2025-11-07

Best Practices for Licensed Financial Institutions on Implementing Role-Based AML/CFT/CPF Training

The Central Bank of the United Arab Emirates (CBUAE) has issued best practices requiring licensed financial institutions and registered hawala providers to implement risk-based, role-specific anti-money laundering, combating the financing of terrorism, and countering proliferation financing training programs. The guidance mandates that training content be tailored to the specific responsibilities, risk exposure, and operational context of distinct organizational roles, including the Board, senior management, and all three lines of defense, while incorporating UAE regulatory frameworks, international standards, and institution-specific products and geographies. Institutions must conduct annual training needs assessments, maintain comprehensive documentation of delivery methods and employee comprehension, and achieve full compliance within one month of the document's issuance.


United Arab Emirates

Central Bank of UAE


CBUAE Classification: Public

ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM

BEST PRACTICES FOR LICENSED FINANCIAL INSTITUTIONS ON IMPLEMENTING ROLE-BASED AML/CFT/CPF TRAINING

October, 2025

Contents

  1. Introduction
    1.1. Purpose
    1.2. Applicability
    1.3. Legal Basis
    1.4. Acronyms
  2. Scope of the Role-Based AML/CFT/CPF Training
    2.1. UAE Regulatory Requirements, Supervisory Guidance, and Global Standards
    2.2. Internal Policies, Procedures, and Processes
    2.3. LFI’s Products, Services, Customers, and Geographic Locations
  3. Role-Based Training
    3.1. Board of Directors/Owners and Senior Management
    3.2. First Line of Defense
    3.3. Second Line of Defense
    3.4. Third Line of Defense
  4. Documenting the AML/CFT/CPF Training Program
    4.1. Training Plan
    4.2. Updates to the AML/CFT/CPF Training Program
    4.3. Methods for Training Delivery
    4.4. Training Records, Documentation, and Assessment
  5. Annexure 1: Synopsis of the Best Practice


1. Introduction

A comprehensive anti-money laundering (“AML”) and combating the financing of terrorism (“CFT”) and countering proliferation financing (“CPF”) training program is critical to the overall effectiveness of a licensed financial institution’s (“LFI’s”) compliance program. AML/CFT/CPF training helps employees understand their responsibility to combat money laundering (“ML”), terrorist financing (“TF”), and proliferation financing (“PF”) through identifying ML/TF and PF red flags and managing ML/TF and PF risks in the context of their job functions.

As such, all employees—spanning from the LFI’s Board of Directors, owners/partners/shareholders, senior management, new employees, to external staff—should receive AML/CFT/CPF training through a combination of the following types of AML/CFT/CPF training:

• New hire training (including existing employees who take on new roles or positions);
• Annual enterprise-wide AML/CFT/CPF training;
• Global mandatory AML/CFT/CPF training (for LFIs that fall under a Group);
• Localized training, targeting specific local ML/TF and PF risks;
• Board of Directors, owners/partners/shareholders[1], and senior management training[2]; and
• Role-based training (including on-the-job training, especially if the risks are specific to a certain role).

LFIs should adopt a risk-based approach to their AML/CFT/CPF training programs, ensuring that the content, frequency, and intensity of training is commensurate with the ML/TF/PF risks faced by different roles and functions within the organization.

Understanding that there are different types of training that comprise an LFI’s AML/CFT/CPF training program, this Best Practices document specifically focuses on best practices associated with role-based AML/CFT/CPF training. The purpose of role-based AML/CFT/CPF training is to ensure that employees across an LFI’s organization receive training that is tailored to their responsibilities and specific ML/TF and PF risk exposure.
Such role-based training provides employees with the relevant expertise and judgement required to meet the specific needs of their different AML/CFT/CPF-related responsibilities.

[1] AML/CFT/CPF training should be required for owners, partners, and shareholders carrying out an active role in the management of the LFI. Training is not mandatory for passive shareholders.
[2] For the purposes of this Best Practices document, Board of Directors and senior management training is discussed in the context of role-based training.

1.1. Purpose

Article 44.11 of the Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.”

The purpose of this Best Practices document is to assist the understanding and effective performance and compliance by the United Arab Emirates Central Bank’s (“CBUAE”) LFIs and registered hawala providers (“RHPs”), of their statutory obligations under the legal and regulatory framework in force in the UAE specific to role-based AML/CFT/CPF training. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019) and Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 79/2019 dated 27/06/2019) and any amendments or updates thereof.[3] As such, while this Best Practices document neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for LFIs to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this document and the legal or regulatory frameworks currently in force, the latter will prevail.

This Best Practices document may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the CBUAE. It provides additional guidance to help LFIs effectively meet their AML/CFT/CPF training obligations as stipulated in the legal and regulatory frameworks.

Furthermore, this Best Practices document takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), as LFIs should ensure that their role-based training programs not only meet local regulatory requirements but also reflect global best practices to enhance their effectiveness.
These standards and guidance are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs should perform their own assessments of the manner in which they should meet their statutory obligations.

The CBUAE may issue supplementary guidance materials, such as outreach sessions and thematic reviews, to support LFIs in implementing the role-based training requirements. LFIs should stay informed of any such updates to ensure their training programs remain compliant and effective.

