminal liabilities and serious reputational damage. We, therefore, take our legal responsibilities very seriously.
1.5 In this policy, “third party” means any individual or organization you come into contact with during the course of your work for us and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
1.6 This policy applies to all individuals working at all levels and grades, including senior managers, officers, directors, employees (whether permanent, fixed-term, or temporary), consultants, contractors, trainees, seconded staff, homeworkers, casual workers and agency staff, volunteers, interns, agents, sponsors, or any other person associated with us, or any of our subsidiaries or their employees, wherever located (collectively referred to as workers in this policy).
1.7 A bribe is an inducement or reward offered, promised, or provided in order to gain any commercial, contractual, regulatory, or personal advantage.
1.8 This policy does not prohibit normal and appropriate hospitality (given and received) to or from third parties.
1.9 Employees of The Company may not offer to, or accept from, third parties, any gifts, hospitality, rewards, benefits, or other incentives that could affect either party’s impartiality, influence a business decision, or lead to the improper performance of an official duty.
Employees must, at all times, consider the following guidelines and must ensure that the gift or benefit:
In cases of uncertainty, employees must seek advice from the compliance officer beforehand.
Employees must seek prior approval from the compliance officer for all gifts or benefits received or offered with a value of more than AED 918.00 or equivalent prior to final acceptance.
Approval must be given in writing and records of gifts received or given must be recorded in a specific log for such a purpose and be overseen by compliance.
1.10 We appreciate that the practice of giving business gifts varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift or hospitality is reasonable and justifiable. The intention behind the gift should always be considered.
1.11 It is not acceptable for you (or someone on your behalf) to:
(a) give, promise to give, or offer, a payment, gift, or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
(b) give, promise to give, or offer, a payment, gift, or hospitality to a government official, agent, or representative to “facilitate” or expedite a routine procedure;
(c) accept payment from a third party that you know or suspect is offered with the expectation that it will obtain a business advantage for them;
(d) accept a gift or hospitality from a third party if you know or suspect that it is offered or provided with an expectation that a business advantage will be provided by us in return;
(e) threaten or retaliate against another worker who has refused to commit a bribery offense or who has raised concerns under this policy; or
(f) engage in any activity that might lead to a breach of this policy.
1.12 We do not make, and will not accept, facilitation payments or “kickbacks” of any kind.
1.13 If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt that details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment you should raise these with the compliance officer.
1.14 Kickbacks are typically payments made in return for a business favor or advantage. All workers must avoid any activity that might lead to, or suggest, that a facilitation payment or kickback will be made or accepted by us.
1.15 We do not make contributions to political parties.
1.16 We do not make charitable donations.
1.17 You must ensure that you read, understand and comply with this policy.
1.18 The prevention, detection, and reporting of bribery and other forms of corruption are the responsibility of all those working for us or under our control. All workers are required to avoid any activity that might lead to, or suggest, a breach of this policy.
1.19 You must notify the compliance officer as soon as possible if you believe or suspect that a conflict with this policy has occurred, or may occur in the future. For example, if a client or potential client offers you something to gain a business advantage with us, or indicates to you that a gift or payment is required to secure their business. Further “red flags” that may indicate bribery or corruption are set out in Schedule 1.
1.20 Any employee who breaches this policy will face disciplinary action, which could result in dismissal for gross misconduct. We reserve our right to terminate our contractual relationship with other workers if they breach this policy.
1.21 We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.
1.22 You must declare and keep a written record of all hospitality or gifts accepted or offered, which will be subject to managerial review.
1.23 You must ensure all expense claims relating to hospitality, gifts, or expenses incurred to third parties are submitted in accordance with our expenses policy and specifically record the reason for the expenditure.
1.24 All accounts, invoices, memoranda, and other documents and records relating to dealings with third parties, such as clients, suppliers, and business contacts, should be prepared and maintained with strict accuracy and completeness. No accounts must be kept “off-book” to facilitate or conceal improper payments.
You are encouraged to raise concerns about any issue or suspicion of malpractice at the earliest possible stage. If you are unsure as to whether a particular act constitutes bribery or corruption, or if you have any other queries, you should speak to your compliance officer.
1.25 It is important that you tell the compliance officer as soon as possible if you are offered a bribe by a third party, are asked to make one, suspect that this may happen in the future, or believe that you are a victim of another form of unlawful activity.
1.26 Workers who refuse to accept or offer a bribe, or those who raise concerns or report another’s wrongdoing, are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
1.27 We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offense has taken place or may take place in the future. Detrimental treatment includes dismissal, disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the compliance officer immediately. If the matter is not remedied, and you are an employee, you should raise it formally using our Grievance Procedure.
