Legal documents

Chapter 1: Introduction

Definitions

“Money laundering is the generic term used to describe the process by which criminals disguise the original ownership and control of the proceeds of criminal conduct by making such proceeds appear to have derived from a legitimate source.” Source ICA (www.int-comp.org).

“Terrorist financing is the process by which terrorists fund their operations in order to perform terrorist acts. Terrorists need financial support to carry out their activities and to achieve their goals. There is little difference between terrorists and other criminals in their abuse of the financial system. While different from money laundering, terrorists often exploit similar weaknesses in the financial system.” Source ACAMS (acams.org).

“Sanctions – The United Arab Emirates (UAE), as a member of the UN, is committed to implementing the United Nations Security Council Resolutions (UNSCRs), including those related to UN sanctions regimes. Consequently, through the Cabinet Resolution No. 74 of 2020, the UAE is implementing UNSCRs on the suppression and combating of terrorism, terrorist financing & countering the financing of proliferation of weapons of mass destruction, in particular, targeted financial sanctions (TFS) regimes as defined by the UN.

1. CFP Technology FZCO (“FZCO” or the “Firm”) is committed to maintaining effective prevention and detection measures to assist law enforcement authorities in combating financial crime. This handbook sets out the policies and procedures which have been adopted to meet CFP Technology’s legal obligations under UAE anti-money laundering and counter-terrorist legislation.

2. These policies and procedures must always be adhered to.

3. FZCO always seeks to ensure that:

• Clients’ identities are satisfactorily verified in accordance with the firm’s risk-based approach before FZCO does business with them.
• FZCO knows our clients and understands their reasons for doing business with us both at the client acceptance stage and throughout the business relationship.
• Our staff is trained and made aware of both their personal legal obligations and the legal obligations of FZCO.
• Our staff is trained to be vigilant for activities where there are reasonable grounds for suspicion that money laundering could be taking place and to make reports to the MLRO.
• Sufficient records are kept for the required period.
• We establish, maintain and implement appropriate procedures to achieve these objectives.

4. Money laundering, fraud, and market abuse threats are dynamic, and criminals constantly devise new techniques and exploit the easiest targets in the financial services sector. To mitigate the risk of being used as a vehicle for financial crime FZCO will systematically assess, mitigate, and monitor these risks. It will seek to identify fraud, money laundering, and market abuse as well as conduct risk implications at an early stage of the client acceptance process, escalate this to senior management and take appropriate action.

5. A risk-based approach adopted by FZCO drives our overall strategy of fighting financial crime. Through this approach, we identify the areas of greatest vulnerability and focus our resources on those areas. Ultimate responsibility for this approach lies with the senior management but all staff carries a responsibility to maintain the effectiveness of systems and controls.

6. Customer Due Diligence (CDD) is the mid-level risk-based approach and as such, is the entry-level of all measures. Once entered at the CDD level, up-risk or down-risk processes may be applied.

7. Given the continually evolving environment and the nature of the risks involved, It is not possible to cover every possible eventuality in this handbook. Should an issue arise that is not specifically covered in this handbook, employees should refer to the MLRO for further guidance.

1.1 Financial Crime Risk

8. The DFSA as a supervisory authority is committed to maintaining an Anti-Money Laundering (AML), Combating the Financing of Terrorism (CTF) and Counter-Proliferation Financing (CPF) regime that acts as a significant deterrent to any criminal elements. Money laundering is the process by which criminals attempt to hide and disguise the true origin and ownership of the proceeds of their criminal activities, thereby avoiding prosecution, conviction, and confiscation of criminal funds.

9. Money laundering and terrorist financing risks are closely related to the risks of fraud and insider dealing. While these are separate offenses, money laundering involves handling the proceeds of any crime, including the proceeds of these activities.

10. The ability to launder the proceeds of crime through the financial system is vital to the success of criminal operations. London, as one of the world’s major financial centers, has a major role to play in combating money laundering. Firms that become involved in money laundering risk prosecution and damage to their reputation.

11. In recognition of this the procedures that FZCO has adopted, to reduce the incidence of financial crime, focus on knowing our clients, understanding their businesses, carrying out proportionate verification checks, and identifying and reporting suspicious activity.

1.2 Law, Regulation, and Industry Practice

12. FZCO is subject to UAE Federal AML, CTF, and CPF legislation which includes:

1. Federal Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations.
2. Federal Law No. 7 of 2014 on Combating Terrorism Offences.
3. Federal Law No. 5 of 2012 on Combating Cyber Crimes.
4. Central Bank Board of Directors’ Decision No. 59/4/219 regarding procedures for AML and CTF and Illicit organizations.
5. UAE Federal legislation may be accessed via the UAE Ministry of Justice’s Legislation Portal (available in Arabic and English): https://elaws.moj.gov.ae/indexEN.aspx

13. In order to comply with UAE laws, regulations, and guidance, FZCO adopts the following principles.

1.3 Anti-Money Laundering Policies

14. FZCO has implemented policies, procedures, and controls aimed at deterring criminals from using FZCO for the laundering of proceeds of crime. These policies and procedures are tailored to the risk posed by individual clients, in accordance with UAE laws.

1.4 Money Laundering Reporting Officer

15. FZCO has appointed its Money Laundering Reporting Officer (“MLRO”). The MLRO acts as the central point of contact both with law enforcement agencies and internally, in relation to all matters relating to money laundering.

16. The MLRO monitors FZCO’s compliance with anti-money laundering procedures and submits reports to senior management at least on an annual basis.

1.5 Customer Due Diligence (‘CDD’)

17. FZCO has established Customer Due Diligence procedures to identify the users of its services and, in relation to higher-risk clients, the principal beneficial owners and origins of funds. These procedures include knowing the nature of our client’s businesses and being alert to abnormal transactions.

1.6 Suspicious Transactions

18. Suspicious activity includes, but is not limited to, any transactions or account activity that is not customary, routine, or commensurate based upon past or expected transactions or activity, or that is otherwise suspicious or lacking an apparent business or legal purpose.

19. Unexplained or abnormal transactions or activities that are suspected of being linked to criminal activity should be reported to the MLRO in writing without delay using the Suspicious Transaction Reporting Form (Money Laundering) in Appendix 1, reports will be highly confidential and can be made anonymously. The MLRO will determine whether to report the suspicions to the Financial Intelligence Unit (FIU). If the MLRO is absent, reports should be made to the appointed Deputy MLRO. An acknowledgment of receipt should be obtained from the MLRO for every such report.

1.7 Training

20. All personnel must be informed of their individual and collective responsibilities and FZCO ’s anti-money laundering policies. Personnel is provided with training to enable them to understand the vulnerabilities of FZCO ’s business and to recognize and report suspicious activities.

21. Copies of all training material must be kept at all times and referred to by the attendance registers or ad-hoc training as may occur.

1.8 Record-Keeping

22. FZCO keeps records of who has been trained and the timing and form of training sessions. We retain all records verifying the identity of our clients for at least 5 years following the end of the business relationship. We also retain the records of any internal reports of suspicion submitted to the MLRO and any disclosures made to FIU.

23. All changes to this policy must be version controlled and details of changes made are recorded appropriately. This may be used as a defense if any litigation arises from actions by the Firm or its staff.

Chapter 2: Offences

24. There are a number of pieces of legislation that make up the UAE Anti-money laundering/counter-terrorist financing legal framework.

25. A brief summary of the main pieces of legislation is provided below. All employees of FZCO should be aware that it is not only the firm that is subject to the legislation but also the employees within the firm. Failure to comply with certain aspects of the legislation can result in an individual being subject to prosecution with the threat of a custodial sentence or fine.

26. Offences are punishable whether the attempt to launder money was successful or not.

2.1 Criminal Conduct

27. Criminal conduct is conduct that constitutes an offense in any part of UAE (or would constitute an offense in any part of UAE. if it occurred there).

2.2 Criminal property

28. Property is criminal property if it constitutes a person's benefit from criminal conduct or it represents such a benefit (in whole or part and whether directly or indirectly), and the alleged offender knows or suspects that it constitutes or represents such a benefit. It is immaterial:

• who carried out the conduct
• who benefited from it

29. A person benefits from conduct if they obtain property, advantage, or benefit as a result of or in connection with the conduct or any other conduct. Where the property is land, this includes a servitude, right, or interest in relation to that piece of land. Property is all property wherever situated and includes:

• money
• all forms of property, real or personal, heritable or moveable
• things in action and other intangible or incorporeal property

2.3 Arrangements

30. A person commits an offense if he enters into or becomes concerned with an arrangement that he knows or suspects facilitates (by whatever means) the acquisition, retention, use, or control of criminal property by or on behalf of another person.

31. Concealing the source of illicit gains, aiding, abetting money laundering, and inciting and attempting the offense can be considered a criminal offense.

32. This offense is punishable by imprisonment and/or a fine.

2.4 Acquisition, Use, and Possession

33. A person commits this offense if he:

• acquires criminal property
• uses criminal property
• has possession of the criminal property

34. This offense covers any conduct wherever it takes place if it would constitute a criminal offense if committed in UAE. This excludes minor offenses committed overseas where the conduct is lawful in the jurisdiction where the offense in question is committed (for example, bullfighting in Spain). This offense however includes, but is not restricted to, drug trafficking, terrorist activity, corruption, theft, fraud, tax evasion, robbery, forgery, product piracy, illegal deposit taking, blackmail, and extortion.

35. It is a defense to show that a person reported their suspicion to the MLRO (in the case of the MLRO, to a law enforcement agency).

36. This offense is punishable by imprisonment and/or a fine.

2.5 Tipping Off

37. It is a criminal offense that a disclosure has been made to either FIU or the MLRO or that the police or customs authorities are carrying out or intending to carry out a money laundering investigation.

38. It is a defense to show that a person had either lawful authority or a reasonable excuse to make the disclosure. It is also a defense that a person neither knew nor suspected that the disclosure would prejudice an investigation.

39. Tipping off is punishable by imprisonment and/or a fine.

2.6 Failure to Disclose

40. It is a criminal offense for persons working in the regulated sector not to disclose if they have reasonable grounds to know or suspect, in the course of their employment, that another person is engaged in money laundering. The report should be made without undue delay and not later than two business days after the identification of the suspicious activity or transaction. This offense also covers a failure of the MLRO to report a suspicion to FIU without a reasonable excuse.

41. Reporting to the MLRO in accordance with FZCO ’s procedures will satisfy the obligation to report.

42. Legislation protects those reporting suspicions of money laundering from claims in respect of any alleged breach of client confidentiality.

43. Failure to disclose is punishable by imprisonment and an unlimited fine.

2.7 Money Laundering Regulations

44. FZCO’s business activities are within the scope of the Money Laundering Regulations and we, therefore, have in place appropriate policies and procedures covering:

• Customer due diligence
• Reporting
• Record keeping
• Internal control
• Risk assessment and management
• Compliance management; and
• Communication

45. FZCO is aware that they are sanctioned for not having adequate procedures in place.

46. Failure to comply with the Regulations constitutes an offense punishable by imprisonment, a fine, or both.

2.8 US Legal Obligations

47. The US criminal money laundering laws, in particular the USA Patriot Act 2001, have extra-territorial effects. Where FZCO has any established activities in, or linked to the USA, whether through a branch, subsidiary, associated company, or correspondent banking relationship there is a risk that US regulations and sanctions may apply. This includes dealing with clients that are US citizens, whether these legal obligations apply will be determined during the KYC/KYB checks. The MLRO ensures that where this falls into scope procedures are followed to ensure compliance.

2.9 Office of Foreign Assets Control (OFAC)

48. The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze assets under US jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments.

49. The OFAC Main Page can be found at: https://home.treasury.gov/

50. OFAC Sanctions Lists can be found at:

• Specially Designated Nationals List http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx.
• Consolidated Sanctions List http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/consolidated.aspx.
• Search OFAC’s Sanctions http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/fuzzy_logic.aspx.
• Additional OFAC Sanctions Lists http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/Other-OFAC-Sanctions-Lists.aspx.

2.10 Sanction Programs

51. Currently there are a number of sanction programs in operation internationally. FZCO is required by law to ensure full compliance and ensure that any links are identified, directly or indirectly. Such links may include:

• Jurisdiction of where an entity is registered;
• Jurisdiction of where an entity is operating;
• Beneficial ownership and control;
• Any other significant link to an individual or entity, which has been identified as a Specially Designated National (“SDN”).

52. In consideration of this, where one of the above criteria is indicated for a prospective client, the AML Compliance Officer should escalate to the MLRO for review, who may seek legal advice from FZCO’s Board members if required.

53. The full list of current programs in operation in UAE, including the list of destinations with trade restrictions and terrorist organizations can be found here: https://www.uaeiec.gov.ae/en-us/un-page?p=2#

54. All new account openings must ensure that all prospective client names are subject to KYC screening which will check applicable international sanction lists. In accordance with the risk matrix, it may be necessary to also check all directors and shareholders, ensuring that they are added to the ongoing screening database when deemed necessary.

55. As a matter of good practice, for high-risk clients the MLRO may deem it necessary to independently review the Sanctions List and run an OFAC search using this source: https://ofac.finra.org/#/

56. If in doubt about the nature of any of the information listed in the sanctions section, speak with the MLRO.

57. The Firm may use external third parties for electronic checking.

58. A breach of the International Sanctions Act carries a fine of up to €400,000.

2.11 Predicate offenses

59. A predicate offense is a crime that is a component of a larger crime. For FZCO this would be predominantly any crime that generates monetary income.

60. The expanded list of predicate offenses:

• Participating in an organized crime group or racketeering
• Human trafficking and migrant smuggling
• Sexual exploitation
• Illicit trafficking in narcotics and psychotropic substances
• Illegal arms trafficking
• Trafficking stolen goods
• Corruption
• Murder and grievous bodily harm
• Fraud
• Counterfeiting currency
• Counterfeiting and piracy of products
• Kidnapping and hostage-taking
• Robbery and theft
• Smuggling
• Tax crime relating to both direct and indirect taxes
• Extortion
• Forgery
• Piracy
• Cybercrime
• Terrorism
• Insider trading and market manipulation

Chapter 3: Internal Communications

3.1 Money Laundering Reporting Officer

61. FZCO has appointed Money Laundering Reporting Officer (“MLRO”). The MLRO has overall responsibility for the establishment and maintenance of effective anti-money laundering systems and controls.
62. The MLRO is a required function. The expects the MLRO to be based in UAE and to be of sufficient seniority within FZCO to be able to act on his own authority. The MLRO must have access to all Know Your Business/Customer information, data, and dashboards. The MLRO’s responsibilities include the following:

• Monitoring of the effectiveness of FZCO ’s anti-money laundering controls;
• Overseeing the firm’s compliance with the DFSA’s rules on anti-money laundering systems and controls;
• Having overall responsibility for the day-to-day operation of such policies, even where these have been delegated;
• Ensuring that client account opening standards are compliant with FZCO ’s policy;
• Receiving and reviewing internal disclosures and submitting external reports to FIU;
• Responding promptly to any reasonable request for information made by the DFSA or law enforcement;
• Liaising with the DFSA, FIU, and other external agencies;
• Ensuring that anti-money laundering training is provided, its standards and scope are appropriate, and that records are kept;
• Reporting to the senior management on at least an annual basis (via MLRO Report) and keeping the management updated on money laundering issues;
• Obtaining and using national and international findings, for example, the findings of the Financial Action Task Force, International Monetary Fund, and World Bank;
• Ensuring there is no padding and abetting activity within the firm.
• Appointing a Deputy MLRO to cover the MLRO’s periods of absence (If the MLRO is temporarily unavailable for 12 weeks or more in any consecutive 12-month period,);
• Ensuring that client and transaction monitoring is being undertaken;
• Assessing the risks of FZCO ’s client base and business activities in relation to money laundering on an ongoing basis;
• Ensuring the firm’s policies and procedures are being communicated effectively to all relevant employees.