This Best Practices document comes into effect immediately upon its issuance by the CBUAE, with LFIs expected to demonstrate that they have taken concrete efforts to come into compliance with its requirements within one month from its coming into effect (e.g., development of policies, procedures, and training materials).

[3] Available at https://www.centralbank.ae/en/cbuae-amlcft.

1.2. Applicability

Unless otherwise noted, this Guidance applies to all natural and legal persons, which are Financial Institutions or Licensees, or any other defined term which brings all entities within the scope of licensed and/or supervised entities by the CBUAE, in the following categories:

• National banks, branches of foreign banks, exchange houses, finance companies, investment companies, payment service providers, virtual asset service providers (“VASPs”), payment token service providers, registered hawala providers;
• Insurance companies, agencies, and brokers; and
• Other covered financial institutions not specified above, or any other entities that are licensed or registered by the CBUAE and are engaged in financial activities that fall under AML/CFT/CPF regulations.

For LFIs with operations outside the UAE, this guidance applies to their UAE-based activities and should inform group-wide standards, while adhering to applicable regulations in the local jurisdiction.

1.3. Legal Basis

This Best Practices document builds upon the provisions of the following laws and regulations:

• Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended by Federal Decree Law No. (26) of 2021 (“AML-CFT Law”);
• Cabinet Decision No. (10) of 2019 concerning the Implementing Regulation of Federal Decree Law No. 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended by Cabinet Decision 24 of 2022 (“AML-CFT Decision”) and its amendments;
• Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (“UNSC”) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution (“Cabinet Decision 74”), and its amendments; and
• Cabinet Decision No. (58) of 2020 regulating the Beneficial Owner Procedures (“Cabinet Decision 58”).

1.4. Acronyms

Terms    Description
AML      Anti-money laundering
CBUAE    Central Bank of the United Arab Emirates
CFT      Combating the financing of terrorism
CPF      Countering proliferation financing
FATF     Financial Action Task Force
FCC      Financial crimes compliance
LFI      Licensed financial institution
ML       Money laundering
PF       Proliferation financing
RBA      Risk-based approach
RHP      Registered Hawala Provider
TF       Terrorist financing
UN       United Nations

2. Scope of the Role-Based AML/CFT/CPF Training

Role-based AML/CFT/CPF training is important as it helps ensure that an employee’s technical knowledge (i.e., understanding specific ML/TF/PF risks associated with different roles, familiarity with regulatory requirements, and the ability to apply internal policies and procedures effectively and understanding of ML/TF and PF risks, global standards, regulatory requirements, and internal policies) and the LFI’s AML/CFT/CPF compliance program are accurate and up to date. It also enables an employee to understand their responsibility to identify ML/TF and PF risks and red flags—both generally and specific to the LFI—in the context of their role within an LFI.

As such, unlike other training that provides a general introduction on AML/CFT/CPF requirements and ML/TF/PF red flags, an LFI’s role-based training should be tailored to the specific responsibilities of its employees who are exposed to ML/TF and PF risks and are responsible for performing AML/CFT/CPF-related functions within the LFI. Role-based training can also take the form of ad-hoc training, tailored to an LFI’s specific team or department to enhance awareness on specific topics.

This Best Practices document discusses the components of role-based AML/CFT/CPF training and how an employee’s responsibilities should be understood in the context of:

• UAE regulatory requirements and supervisory guidance;
• Financial crimes compliance (“FCC”) global standards;
• Internal policies, procedures, and processes; and
• LFI’s products, services, customers, and geographic locations.

2.1. UAE Regulatory Requirements, Supervisory Guidance, and Global Standards

Educating LFI staff on local regulatory requirements, relevant supervisory guidance, and FCC global standards is a key component of an effective AML/CFT/CPF training program.
Accordingly, training content should be appropriately tailored to an LFI’s specific profile (including but not limited to risk exposure, product offering, and size) and cover requirements from the jurisdictions where the LFI operates, including the LFI’s branches and majority-owned subsidiaries.

As such, an LFI’s role-based trainings should focus on educating LFI staff, Board members, owners/partners/shareholders[4], and senior management on UAE AML/CFT/CPF laws, regulations, and supervisory guidance as well as ML/TF and PF trends and typologies common to the UAE. LFIs may also consider training material and guidance documents published by international bodies like FATF.

[4] AML/CFT/CPF training should be required for owners, partners, and shareholders carrying out an active role in the management of the LFI. Training is not mandatory for passive shareholders.