1.28 Training on this policy forms part of the induction process for all new workers. All existing workers will receive regular, relevant training on how to implement and adhere to this policy.
1.29 Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.
1.30 The board of directors has overall responsibility for ensuring this policy complies with our legal and ethical obligations, and that all those under our control comply with it.
1.31 The compliance officer has primary and day-to-day responsibility for implementing this policy and for monitoring its use and effectiveness. Management at all levels is responsible for ensuring those reporting to them are made aware of and understand this policy and are given adequate and regular training on it.
1.33 The compliance officer will monitor the effectiveness and review the implementation of this policy, regularly considering its suitability, adequacy, and effectiveness. Any improvements identified will be made as soon as possible. Internal control systems and procedures will be subject to regular audits to provide assurance that they are effective in countering bribery and corruption.
1.34 All workers are responsible for the success of this policy and should ensure they use it to disclose any suspected danger or wrongdoing.
1.35 Workers are invited to comment on this policy and suggest ways in which it might be improved. Comments, suggestions, and queries should be addressed to the compliance manager.
1.36 This policy does not form part of any employee's contract of employment and it may be amended at any time.
The following is a list of possible red flags that may arise during the course of your working for us and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for us, you must report them promptly to the Managing Director:
(a) you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
(b) you learn that a third party has a reputation for paying bribes or requiring that bribes are paid to them, or has a reputation for having a “special relationship” with foreign government officials;
(c) a third party insists on receiving a commission or fee payment before committing to sign up to a contract with us, or carrying out a government function or process for us;
(d) a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
(e) a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
(f) a third party requests an unexpected additional fee or commission to “facilitate” a service;
(g) a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
(h) a third party requests that a payment is made to "overlook" potential legal violations;
(i) a third party requests that you provide employment or some other advantage to a friend or relative;
(j) you receive an invoice from a third party that appears to be non-standard or customized;
(k) a third party insists on the use of side letters or refuses to put terms agreed in writing;
(l) you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
(m) a third party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us;
(n) you are offered an unusually generous gift or offered lavish hospitality by a third party.
To view the Appendix, download the full text of the file at the top.
Please read the information about CFPS Fees and Limits on the Fees page.
To make using our website as straightforward as possible and to improve the service we offer you, we use cookies.
What are Cookies?
Cookies are harmless text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognize you when you revisit. There are two main types:
These only exist for your website visit and are deleted on exit. They recognize you as you move between pages, for example, recording items added to an online shopping basket. These cookies also help maintain security.
These stay on your machine until expiry or deletion. Many are built with automatic deletion dates to help ensure your hard drive doesn’t get overloaded. These cookies often store and re-enter your log-in information, so you don’t need to remember membership details.
We use both types of cookies.
Additionally, cookies can be first-party or third-party cookies. First-party cookies are owned and created by the website you’re viewing, in this case by FZCO. Third-party cookies are owned and created by an independent company, usually a company providing a service to the website owners. In our case, third-party cookies provided by this Website are still subject to the provisions set out below.
Internet cookies are common, do not harm your system, and do not retrieve information about you stored on your hard drive – they just store or gather website information. They help you do things online, like remembering logon details so you don’t have to re-enter them when revisiting a website.
CFPS utilizes various types of cookies including necessary cookies and analytics/advertising cookies.
Necessary cookies are enabled by default but can be turned off on your device, although this may affect your browsing experience. These cookies help us to operate our website and identify any issues. Additionally, we use cookies to remember our users and provide personalized content.
Analytics and advertising cookies help us understand our website and performance and improve it as necessary.
Third-party cookies are used to recognize and count visitors, track user behavior on our website, and show relevant ads. We may share this information with other organizations, such as Google.
Specifically, we use Google Ads to track the effectiveness of our ad campaigns and Google Analytics to understand visitor behavior and track conversions. Google Tag Manager is also utilized to manage cookies on our website.
CFPS uses these cookies only for the specific purposes outlined above and we do not use them to collect any personally identifiable information about our users. We take our users and privacy seriously and we are committed to complying with all relevant data protection laws and regulations.
If you wish to disable cookies, you can do so by adjusting your browser settings. Please note, however, that disabling cookies may affect your ability to use certain features on our website.
We use cookies to:
We use both our own (first-party) and partner companies’ (third-party) cookies to support these activities. We don’t use cookies to track people’s Internet usage after leaving our websites and we don’t store personal information in them that others could read and understand.
Some of our services may require cookies in your browser to view and use them and to protect your financial and personal information.