 63. While the MLRO may delegate their duties to another appropriate person, such delegation needs to be documented.

3.2 Contact with Third Parties

64. FZCO’s personnel must not discuss any issues relating to the firm’s anti-money laundering policies and procedures with any third parties without the prior consent of the MLRO. All requests from the DFSA, FIU, Police, or other investigating and enforcement agencies must be referred to the MLRO without delay.

3.3 Orders

65. The following orders may be served on FZCO as part of an ongoing investigation. Should you receive any such order, please give it to the MLRO without delay:

• a disclosure order from any law enforcement organization
• an account monitoring order from any law enforcement organization
• a search and seizure warrant

Chapter 4: The Risk-based Approach

66. FZCO is required to operate a risk-based policy in order to identify, manage and mitigate the risks associated with the firm being used for money laundering or terrorist financing. This approach will identify the most cost-effective and proportionate way to manage and mitigate the risks posed to the firm. It is accepted that a risk-based regime cannot be a zero-failure regime but that it should strike a balance between cost and the realistic threat of being used for money laundering or terrorist financing. The aim is to focus the efforts where they are most needed and will have the most impact.

67. A risk-based approach requires FZCO to undertake the following steps:

• Assess the risks applicable to the firm. In the case of FZCO, these risks will predominantly relate to our customers and the products and or services we provide to them.
• Design and implement controls to manage and mitigate these risks
• Monitor and improve the effective operation of the firm’s controls
• Record what has been done and why.

68. FZCO adopts a risk-based approach to business that enables it to utilize its resources in the most efficient and cost-effective manner. While we will, as far as reasonably practicable, ensure consistent application of our risk-based approach, we recognize that this approach cannot anticipate every eventuality. Therefore in any given case the Compliance Officer or MLRO may exercise their judgment in deciding whether or not to deviate from the written policies. This judgment will be clearly reasoned and documented.

4.1 Geographical location of the client and their business

69. When and if FZCO deals with clients located in countries without adequate anti-money laundering standards it will either obtain additional Customer Due Diligence information or perform more intensive monitoring of the client’s account. Countries presenting a high geographical risk are those where:

• Cash is the normal medium of exchange
• There is a politically unstable regime with high levels of public or private sector corruption
• That is known to be drug-producing or drug-transit countries
• Have been classified as countries with inadequacies in their anti-money laundering strategies

70. A useful source of information on geographical risk is Transparency International: www.transparency.org

71. The Transparency International Corruption Perception Index is attached to the Handbook as Appendix 8. The up-to-date index can be found at http://www.transparency.org/ Downloading the information package provides a host of data and it is subdivided into continents.

72. FZCO’s client base is divided into three risk categories: Low, Medium, and High. The Compliance Officer or MLRO determines to which category a client belongs. They will record the basis of assessment for each client. Given the nature of business undertaken by FZCO, it is expected that the majority of our clients will be assessed as either Low/Medium/High Risk. The entry-level is medium risk and evaluation is performed from that point.

73. The following should be used as guidance when applying a risk-based approach to the assessment of money laundering risk posed by each client. Consideration of the overall information held may alter the risk profile of the client.

4.2 Low Risk

74. Regulated financial institutions based in UAE; those located in EU, FATF, or comparable jurisdictions. A list of comparable jurisdictions and a list of FATF member countries can be found in Appendix 5.

75. Companies or their subsidiaries (50% or more) whose shares are traded on EU regulated market or equivalent exchange. A list of such exchanges can be found in Appendix 5.

76. A third country is identified by credible sources as having a low level of corruption or other criminal activity, such as terrorism, money laundering, and the production and supply of illicit drugs. Furthermore, a third country, on the basis of credible sources, such as evaluations, detailed assessment reports, or published follow-up reports published by the Financial Action Task Force, the International Monetary Fund, the World Bank, the Organisation for Economic Co-operation and Development, or other international bodies or non-governmental organizations:

• has requirements to counter money laundering and terrorist financing that are consistent with the revised Recommendations published by the Financial Action Task Force in February 2012 and updated in October 2016, June 2019, and May 2021; and
• effectively implements those Recommendations.

77. Reputable, well-known organizations, with long histories in their industries or large market capitalization and with substantial public information about them and their principals and/or controllers.

78. Clients represented by those whose appointment is subject to court approval or ratifications (e.g. executors)

4.3 High Risk

79. The following are examples of what would normally be considered High Risk. This list is not exhaustive.

• Relationships where a Politically Exposed Person (“PEP”) or their connected person, have been identified as having a significant involvement. This definition of PEP would include heads of state or of government, senior politicians, senior government, judicial or military officials, senior executives of publicly owned enterprises, and important political party officials. Please consult the MLRO if you think that you may be dealing with PEP or their connected person. (See Chapter 6: Identification Evidence).
• Clients seeking to purchase, or purchasing a “golden passport”, i.e. the client applies for residence rights or citizenship in any country in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities.
• Complex business ownership structures, such as offshore special-purpose vehicles, make it easier to conceal underlying beneficial owners, especially where there is no legitimate commercial rationale.
• Accounts that involve regular payments to or from unrelated third parties.
• Names that have been previously linked with financial crime.
• Clients based in or conducting business in or through high-risk jurisdictions with a known level of corruption and organized crime, or drug production and distribution.
• Clients engaged in higher-risk business activities, for example where large amounts of cash are involved.
• Companies issuing bearer shares, especially if incorporated in higher-risk jurisdictions.
• Clients that have been subject to a Suspicious Transaction Report.
• Clients that have not been physically present for identification purposes. This does not apply to clients to whom SDD applies.

4.4 Medium Risk

80. All other clients that do not fall within either a low-risk category or a high-risk category including (but not restricted to):

• Subsidiaries of or entities associated with low-risk clients
• Private companies from UAE, EEA, or comparable jurisdictions provided they are not undertaking high-risk business.

4.5 Additional Considerations

81. FZCO will take the following additional considerations into account when determining the risk posed by a client. While these considerations will not determine the risk on their own, they will be considered alongside other factors in judging the overall money laundering risk posed by a particular client.

• Whether FZCO is engaged in a one-off transaction or business relationship
• In relation to the introduced business, the effectiveness of the due diligence carried out by the introducer
• The nature and length of any existing or previous relationship between either FZCO or our employees and the client
• The way in which information is obtained (e.g. from a government department, regulated firm, or other sources)
• The nature and extent of any assurances given by other regulated firms that may be relied upon.
• Any associations the client may have with other entities or jurisdictions, such as headquarters, operating facilities, branches or subsidiaries, and the individuals who may influence its operations.
• Other relevant considerations; such as whether the client has a regulated investment manager or adviser, a prime broker (who have performed due diligence on the client), and other considerations that the Compliance Officer or MLRO may reasonably consider relevant to the client’s risk assessment.
• The type of products or services that FZCO is providing to the client.

4.6 MLRO’s Ongoing Risk Assessment

82. Risk management is a continuous process. The MLRO is responsible for ensuring the firm’s risk assessment is up-to-date and appropriate. This is done by means of an ongoing risk assessment.

83. On an ongoing basis the MLRO will review FZCO ’s business activities, including:

• Appropriate procedures to identify changes in client characteristics, which come to light in the normal course of business
• Ways in which different products and services may be used for money laundering or terrorist financing, and how these ways may change
• Adequacy of staff training and awareness
• Monitoring compliance arrangements (such as internal audit/quality assurance, processes, or external review)
• The balance between technology-based and people-based systems
• Capturing appropriate management information
• Upward reporting and accountability
• Effectiveness of the liaison with regulatory and law enforcement agencies

84. The MLRO will identify any changes to FZCO ’s services that may expose the firm to a higher risk of money laundering. This may also highlight the need for a formal assessment of risks posed by either of our client categories or individual clients. The results of this ongoing assessment will be detailed in the annual MLRO Report to senior management.

Chapter 5: Customer Due Diligence Procedures

85. The Money Laundering Regulations specify the Customer Due Diligence (CDD) measures that are required to be carried out, the timing, as well as actions required if CDD measures are not carried out. The purpose of this chapter is to provide guidance on the following:

• The meaning of CDD measures
• Timing of, and non-compliance with CDD measures
• Application of CDD measures
• Simplified Due Diligence
• Enhanced Due Diligence

86. For lists of the documentation to be obtained and verified in respect of specific business types please refer to Chapter 6 of this handbook.

5.1 What is CDD?

87. CDD is the entry-level approach that the Firm must take. Following this, evidence to ensure SDD or risks identified to raise the level of EDD is then taken.

88. The CDD measures that must be carried out involve:

• Identifying the customer and verifying the identity;
• Identifying any person purporting to act on behalf of the customer, and verifying their identity;
• Identifying the beneficial owner, where relevant, and verifying their identity;
• Obtaining information on the purpose and intended nature of the relationship;
• Conducting ongoing monitoring of the relationship;
• In the case of legal entities, the firm must understand the ownership and control structure.

89. These measures are designed to make it harder for the financial services industry to be used to launder money or fund terrorism.

We will apply CDD to all customers on a risk-sensitive basis, and monitor the service provider to ensure that the measures taken are appropriate.

5.2 Timing of, and non-compliance with, CDD measures

90. FZCO will ensure that it has completed appropriate client due diligence prior to entering into a legally binding agreement with the client to undertake regulated business.

91. The Compliance Officer/MLRO may, at his discretion, allow an account to be opened before all the documentation has been obtained if it is necessary in order not to interrupt the normal conduct of business and there is little risk of money laundering. In these cases, the decision must be fully documented, and all outstanding documentation obtained as soon as possible. In these instances, the firm should not make any payments from that account either to the client or to a third party until such times as the documentation has been obtained and verified.

92. If FZCO is unable to comply with the required CDD measures in relation to a customer, then the firm must not undertake any transactions for that client and should terminate any existing relationship. At this point, it will be necessary to consider making a Suspicious Transaction Report to the MLRO.

93. If the client does not possess the right documents, then the firm should consider whether there are any other ways of being reasonably satisfied with the client’s identity.

94. Where an account is to be terminated due to a lack of CDD the MLRO should be consulted as to the appropriate way to return the funds.

95. If you suspect that any documents have been falsified or are fraudulent you must notify the MLRO immediately.

5.3 Who is the Customer?

96. The term customer is not defined by the Money Laundering Regulations but, in general, will be the party with whom the business relationship would be established. If in doubt as to who should be identified as the customer, please seek guidance from the Compliance Officer or MLRO.

97. Where there is a party purporting to act on behalf of the Customer, the Money Laundering Regulations require that the party’s identity be verified. If in doubt as to how to meet this requirement, please seek guidance from the Compliance Officer or MLRO.

5.4 Who is the beneficial Owner?

98. The Money Laundering Regulations require that anyone owning or controlling 25% or more of a legal entity is identified and that their identity be verified in line with the firm’s risk-based approach.

99. Also, where the actual beneficiary is an individual who, regardless of the size of the share of ownership, makes important decisions regarding the company (for example, on the basis of a shareholder agreement), their identity should be verified in line with the firm’s risk-based approach.

5.5 Existing Customers

100. If a client has already been identified by FZCO, no additional information needs to be obtained in respect of such a client unless the information already available is either out of date; or if the client’s risk profile has changed. This may happen if the firm supplies a different product or service to the client or if FZCO becomes aware of any information that results in a change to the client’s risk profile.

101. If FZCO has any legal duty in a calendar year to contact the client to review their relevant beneficial ownership information, FZCO must apply/reapply CDD on the client.

5.6 Simplified Due Diligence (SDD)

102. SDD can be applied to certain low-risk entities. Whilst this means there is no requirement to perform checks on the client’s identity or beneficial ownership structure it is necessary to prove that they fall within the SDD exemption. SDD can be applied to:

• Financial institutions in UAE, EU, or comparable jurisdictions that are subject to the ML Regulations or equivalent
• Companies listed on a regulated market
• UAE public authorities
• Legal and accountancy firms in UAE that are members of a recognized professional body.
• Community institutions (e.g. Abu Dhabi Department of Community Development, European Investment Bank, Environment Agency, Europol)

103. Further detail on the application of SDD to these entities can be found in Chapter 6: Identification Evidence.

5.7 Enhanced Due Diligence

104. Under the risk-based approach adopted by FZCO, EDD will need to be conducted on any clients falling into the high-risk category. In addition to these clients, the regulations state specific instances where EDD must be applied. These are:

• Where the client is not physically present
• In respect of correspondent banking relationships
• Any relationship or transaction involving a Politically Exposed Person (“PEP”)
• Where the client is located in a high-risk third country
• Transactions relating to cultural artifacts and other items of archaeological, historical, cultural, and religious importance, or of rare scientific value, as well as ivory and protected species

105. Specific guidance on the application of enhanced due diligence is contained in Chapter 6: Identification Evidence.

5.8 Account Opening Process

106. FZCO will use a standard form to open new client accounts.

5.9 Exception to Full Identification

107. While we will use our standard account opening procedure to verify the identity of our clients whenever possible; it may be the case that a client cannot provide standard information, or there are other factors that may influence the client’s risk profile. FZCO ’s procedure cannot accommodate every eventuality and in some cases the Compliance
Officers/MLRO will need to exercise their judgment. This may justify a deviation from the firm’s standard client opening procedure. All such exceptions must be agreed upon and documented by the Compliance Officer or MLRO in accordance with FZCO ’s risk-based approach.

5.10 Client Acting as an Agent

108. When identifying a client that acts on behalf of underlying customers AND is either of
the following:

• A regulated financial sector firm; or
• A non-UAE firm located in a comparable jurisdiction AND regulated by an overseas regulator

109. FZCO will not need to identify the underlying customers, even if their identity is disclosed to us unless we take instruction directly from the underlying customers.

110. In all other cases, FZCO will obtain identification and verification evidence in respect of both an intermediary and an underlying customer in accordance with our risk-based approach.

111. When the client is located in a Non-Comparable Jurisdiction, unless FZCO is satisfied that the client acting as an agent operates client identification procedures equivalent to UAE standards, the underlying customers must be identified or the business declined.

112. When the client is unregulated and located in a Comparable Jurisdiction, unless FZCO is satisfied that the client acting as an agent operates client identification procedures equivalent to UAE standards, the underlying customers must be identified, or the business declined.

5.11 FZCO Acting Solely as an Introducer

113. FZCO may act solely as an introducer between the client and the firm providing a product or service (“Provider Firm”). FZCO will play no part in the actual transaction and have no other relationship with either of the parties.