• UAE AML/CFT/CPF Framework: The UAE has several laws and regulations that address AML/CFT/CPF, including the AML-CFT Law and AML-CFT Decision. The training provided must ensure that the LFI's employees are aware, and have an appropriate understanding, of their legal and regulatory responsibilities and obligations and the consequences of non-compliance. For example, training should include specific examples such as UAE Federal Decree Law No. 20 of 2018 on Anti-Money Laundering, the CBUAE’s thematic reviews, and sector-specific risk assessments to illustrate regulatory expectations and compliance requirements. Furthermore, the LFI’s AML/CFT/CPF trainings should also cover CBUAE-issued guidance or feedback[5] on ML/TF and PF risks, such as thematic reviews. Finally, trainings should be developed in the context of the UAE’s National ML/TF and PF Risk Assessments and the CBUAE’s Sectoral Risk ML/TF and PF Assessments. LFIs should ensure key compliance staff attend the various training and outreach sessions provided by the CBUAE and Executive Office for Control and Non-Proliferation (“EOCN”) on these topics. The schedule of training and outreach sessions can be found at the AML/CFT Supervision website of the CBUAE.[6]
• FCC Global Standards: Global standards for FCC encompass a collection of standards that originate from intergovernmental organizations and industry groups. These global standards-setting bodies issue recommendations and guidance for jurisdictions and LFIs to adopt as part of implementing an effective AML/CFT/CPF regime. LFIs may consider FCC global standards and general ML/TF and PF trends, typologies, and best practices identified by global standards-setting bodies which may be relevant to the LFI.
  Local compliance training programs should also consider best practices and recommendations set by international standards-setting bodies when developing training programs and content, as they complement local UAE laws and regulations. FCC global standards-setting bodies include:

  o The United Nations Security Council (UNSC), one of the six principal bodies of the United Nations and the only authority issuing resolutions that are binding on member states, as mentioned in Articles 16 and 28 of Decree Federal Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisation;
  o The Financial Action Task Force, the leading AML/CFT standards-setter at the international level, established by the Group of Seven (“G7”) to examine and combat ML;
  o The Basel Committee on Banking Supervision (“BCBS”), a committee of central banks and other banking regulatory authorities from 28 jurisdictions, with 45 members;
  o The Wolfsberg Group, an association of 13 of the world’s largest banks; and
  o The Egmont Group of Financial Intelligence Units, a body of financial intelligence units (“FIUs”) from around the world.

[5] Available at: https://www.centralbank.ae/en/cbuae-amlcft
[6] Available at: https://www.centralbank.ae/en/cbuae-amlcft

2.2. Internal Policies, Procedures, and Processes

LFIs should provide ongoing training to employees on the LFI’s AML/CFT/CPF policies and procedures. Trainings should address how employees are expected to comply with the LFI’s policies and procedures, consequences for not adhering to these policies and procedures, and where employees can locate policies and procedures and learn more about the LFI’s AML/CFT/CPF compliance program.

In addition to covering the policies and procedures relevant to an employee’s day-to-day job function, the training material should also cover the specific systems and controls being utilized by the LFI, including the use of internal and external tools, relevant to the LFI’s AML/CFT/CPF compliance program and the specific work carried out by its employees. An employee should understand how to perform their roles and responsibilities through the use of the LFI’s systems and controls, such as for onboarding customers; updating a customer’s risk rating and customer due diligence/know your customer (“CDD/KYC”) file; performing sanctions screening; transaction monitoring; and investigating and reporting suspicious activity and transactions, including attempted transactions. To be effective, training should include real-life and role-specific scenarios employees may encounter while performing their day-to-day job function and include interactive content wherever possible.

In response to any updates to the LFI’s AML/CFT/CPF compliance program, the LFI should also offer refresher training so that the LFI helps promote a culture of compliance and that employees are knowledgeable of any changes to the LFI’s ML/TF and PF risks, policies, and procedures, including gaps identified as part of regulatory examinations, quality assurance review or independent audits.
LFIs should have a structured process for distributing and tracking updates to AML/CFT/CPF policies and procedures. Refresher training should be conducted regularly and whenever there are updates to the AML/CFT/CPF compliance program. This training should address any changes to policies, procedures, and systems, as well as any identified gaps from regulatory examinations or audits.

In addition to scheduled trainings, an LFI should regularly communicate any changes or updates to the LFI’s AML/CFT/CPF policies, procedures, systems, and controls to employees via email, notices, or bulletins and, where applicable, follow up with employees to ensure that the information has been read and understood. Following any updates to policies and procedures, LFIs should implement mechanisms to verify employee understanding.

2.3. LFI’s Products, Services, Customers, and Geographic Locations

LFIs are required to identify, assess, and manage ML/TF and PF risks associated with their products, services, customers, and geographic locations as part of implementing a risk-based approach (“RBA”). Under the RBA, institutions that face higher ML/TF and PF risks are expected to develop enhanced measures to mitigate such risks by expanding the range, degree, frequency, and intensity of their mitigating controls. Conversely, institutions that face lower ML/TF and PF risks may choose to implement simplified measures, provided that these measures are consistent with minimum legal and regulatory obligations.

Employees should understand how the LFI’s RBA is applied in the context of their roles, how they contribute to assessing and managing the risks that may be present in the LFI’s business activities, and that employees whose job functions expose them to higher ML/TF/PF risks receive training commensurate with the level of risk typically involved. Role-based training should incorporate the principles of the RBA by addressing how employees’ specific roles contribute to managing risks associated with products, services, customers, and geographic locations. Role-based training should highlight how to apply enhanced or simplified measures based on the assessed risk level.

An LFI’s employees should be trained on risks associated with:

• The size, complexity, and risk profile of the LFI’s sector and business lines;
• Characteristics of the LFI’s customer base, including any concentration of customers in high-risk segments, industries, and professions;
• Vulnerabilities of products and services (specifically, generally higher risk services such as private banking or cross-border wire transfers), as informed by the LFI’s enterprise-wide AML/CFT/CPF risk assessment and CBUAE’s ML/TF Sectoral Risk Assessment; and
• Countries the LFI’s customers are exposed to and the LFI’s own locations around the world, including the LFI’s nexus to high-risk geographies (for example, countries assessed as high-risk jurisdictions for ML/TF and PF by the FATF, financial secrecy havens, etc.).

