| Author | CBUAE |
|---|---|
| Version | 1.0 - June 1 |
| Publication Date | |
| Classification | Public |

Note: These AML and Fraud Guidelines are provisional and subject to change.
1. LFIs' Responsibilities Related to AML / Fraud Prevention
LFIs and TPPs must follow rigorous procedures to detect, prevent, and their established protocols to manage AML / fraud effectively for Open Finance transactions.
LFIs should manage:
AML / Fraud Monitoring and Prevention - covers monitoring transactions for risk indicators, identifying unusual patterns, and educating customers on fraud prevention
AML / Fraud Detection Process - involves identifying suspicious transactions, verifying activities with customers, and collecting supporting documentation
AML / Fraud Response - includes freezing transactions, conducting investigations, resolving issues, and reporting to authorities
Liability for Fraud - addresses determining liability according to standards and ensuring proper record retention
2. Monitoring and Prevention
2.1 Monitoring Transactions for Risk Indicators
LFIs should continuously monitor transactions for potential AML / fraud indicators
Conduct standard screening for payments, including assessing risk based on the provided transaction data, OF Risk Data Block, customer behavior, and device information
2.2 Key Risk Indicators
Unusual transaction patterns or amounts
Transactions from new or unverified devices
High-risk locations or merchants
2.3 Data Points to be Monitored
Transaction Data: ID, date and time, location, type, LFI name, TPP name, amount, merchant, receiving bank, authentication method, status
Customer/Account Data: Account holder name, account number, contact information, device type
2.4 Customer Education
Promote customer awareness about potential fraudulent activities (e.g., not to share OTPs with third parties)
3. Detection Process
3.1 Initial Detection
Both LFIs and TPPs should identify suspicious transactions using automated systems and manual reviews
Verify unusual activities with customers directly
3.2 Verification Steps
Confirm recent activity patterns with the customer
Verify device information and other authentication methods
3.3 Supporting Documentation
Collect receipts of invoices and proof of service delivery from the customer
Request user agreements and other relevant documents
Request source of funds (for AML)
4. Response
4.1 Immediate Actions
Freeze the suspicious transactions and accounts
Notify the customer and involved parties about the potential fraud
4.2 Investigation
Conduct a detailed investigation using the collected data and supporting documents
Collaborate with other LFIs and TPPs to gather more information if necessary
4.3 Resolution
Identify the liable party for fraudulent transactions
Resolve the issue by reversing fraudulent transactions in case the customer is not liable
Update the customer and involved parties on the resolution status
4.4 Reporting
Report the fraud case to the relevant authorities and regulatory bodies
Document the entire process for future reference and compliance
For TPPs: retain appropriate records with customer and transaction data, including customer consent
5. Liability
5.1 General
The LFI's and TPP's liability in case of a fraudulent transaction is determined according to the liability model developed as part of the Open Finance standards and available on Confluence
5.2 Additional TPP's Responsibility
TPPs must provide the listed fraud indicators to the LFI as part of the risk/fraud assessment process
If a TPP fails to provide the necessary indicators and the indicators are part of the LFI's risk/fraud assessment process, the TPP will be liable in the event of fraud
and fraud for Open Finance initiated transactions in the same manner as they do for other transactions
LFIs that do not already have real-time fraud / AML capabilities should develop them for all transactions, including those initiated by TPPs
There is no need to develop additional Open Finance-specific procedures
LFIs should seek to utilize and analyze risk indicators provided by TPPs
1.1 AML / Fraud Monitoring and Prevention
Including:
Monitoring transactions for risk indicators
Utilizing risk indicators from TPPs
Educating customers on fraud prevention
1.2 AML / Fraud Detection Process
Including:
Identifying suspicious transactions
Verifying activities, including step-up authentication
Collecting supporting documentation
1.3 AML / Fraud Response
Including:
Conducting investigations
Deciding on resolution option
Reporting to authorities
2. TPPs' Responsibilities Related to AML / Fraud Prevention
TPPs must follow robust authentication processes and report risky activities to manage AML/Fraud
2.1 Customer Authentication
Ensure robust customer authentication in compliance with Open Finance standards for services where TPP is responsible for authentication (e.g., delegated SCA)
Prevent fraud via TPP app access by making the app secure and employing MFA / biometric access
2.2 Suspicious Transactions Monitoring
Monitor transactions and identify potential Fraud risks
Report any suspicious activities via the AML GO portal of CBUAE
2.3 Risk Indicators
Accurately populate risk indicators defined in the Open Finance Standards to be provided to LFIs