114. In such cases, the identification and verification obligations will lie with the Provider Firm, and not with FZCO, provided that:

• FZCO does not give advice to the client; and
• FZCO does not play any part in the negotiation or execution of the transaction; unless FZCO is acting as an agent of the Provider Firm.

5.12 Client Risk

115. The level of documentation required for each client will vary depending on the risk category of a particular client.

5.13 Financial Sanctions Targets

116. It is a criminal offense to make funds or financial services available to sanctioned entities and people (targets) on the list maintained by the Supreme Council for National Security (Supreme Council ). This would include dealing directly with these targets and dealing with these targets through intermediaries (such as lawyers or accountants).

117. Please contact the MLRO for the Sanctions List (https://www.uaeiec.gov.ae/en-us/un-page).

5.14 Origin of Documents

118. Generally, when identifying a client, a document issued by a government department or agency, or by a court will provide a high level of confidence. FZCO will normally accept non-government-issued documentary evidence verifying identity only if it originates from a public sector body or a regulated financial services firm in a comparable jurisdiction, or is supplemented by the knowledge that FZCO has of the person or entity, which has been documented (please refer to Section B2 box 7 in the NAO Form in Appendix 3).

5.15 Home Visit Evidencing Address

119. No home visits will be permitted.

5.16 Documents in a Foreign Language

120. If documents are in a foreign language, FZCO will take appropriate steps to be reasonably satisfied that the documents do in fact provide evidence of the client’s identity. This is likely to involve the translation of either all or part of a document.

5.17 Documentary and Electronic Evidence

121. FZCO will rely on electronic identification evidence. As we choose to rely on electronic evidence only, we must use data from multiple sources, and across time, or incorporate qualitative checks that assess the strength of the information supplied. We cannot rely exclusively on electronic systems that access data from a single source only
(e.g. a single check against the Electoral Roll). For further information on the use of electronic evidence please consult the Compliance Officer or MLRO.

5.18 Certification of Documents

122. We will not be operating with any requirement to obtain certified copies of identification documents.

5.19 Clients’ Websites

123. FZCO understands that although the information on the websites of its clients or potential clients may be helpful, it is not independently verified. While FZCO may use such information as corroborative evidence, it will not exclusively rely on it; an exception can be made by the Compliance Officer/MLRO for low-risk clients.

5.20 Public Information

124. Listed and some unlisted public companies are subject to a high level of disclosure in relation to ownership and business activities; and may have public filing obligations. Private companies and some partnerships, although not subject to such a level of disclosure, often have public filing obligations. Whenever possible and appropriate, FZCO will seek to use reliable public information in its identification process.

5.21 Signatories

125. On some occasions, and where appropriate, FZCO may be provided with a list of those authorized to give instructions for the movement of funds or assets, along with an appropriate instrument authorizing one or more directors (or equivalent) to give FZCO such instructions. FZCO will use this information in determining whom to identify, using its risk-based approach.

5.22 Non-Face To Face Clients

126. Given FZCO ’s business model, it is unlikely we would not meet our clients face to face.

127. Given our business and the type of service we provide, it is unlikely that clients accepted in such a manner will deliberately avoid face-to-face contact. Therefore, a non-face-to-face business will not in itself magnify a money laundering risk posed by a particular client. However, non-face-to-face identification carries an inherent risk of impersonation fraud. To address this risk FZCO will perform at least one additional verification check for non-face-to-face clients, such as:

• Verifying additional aspects of the client’s identity (or the same or different aspect of identity by electronic means)
• Sending Terms of Business or other applicable documentation to a verified address (to be signed and returned by the client)
• Requiring copy documents to be certified by an appropriate person

5.23 Controller of Funds

128. If it appears that another person may have control over the funds which form or otherwise relate to the relationship with our client, we will seek to identify the controller as well as the client, if and when justified by risk.

• SOW – Statement of Wealth – this can be a certified HNW certificate;
• SOF – Source of Funds – through ongoing transaction monitoring;
• SOW & SOF – definitely required for PEP and High-Risk Customers;

129. Documents evidencing each item declared on SOW are a requirement under the EU 4th Directive on Money Laundering.

130. Each declaration on the SOW or assets owned by the customer must be evidenced by documentation and should be independently verified. A verifiable Chartered Accountant’s letter would be acceptable, ideally categorizing the cash, property, shareholdings and

131. Should the bank decide to take a reduced-risk approach on some PEP customers SOW is required with evidence supporting the wealth taken from publicly available information, transaction records (statements), and searches.

132. domestic PEPs should be initially treated as PEP and when the MLRO or delegated officer is satisfied that there is no other involvement or concern, they can be risk assessed and treated with a lower level of due diligence if appropriate. This de-risking should be recorded in line with the PEP recording process.

5.24 Source of Funds

133. Income from Employment

• An original or certified copy of a recent pay slip- the last pay slip within 3 months
• Written confirmation of salary signed by the employer.

134. Property Sale

• Original or certified copy of the contract of sale
• Written confirmation of sale signed by advocate/solicitor

135. Sale of Investments

• Original or certified copy of contract notes
• Written confirmation of sale/holding signed by accountant/broker

136. Inheritance

• Original or certified copy of will or grant of probate
• Written confirmation of inheritance signed by advocate/ trustee/ executor.

137. The beneficiary of the Life Insurance policy

• Original or certified copy of the policy with the client listed as the beneficiary
• Written confirmation of paid-out policy to the client signed by the insurance company

138. Company Sale

• Original or certified copy of the contract of sale
• Written confirmation of sale signed by advocate/solicitor
• Internet research of Company Registry

139. Divorce Settlement

• Original or certified copy of Court Order
• Written confirmation of settlement signed by advocate/solicitor.

140. Savings

• Statement from the savings institution – 3 months – and inquiry of the source of wealth

141. Lottery / Gambling win

• Evidence from the lottery company
• Cheque
• Winnings receipt

 142. Companies

• Accounts – latest/last annual
• Industry/sector of their clients
• Products or services they offer and the delivery channels
• New ventures
• New products or services / new delivery channels / new client types
• Any other relevant areas considered necessary

5.25 Controllers and Beneficial Owners

143. FZCO must ensure that controllers and Ultimate Beneficial Owners (UBO) of entities are identified and verified.

144. Appropriate identification, verification, and due diligence must be completed. Where required we should take sufficient measures to reach a good understanding of the underlying structure and ownership by considering information such as:

• the legal form of the Entity (for example corporation, limited company, partnership, trust, etc.; and
• the controllers of the company (for example knowledge of who within the Entity is authorized to make major decisions, such as executive management or executors)

145. The standards for identification and verification set out earlier in this Policy must be used to verify and identify controllers or UBOs.

5.26 Other Considerations

146. Passport copies should be clear and of good quality.

147. Clients should be discouraged from sending original valuable documents by post.

148. Consideration should be given as to whether the documents relied upon may have been forged.

Chapter 6: Identification Evidence

149. The purpose of this section of the manual is to provide detailed guidelines to staff in respect of obtaining account opening documentation. The information below covers the types of legal entities that are likely to be clients of FZCO. However, due to the diversity of legal structures in place, it is not possible to cover all possible scenarios below. If a potential new client does not appear to fit into any of the categories detailed below you should seek guidance from the MLRO as to the most appropriate type of documentation to obtain.

150. Refusal by the customer to provide information or documents required for due diligence measures is deemed a fundamental breach of the contract and should be reported to the MLRO immediately.

151. There are five parts to Customer Due Diligence, this chapter covers the first three parts listed below:

• Knowing who the applicant for business is (identification)
• Is the client who they say they are (verification)
• Ascertaining the nature and purpose of the relationship
• Keeping information up to date
• Ongoing monitoring to assess if in line with what is expected

6.1 Clients entitled to Simplified Due Diligence (SDD)

6.1.1 Regulated Financial Institutions

152. Where the new client is a regulated financial institution in UAE, EU, FATF, or comparable jurisdiction there is no requirement to perform identity or verification checks. It is however a requirement that FZCO has reasonable grounds for believing the customer is an institution covered by SDD.

153. Therefore, when dealing with regulated firms FZCO will obtain the following information:

• The evidence of the client’s regulated status; AND
• The evidence of the client’s address

154. The list of regulators provided in Appendix 5 will assist FZCO in identifying such clients.

6.1.2 UAE Public Authorities and Community Institutions

155. In respect of UAE public authorities and community institutions, FZCO may apply SDD.

156. Therefore, when dealing with a UAEpublic authority or community institution FZCO will obtain the following information:

• The evidence of the client’s public status; AND
• The evidence of the client’s address

6.1.3 Companies listed on an EU-regulated market or equivalent exchange

157. Companies listed on an EU-regulated market or equivalent exchange are publicly owned and accountable.

158. For all such customers, FZCO will obtain the evidence of address as well as reliable evidence that the client is either of the following:

• A publicly quoted company (that is subject to public disclosure rules), or
• A 50% (or more) consolidated subsidiary of a publicly quoted company

159. Whilst the SDD standards are lower for the types of clients mentioned above it does not negate the need to obtain and verify further information if the risk assessment of the new clients suggests this may be appropriate.

160. If a regulated market is located within the EEA there is no requirement to undertake checks on the market itself. FZCO will, however, record the steps it has taken to ascertain the status of the market. If the market is outside the EEA but is one which subjects companies whose securities are admitted to trading to disclosure obligations which are
contained in international standards and are equivalent to the specified disclosure obligation in the EU, similar treatment is permitted.

6.1.4 Companies subject to the licensing and prudential regime of a statutory regulator in the EU

161. This would include companies that are subject to regulators such as OFWAT OFGEM or OFCOM or an EU  equivalent e.g. power and telecommunications companies.

6.1.5 Members of recognized professional bodies

162. This will include legal and accountancy firms in the UAE that are members of a recognized professional body. FZCO will obtain appropriate evidence that the firm is a member of the recognized professional body and this will be held on file.

6.2 Clients Subject to Full Identification Requirements

6.2.1 Unregulated Private Companies and Limited Partnerships

163. FZCO, when identifying a company or limited partnership will seek to understand its legal form, ownership structure, and business. The amount of information that we will seek to obtain will depend on the money laundering risk posed by a particular company. Money Laundering Risk is discussed in Chapter 4.

164. Different information requirements in relation to different types of entities are detailed below. For all such clients FZCO as a matter of course will seek to obtain the following Standard Information; that is information required for all clients. Additional information will need to be obtained in relation to Medium and High-Risk clients.

6.2.2 Standard Information for Medium-Risk Clients

165. FZCO will obtain the following standard information in respect of each corporate client. The extent of verification of this information will depend on the risk posed by a particular client. When verifying the identity of a client in accordance with a risk-based approach, we will take into account the below-mentioned examples of documentation that can be used for such verification.

• An official document containing the client’s full name and registered number. Examples: A copy of Certificate of Incorporation or Partnership Agreement (if any), Companies House (or equivalent registry) search
• Evidence of the client’s registered office in the country of its incorporation. Examples: A confirmation of the address by a reputable professional person, Companies House (or equivalent registry) search
• Evidence of client’s business address. Examples: A copy of a utility bill, A government issued document, A record of a visit to the client’s place of business
• Names of all directors
• Names of all direct and indirect beneficial owners owning 25% or more of the entity. Where no beneficial owner has an interest of 25% or more, the Compliance Office will determine whose identity should be verified, taking a risk-based approach.
• Copy of latest audited accounts where available.
• A group/shareholding chart (where relevant)

166. Wherever possible this information must be obtained from an independent source such as Companies House or from a reputable business information provider. Further detail of the standard of evidence is given in Chapter 5.

167. Where any discrepancies are identified between a client’s beneficial ownership information available at the Registrar of Companies (ROC) and the information FZCO obtains through our own compliance checks, we are required to report the discrepancies to the MLRO.

168. The identity of beneficial owners owning 25% or more of the company and the identity of at least one director must be verified in line with the requirements for private individuals.

6.2.3 Limited Partnerships which are Medium Risk Clients

169. Limited Partnerships are treated in the same way as a private company the only difference being a list of partners will be obtained in place of the lists of directors and beneficial owners.

170. The identity of the partners or other beneficial owners with a beneficial interest of 25% or more of the partnership, including the General Partner/Managing Partner, must be verified in line with the requirements for private individuals.

171. If the General Partner/Managing Partner is a corporate entity, the identity of the ultimate beneficial owner of that corporate entity must be verified.

6.2.4 High-Risk Clients

172. In relation to High-risk clients, we will obtain at least the following information, added to both the standard information for Medium risk clients (save for overlapping requirements), or both:

• Identification information for two executive directors (if applicable), in accordance with identification requirements for individuals; AND
• In respect of Politically Exposed Persons (“PEPS”) senior management approval will need to be obtained together with details of the source of funds/wealth involved – see

6.11 Politically Exposed Persons.

173. For an entity, we will also obtain the following information:

• Industry/sector of their clients
• Products or services they offer and the delivery channels
• New ventures
• New products or services / new delivery channels / new client types
• Any other information deemed relevant/necessary

6.2.5 High-risk third countries

174. For clients residing in or nationals of high-risk third countries, Enhanced Due Diligence measures must be applied:

• verification of the identity of the customer or the beneficial owner
• verification of the intended nature of the business relationship, and the source of funds,
• verification of the source of wealth of the customer and the beneficial owner, as well as information on intended or performed transactions

175. The current list of high-risk third countries as defined by the European Commission lists the following 25 countries in 2022:

• Afghanistan
• Barbados
• Bahamas
• Burkina Faso
• Cambodia
• Cayman Islands
• Democratic People’s Republic of Korea
• Haiti
• Iran
• Jamaica
• Jordan
• Mali
• Morocco
• Myanmar
• Nicaragua
• Pakistan
• Panama
• Philippines
• Senegal
• South Sudan
• Syria
• Trinidad and Tobago
• Uganda
• Vanuatu
• Yemen and
• Zimbabwe.

An up-to-date list can be found in High-risk third countries and the International context content of anti-money laundering and countering the financing of terrorism (Europa.eu)

6.2.5 Legal and accountancy firms

176. Firms that are members of a recognized professional body (accountants and lawyers) will often be set up as limited companies or partnerships. As they will be classified as low risk from a money laundering perspective FZCO has decided that there is no need to obtain the various documents that would apply to a private company or partnership that was not a member of a recognized professional body (Medium Risk Clients).

6.3 Partnerships

177. FZCO will treat partnerships and other unincorporated businesses in accordance with the requirements and guidelines set out above for private companies (as noted earlier this will not apply to partnerships that are members of a recognized professional body).
The standard information for all such businesses will consist of:

• Evidence of trading address
• Nature of business activities
• List of all partners
• Copy of partnership deed
• A copy of the latest (audited, where available) financial statements.

178. The identity of the partners or other beneficial owners with a beneficial interest of 25% or more of the partnership must be verified in line with the requirements for private individuals.

179. If any of the partners is a corporate entity, the identity of the ultimate beneficial owner of that corporate entity must be verified in accordance with the requirements for individuals.

6.4 Non-UAE Governments and Public Authorities

180. When accepting a new client that is a government body or public authority in a country other than UAE, the approach to identification and verification has to be tailored. The guidance below should be sufficient to identify and verify most organizations but in the case of any doubt please seek advice from the MLRO.