Employees handling high-risk customers and jurisdictions should receive specialized training focused on enhanced due diligence and risk management strategies.
This would ensure that training is tailored to the specific challenges posed by high-risk scenarios, thereby enhancing the institution's overall risk management framework.

LFIs should ensure that training is developed addressing emerging risks and new typologies that are specific to the LFI’s business model, customer types, products, services, and geographies. The content should be updated based on internal and external data and sources.

3. Role-Based Training

Role-based training should be determined based on factors identified as part of an annual training needs assessment, focusing on areas vulnerable to ML/TF and PF. The training needs assessment identifies areas within an LFI that are vulnerable to ML/TF and PF and require enhanced training. A training needs assessment should be conducted annually and should include a review of the LFI’s risk assessment, regulatory findings, audit results, and feedback from senior management. This assessment will help identify areas that require enhanced role-based training and ensure that training programs are updated accordingly.

The factors used to identify the enhanced training needs are, for example, an LFI’s enterprise-wide AML/CFT/CPF risk assessment, regulatory examination or independent audit findings, and feedback from key stakeholders, such as an LFI’s senior management. First line of defense employees and business units should also be able to engage an LFI’s Compliance team to request additional AML/CFT/CPF trainings if required. Training programs can also gather feedback from current and past participants to gauge the effectiveness of the training and if participants felt training helped prepare them to carry out their job function with respect to the AML/CFT/CPF controls.

Further, the CBUAE has a mailbox where LFIs can request and submit information feedback regarding the LFI’s training needs. Additionally, the LFI should utilize the CBUAE’s mailbox for submitting feedback and requesting guidance on training needs. This helps ensure that training programs are responsive to emerging risks and regulatory expectations. Requests and feedback can be submitted to amlcfttraining@cbuae.gov.ae. CBUAE will review and monitor requests and feedback submissions from LFIs in order to improve and provide tailored outreach and training sessions.

Generally, employees with increased exposure to ML/TF and PF risk should receive specific role-based training, including review of real-world case studies (such as trade finance and correspondent banking functions and tellers handling cash transactions). At a minimum, however, a comprehensive training program should ensure that role-based training is provided to the following groups:

• Board of Directors, owners/partners/shareholders, and senior management;
• First line of defense employees with heightened exposure to ML/TF and PF risk (for example, bank tellers, relationship managers, executives);
• Second line of defense employees (i.e., employees in an LFI’s compliance department);
• Third line of defense employees (i.e., independent testing function); and
• Staff responsible for testing, tuning and validation of the LFI’s financial crime compliance framework including systems and model.

3.1. Board of Directors/Owners and Senior Management

An LFI’s Board of Directors, including an LFI’s owners/partners/shareholders, acts as an independent body that exercises oversight of an LFI, including its AML/CFT/CPF compliance program. Meanwhile, senior management functions under the mandate of the Board of Directors and ensures that an LFI’s AML/CFT/CPF compliance program has policies, processes, systems, and controls needed to effectively manage the LFI’s ML/TF and PF risks.

Board of Directors, owners/partners/shareholders, and senior management require ongoing training to enhance their knowledge and understanding of the LFI’s ML/TF and PF risk profile and applicable regulatory requirements. It is critical that an LFI’s leaders are familiar with AML/CFT/CPF regulatory expectations in order to effectively direct the LFI’s AML/CFT/CPF strategy, make informed decisions about the LFI’s risk appetite, and oversee an LFI’s AML/CFT/CPF compliance program. Additionally, training for the Board of Directors, owners/partners/shareholders, and senior management should emphasize how they foster a culture of compliance within the LFI.

To this end, an LFI’s Board of Directors, owners/partners/shareholders, and senior management should receive periodic training that, at a minimum, covers:

• Their responsibility for overseeing the AML/CFT/CPF compliance program, including that the LFI has appropriate policies, processes, systems, and controls to mitigate ML/TF and PF risks;
• Findings from the LFI’s enterprise-wide AML/CFT/CPF risk assessment and the impact of the LFI’s business operations on its ML/TF and PF risk profile;
• Emerging ML/TF/PF trends;
• Their role in monitoring and ensuring that recommendations from internal AML/CFT/CPF audits are effectively and timeously implemented;
• Any new developments with respect to FCC global standards, any UAE AML/CFT/CPF regulatory updates, and supervisory expectations for AML/CFT/CPF compliance; and
• Their role in fostering a culture of compliance, specifically of communicating and reinforcing the compliance culture established by the Board of Directors or owners/partners/shareholders, and senior management’s role in implementing and enforcing the Board-approved AML/CFT/CPF compliance program. Training should include specific strategies for fostering a culture of compliance, such as setting a tone at the top through visible commitment, integrating compliance into business strategies, and encouraging open communication about compliance issues among staff.