You are not obliged to accept cookies that we send to you and you can in fact modify your browser so that it will not accept cookies. To enable or disable cookies, follow the instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” facility). Alternatively, an external resource is available at www.allaboutcookies.org/manage-cookies providing specific information about cookies and how to manage them to suit your preferences.
Please note that should you choose to set your browser to disable cookies, you may not be able to access secure areas of this Website, for example, any online accounts you may hold.
Most internet browsers accept cookies automatically, but you can change the settings of your browser to erase cookies or prevent automatic acceptance if you prefer.
These links explain how you can control cookies via your browser – remember that if you turn off cookies in your browser then these settings apply to all websites, not just this one:
For more information about cookie settings, we link to the instructions for the most important web browsers:
Internet Explorer™: Link
Safari™: Link
Chrome™: Link
Firefox™: Link
Opera™: Link
For information about the cookies that are installed on your device, about their management, and how to delete them, it is possible to visit the following website: www.youronlinechoices.com/it/
We may collect information about your computer, including where available your IP address, operating system, and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our Website users’ browsing actions and patterns and does not identify any individual.
Any secure online services you subscribe to with us may use cookies to enable information about you and your preferences to be stored and to prevent unauthorized access to your services and information. Cookies must usually be accepted in such circumstances – without them, we cannot ensure your information is secure (and people rejecting cookies can’t use the services).
We will store and process your information on our computers wherever located and in any other medium. By “your information” we mean personal and financial information we:
a) obtain from you or from third parties and other organizations when you apply for an account or any other product or service, or which you or they give to us at any other time; or
b) learn from the way you use and manage your account(s), from the transactions made, if any, such as the date, amount, currency, and the name and type of supplier (e.g. supermarket services, medical services, retail services).
We will use your information to manage your account(s), give you statements, and provide our services, for assessment and analysis (including credit and/or behavior scoring, market, and product analysis), to identify and tackle fraud, money laundering, and other crimes, carry out regulatory checks, and meet our obligations to any relevant regulatory authority, and to develop and improve our services to you and other customers and protect our interests.
We may use your information to inform you by letter, telephone, text (or similar) messages, digital television, e-mail, and other electronic methods about products and services (including those of others) which may be of interest to you. Where you have neither given your consent to such marketing nor requested to opt out of such marketing, this will be limited to information about products and services similar to those which were the subject of a previous service provided to you.
If you don’t want us to tell you about other products and services please write to us and supply us with your full name and address and details of any products or services you have with us. Please write to us at FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.
We may share your information including how you manage your account or Website visitors with relevant third parties and as permitted by law including but not limited to the following:
If we disclose your information to a service provider (a person, office, or organization) located in another country (including locations outside of the European Economic Area), we will take steps reasonably necessary to ensure that they apply the same levels of protection as we are required to apply to your information and to use your information only for the purpose of providing the service to us. By submitting your personal information, you agree to this transfer.
We will retain information about you after the closure of your account or service provision for as long as it is permitted for legal, regulatory, fraud prevention, business, and financial crime purposes.
Under applicable data protection legislation, you may be entitled to a copy of the personal information you have provided. If any data is inaccurate it will be corrected without delay. Please write to us at Data Protection Manager, FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.
Please remember that Internet communications are not secure unless the data being sent is encrypted. We cannot accept any responsibility for unauthorized access by a third party and/or the corruption of data being sent by individuals to us. Some countries prohibit the transmission of encrypted data over telephone lines. You should not encrypt data transmitted if you know doing so would contravene applicable local, national, or international laws. For guidance relating to your specific situation, please contact your legal adviser.
The entire content of the Website is subject to copyright with all rights reserved and it may only be stored, held, or used for your personal use only. You may not download (all or in part) for non-personal use or otherwise reproduce, transmit, or modify the website without our prior permission. However, you may print out part or all of the Website for your own personal use. These permissions are revocable by us at any time. You are granted a non-exclusive license of those rights in order to view this website on a non-commercial basis only, revocable at any time.
It is our policy that if any of our clients are victims of unauthorized access to their accounts we will cover any resulting financial loss which the Client suffers provided that the Client has not breached our security procedures.
You must ensure that viruses, trojans, worms, or equivalent or similar items do not enter your computer system. We assume no responsibility for the loss of whatever nature, howsoever arising, resulting from such viruses, trojans, worms, or equivalent or similar items.
We may record and monitor calls made or received by us to maintain high-quality service standards, to check instructions, and for your protection and ours.
If you have any queries regarding privacy issues then please write to us at Compliance Department, FZCO [email protected]
You can see CFPS fees here.