181. The following information should be obtained:

• Full name of the entity
• Nature and status of the entity
• Address of entity
• Name of home state authority
• Names of directors (or equivalent)

182. The firm will verify the name, address and where possible the home state authority.

183. For higher-risk organizations, the firm will undertake verification of the identity of two directors.

6.5 Trusts, Foundations, and Similar Entities

184. It is unlikely that our client base will include trusts. However, we do not rule out the possibility that we may be dealing with a trust. FZCO will treat trusts in accordance with its risk-based approach. In relation to trusts, we will have regard to the following considerations, as well as the general considerations outlined above in implementing our risk-based approach:

• Transparency of the trust’s activities
• The complexity of the trust’s structure (e.g. the presence of numerous layers of ownership)
• Location of the trust (e.g. in a “tax haven” previously associated with money laundering)

185. In many cases, a trust will not be a separate legal entity but should still be regarded as the customer. The trustees of a trust will be considered the controllers. The purpose and objects of most trusts are set out in a trust deed. Please consult the Compliance Officer or MLRO if you are unsure as to who your client is.

186. Most trusts accepted as clients of FZCO will fall into the Medium risk category. If the trustees of a trust are all regulated entities or publicly listed companies it may be possible to consider them Low risk if there is nothing to suggest they should be treated otherwise.
For each trust, we will seek to obtain the following information:

• Full name of the trust
• Nature and purpose of the trust (e.g., discretionary, testamentary, bare)
• Country of the establishment of the trust
• Names of all trustees
• Names of any beneficial owners (see below-concerning verification)
• Name and address of any protector or controller

187. If the client is to be a low risk then it will be necessary to demonstrate that all trustees (i.e. controllers) are either regulated institutions or listed companies.

6.6 Medium-Risk Trusts

188. Trusts set up under testamentary arrangements and small, local trusts funded by small, individual donations from local communities, serving local needs, will be classified as Medium risk.

189. In addition to verifying information in accordance with procedures for Low-risk clients, we will obtain the following information:

• Either a register search in the country of establishment;
• Or a summary of the instrument establishing the trust.

6.7 High-Risk Trusts

190. Offshore trusts and trusts with complex structures will be classified as High risk. In respect of High-risk trusts FZCO will seek to obtain and, where appropriate, verify some or all the following additional information in addition to the information required for Low and Medium risk clients:

• Names of the donor, settlor, or grantor of the funds (where there are large numbers of small donors, donors of 10% or more only)
• Domicile of business/activity
• Nature of business or activities of the trust
• Operating address of the trust
• Names and/or classes of the trust’s beneficiaries
• Deed of Trust
• Memorandum and Articles of Association
• Certificate of Incorporation
• Registered address and business address
• List of Trustees
• Full ID proof of Trustees, passports, addresses, verification, Thomson Reuters
• Signatures
• Power of Attorney
• In the case of a charitable trust – the Charity Commission Register number
• Name of the settlor or dummy settlor/protector/beneficiary (note – these are often the same person)
• Full ID proof of Trustees, passports, addresses, verification, Thomson Reuters
• Statement of the source of wealth
• Witnessed Mandate to open an account

6.8 UAE & Non-UAE Charities

191. The following information must be obtained for all UAE and non-UAE registered charities – prior to opening the account:

• Full legal name
• Company registered number and charity registration number
• Registered office in the country of incorporation
• Business address
• Nature of the company’s business
• Completion of the Bank’s account opening form
• Latest accounts
• Mandate to open an account
• Statement of the source of wealth (funds-donations, size, and regularity)
• Beneficial owners
• ID, passport, ID card, proof of address
• Statement of source/s of funds

6.9 Beneficial owners

192. For all trusts, the identity of the beneficial owners will need to be verified. These will be:

• The trustees or individuals having control over the trust
• any individual who is entitled to a specified interest (that is, a vested, not a contingent, interest) in at least 25% of the capital of the trust property

193. Following our assessment of the money laundering risk presented by the trust, we may decide to verify the identities of additional trustees, and/or of the settlors.

6.10 Private Individuals

194. In cases where FZCO needs to identify a private individual, it will always seek to obtain the following information:

• Full name
• Residential address
• Date of birth

195. In verifying the individual’s identity, we will obtain:

196. EITHER: A government-issued document that incorporates the client’s full name and photograph AND either their residential address or their date of birth

197. OR: A government-issued document (without a photograph) that incorporates the client’s full name. This must be SUPPORTED BY a second document, either government-issued, or issued by a judicial authority, a public sector body or authority, or another UAE-regulated firm in the AUE financial services sector, or in a comparable jurisdiction, which incorporates the client’s full name AND either their residential address or their date of birth

198. Client identification performed electronically should mirror the above requirements.

199. In the case of private individuals that have not been met by the firm an additional piece of acceptable documentation must be obtained.

200. Please refer to Appendix 4 for a non-exhaustive list of acceptable documents for individual identity verification.

201. If the client has been deemed to be of higher risk, then the following applies:

6.10.1 Verifying the Identity of Higher Risk Individuals

202. Full name, date, and place of birth must be verified using:

203. EITHER a current passport (to include the photograph page and pages containing reference numbers, date country of issue, nationality, and place of birth)

204. OR a national identity card (to include the photograph page and pages containing
reference numbers, date country of issue, nationality, and place of birth).

6.10.2 Verifying the address of higher risk individuals

205. At least one of the following original documentary evidence confirming the individual’s current residential address is required for all relationships classified as medium or high risk.

206. (The documents are listed in order of preference – Not all documents are appropriate in some countries):

• Current national identity card (if not used to verify identity)
• Current photographic driving license
• Correspondence from a central or local government department or agency e.g. tax assessment or notice of tax code (issued during the previous 12 months)
• Social security card (if current residential address is included)
• Council tax demand letter or statement (issued during the previous 12 months)
• Bank statement or credit card statement which shows the individual’s name and address (issued less than 3 months previously);
• Mortgage statement (issued less than 3 months previously);
• Utility bills (but not ones printed off the internet).

207. If an individual has lived at their current residential address for less than 12 months FZCO will require a document that confirms the individual’s previous residential address. Please note – a C/O address or PO Box is not acceptable.

6.11 Politically Exposed Persons (‘PEPS’)

208. It is necessary for enhanced due diligence (“EDD”) to be conducted when a client is a PEP or where one or more of the directors or beneficiary owners of a client is a PEP.

209. A PEP is defined as an individual who has, at any time in the preceding year, been entrusted with prominent public functions and an immediate family member or known close associate of such a person. The risks of Politically Exposed Persons (PEPs) are that they may handle proceeds of corruption and/or may offer, be offered, or expect/demand bribes. A prominent public function could include, but is not limited to:

• Heads of state, heads of government, ministers, and deputy or assistant ministers
• Members of Parliament (MPs)
• Members of supreme courts or other high-level judicial bodies
• Members of courts of auditors or of the boards of central banks
• Ambassadors, chargés d’affaires, and high-ranking officers in the armed forces
• Members of administrative, management, or supervisory boards of state-owned enterprises

210. There is no initial distinction between the locations of a PEP and the Money Laundering Directives identify domestic PEPs to be treated as PEP.

211. Politically Exposed Persons, and family members or known close associates of PEPs, are individuals who by virtue of their position pose an inherently higher money laundering risk, particularly if they are based in a higher-risk country or business. Money Laundering Regulations require us to monitor all PEP relationships due to the likelihood
that they will pose a higher risk.

212. When taking on new customers and updating existing customer Identification and Due Diligence, we must screen customers against publicly available PEP lists in order to determine if they are politically exposed.

213. In respect of PEPs FZCO must have

• Senior management sign off on the NOA
• evidence of the source of wealth and source of funds that are involved in the business relationship or transaction.

6.12 FATCA & Global Intermediary Identification Number (GIIN)

214. The Foreign Account Tax Compliance Act (FATCA) is a 2010 United States federal law to enforce the requirement for United States persons including those living outside the U.S. to file yearly reports on their non-U.S. financial accounts to the Financial Crimes Enforcement Network (FinCEN).

215. GIIN is an abbreviation of the Global Intermediary Identification Number. The FATCA Registration System approves foreign financial institutions (FFI), financial institution (FI) branches, direct reporting non-financial foreign entities (NFFE), sponsoring entities, sponsored entities, and sponsored subsidiary branches. Institutions and entities assigned a GIIN can use it to identify themselves to withholding agents and tax administrators for FATCA reporting purposes.

216. If an individual’s account holds any of the following seven criteria, we may need to request further information or documentation to determine if the customer is a US person under FATCA.

• US citizenship or US residence.
• US place of birth.
• US address including US PO boxes.
• US telephone number.
• Repeating payment instructions to pay amounts to a US address or an account maintained in the US.
• The current power of attorney or signatory authority granted to a person with a US address.
• In the care of or hold mail address which is the sole address for the account holder.

6.13 Other Considerations

217. Passport copies should be clear and of good quality.

218. from sending original valuable documents by post.

219. Consideration should be given as to whether the documents relied upon may have been forged or altered in any way.

Chapter 7: Introductions by Intermediaries

220. FZCO may accept a confirmation from an intermediary that a client’s identity has been appropriately verified. We will take account of the following considerations when deciding whether it is reasonable for us to rely on an intermediary to have properly identified the client:

• The public disciplinary record of the intermediary, to the extent it is available.
• The nature of the client, the product or service sought, and the sums involved.
• Any adverse experience of the intermediary’s general efficiency in business dealings.
• Any other knowledge, whether obtained at the outset of the relationship or subsequently that we have regarding the standing of the intermediary.

7.1 Introducers

7.1.1 Reliance on Third Parties

221. Where the business relies on a third party for compliance with this policy or additional applicable AML requirements, the MLRO must ensure that such reliance is permissible under law and consistent with this policy, and reasonable under the circumstances.

222. When a relevant person relies on a third party to apply customer due diligence measures it:

• must immediately obtain from the third party all the information needed to satisfy the requirements of regulations 28(2) to (6) and (10) in relation to the customer, the customer’s beneficial owner, or any person acting on behalf of the customer;
• must enter into arrangements with the third party which:
• enable the relevant person to obtain from the third party immediately on request copies of any identification and verification data and any other relevant documentation on the identity of the customer, the customer’s beneficial owner, or any person acting on behalf of the customer;
• require the third party to retain copies of the data and documents referred to in line with record keeping policy for the period required by FZCO.

7.1.2 Regulated Financial Sector Firms

223. Provided the introducer satisfies the general criteria above, FZCO will normally be able to rely on an Introduction Certificate from a UAEregulated firm or regulated financial institution in a comparable jurisdiction.

224. An Introduction Certificate states that one regulated entity has conducted appropriate checks to satisfy money laundering requirements for a client. It can be forwarded to another regulated entity and can be relied upon to satisfy money laundering requirements by the entity receiving the Certificate.

7.1.3 Professional Firms

225. FZCO will not accept Introduction Certificates from lawyers, accountants, and other professionals but may rely on the copies of verification documentation supplied by a professional firm to us if these have been assessed by FZCO as satisfactory.

7.1.4 Firms in Non-Comparable Jurisdictions

226. If the introducing firm is located in a non-comparable jurisdiction, FZCO will either:

• Identify the introduced client itself; or
• Rely on an Introduction Certificate if it is accompanied by copies of identification documents certified in accordance with our standards.

7.2 Group Introductions

227. When a client is introduced by one part of a financial sector group to another, it is not necessary for their identity to be re-verified, provided that:

• The client’s identity has been verified by introducing part of the group in line with standards in UAE, EU, or a comparable jurisdiction; and
• A group introduction confirmation is obtained and held with the client’s records (except if FZCO has day-to-day access to all group client information and records)

228. It is the responsibility of the UAE firm to satisfy itself that the standards of identification are acceptable.

7.3 Production of Documents

229. Any Introducer must be able to supply copies of the client’s due diligence documents to FZCO on request. The documentation should be provided within 48 hours unless an extended timeframe is agreed upon between both parties.

230. If at any time you become concerned that an introducer is not obtaining sufficient information on clients and or is unable to provide copies of documents on request, then this matter must be referred to the MLRO.

Chapter 8: Suspicious Transactions

8.1 Internal Reporting

8.1.1 Obligation to Report

231. Every member of FZCO ’s staff is required to make a formal report to the MLRO if, in the course of their employment, they know, suspect, or have reasonable grounds for either knowing or suspecting money laundering or terrorist financing. Reporting in accordance with this requirement will not result in a breach of the General Data Protection Act, confidentiality, or any other contractual or statutory provisions.

232. Remember that a duty to report a suspicion of money laundering exists even if a potential client does not conduct any business through FZCO, or if we decline the business. The obligation to report is in respect of anyone, whether the firm’s client or not. This is different from the obligation to report fraud that applies to FZCO ’s actual, and not potential, clients only.

8.1.2 Objective Test

233. It is important to understand that a person could be found guilty of a failure to report even if they did not actually suspect but ought to have suspected money laundering. The test is whether an honest and reasonable person, working within the financial services industry, would have formed a suspicion based on the facts available at the time.
Generally, to satisfy this test you would have to know your client, their business, and the rationale for their instruction, activity, or transaction. A failure to make adequate inquiries or assess relevant facts will not provide protection against the objective test of reasonable suspicion.

234. A suspicious activity or transaction will often be:

• Any transaction or instruction that is not logical from an economic, financial, or banking point of view.
• Any transaction where the amount, duration, or other specific feature is inconsistent with the customer’s professional or business activities or expected account activity.

235. Reasonable grounds to know or suspect is a negligence test as a deterrent against those in banks and other financial sector banks who fail to act competently, reasonably, and honestly where information before them ought to make them suspect money laundering. It may therefore be considered to cover:

• Wilful blindness i.e. turning a blind eye to the obvious.
• Negligence i.e. failing to make adequate inquiries that an honest and reasonable person would be expected to make in the circumstances.
• Failing to assess adequately the facts and information that is either presented or available would put an honest and reasonable person on inquiry.

8.1.3 Timing of Reporting

236. The obligation is to make a report without undue delay and not later than two business days after the identification of the suspicious activity or transaction.

8.1.4 Discharge of Individual Responsibility

237. By submitting a report to the MLRO you will discharge your individual responsibility, thus protecting yourself from criminal prosecution for the offense of a failure to disclose. Therefore, when reporting a suspicion, you will receive a formal written acknowledgment from the MLRO. Please retain it for your own records.

8.1.5 Consultation with a Colleague or Line Manager

238. It is acceptable to discuss your suspicion with your line manager. However, if after consulting your line manager you remain suspicious, it is your responsibility to ensure that a report is submitted to the MLRO.

239. While a line manager may comment on the proposed report, they do not have the authority to block or attempt to block any report being made to the MLRO. Should you encounter an attempt to prevent a report from being made, you should discuss this with the MLRO directly.

240. In addition, if you consult a colleague, this colleague will have knowledge on the basis of which they must consider whether or not to make a report to the MLRO. To avoid making duplicate reports, the colleague, if suspicious, should only report if they are reasonably satisfied that the employee will not make such a report.

241. To reduce the risk of inadvertently tipping off a client the case should be discussed with as few people as possible.

8.1.6 Continuous Obligation to Report

242. Making a report does not remove the need to notify the MLRO of further suspicions that may arise with the same or different client. If further suspicions arise additional reports must be made to the MLRO.