Training for the Board of Directors, owners/partners/shareholders, and senior management should be conducted on a need basis or at least annually and a record of attendance and material discussed should be kept; however, it is important that the Board of Directors, owners/partners/shareholders, and senior management receive ongoing updates and communications regarding the status of AML/CFT/CPF regulatory issues and ML/TF and PF risks posed to the LFI. Such updates and communications could be included as part of periodic Board Meeting packs, which should include Management Information on Key Risk Indicators reporting on the strengths of the LFI’s control framework and other relevant metrics.

3.2. First Line of Defense

First line of defense employees (for example, customer-facing staff, tellers, relationship managers, and business executives) play a critical role in the management of customer risk and the timely escalation of potentially suspicious activity or transactions. One of the core duties of the first line of defense is the implementation of due diligence processes to identify and verify customers and assess their risk profiles, as first line of defense employees are on the front line for detecting and preventing ML/TF and PF.

First line of defense training should be tailored to address the varying risk levels within different functions. For example, higher-risk roles such as those in private banking or trade finance should receive more intensive training on red flags and reporting requirements compared to lower-risk roles. Therefore, it is essential for first line of defense employees to be cognizant of red flags associated with their specific function and understand their obligations to not “tip off” a customer. For example, bank tellers should understand red flags associated with a customer’s efforts to avoid cash reporting requirements. Similarly, a relationship manager should understand red flags associated with false, insufficient, or misleading CDD/KYC information during the onboarding process and beyond. LFIs must provide adequate training to first line of defense employees on ML/TF and PF red flags and their responsibility to identify and report potentially suspicious activity.

Training programs should incorporate real-life and role-specific case studies and scenarios to illustrate ML/TF and PF risks, enhancing the practical understanding of employees and bridging the gap between theoretical knowledge and practical application, thereby improving the effectiveness of training. The LFI may consider incorporating case studies relevant to the staff’s day-to-day responsibilities, such as conducting customer due diligence or identifying suspicious transactions. Role-play or simulation exercises may help employees understand and react better to potential real-world situations.

Appropriately trained employees are well-placed to identify suspicious transactions and activity. Role-based AML/CFT/CPF training is especially important for employees in higher-risk lines of business, such as private banking, lending, foreign correspondent banking, and trade finance, and for employees or agents in risk-sensitive areas, such as those that handle cash and are involved in customer transaction activities.
To this end, first line of defense employees should receive periodic training which at a minimum covers:
• The definition of a suspicious activity or transaction and the nature and importance of the suspicious transaction or activity reporting requirement;
• How to implement an LFI’s due diligence processes to verify the identity of customers and assess their risk profiles;
• Examples of ML/TF and PF that enable employees to identify red flags associated with customers, products, services, delivery channels, and geographies;
• Best practices in investigating and dispositioning name screening, transaction screening and transaction monitoring alerts, using case studies and practical scenarios where possible to help application of knowledge and skills learned;
• Identification of ML, TF, and PF red flags and typologies, as well as information on key financial crime compliance regulatory and industry developments both globally and locally;
• Information on the LFI’s procedures to escalate suspicious activity to management and specific compliance personnel;
• Specific staff responsibilities (first/second/third line of defense) and roles of relevant individuals with responsibility for AML/CFT/CPF, including the Money Laundering Reporting Officer (“MLRO”);
• Specific information, typologies, and controls tailored to employees in higher risk lines of business, e.g., analysts focusing on trade finance should receive in-depth training on Trade-Based Money Laundering;
• UAE specific AML/CFT/CPF regulatory requirements (existing and upon issuance/update of regulations or guidance); and
• ML/TF and PF risks posed to their business line and associated vulnerability of products and services offered by the business line, as informed by the LFI’s enterprise-wide AML/CFT/CPF risk assessment.

Training programs should also include mechanisms for collecting and integrating feedback from first line employees. This feedback can provide insights into emerging risks, practical challenges, and effectiveness of current training materials, allowing for continuous improvement of the training program.

3.3. Second Line of Defense

Employees within the second line of defense (for example, MLRO/Compliance Personnel) are responsible for implementing an LFI’s AML/CFT/CPF compliance program. As part of this role, second line of defense employees are expected to provide advisory support to the lines of business—ranging from queries on the LFI’s policies to payment advice—and thus should be aware of AML/CFT/CPF regulatory requirements and ongoing developments. In this capacity, the second line of defense is also charged with monitoring risks facing the LFI, such as non-compliance with UAE laws and regulations, and reporting directly to senior management on the LFI’s risk exposure. Notably, it is particularly important that the Compliance Officer/MLRO has sufficient knowledge and understanding of the UAE’s AML/CFT/CPF statutory and regulatory requirements in addition to the ML/TF and PF risks arising from the LFI’s business.
To this end, second line of defense employees should receive periodic training which covers:
• Any new developments in FCC global standards and emerging ML/TF and PF risks, trends, and typologies, ensuring that training is tailored to the employee group’s jurisdiction;
• Information sharing efforts and the resulting intelligence between the LFI, its peers, and law enforcement;
• UAE AML/CFT/CPF regulatory requirements, supervisory expectations for AML/CFT/CPF compliance, and information from relevant law enforcement advisories;
• Best practices in investigating and adjudicating sanctions screening and transaction monitoring alerts; authoring strong suspicious activity and transaction reports; potential interaction with law enforcement; information sharing efforts; and identifying red flags and other issues or inconsistencies in a customer’s CDD/KYC file;
• The importance of the compliance function in implementing and maintaining an effective AML/CFT/CPF compliance program; and
• Emerging technologies related to financial crime compliance.

Please note, as part of receiving the abovementioned training, second line of defense employees may seek to obtain professional certifications (for example, ACAMS certifications) and participate in industry webinars or attend professional events to further deepen and expand their specific skillsets and expertise in the field of financial crimes compliance. Providing ongoing professional development and continuing education opportunities to the second line of defense, such as advanced courses and workshops in financial crime compliance, is critical for staff to stay abreast of the latest trends and best practices in the field.

Second line of defense employees should also be provided with resources and access to current information on global standards, emerging trends, and best practices. This can include subscriptions to industry journals, participation in relevant webinars, and engagement with professional networks.

3.4. Third Line of Defense

The independent testing or internal audit function is responsible for evaluating the design and operational effectiveness of an LFI’s AML/CFT/CPF compliance program controls, including technical compliance with AML/CFT/CPF policies and procedures. This function serves as a “third line of defense” to identify gaps and weaknesses in controls owned or overseen by an LFI’s business, operations, and compliance function, and should report to an LFI’s Board of Directors or owners/partners/shareholders.

An LFI’s independent testing or internal audit function is typically overseen by a Head of Internal Audit/Chief Internal Auditor. Depending on the size of the LFI, an LFI’s Internal Audit Department may be organized by global, regional, and country-specific teams. An LFI may also have an Internal Audit Department with internal auditors or teams of internal auditors that have specific specializations (credit, operations, IT/systems audits). The third line of defense also supports compliance functions by validating the closure of audit findings through an LFI’s implementation of remedial actions and internal control enhancements.
To this end, third line of defense employees should receive training that covers:
• Improvements and current developments in internal audit standards, procedures, and techniques in response to emerging ML/TF/PF risks;
• The LFI’s Internal Audit Charter, Manual, Methodology, and Plan;
• UAE AML/CFT/CPF regulatory requirements and supervisory expectations for AML/CFT/CPF compliance;
• Methods on how to test an LFI’s compliance with policies and procedures related to AML/CFT/CPF; and
• Cross-functional training covering all aspects of the AML/CFT/CPF program.

As part of receiving the abovementioned training, third line of defense employees should also complete external training and obtain professional certifications and designations (for example, designations offered by the Institute of Internal Auditors (IIA)), as appropriate, in order to understand industry expectations and best practices for independent testing.

Third line of defense training should emphasize the need to continuously update internal audit methodologies and procedures in response to emerging ML/TF and PF risks. This includes adopting new audit techniques and revising audit plans to address identified vulnerabilities and regulatory changes.

4. Documenting the AML/CFT/CPF Training Program

4.1. Training Plan

LFIs should develop and document an annual plan for their AML/CFT/CPF training program. An LFI’s training plan should cover how the LFI intends to deliver AML/CFT/CPF training to employees, including employees in departments like IT and other support functions, which provide support to AML/CFT/CPF systems and any external staff performing AML/CFT/CPF functions on the LFI’s behalf. External staff includes an LFI’s vendors, temporary staff, contractors, and third parties (especially those sourcing new business). The training plan should be approved by the LFI’s Board of Directors, owners/partners/shareholders, or senior management annually and tracked through a designated training coordinator or platform to ensure timely completion by all required training participants. Regular updates on training completion should be reported to senior management to ensure oversight and accountability.

Specifically, the training plan should contain the following information:
• Training participants (i.e., individuals required to complete the training, along with their respective departments or business functions);
• Training topics and any relevant materials;
• Methods for training delivery;
• Objectives for each training;
• Minimum training standards (for example, timing and material covered) by department and role;
• Frequency and dates for delivering training; and
• Whether and how employees will be assessed following the training.

LFIs must maintain records of training and report training attendance and completion (passing or failing) of requisite post-training assessments to the appropriate managers. LFIs should also implement mechanisms to verify employees' understanding of the training content. This may include quizzes, acknowledgment forms, or briefings designed to confirm that employees have read and comprehended the updated information.

4.2. Updates to the AML/CFT/CPF Training Program

In order to determine the training participants, topics, and training delivery methods, the annual training plan should be informed by the LFI’s training needs assessment performed by staff responsible for the LFI’s AML/CFT/CPF training program. The training needs assessment assesses an LFI’s training needs, including the overall risk profile of the LFI and the relevant skills and experience of the LFI’s employees, such as areas of increased risk exposure within the LFI or areas where an LFI’s personnel have indicated the requirement for additional guidance or support. The training needs assessment also considers regulatory examination or independent audit findings concerning training-related gaps in order to identify high-risk areas of the LFI that require targeted training. LFIs should document the methodology, findings, and outcomes of their training needs assessment. Updates to the training needs assessment should be documented in a report that is reviewed and approved by the MLRO or their designee to ensure that updates are aligned with the LFI’s risk profile.

In addition to the training needs assessment, an LFI’s MLRO or designee should be responsible for annually evaluating the adequacy of an LFI’s AML/CFT/CPF training program to determine if the program meets designated training objectives and that the trainings are commensurate with the LFI’s risk exposure. LFIs should implement a process to regularly review and update their training materials to reflect the latest changes in UAE AML/CFT/CPF laws, regulations, and supervisory guidance. This review should occur at least annually or more frequently if significant regulatory changes occur.