8.1.7 After Submission of a Report

243. Until the MLRO informs you that no report to FIU is to be made, any further transactions or activity in respect of the suspected client must be reported to the MLRO as soon as they arise.

8.1.8 MLRO’s Determination

244. The MLRO will consider the report and surrounding circumstances and decide whether or not to submit an external report to FIU. If the MLRO decides to do so, they must do this as soon as practicable.

245. In order to undertake this investigation, the MLRO may need further information or access to client files. The MLRO must be given free access to all client records. If further information needs to be obtained from the client or from an intermediary, then this should normally be obtained by the employee with the client relationship. This is to
minimize the risk of alerting the client or intermediary that a disclosure of FIU is being considered.

246. The MLRO will record all internal inquiries made in relation to the report of suspicion and the basis for their decision to make or not to make a report to FIU.

247. A failure to make a report when there are reasonable grounds for suspicion may constitute assistance, potentially incriminating you as a party to a crime.

248. If disclosure to the MLRO causes them to acquire knowledge or suspicion of money laundering (or gives them reasonable grounds for such knowledge or suspicion) and the MLRO fails to make a report to FIU, then they will be committing the offense of a failure to disclose.

8.1.9 Pre-Transaction Reporting to FIU

249. If a pre-transaction report is made by the MLRO to FIU, no business may be conducted with or for a client until you receive consent from FIU. FIU has 7 working days, from the working day following the day of the disclosure, in which to respond to the MLRO. Dealing with or advising a client before receiving consent from FIU may constitute one of the offenses, that is concealing, arrangements or acquisition, use, and possession.

250. Note there are no provisions under the Terrorism Act for consent to be given within a specified period. If a report is made to the FIU under this Act no related transaction or activity is allowed to proceed until FZCO has been contacted by FIU or a law enforcement agency.

251. The MLRO will inform you whether FIU consents to you dealing with the client or not. Please liaise directly with the MLRO who will provide guidance on what information may be provided to a client or potential client.

8.1.10 Post-Transaction Reporting to FIU

252. Since FIU cannot provide consent after a transaction or activity has already occurred, it will provide an acknowledgment of receipt of a report to the MLRO. In the absence of an indication to the contrary from the MLRO, you may deal with the client as normal.

However, you must inform the MLRO of every interaction with the client and seek guidance on how to deal with that client.

8.1.11 Contact with Client and Third Parties

253. Any contact from the client questioning the delay in processing their transaction needs to be handled very carefully. In these circumstances, please liaise closely with the MLRO.

254. Whether or not FIU allows you to proceed with a transaction, you may not tip off the client that a disclosure to the authorities has been made. Neither may you disclose that such a disclosure has been made in response to a data protection request.

255. Unless specifically authorized to do so, you must not discuss any reports of suspicions of money laundering with third parties. Any requests for information from third parties, such as the Police or Customs, must be immediately referred to the MLRO.

8.1.12 Court Orders

256. Any evidence to be presented in Court will be obtained under a court order. The following are the types of orders that may be served on FZCO as part of an investigation.

• a disclosure order from any law enforcement organization
• an account monitoring order from any law enforcement organization
• a search and seizure warrant
• All such orders should be passed to the MLRO immediately who will liaise with FZCO ’s legal advisers as appropriate.

8.1.13 Failure to Make a Report

257. FZCO will take disciplinary action against any member of staff who fails to report a suspicion without a reasonable excuse.

8.1.14 Form of Reporting

258. Please make your report to the MLRO on the Suspicious Transaction Reporting Form (Money Laundering) attached as Appendix 1. Please give as much information on this form as possible to assist the MLRO.

8.2 Examples of Suspicious Activity

259. Below is a list of activities that may give rise to a suspicion of money laundering or terrorist financing. This is not an exhaustive list of circumstances; neither will they necessarily give rise to suspicion. However, any of these occurrences are likely to form a basis for further inquiry in most cases. It will be ultimately a matter of your own
consideration to decide whether or not to report a suspicion.

• Transactions with no apparent purpose or that make no economic sense
• Transactions of a size or pattern which is out of line with transactions normally undertaken by the client
• The client refuses to provide the information requested
• Accounts that are used for a short period of time only
• Dormant accounts that get reactivated
• Extensive use of offshore vehicles or structures, especially if they do not make economic sense
• Unnecessary routing of funds through third-party accounts

8.3 Ongoing Relationships with Suspicious Clients

260. FZCO’s policy is not to maintain relationships if the firm believes we may be used for money laundering. Where a client has been involved in a suspicious transaction, the MLRO, together with the senior management, makes a decision regarding the ongoing relationship with that client. If we decide to continue a client relationship, we may implement increased monitoring of the client’s account.

261. Where a client has been the subject of a referral to FIU by the MLRO, the MLRO must be informed before any action is taken to exit the relationship. In such circumstances, the MLRO will consult FIU to obtain permission to terminate the client relationship.

8.4 Data Protection – Subject Assess Requests (SARS)

262. Occasionally SAR will be received in respect of a client where an internal or external suspicious transaction report has been made. Whilst the General Data Protection Regulations (“GDPR”) seeks to ensure all information is included in any response to a SAR request; it does allow to the omission of information that may prejudice the prevention or detection of crime. Any such request will need to be handled sensitively and will require the MLRO to liaise with FIU as well as their legal advisers when deciding whether to omit any information. Any decision in respect of any exemption must be clearly documented.

8.5 Record Keeping

263. Article 5 (e) of the GDPR states personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.

264. For Money Laundering purposes, records of all internal and external reports together with any supporting documentation must be retained for 5 years from the date of the report. If, however, the firm is aware of an ongoing investigation in relation to any report it must be retained until the relevant agency has confirmed that the case is now closed.

Chapter 9: Training and Awareness

9.1 Introduction

265. For the purpose of this manual “Awareness” refers to actions taken by FZCO to ensure that on an ongoing basis, personnel is informed of money laundering and associated risks as well as their individual and collective responsibilities.

266. “Training” refers to a more specific process whereby staff is educated on specific areas, their attendance is recorded, and understanding is measured.

267. FZCO has a legal responsibility to ensure that person receives appropriate anti-money laundering training. Failure to provide training may constitute a criminal offense.

9.2 Awareness

268. It is our policy to ensure that all employees are aware and kept up to date with money laundering developments. This Policy serves as the basis for awareness within FZCO. It will be supplemented with additional material as and when necessary.

269. At the start of their employment, every employee must be given a copy of this Handbook and must sign an Anti-Money Laundering Policy Declaration attached as Appendix 6 to confirm that they have read and understood the provisions of this Handbook.

9.3 Training

270. FZCO provides training to relevant staff upon recruitment and on an annual basis. The definition of “relevant staff” is set as widely as possible to encompass all employees who may be able to identify suspicious transactions during the course of their work. The requirement to train relevant staff is also applicable to any part-time, temporary, or consulting staff.

271. Anti-money laundering training will, as a minimum, comprise the following issues:

• The need to obtain sufficient evidence of identity
• Recognition and reporting of suspicions of money laundering via the MLRO to FIU
• The identity and responsibilities of the MLRO
• Anti-money laundering rules, guidance, and regulations
• Effects of breaches of money laundering legislation on FZCO and its Employees

272. Attendance or completion of anti-money laundering training is mandatory for all relevant personnel. If you are unable to attend on a scheduled training date you should contact the course organizer or provider as soon as possible to arrange an alternative date. Repeated failures to attend training courses may result in disciplinary action.

273. If, after attending a training course, you feel that you would benefit from further clarification on certain subjects; please contact the MLRO.

9.4 Screening of Staff

274. FZCO will conduct initial and periodic screening of relevant staff. Relevant staff includes compliance staff, employees in the front office, those who introduce the business, and those who engage with clients.

275. The initial and annual screening will include an assessment of the individual’s skills, knowledge, and expertise in order to ascertain whether they are capable of carrying out their functions effectively, as well as conducting an assessment of the conduct and integrity of the individual.

9.5 Record Keeping

276. FZCO will retain the records of all materials issued to its personnel in relation to anti-money laundering, counter-terrorism, and sanctions training and awareness for at least 5 years from the date of issue of materials.

277. These records will include the names of attendees, dates of all training sessions, the content of courses and presentations, and, where applicable, test results. All staff will be required to sign the Register of Attendees attached as Appendix 2 confirming that they have received training and understood their legal responsibilities.

278. FZCO will retain the records in relation to the screening of staff for at least 5 years from the date of issue of material.

Chapter 10: Monitoring

10.1 Introduction

279. Due to FZCO ’s size and nature of its business, the firm, in monitoring clients’ activities, places reliance on two main factors:

• Having up-to-date client information; and
• Asking pertinent questions to elicit the reasons for unusual transactions

10.2 Up-To-Date Client Information

280. We ensure that the information we keep about our clients is up-to-date through regularly performing client reviews. The frequency of such reviews is determined by the client’s risk category. Apart from the transaction monitoring on each account, we review our clients with the following frequency:

• Low-risk clients are re-assessed every 5 years
• Medium-risk clients are re-assessed every 3 years
• High-risk clients are re-assessed at least annually
• PEPs are re-assessed six monthly

281. The purpose of these reviews is to identify any significant changes to the corporate structure, management, and activities of the client. Unless the MLRO resolves otherwise, it is not always necessary to obtain all the information required for account opening or to re-verify all identification information. These reviews are coordinated by the MLRO. In addition to reviewing changes to the client’s structure, management and profile an overall review of the client’s activity over the period is normally conducted. This will allow FZCO to assess if there have been changes in the client’s activity which could be considered unusual given the information held about the client.

282. Notwithstanding these timescales, should any member of staff become aware of a change in the circumstances of a client, for example, a change of ownership structure or a move into a new business area, this information should be recorded on the client file immediately. If this information could affect the risk assessment of the client then the
MLRO should be informed. The MLRO will then decide if there is a need to re-evaluate the client’s risk assessment.

10.3 Transaction Monitoring

283. We consider that a combination of anti-money laundering training and commercial awareness will enable our staff to monitor for, recognize and report suspicious activities.

284. We will seek to understand the rationale for the client undertaking a particular transaction or activity. When identifying unusual or potentially suspicious activity our staff will use their knowledge of the client and of what would be normal in a given set of circumstances.

285. In general terms, all members of staff should have regard to the following considerations when monitoring client accounts, as well as factors detailed in other chapters of this Policy:

• Whether the financial performance of an enterprise is in line with the nature and scale of its business, and whether the corporate finance services it seeks appear legitimate in the context of those activities
• Whether the transaction has no apparent lawful or economic purpose
• The unusual nature of a transaction: e.g., abnormal size or frequency or complexity for that client or type of client
• The nature of a series of transactions: for example, a number of cash payments, a complex series of transactions
• The geographic destination or origin of payment: for example, to or from a high-risk jurisdiction
• Whether the transactions are in support of a client seeking to purchase, or purchasing a “golden passport”, i.e. the client applies for residence rights or citizenship in any country in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities
• The parties concerned: for example, a request to make a payment to or from a person on a Sanctions List.

286. However, FZCO recognizes that while staff training is important, it is not a comprehensive substitute for transaction monitoring. Therefore, on a quarterly basis, FZCO will formally review all transactions undertaken each quarter to ensure that no money laundering has been facilitated or taken place.

287. Please refer to the Post-Transaction Review Form contained in Appendix 7 of this Handbook.

10.4 Record Keeping

288. Evidence of all monitoring undertaken by FZCO will be retained for a period of at least 5 years from the date of the review.

Chapter 11: Records Retention

11.1 Introduction

289. This chapter provides guidance on the record-keeping procedures that FZCO needs to meet its obligations in respect of the prevention of money laundering and terrorist financing.

290. Keeping adequate records will ensure that FZCO can:

• Provide an audit trail for all advice given and activity undertaken on a client’s behalf
• Provide adequate information to law enforcement agencies to assist with their investigations
• Undertake to monitor of client activity against expectations
• Identify and report any suspicious activity
• Provide evidence of meeting all statutory and regulatory obligations.

11.2 What records must be kept?

291. The following material must be kept:

• Client information, including evidence of identity
• Details of all transactions made on behalf of each client
• Internal and external reports of suspicion
• Reports sent to ROC of discrepancies in a client’s beneficial ownership information
• MLRO annual report and any other reports
• Information not acted upon
• Training and compliance monitoring
• Information about the effectiveness of training

292. Keeping the required records for the specified time period will not result in FZCO breaching the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data). This information will be made available to the competent authorities in the context of any relevant criminal investigations and prosecutions.

11.3 Identification Records

293. Client identification records must be kept for a period of at least 5 years from the date of the end of a client relationship. That is either the date of the last transaction with the client or the closure of the client’s account, whichever is the latest.

294. The revised FATF Recommendations demonstrate that, in order to be able to cooperate fully and comply swiftly with information requests from competent authorities for the purposes of the prevention, detection, or investigation of money laundering and terrorist financing, obliged entities should maintain, for at least five years, the necessary information obtained through customer due diligence measures and the records on transactions.

295. In order to avoid different approaches and in order to fulfill the requirements relating to the protection of personal data and legal certainty, the retention period should be fixed at five years after the end of a business relationship or of an occasional transaction.
However, if necessary for the purposes of prevention, detection, or investigation of money laundering and terrorist financing, and after carrying out an assessment of the necessity and proportionality, Member States should be able to allow or require the further retention of records for a period not exceeding an additional five years, without prejudice to the national criminal law on evidence applicable to ongoing criminal investigations and legal proceedings.

11.4 Transaction Records

296. Transaction records must be kept for a period of at least 5 years from the date of the transaction. They should be maintained in a form that provides a satisfactory audit trail of all transactions effected via FZCO allowing their reconstruction.

11.5 Third party Record Keeping

297. It is FZCO’s responsibility to ensure the third party complies with the record-keeping obligations. This principle applies to the use of third-party service providers such as introducers or administrators.

11.6 Internal and External Suspicious Transaction Reports

298. We will retain the following records of any reports of suspicions of money laundering regardless of whether the MLRO made a report to FIU. These records will consist of:

• Records of actions taken under the internal and external reporting requirements
• When the MLRO had reviewed an internal report and decided not to make a report to FIU, a record of all the information considered
• Copies of reports of suspicions submitted to FIU

299. These records will be retained for 5 years from the date the report is made. However, if FZCO is aware that either FIU or another law enforcement agency is investigating a client, FZCO will retain all records in relation to that client until the agency confirms that the case is closed. If, within 5 years of a disclosure being made, FZCO has not been advised of an ongoing investigation, it may destroy the records.

11.7 Anti-Money Laundering, Counter Terrorist and Sanctions Training Records

300. We will retain the following records for at least 5 years in relation to Anti-Money Laundering (“AML”) training:

• Date(s) AML training was given
• Nature and content of the training
• Names of people who received the training
• The results of the tests taken, if applicable

11.8 Compliance Monitoring Records

301. The following records are retained for at least 5 years in relation to compliance monitoring:

• Annual MLRO report to the board and any other reports to senior management
• Records of consideration of those reports and of any action taken as a consequence

11.9 Refused Business Records

302. Where a business has been refused because it does not meet our client identification, verification and KYC standards, a record of the refusal will be retained for 5 years.