Accordingly, an LFI should regularly review its AML/CFT/CPF training program to reflect the following, which should be used as a basis for providing refresher trainings for employees to remain up to date with changes to ML/TF and PF risks, updates to policies and procedures, and the UAE’s legal framework:
• Changes to the LFI’s ML/TF and PF risk profile and business model (including when a new product, service or technology is introduced);
• Findings from the LFI’s enterprise-wide AML/CFT/CPF risk assessment;
• Information on emerging ML/TF and PF risks, trends, and typologies;
• Regulatory developments and updates to FCC global standards and CBUAE supervisory guidance;
• Regulatory examination or independent audit findings concerning training-related gaps; and
• Changes to the LFI’s internal policies, procedures, processes, systems, and controls.
In addition to an LFI regularly reviewing and updating its AML/CFT/CPF training program, certain events may also trigger an employee’s training requirements, such as:
• An employee moves between jobs or responsibilities within an LFI;
• New ML/TF and PF risk indicators relevant to a particular business line emerge, including information about ML/TF and PF risks in the sector;
• An employee fails to comply with requirements and expectations specific to the LFI’s AML/CFT/CPF program (such as repeatedly failing to report suspicious activity or tipping off a customer); and
• CBUAE issues guidance on ML/TF and PF risks in the sector.

An LFI may also consider instituting a dynamic, continuous feedback loop from employees and stakeholders throughout the year, which would complement the annual assessment and help ensure that training needs are proactively recognized as new risks and regulatory changes occur. This approach can provide practical insights and reinforce the importance of training in shaping and implementing the AML/CFT/CPF strategy.

4.3. Methods for Training Delivery

Based on the training needs assessment, methods for providing AML/CFT/CPF training should be tailored to suit the LFI’s specific training needs. An LFI’s training plan should describe the training methods and include a course abstract or description that addresses what the training intends to achieve. Methods of delivery include:
• Instructor-led training: Instructors can be employees of the LFI or an external third-party service provider who provides training to employees either in person or virtually.
• Self-directed learning: Self-directed learning provides training where employees register for online courses or use other materials to guide them through the training. Self-directed learning could take place on e-learning platforms that add simulations and gamification. Such platforms can also leverage data analytics to monitor and evaluate how effective training modules are, how many times employees take the modules, and how long it takes, on average, to complete the module.

The choice of training method should be guided by the employee's responsibilities, exposure to ML/TF risks, and learning preferences. Instructor-led training may be suitable for positions with high ML/TF/PF risk exposures, while self-directed learning may be effective for lower-risk roles or refresher courses.

If the LFI chooses to use a third-party service provider for instructor-led training, the LFI should ensure that the service provider has appropriate qualifications to provide sufficiently rigorous training and that the content of this training is tailored to the LFI and audience being trained. Before engaging a third-party service provider, it is best practice to conduct appropriate due diligence to ensure that the third-party service provider has sufficient AML/CFT/CPF experience and expertise to conduct the training in accordance with the LFI’s expectations.
Due diligence should also investigate if the third-party provider will track attendance and conduct post-training assessment and ensure that the provider will share the information with the LFI. The Compliance function should vet and approve the training content to ensure that the third-party service provider sufficiently adapts training content to UAE regulatory requirements; the LFI’s internal AML/CFT/CPF policies, procedures, processes, systems, and controls; and the LFI’s AML/CFT/CPF risk assessment. The LFI should also seek to monitor the third-party service provider as part of the LFI’s overall governance arrangements, which could include regular reviews of the third-party service provider’s training content. Best practices include checking the provider’s track record, reviewing their training content for relevance and quality, and assessing their ability to customize training for the LFI’s specific needs. The Compliance function should also regularly review and evaluate the provider’s performance and training effectiveness. Formal instructor-led and self-directed training should be supplemented with on-the-job training where more experienced employees provide guidance to junior staff on best practices in implementing AML/CFT/CPF measures and controls specific to their role. LFIs are encouraged to consider using multiple delivery methods to enhance effectiveness and engagement.

4.4. Training Records, Documentation, and Assessment

LFIs should document their training programs, track and record attendance for every participant, and follow up on instances of non-completion. An LFI should evaluate what method to employ for appropriately tracking and identifying employees who attend each training. As part of this tracking process, an LFI should determine a timeline by when specific trainings (for example, new hire training and role-based training) should be completed and develop a mechanism for following up with employees and escalating non-compliant employees who fail to complete a mandatory training within required timelines.

If an employee fails to complete training within the required timeline, the LFI should implement a follow-up process that includes additional training sessions and re-assessment. Records of these follow-up actions should be maintained, including reasons for delays and corrective measures taken. An LFI should also institute consequences for non-compliance with an LFI’s training requirements, which could ultimately lead to an employee’s termination from the LFI. Consequences for continued non-compliance should be clearly outlined and communicated to employees as part of the training policy.

Specifically, the LFI should maintain:
• A record of the training that has been delivered (for example, the date the training took place, a list of the participants who received the training, and the topics that were covered as part of the training). Training records should be available for independent audit or regulatory examinations.
• Documentation related to employees who failed to take the required training in a timely manner and a record of any corrective actions taken.