11.10 Wire Transfer and Electronic Payment Records

303. All electronic payment messages should contain sufficient information to identify the parties involved (i.e. both the party making the payment and the beneficiary). This information should include full names, addresses and account numbers. Where this information cannot be provided in the electronic payment message, full records must be retained.

11.11 Format and Retrieval of Records

304. FZCO aims to reduce the volume and density of records. While still complying with the statutory requirements we may choose to keep records:

• By way of original documents
• By way of photocopies of original documents
• On microfiche
• In scanned form
• In computerized or electronic form

305. FZCO may keep records either offsite or outside UAE but will remain responsible for ensuring that all required records can be made available without undue delay and meet the UAE regulatory requirements. FZCO will ensure that all records, however, kept, are capable of being retrieved within 48 hours. FZCO will, whenever possible, seek to retain all records on the business premises.

11.12 Sanctions and Penalties

306. Where a firm fails to observe the record-keeping requirements either the firm or relevant person(s) or both are open to prosecution.

To view the Appendix, download the full text of the file at the top

Please, read the information about CFPS Fees and Limits on the Fees page.

Introduction

CFP TECHNOLOGY FZCO (“FZCO”) has a responsibility to satisfy itself that it and its outsourced functions are properly run and have appropriate corporate governance. One of the ways in which this is achieved is to set policies for each fundamentally affected area of business, especially those subject to regulatory scrutiny.

It is a fundamental principle of FZCO that it will maintain the level of record-keeping required to comply with the regulatory and statutory requirements applicable to its business activities. This archiving policy sets out FZCO’s approach to archiving its records, which should ensure that FZCO complies with both its legal and regulatory obligations.

For many reasons, FZCO considers it important to provide its staff with clear guidance on its archiving procedure.

The Minimum Compliance Standard

A record is defined as encompassing documents that are essential to us in carrying out our business and serving our customers as well as complying with accounting, financial reporting, legal, tax, Anti-Money Laundering, Customer Due Diligence, and other regulatory requirements as may be required from time to time. It can include any piece of paper relevant to a customer, past or present e.g., customer application forms, letters, memos, reports, hard copies of e-mails, mandate cards, payment advice, etc.

There is a multitude of different statutes and regulatory retention periods depending on the type of product and the type of record in question from 3 to 7 years. Therefore, as FZCO’s customer files will be electronic and could contain a combination of these records, it has been decided that the retention period will be ad infinitum electronically and no less than 10 years, from the last involvement, for all types of records. This approach will ensure that FZCO addresses the requirements of all the various regulatory and statutory requirements applicable to its business. This is in excess of the statutory requirements.

No member of staff, at whatever level, has the authority to conceal, discard, delete, destroy, or alter any document with the intent, or believed intent, of

• violating legal, financial reporting, or compliance obligations, or
• obstructing an investigation or legal proceeding.

If a member of staff feels that he or she is being asked to do something contrary to this policy they have the obligation to refuse, and to report this in accordance with FZCO’s whistle-blowing procedures.

If there is any doubt regarding the archiving of any document, the Compliance Director/Officer
should be contacted for guidance.

Exceptions

Certain company documents (i.e. Certificate of Incorporation and Memorandum and Articles of Association) must be kept indefinitely with the company books at the registered office address. Data protection legislation stipulates that data should not be kept any longer than is necessary and therefore e-mails should be deleted as soon as reasonably practicable after the work stream in question has been concluded. Hard copies should be made of all e-mails that require retention and stored in a secure place. Hard copy e-mails should be scanned to the relevant customer file and archived in accordance with the above.

Annual Review

This policy must be reviewed by FZCO’s Head of Compliance every year to ensure its alignment with appropriate legal and regulatory requirements as well as best practice compliance standards, the local whistle-blowing procedures, and its continued relevance to FZCO’s current and future operations. Every 12 months the Board must issue an up-to-date policy for FZCO. Any interim change to this policy must be proposed to the Board and, if agreed upon, requires the written approval of members of the Board.

APPENDIX 1: USEFUL INFORMATION SOURCES

The New Federal Law No. 15 of 2020 Regarding Consumer Protection – Article 4, s. 5

https:// www.mealc.org/post/the-new-federal-law-no-15-of-2020-regarding-consumer-protection

Protecting the privacy and security of the customer data and not using it for promotional and marketing purposes.

Data Protection Law DIFC Law No. 5 of 2020

https://www.difc.ae/application/files/3016/4664/4540/Data_Protection_Law_final.pdf

Please, read the information about CFPS Fees and Limits on the Fees page.

Introduction

The Board of CFP TECHNOLOGY FZCO (“FZCO”) has a responsibility to satisfy themselves that its operations are being properly run and have appropriate corporate governance. One of the ways in which this is achieved
is to set policies and maintain them on a regular basis. It is the responsibility of each person to ensure that they comply with CFP Technology’s latest approved policies.

It is a fundamental principle of FZCO that it will protect itself against fraud. FZCO, recognizing the importance of safeguarding the assets of both CFP Technology and our clients, acknowledges that the values of quality, honesty, and trustworthiness lie at the heart of our products and reputation. This anti-fraud policy sets out FZCO ‘s approach to preventing fraud.

Definition of Fraud

FZCO defines fraud as:

• Dishonestly obtaining the money or assets (including data, information, or services) of FZCO or its clients; or
• Misusing one’s position within FZCO via unlawful or improper acts with the intention of causing a financial loss to FZCO, its clients, staff or suppliers.

CFP Technology’s Anti-Fraud Approach

FZCO’s anti-fraud approach consists of the following key elements:

Requirements

It is the duty of all employees to protect the business by acting with propriety in the use of FZCO‘s resources and funds and to communicate concerns where potential fraud risks (including control weaknesses that may lead to fraud) are identified.

FZCO has adopted a risk-based approach to fraud prevention and management which reflects the particular risk factors affecting the firm, some examples of which are:

• segregation of duties;
• quality control checking;
• External consultancy file checks;
• External consultancy control checks;
• review of accounts for suspicious transactions;
• review of inactive or spasmodically operated accounts.

These are devised to prevent, deter and detect fraud. All staff and senior managers are tasked with the maintenance of existing procedures and, where required, the implementation of new cost effective procedures to prevent,
deter and detect fraud.

Response to fraud

FZCO will take firm and vigorous action against any individual or group perpetrating, or attempting to perpetrate, fraud against FZCO, its clients, staff or suppliers. Recovery of any losses and costs incurred will also be sought.
Any fraudulent activity by employees may lead to dismissal and prosecution.

FZCO will assist the local police authorities and other appropriate authorities in the investigation and prosecution of those suspected of fraud against FZCO, its clients or its suppliers. FZCO reserves the right to engage third parties to undertake investigations on its behalf.

Role of Employees

All employees are encouraged to be vigilant and to immediately report any suspicion of fraud to their manager, the local Compliance Officer, FZCO’s Head of Compliance, or another Senior Manager. This report can be made either orally or in a written statement.

Staff is expected to act with integrity and in accordance with acceptable behaviors at all times. There is a detailed whistle-blowing procedure that sets out staff’s detailed responsibilities together with advice and guidance in
dealing with suspected fraud which should be brought to all staff members’ attention.

Annual Review

This policy must be reviewed by FZCO’s Head of Compliance every year to ensure its alignment to appropriate legal and regulatory requirements as well as best practice compliance standards and its continued relevance to FZCO
the firm’s current and future operations. Every 12 months the Board must issue an up-to-date policy for FZCO. Any interim change to this policy must be proposed to the Board and, if agreed upon, requires the written approval of
members of the Board.

APPENDIX 1: USEFUL INFORMATION SOURCES

Dubai International Financial Centre
Operating Law No. 7 of 2018 – s.64

https://www.difc.ae/files/8115/9758/9102/Operating_law.pdf

Internet Access Management (IAM) policy

Telecommunications and Digital Government Regulatory Authority (TDRA) implements the Internet Access Management (IAM) policy in the UAE, in coordination with National Media Council and Etisalat and Du, the licensed internet service providers in the UAE. Under this policy, online content that is used for impersonation, fraud and phishing and/or invades privacy can be reported to Etisalat and Du to be taken down.

Please, read the information about CFPS Fees and Limits on the Fees page.

Introduction

The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the UAE and beyond; affording individuals stronger, more consistent rights to access and control
their personal information whether customer or employee.

This policy sets out the basis on which any personal data we collect or that is provided to us, will be processed by us. For the purposes of the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (the “Law”), the data controller is FZCO.

Definitions

Personal data

See Appendix A for the references relating to the policy. The Law applies to ‘personal data’ (see Article 6) meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data, or online identifier, reflecting changes in technology and the way organizations collect information about people.

The Law applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymized – e.g., key-coded – can fall within the scope of the Law depending on how difficult it is to attribute the pseudonym to a particular individual and under Article 22(c) of the Law.

Appendix B displays Articles 9 to 11 of the Law for ease of reference.

Sensitive personal data

The Law refers to sensitive personal data as “special categories of personal data” (see Article 11).

The special categories specifically include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life; or sexual orientation where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing (see Article 10).

Our Commitment

CFP Technology FZCO (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place that complies with existing law and abides by data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the Law and the UK’s Data Protection Bill.
CFP Technology FZCO is dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and implementation objectives for Law compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.

Lawful Bases For Processing

What are the lawful bases for processing?

There are six lawful bases for the processing which are set out in Article 6 of the Law. At least one of these must apply whenever we process personal data:
(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Documenting Lawful Processes: How we document our lawful basis

The principle of accountability requires that we can demonstrate that we are complying with the Law and have appropriate policies and processes. This means that we need to be able to show that we have properly considered which lawful basis applies to each processing purpose and can justify our decision.

We, therefore, keep a record of which basis we are relying on for each processing purpose, and a justification for why we believe it applies.

It is our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.

See the accountability section of this guide for more on this topic.

Registration:  Our business is registered with the DIFC Commissioner’s Office. Details will be available on the DIFC’s public register.

How We Implemented the Law

CFP Technology FZCO already has a consistent level of data protection and security across our organization, however, it was our aim to be fully compliant with the Law.

Our preparation included:

• Information Audit – we carried out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. We logged this information appropriately and review it when there is any change in reasons for processing.
• Policies & Procedures – we have implemented this new data protection policy and procedures to meet the requirements and standards of the Law and any relevant data protection laws, including:
  – Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the Law. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities; with a dedicated focus on privacy by design and the rights of individuals.
  – Data Retention: we have updated our retention policy and schedule to ensure that we meet the ‘data minimization’ and ‘storage limitation’ principles and that personal information is stored, archived, and destroyed compliantly and ethically. We maintain a client’s details for two calendar years and delete the data within 30 days of this.
  – Data Erasure: we have dedicated erasure procedures in place to meet the new ‘Right to Erasure’ obligation and are aware of when this and other data subject’s rights apply; along with any exemptions, response timeframes, and notification responsibilities.
  – Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate, and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
  – International Data Transfers & Third-Party Disclosures If CFP Technology FZCO stored or transferred personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We do not currently do this in any way. We will inform clients if this was the case. Our procedures would therefore include a continual review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules; standard data protection clauses, or approved codes of conduct for those countries without. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights, and have effective legal remedies for data subjects where applicable.
  – Subject Access Request (SAR) – we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Our new procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply, and a suite of response templates to ensure that communications with data subjects are compliant, consistent, and adequate.
• Legal Basis for Processing – we are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the Law and Schedule 1 of the Data Protection Bill are met.
• Privacy Notice/Policy – we have revised our Privacy Notice(s) to comply with the Law, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
• Obtaining Consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy-to-see and accessible way to withdraw consent at any time.
• Direct Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
• Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large-scale processing, or includes special category/criminal conviction data; we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the Law’s Article 35 requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity, and implement mitigating measures to reduce the risk posed to the data subject(s).
• Processor Agreements – where we use any third party to process personal information on our behalf (i.e. Payroll, Recruitment, Hosting, etc), we have drafted compliant Processor Agreements and due diligence procedures to ensure that they (as well as we), meet and understand their/our Law obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organizational measures in place, and compliance with the Law.
• Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the Article 9 requirements and have high-level encryptions and protections on all such data. Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, with the right to modify or remove consent being clearly signposted.

Lawfulness, fairness and transparency

Information we hold: Mapping Data Flows

We organized an information audit across our business to identify the data that we process and how it flows into, through, and out of our business.

Having audited our information, we then identified any risks.

We have documented our findings in the Information Asset Register. This register will be reviewed any time a new process or purpose of the data is used.

As we have less than 250 employees then we must keep records of any processing activities that:

• are not occasional;
• could result in a risk to the rights and freedoms of individuals; or
• involve the processing of special categories of data or criminal conviction and offense data.

We may be required to make these records available to the Commissioner on request.

Lawful bases for processing personal data: Our business has identified the lawful bases for processing and appropriately documented them.  Our decision on the lawful bases for processing will have an effect on individual’s rights. For example, if we rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that we inform individuals how we intend to process their personal data and what our lawful bases are for doing so, for example in our privacy notice(s).

Our Lawful Bases for Processing

Consent: Our business has reviewed how we ask for and record positive consent
Consent is not always required, and we should always assess whether another lawful basis is more appropriate.

Consent means offering people genuine choice and control over how we use their data. We can build trust and enhance our business by using consent properly.

The Law has a standard of consent in several areas and contains much more detail. For example, we must;

• Keep our consent requests separate from other terms and conditions.
• Require a positive opt-in. Use unticked opt-in boxes or similar active opt-in methods.
• Avoid making consent a precondition of service.
• Be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate.
• Name our business and any specific third-party organizations who will rely on this consent.
• Keep records of what an individual has consented to, including what we have told them, and when and how they consented.
• Tell individuals they can withdraw consent at any time and how to do this.

Consent: Our business systems record and manage ongoing consent

We continue to review consent as part of our ongoing relationship with individuals.

We keep our client’s consent under review and refresh it if anything changes. We have a system or process to capture these reviews and record any changes.

Contract: When is the lawful basis for contracts likely to apply?

We have a lawful basis for processing if:

• we have a contract with the individual and we need to process their personal data to comply with our obligations under the contract.
• we haven’t yet got a contract with the individual, but they have asked us to do something as a first step (e.g. provide a quote) and we need to process their personal data to do what they ask.

Legal Obligation: When is the lawful basis for legal obligations likely to apply?

In short, when we are obliged to process personal data to comply with the law.

Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So, it includes clear common law obligations.

This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that our overall purpose must be to comply with a legal obligation that has a sufficiently clear basis in either common law or statute.

We should be able to easily identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, we can refer to a government website or to industry guidance that explains generally applicable legal obligations.

Vital Interests: What are ‘vital interests’?

It’s clear from Recital 46 of the Law that vital interests are intended to cover only interests that are essential for someone’s life. So, this lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care when anyone needs to process personal data for medical purposes, but the individual is incapable of giving consent to the processing.

This basis does not apply to our company.

Public Task:

This can apply if we are either:

• carrying out a specific task in the public interest which is laid down by law; or
• exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

This basis does not apply to our company.

Legitimate Interests:
Article 6(1)(f) gives us a lawful basis for processing where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This can be broken down into a three-part test:

• Purpose test: are we pursuing a legitimate interest?
• Necessity test: is the processing necessary for that purpose?
• Balancing test: do the individual’s interests override the legitimate interest?

A wide range of interests may be legitimate interests. They can be our own interests or the interests of third parties, commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.

We will complete a legitimate interest assessment if we have to rely on this basis.

This basis is not likely to apply to our company.

Special Category Data: What’s different about special category data?

We must still have a lawful basis for our processing under Article 6, in exactly the same way as for any other personal data. The difference is that we will also need to satisfy a specific condition under Article 9. See the definition above

This is because special category data is more sensitive, and so needs more protection.

Criminal Offence Data:

This means we must either be processing the data in an official capacity or have specific legal authorization – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill.

Individual’s Rights

Data Subject Rights

In addition to the policy and procedures mentioned above that ensure individuals can enforce their data protection rights, we operate a system of data retention that easily accommodates any request the data subject may make.

• If a verbal request is received, we will confirm the request by email or text message to their recorded contact address or number.
• If a written request is made, we will confirm receipt of the request by return.

We provide easy-to-access information via [our website, in the office, during induction, etc of an individual’s right to access any personal information that CFP Technology FZCO processes about them.

The individual may request information about:

• What personal data do we hold about them
• The purposes of the processing
• The categories of personal data concerned
• The recipients to whom the personal data has/will be disclosed
• How long do we intend to store their personal data for
• If we did not collect the data directly from them, information about the source
• The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
• The right to request the erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as objecting to any direct marketing from us and to be informed about any automated decision-making that we use
• The right to lodge a complaint or seek judicial remedy and who to contact in such instances

Right to be informed including privacy notices:

When we provide privacy notices to individuals.

Individuals need to know that their data is collected, why it is processed, and who it is shared with.

We publish this information in our privacy notice on our website and within any forms or letters we send to individuals.

The information will be:

• concise, transparent, intelligible, and easily accessible;
• written in clear and plain language, particularly if addressed to a child; and
• free of charge.

The information we supply is determined by whether or not we obtained the personal data directly from the individual or from a third party. The only exception is that third-party provider does not require “details of whether individuals are under a statutory or contractual obligation to provide the personal data”.

Right of Access to Information

You have the right to obtain information on the categories of personal data being processed, the purpose of the processing, the decisions made upon automated processing, and entities with whom the personal data is shared. Individuals have the right to obtain:

• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information – this largely corresponds to the information that we provide in a privacy notice.

We provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request:

• is manifestly unfounded or excessive, particularly if it is repetitive unless the client refuses to respond; or
• is for further copies of the same information (that’s previously been provided). This does not mean that we can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information. See Article 33(8) of the Law.

Responding to a Subject Access Request:

The information must be provided without delay and at least within one calendar month of receipt. We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).

We must verify the identity of the person making the request, using “reasonable means”.

If the request is made electronically, we should provide the information in a commonly used electronic format.

Right to Rectification and Erasure of Personal Data:

How we ensure personal data held by us remains accurate and up to date

Under Article 33(1) of the Law, individuals have the right to have personal data rectified if it is inaccurate or incomplete.

We will always respond to a request without delay and at least within one month of receipt.

We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If we have disclosed the personal data to a data processor (third party) we must inform them of the rectification where possible.

We will regularly review the information we process or store to identify when we need to do things like correct inaccurate records. We will maintain a Records Management Policy, with rules for creating and keeping records (including email addresses) if our records grow or are above 500 names.

Right to erasure including retention and disposal:

We securely dispose of personal data that is no longer required or where an individual has asked us to erase it.

Individuals have the right to be forgotten and can request the erasure of personal data when:

• it is no longer necessary in relation to the purpose for which it was originally collected/processed;
• the individual withdraws consent;
• the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
• it was unlawfully processed (are otherwise in breach of the Law);
• it has to be erased in order to comply with a legal obligation; or

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

• to exercise the right of freedom of expression and information;
• to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
• for public health purposes in the public interest;
• archiving purposes in the public interest, scientific research historical research, or statistical purposes; or
• the exercise or defense of legal claims.

We will keep data as explained in “How We Implemented The Law” above

Right to Restriction of Processing:

Article 35 states we should maintain adequate procedures to respond to an individual’s request to restrict the processing of their personal data, subject to the legal basis for processing as discussed above.

Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, and rights of a Data Subject or that the circumstances in Article 34(3) apply.

If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear, and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.

Right to Request Data Portability:

We maintain adequate and proportional processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to effective usability, if applicable.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

They can receive personal data or move, copy, or transfer that data from one business to another in a safe and secure way, without hindrance.

The right to data portability only applies:

• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• where the processing is carried out by automated means. The information must be provided without delay and at least within one month of receipt. We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation).

We must provide the personal data in a structured, commonly used, and machine-readable format. Examples of appropriate formats include CSV and XML files.

We must provide the information free of charge.

If the individual requests it, we may be required to transmit the data directly to another business where this is technically feasible.

Right to Object to Processing and Automated Processing:

We have adequate procedures to handle an individual’s objection to automated decisions made by automated processing of your personal data.

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); and
• processing for purposes of scientific/historical research and statistics.

Individuals must have an objection on “grounds relating to his or her particular situation”.

However, for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics, we must stop processing personal data unless:

• we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the individual; or
• the processing is for the establishment, exercise, or defense of legal claims.

Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). We will stop processing for direct marketing as soon as we receive an objection. There are no exemptions or grounds to refuse.

Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, and rights of a Data Subject or that the circumstances in Article 34(3) apply.

If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear, and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.

We will inform individuals of their right to object “at the point of first communication” and clearly lay this out in our privacy notice.

Rights related to automated decision-making including profiling:

We have identified whether any of our processing operations constitute automated decision-making and have procedures in place to deal with the requirements.

The Law provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

Individuals have the right not to be subject to a decision when:

• it is based on automated processing; and
• it produces a legal effect or a similarly significant effect on the individual.

The right does not apply if the decision:

• is necessary for entering into or performing a contract between us and the individual;
• is authorized by law (e.g. for the purposes of fraud or tax evasion prevention); or
• is based on the individual’s explicit consent, and our business has put in place suitable measures to safeguard the individual’s rights, freedoms, and legitimate interests.

If suitable measures to safeguard the rights of data subjects are required, these must include at least:

• obtain human intervention;
• express their point of view;
• obtain an explanation of the decision and challenge it.

The Law defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyze or predict their:

• performance at work;
• economic situation;
• health;
• personal preferences;
• reliability;
• behavior;
• location; or
• movements.

If the decision involves the processing of special categories of personal data, then the exceptions available to justify the processing are more limited.

Processing can only take place if:

• we have the explicit consent of the individual and suitable measures to safeguard their rights, freedoms, and legitimate interests are in place; or
• the processing is necessary for reasons of substantial public interest, proportionate to the aim pursued.

We will exercise particular caution if using automated decision-making in relation to a child.

Non-Discrimination

Under Article 39 of the Law, we do not discriminate against any data subject, which provides certain conditions.

Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, and rights of a Data Subject or that the circumstances in Article 34(3) apply.

If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear, and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the

Processing at the request of the Data Subject, then the Controller may continue. Processing the Personal Data in the same manner, subject to this Law in all other respects.

Accountability:

Our business has this data protection policy to permit all staff access to understand how data is processed within the business.

The Law requires us to show how we comply with the principles.

Our business monitors our compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Documenting policies alone is often not enough to provide assurances that staff is adhering to the processes they cover. We will ensure that we have a process to monitor compliance with data protection and security policies.

Measures that are detailed within the policies should be regularly tested to provide assurances as to their continued effectiveness.

Where relevant our business provides data protection awareness training for all staff.

We brief all staff handling personal data on their data protection responsibilities when they join our company.

Data processor contracts:

Whenever we use a processor, we will have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The Law sets out what needs to be included in the contract.

In the future, standard contractual clauses may be provided by the Ruler or the Commissioner and may form part of certification schemes. However, at the moment no standard clauses have been drafted.

We are liable for our processor’s compliance with the Law and must only appoint processors who can provide “sufficient guarantees” that the requirements of the Law will be met and the rights of data subjects protected. In the future, using a processor that adheres to an approved code of conduct or certification scheme may help us to satisfy this requirement.

Processors must only act on our documented instructions. They will however have some direct responsibilities under the Law and may be subject to sanctions if they don’t comply.

Information risks:

We actively manage information risks in a structured way so that management understands the business impact of personal data-related risks and manages them effectively.

We set out how we (and any of our data processors) manage information risk. We employ strategies to help manage the risk, such as:

• assessing what can go wrong (how, how often, how much damage)
• keeping staff up-to-date and agile with new technology
• taking special care of sensitive information and transfer arrangements
• ensuring staff are able to identify risks and escalate them

Data Protection by Design:

We have implemented appropriate technical and organizational measures to integrate data protection into our processing activities.

Under the Law, we have a general obligation to implement appropriate technical and organizational measures to show that we have considered and integrated data protection into our processing activities. Under the Law, this is referred to as data protection by design and by default.

Data Protection Impact Assessments (DPIA):

We understand when we must conduct a DPIA we have appropriate processes in place to action this. We currently do not hold any sensitive data that would require a DPIA.

DPIAs help us to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to our reputation which might otherwise occur.

We must carry out a DPIA when:

• using new technologies; and
• when the processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes but is not limited to:

• systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals;
• large-scale processing of special categories of data or personal data related to criminal convictions or offenses; and
• large-scale systematic monitoring of public areas.

The DPIA should contain the following information:

• a description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by our business;
• an assessment of the necessity and proportionality of the processing in relation to the purpose;
• an assessment of the risks to individuals; and
• controls that we put in place to address any risks we’ve identified (including security)

Data Protection Impact Assessments (DPIA):

We have a DPIA framework that links to our existing risk management and project management processes.

A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context, and purposes of the processing.

We will start to assess the situations where it will be necessary to conduct one, including:

• Who will do it?
• Who else needs to be involved?
• Will the process be run centrally or locally?

If the processing is wholly or partly performed by a data processor, then that processor must assist us in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.

Information Security & Technical and Organisational Measures

CFP Technology FZCO takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process.

We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction and have several layers of security measures, including SSL, access controls, password policy, encryptions, pseudonymization, practices, restriction, IT, authentication, etc.

Law Roles and Employees

Due to the size of our company, we do not have an appointed Data Protection Officer, and the principal will be the point of contact for all inquiries.

CFP Technology FZCO understands that continuous employee awareness and understanding is vital to the continued compliance of the Law and has involved our employees in our implementation plans. We have implemented an employee training program specific to the which will be provided to all employees and form part of our induction and annual training program.

If there are any questions about our implementation of the Law, please contact [Data Protection Officer (DPO)/Appointed Person].

Data Protection Officers

Subject to Article 16 (3) we have nominated a data protection lead or Data Protection Officer (DPO).

It is important to make sure that someone in our business, or an external data protection advisor, takes responsibility for data protection compliance.

We may need to appoint a DPO if we:

• carry out large-scale systematic monitoring of individuals (e.g. online behaviour tracking); or
• carry out large-scale processing of special categories of data or data relating to criminal convictions and offenses.

The DPO should work independently, report to the highest management level, and have adequate resources to enable our organization to meet its obligations under the Law.

The DPO’s minimum tasks are to:

• inform and advise the organization and its employees about their obligations to comply with the Law and other data protection laws.
• monitor compliance with the Law and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments; training staff and conducting internal audits.
• be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc).

Management Responsibility:

Our decision-makers and key people are keen to demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

We will make sure that decision-makers and key people in our business are aware of the requirements under the Law.

Decision makers and key people should lead by example, demonstrating accountability for compliance with the Law and promoting a positive culture, within our business, for data protection.

They should take the lead when assessing any impacts on our business and encourage a privacy-by-design approach.

They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.

Data security, international transfers, and breaches

Security policy:

Our business uses this information security policy supported by appropriate security measures.

We must process personal data in a manner that ensures appropriate security.

Before we can decide what level of security is right for us, we will need to assess the risks to the personal data we hold and choose security measures that are appropriate to our needs.

Keeping our IT systems safe and secure can be a complex task and does require time, resources, and (potentially) specialist expertise.

If we are processing personal data within our IT system(s) we recognize the risks involved and take appropriate technical measures to secure the data.

The measures we have put in place fit our business’s needs.

We have a separate Information Security policy that details our approach to information security, the technical and organizational measures that we will implement, and the roles and responsibilities staff have in relation to keeping information secure.

These restrictions are in place to ensure that the level of protection of individuals afforded by the Law is not undermined.

Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the Law.

Breach notification:

We have effective processes to identify, report, manage, and resolve any personal data breaches.

The Law introduces a duty on all organizations to report certain types of personal data breaches to the Commissioner and, in some cases, to the individuals affected.

A personal data breach means a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.

We understand that we only have to notify the Commissioner of a breach where it is likely to result in a risk to the rights and freedoms of individuals and in that event, we must notify those concerned directly and without undue delay.

In all cases, we will maintain records of personal data breaches, whether or not they were notifiable to the Commissioner.

A notifiable breach has to be reported to the Commissioner within 72 hours of the business becoming aware of it. The Law recognizes that it will often be impossible to investigate a breach fully within that time period and allows us to provide additional information in phases.

We make sure that our staff understands what constitutes a personal data breach, and that this is more than a loss of personal data. We have an internal breach reporting procedure in place. This will facilitate decision-making about whether we need to notify the relevant supervisory authority or the public.

To view the Appendix, download the full text of the file at the top

Please, read the information about CFPS Fees and Limits on the Fees page.

BRIBERY, FACILITATION, and UNETHICAL PAYMENTS

1.1 It is the policy of CFP TECHNOLOGY FZCO (“CFP TechnologyFZCO”} to conduct all of our business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly, and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery.

1.2 We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate. However, we remain bound by the laws of the UAE, including Federal Law No. 31/2021, in respect of our conduct both at home and abroad.

1.3 The purpose of this policy is to:

(a) set out our responsibilities, and the responsibilities of those working for us, in observing and upholding our position on bribery and corruption; and
(b) provide information and guidance to those working for us on how to recognize and deal with bribery and corruption issues.

1.4 Bribery and corruption are punishable for individuals by up to five years' imprisonment and a fine to be no less than five thousand dirhams. if the company is found to have taken part in corruption, we could face civil and criminal liabilities and serious reputational damage. We, therefore, take our legal responsibilities very seriously.

1.5 In this policy, the third party means any individual or organization you come into contact with during the course of your work for us and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.

WHO IS COVERED BY THE POLICY?

1.6 This policy applies to all individuals working at all levels and grades, including senior managers, officers, directors, employees (whether permanent, fixed-term, or temporary), consultants, contractors, trainees, seconded staff, homeworkers, casual workers and agency staff, volunteers, interns, agents, sponsors, or any other person associated with us, or any of our subsidiaries or their employees, wherever located (collectively referred to as workers in this policy).

WHAT IS BRIBERY?

1.7 A bribe is an inducement or reward offered, promised, or provided in order to gain any commercial, contractual, regulatory, or personal advantage.

GIFTS AND HOSPITALITY

1.8 This policy does not prohibit normal and appropriate hospitality (given and received) to or from third parties.

1.9 Employees of The Company may not offer to, or accept from, third parties, any gifts, hospitality, rewards, benefits, or other incentives that could affect either party’s impartiality, influence a business decision, or lead to the improper performance of an official duty.