Training effectiveness should be assessed through various methods, such as feedback surveys, post-training assessments, and performance evaluations.
As part of tracking an employee’s training attendance, an LFI should determine which AML/CFT/CPF trainings should include some form of assessment upon completion. These assessments should measure employees' understanding of key concepts and their ability to apply knowledge in practice. The results of these assessments should be used to determine specific training needs for individual employees or used to refine training content and delivery methods to better address identified gaps and improve overall training outcomes. Assessment opportunities help cement understanding of new concepts and ensure that participants do not receive credit for an AML/CFT/CPF training unless they have mastered the respective AML/CFT/CPF-related concepts. Should participants fail the assessment, appropriate measures, like additional training, must be implemented to ensure that employees properly understand the specific training, before re-assessment. LFIs should retain training-related documents including records, training needs assessments, and any other relevant materials, for the duration specified by UAE recordkeeping requirements. The integration of digital tools may be considered for enhancing the efficiency of tracking and retaining training records and documentation. LFIs should demonstrate compliance with this Best Practices document by providing evidence of their role-based training programs, including training materials, attendance records, and assessment results. Regular internal and external audits should be conducted to verify adherence to the guidelines outlined in this document.

5. Annexure 1: Synopsis of the Best Practice

Introduction

Purpose and Scope of the Best Practices
The purpose of this Best Practices is to assist the understanding and effective performance by CBUAE licensed financial institutions (LFIs) of their statutory obligations under the legal and regulatory framework in force in the UAE.

Applicability
This Best Practices applies to all natural and legal persons, which are Financial Institutions or Licensees, or any other defined term which brings all entities within the scope of licensed and/or supervised entities by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, virtual asset service providers, registered hawala providers; and insurance and re-insurance companies, agencies, and brokers.

Legal Basis
• Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and its amendments;
• Cabinet Decision No. (10) of 2019, as amended by Cabinet Decision No. (24) of 2022, Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organizations and its amendments;
• Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (“UNSC”) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution and its amendments;
• Cabinet Decision No. (58) of 2020 regulating the Beneficial Owner Procedures (“Cabinet Decision 58”).

Definitions and Acronyms
• Several frequently used terms and phrases are defined, and a list of acronyms used in the Best Practices is provided.
Role-Based Training

Introduction
• An annual training needs assessment determines how role-based training is conducted and which groups (e.g., board of directors, first line of defense) receive certain types of training.
• A reminder to LFIs that CBUAE welcomes requests for training guidance and feedback via an email mailbox.

Board of Directors/Owners and Senior Management
• This section notes the responsibilities of the board of directors and senior management to ensure the LFI’s compliance with AML/CFT/CPF regulatory requirements and to foster a culture of compliance.
• The section also gives examples of training that an LFI’s Board of Directors, owners/partners/shareholders, and senior management should receive.

First Line of Defense
• This section discusses the employees who are typically considered part of the first line of defense (e.g., bank tellers, relationship managers) and the kind of training they should receive to enable them to identify and report red flags and suspicious activity.
• The section also includes several examples of specific training that can be conducted for first line staff.

Second Line of Defense
• This section discusses the employees who are typically considered part of the second line of defense (e.g., MLRO, compliance personnel) and the kind of training they should receive to enable them to provide advisory support to an LFI’s lines of business.
• The section also includes several examples of specific training that can be conducted for second line staff.
• The section also notes the external resources and certifications that are available for external staff to enhance staff competency regarding AML/CFT/CPF topics.

Third Line of Defense
• This section discusses how an LFI’s independent testing or internal audit function is typically considered the third line of defense and the kind of training the associated personnel (e.g., Chief Internal Auditor) should receive to enable them to perform their function in an AML/CFT/CPF context.
• The section also includes several examples of specific training that can be conducted for third line staff to efficiently test an LFI’s AML/CFT/CPF policies and procedures.
Documenting the AML/CFT/CPF Training Program

Training Plan
• This section discusses how an LFI can develop and document a training plan, and that it should require approval from the board of directors.
• Several examples are given of what information should be included in a training plan.

Updates to the AML/CFT/CPF Training Program
• LFIs must regularly review and update their training program based on an updated training needs assessment.
• The section discusses what is included in a training needs assessment (e.g., audit findings, regulatory examinations, LFI staff requests for additional training).
• The section also gives examples of sources an LFI should use to update its training program as well as examples of trigger events that would trigger staff training requirements (e.g., issuance of new CBUAE guidance on ML/TF/PF sector risks).

Methods for Training Delivery
• This section details the methods an LFI can use to deliver training, specifically discussing the instructor-led training and self-directed learning methods.
• The section provides guidance to LFIs on leveraging third parties for training development and delivery, emphasizing the need to thoroughly vet the company and material provided.

Training Records, Documentation, and Assessment
• LFIs must document training programs and show that staff attendance is recorded and tracked and that the LFI follows up with staff who do not complete training requirements, with escalation and disciplinary measures in place for staff who are continually non-compliant.
• The training programs must include mechanisms to measure staff understanding of training concepts and their ability to apply the material in practice.
• The section discusses the importance of evaluating the effectiveness of training sessions/material and the evaluations and staff feedback used to enhance future training.