Employees must, at all times, consider the following guidelines and must ensure that the gift or benefit:

• Is being provided openly and transparently, and is of a nature that will not cause the Company embarrassment, if publicly reported;
• Complies with local laws and regulations;
• Meets the value limits set by The Company and has all required approvals.

In cases of uncertainty, employees must seek advice from the compliance officer beforehand.

Employees must seek prior approval from the compliance officer for all gifts or benefits received or offered with a value of more than AED 918.00 or equivalent prior to final acceptance.

Approval must be given in writing and records of gifts received or given must be recorded in a specific log for such a purpose and be overseen by compliance.

1.10 We appreciate that the practice of giving business gifts varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift or hospitality is reasonable and justifiable. The intention behind the gift should always be considered.

WHAT IS NOT ACCEPTABLE?

1.11 It is not acceptable for you (or someone on your behalf) to:

(a) give, promise to give, or offer, a payment, gift, or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage is already given;
(b) give, promise to give, or offer, a payment, gift, or hospitality to a government official, agent, or representative to “facilitate” or expedite a routine procedure;
(c) accept payment from a third party that you know or suspect is offered with the expectation that it will obtain a business advantage for them;
(d) accept a gift or hospitality from a third party if you know or suspect that it is offered or provided with an expectation that a business advantage will be provided by us in return;
(e) threaten or retaliate against another worker who has refused to commit a bribery offense or who has raised concerns under this policy; or
(f) engage in any activity that might lead to a breach of this policy.

FACILITATION PAYMENTS AND KICKBACKS

1.12 We do not make, and will not accept, facilitation payments or “kickbacks” of any kind.

1.13 If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt that details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment you should raise these with the compliance officer.

1.14 Kickbacks are typically payments made in return for a business favor or advantage. All workers must avoid any activity that might lead to, or suggest, that a facilitation payment or kickback will be made or accepted by us.

DONATIONS

1.15 We do not make contributions to political parties.

1.16 We do not make charitable donations.

YOUR RESPONSIBILITIES

1.17 You must ensure that you read, understand and comply with this policy.

1.18 The prevention, detection, and reporting of bribery and other forms of corruption are the responsibility of all those working for us or under our control. All workers are required to avoid any activity that might lead to, or suggest, a breach of this policy.

1.19 You must notify the compliance officer as soon as possible if you believe or suspect that a conflict with this policy has occurred, or may occur in the future. For example, if a client or potential client offers you something to gain a business advantage with us, or indicates to you that a gift or payment is required to secure their business. Further “red flags” that may indicate bribery or corruption are set out in Schedule 1.

1.20 Any employee who breaches this policy will face disciplinary action, which could result in dismissal for gross misconduct. We reserve our right to terminate our contractual relationship with other workers if they breach this policy.

RECORD-KEEPING

1.21 We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties.

1.22 You must declare and keep a written record of all hospitality or gifts accepted or offered, which will be subject to managerial review.

1.23 You must ensure all expense claims relating to hospitality, gifts, or expenses incurred to third parties are submitted in accordance with our expenses policy and specifically record the reason for the expenditure.

1.24 All accounts, invoices, memoranda, and other documents and records relating to dealings with third parties, such as clients, suppliers, and business contacts, should be prepared and maintained with strict accuracy and completeness. No accounts must be kept “off-book” to facilitate or conceal improper payments.

HOW TO RAISE A CONCERN

You are encouraged to raise concerns about any issue or suspicion of malpractice at the earliest possible stage. If you are unsure as to whether a particular act constitutes bribery or corruption, or if you have any other queries, you should speak to your compliance officer.

WHAT TO DO IF YOU ARE A VICTIM OF BRIBERY OR CORRUPTION

1.25 It is important that you tell the compliance officer as soon as possible if you are offered a bribe by a third party, are asked to make one, suspect that this may happen in the future, or believe that you are a victim of another form of unlawful activity.

PROTECTION

1.26 Workers who refuse to accept or offer a bribe, or those who raise concerns or report another’s wrongdoing, are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.

1.27 We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offense has taken place or may take place in the future. Detrimental treatment includes dismissal,
disciplinary action, threats, or other unfavorable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the compliance officer immediately. If the matter is not remedied, and you are an employee, you should raise it formally using our Grievance Procedure.

TRAINING AND COMMUNICATION

1.28 Training on this policy forms part of the induction process for all new workers. All existing workers will receive regular, relevant training on how to implement and adhere to this policy.

1.29 Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors, and business partners at the outset of our business relationship with them and as appropriate thereafter.

WHO IS RESPONSIBLE FOR THE POLICY?

1.30 The board of directors has overall responsibility for ensuring this policy complies with our legal and ethical obligations, and that all those under our control comply with it.

1.31 The compliance officer has primary and day-to-day responsibility for implementing this policy and for monitoring its use and effectiveness. Management at all levels is responsible for ensuring those reporting to them are made aware of and understand this policy and are given adequate and regular training on it.

MONITORING AND REVIEW

1.33 The compliance officer will monitor the effectiveness and review the implementation of this policy, regularly considering its suitability, adequacy, and effectiveness. Any improvements identified will be made as soon as possible. Internal control systems and procedures will be subject to regular audits to provide assurance that they are
effective in countering bribery and corruption.

1.34 All workers are responsible for the success of this policy and should ensure they use it to disclose any suspected danger or wrongdoing.

1.35 Workers are invited to comment on this policy and suggest ways in which it might be improved. Comments, suggestions, and queries should be addressed to the compliance manager.

1.36 This policy does not form part of any employee's contract of employment and it may be amended at any time.

Schedule 1 – Red Flags

POTENTIAL RISK SCENARIOS: “RED FLAGS”

The following is a list of possible red flags that may arise during the course of your working for us and which may raise concerns under various anti-bribery and anti-corruption laws. The list is not intended to be exhaustive and is for illustrative purposes only.

If you encounter any of these red flags while working for us, you must report them promptly the Managing Director:

(a) you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
(b) you learn that a third party has a reputation for paying bribes or requiring that bribes are paid to them, or has a reputation for having a “special relationship” with foreign government officials;
(c) a third party insists on receiving a commission or fee payment before committing to sign up to a contract with us, or carrying out a government function or process for us;
(d) a third-party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
(e) some third-party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
(f) a third party requests an unexpected additional fee or commission to “facilitate” a service;
(g) a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
(h) some third-party requests that a payment is made to "overlook" potential legal violations;
(i) some third-party requests that you provide employment or some other advantage to a friend or relative;
(i) You receive an invoice from a third party that appears to be non-standard or customized;
(k) a third party insists on the use of side letters or refuses to put terms agreed in writing;
(I) you notice that we have been invoiced for a commission or fee payment that appears large given the service stated to have been provided;
(m) a third-party requests or requires the use of an agent, intermediary, consultant, distributor, or supplier that is not typically used by or known to us;
(n) you are offered an unusually generous gift or offered lavish hospitality by a third party.

To view the Appendix, download the full text of the file at the top.

Please, read the information about CFPS Fees and Limits on the Fees page.

Cookies

To make using our website as straightforward as possible and to improve the service we offer you, we use cookies.

What are Cookies?
Cookies are harmless text files that web servers can store on your computer’s hard drive when you visit a website. They allow the server to recognize you when you revisit. There are two main types:

• Transient (or per-session) cookies

These only exist for your website visit and are deleted on exit. They recognize you as you move between pages, for example, recording items added to an online shopping basket. These cookies also help maintain security.

• Persistent (or permanent) cookies

These stay on your machine until expiry or deletion. Many are built with automatic deletion dates to help ensure your hard drive doesn’t get overloaded. These cookies often store and re-enter your log-in information, so you don’t need to remember membership details.

We use both types of cookies.

Additionally, cookies can be first or third-party cookies. First-party cookies are owned and created by the website you’re viewing- in this case by FZCO. Third-party cookies are owned and created by an independent company, usually a company providing a service to the website owners.  In our case, third-party cookies provided by this Website are still subject to the provisions set out below.

What do we use cookies for

Internet cookies are common, do not harm your system, and do not retrieve information about you stored on your hard drive – they just store or gather website information. They help you do things online, like remembering logon details so you don’t have to re-enter them when revisiting a website.

CFPS utilizes various types of cookies including necessary cookies and analytics/advertising cookies.

Necessary cookies are enabled by default but can be turned off on your device, although this may affect your browsing experience. These cookies help us to operate our website and identify any issues. Additionally, we use cookies to remember our users and provide personalized content.

Analytics and advertising cookies help us understand our website and performance and improve it as necessary.
Third-party cookies are used to recognize and count visitors, track user behavior on our website, and show relevant ads. We may share this information with other organizations, such as Google.

Specifically, we use Google Ads to track the effectiveness of our ad campaigns and Google Analytics to understand visitor behavior and track conversions. Google Tag Manager is also utilized to manage cookies on our website.

CFPS only use these cookies for the specific purposes outlined above and we do not use them to collect any personally identifiable information about our users. We take our users and privacy seriously and we are committed to complying with all relevant data protection laws and regulations.

If you wish to disable cookies, you can do so by adjusting your browser settings. Please note, however, that disabling cookies may affect your ability to use certain features on our website.

We use cookies to:

• Gather customer journey information across our websites
• Ensure your privacy on our secure websites
• Store login details for our secure websites
• Temporarily store details input into our calculators, tools, illustrations, and demonstrations
• Store details of your marketing, product, and business unit preferences to improve our targeting and enhance your journey through our websites
• Evaluate our websites and advertising and promotional effectiveness.

We use both our own (first-party) and partner companies’ (third-party) cookies to support these activities. We don’t use cookies to track people’s Internet usage after leaving our websites and we don’t store personal information in them others could read and understand.

No cookies used by FZCO store personally identifiable data such as:

• Names
• Phone numbers
• Email addresses
• Mailing addresses
• Bank Account Numbers

Services requiring enabled cookies

Some of our services may require cookies in your browser to view and use them and to protect your financial and personal information.

Changing your cookie settings

You are not obliged to accept cookies that we send to you and you can in fact modify your browser so that it will not accept cookies. To enable or disable cookies, follow the instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” facility). Alternatively, an external resource is available at www.allaboutcookies.org/manage-cookies providing specific information about cookies and how to manage them to suit your preferences.

Please note that should you choose to set your browser to disable cookies, you may not be able to access secure areas of this Website, for example, any online accounts you may hold.

Most internet browsers accept cookies automatically, but you can change the settings of your browser to erase cookies or prevent automatic acceptance if you prefer.

These links explain how you can control cookies via your browser – remember that if you turn off cookies in your browser then these settings apply to all websites, not just this one:

For more information about the cookie setting, we link the instructions for the most
important browser web:

Internet Explorer™: Link

Safari™: Link

Chrome™: Link

Firefox™: Link

Opera™: Link

For information about the cookies that are installed on your device, about their management, and how to delete them, it is possible to visit the following website: www.youronlinechoices.com/it/

Other information relating to your computer

We may collect information about your computer, including where available your IP address, operating system, and browser type, for system administration and to report aggregate information to our advertisers. This is statistical data about our Website users’ browsing actions and patterns and does not identify any individual.

Secure online services

Any secure online services you subscribe to with us may use cookies to enable information about you and your preferences to be stored and to prevent unauthorized access to your services and information. Cookies must usually be accepted in such circumstances – without them, we cannot ensure your information is secure (and people rejecting cookies can’t use the services).

How will we use the information we collect about you?

We will store and process your information on our computers wherever located and in any other medium. By “your information” we mean personal and financial information we:

a) obtain from you or from third parties and other organizations when you apply for an account or any other product or service for which you or they give to us at any other time; or

b) learn from the way you use and manage your account(s), from the transactions made, if any, such as the date, amount, currency, and the name and type of supplier (e.g. supermarket services, medical services, retail
services).

We will use your information to manage your account(s), give you statements, and provide our services, for assessment and analysis (including credit and/or behavior scoring, market, and product analysis), to identify and tackle fraud, money laundering, and other crimes, carry out regulatory checks, and meet our obligations to any relevant regulatory authority, and to develop and improve our services to you and other customers and protect our interests.

We may use your information to inform you by letter, telephone, text (or similar) messages, digital television, e-mail, and other electronic methods about products and services (including those of others) which may be of interest to you. Where you have neither given your consent to such marketing nor requested to opt out of such marketing, this will be limited to information about products and services similar to those which were the subject of a previous service provided to you.

If you don’t want us to tell you about other products and services please write to us and supply us with your full name and address and details of any products or services you have with us. Please write to us at FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.

Will we share your information with anyone else?

We may share your information including how you manage your account or Website visitors with relevant third parties and as permitted by law including but not limited to the following:

• People who provide a service to us or are acting as our agents, on the understanding that they will keep the information confidential.
• Anyone to whom we transfer or may transfer all or any part of our business or assets, from whom we acquire any business or assets, or who acquires substantially all of the assets of FZCO PLC.
• Credit reference and fraud prevention agencies.
• We may also give out information about you if we have a duty to do in order to comply with any legal obligation, in order to enforce or apply our terms of use, or if the law allows us to do so.

If we disclose your information to a service provider (a person, office, or organization) located in another country (including locations outside of the European Economic Area), we will take steps reasonably necessary to ensure that they apply the same levels of protection as we are required to apply to your information and to use your information only for the purpose of providing the service to us. By submitting your personal information, you agree to this transfer.

How long will we keep your personal information on file?

We will retain information about you after the closure of your account or service provision for as long as it is permitted for legal, regulatory, fraud prevention, business, and financial crime purposes.

Under applicable data protection legislation, you may be entitled, to a copy of the personal information you have provided. If any data is inaccurate it will be corrected without delay. Please write to us at Data Protection Manager, FZCO, Dubai Silicon Oasis, DDP, Building A2, Dubai, United Arab Emirates.

Electronic communications

Please remember that Internet communications are not secure unless the data being sent is encrypted. We cannot accept any responsibility for unauthorized access by a third party and/or the corruption of data being sent by individuals to us. Some countries prohibit the transmission of encrypted data over telephone lines. You should
not encrypt data transmitted if you know doing so would contravene applicable local, national, or international laws. For guidance relating to your specific situation, please contact your legal adviser.

Intellectual Property

The entire content of the Website is subject to copyright with all rights reserved and it may only be stored, held, or used for your personal use only. You may not download (all or in part) for non-personal use or otherwise reproduce, transmit, or modify the website without our prior permission. However, you may print out part or all of the Website for your own personal use. These permissions are revocable by us at any time. You are granted a non-exclusive license of those rights in order to view this website on a non-commercial basis only, revocable at any time.

Security

It is our policy that if any of our clients are victims of unauthorized access to their accounts we will cover any resulting financial loss which the Client suffers provided that the Client has not breached our security procedures.

You must ensure that viruses, trojans, worms, or equivalent or similar items do not enter your computer system. We assume no responsibility for the loss of whatever nature, howsoever arising, resulting from such viruses, trojans, worms, or equivalent or similar items.

Calls

We may record and monitor calls made or received by us to maintain high-quality service standards, to check instructions, and for your protection and ours.

Your Queries

If you have any queries regarding privacy issues then please write to us at Compliance Department, FZCO [email protected]

You can see CFPS fees here.