Guidance for Licensed Financial Institutions on Risks Related to Proliferation Finance

CBUAE Classification: Public ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM AND ILLEGAL ORGANIZATIONS GUIDANCE FOR LICENSED FINANCIAL INSTITUTIONS ON RISKS RELATED TO PROLIFERATION FINANCE October, 2025.

Page 2 of 59 CBUAE Classification: Public Contents

1. Introduction...........................................................................................................4 1.1. Purpose..........................................................................................................................4 1.2. Applicability ....................................................................................................................5 1.3. Legal Basis ....................................................................................................................5 1.4. Acronyms .......................................................................................................................6
2. Understanding Proliferation Financing ...............................................................7
3. Understanding Risks Related to Proliferation Finance ......................................8 3.1. Threats Related to Proliferation Finance .......................................................................9 3.2. Vulnerabilities Related to Proliferation Finance...........................................................10 3.2.1. Trade Finance ........................................................................................................10 3.2.2. Correspondent Banking .........................................................................................11 3.2.3. Hawala and Other Alternatives to Traditional Banking Products and Services......12 3.2.4. Offshore Accounts..................................................................................................14 3.2.5. Free Trade Zones ..................................................................................................15 3.2.6. Shell Companies, Front Companies, and Complex Ownership Structures............16 3.2.7. Insurance and Reinsurance ...................................................................................18 3.2.8. Real Estate.............................................................................................................20 3.2.9. Dealers in Precious Metals and Stones .................................................................21
4. Assessing and Mitigating Proliferation Financing Risks .................................22 4.1. International Obligations ..............................................................................................22 4.1.1. United Nations Security Council.............................................................................23 4.1.2. Financial Action Task Force...................................................................................24 4.2. Compliance with Local Requirements .........................................................................25 4.3. Proliferation Finance Risk Assessments and Risk-Based Approach ..........................26 4.3.1. Customer Risk........................................................................................................27 4.3.2. Product, Service, and Transaction Risk .................................................................28 4.3.3. Geographic Risk.....................................................................................................29 4.3.4. Delivery Channel Risk............................................................................................30 4.3.5. Operational Risk.....................................................................................................31 4.4. Mitigating Controls .......................................................................................................31 4.4.1. CDD and EDD Measures .......................................................................................31 4.4.2. Transaction Monitoring and Suspicious Transaction/Activity Reporting ................35 4.4.3. Targeted Financial Sanctions Obligations..............................................................36 4.4.4. Governance and Independent Audit ......................................................................38 4.4.5. Training ..................................................................................................................38 4.4.6. Record Keeping .....................................................................................................38

Page 3 of 59 CBUAE Classification: Public 5. Export Controls...................................................................................................39 5.1. General ........................................................................................................................39 5.2. Dual-Use or Controlled Goods.....................................................................................39 Annex 1. Select PF Threats Relevant to LFIs..........................................................41 Annex 2. FATF PF Typologies..................................................................................44 Annex 3. EOCN PF Risk Indicators..........................................................................46 Customer Risk Indicators ......................................................................................................46 Transactional Risk Indicators ................................................................................................47 Maritime Sector Risk Indicators.............................................................................................48 Trade Finance-Related Risk Indicators .................................................................................48 Annex 4. FATF Potential Indicators of Sanctions Evasion Activity (Mentioned in Third￾Party Reports) ...........................................................................................................50 Annex 5. EOCN PF Sanctions Evasion Red Flags and Typologies .......................51 Annex 6. PF-Related Reasons for Reporting ..........................................................52 Annex 7: Synopsis of the Guidance ........................................................................53

Page 4 of 59 CBUAE Classification: Public

1. Introduction The proliferation of weapons of mass destruction (“WMD”) poses a significant threat to global security and stability, as it is regarded not only as a matter of national security for individual countries, but also as a threat to international peace and prosperity. Over the last years, the global community has taken significant steps to prevent the spread of WMD, including through the adoption of a range of international treaties, resolutions, and initiatives. However, the financing of WMD proliferation remains a significant challenge on the world stage, and financial institutions (“FIs") play a critical role in detecting and disrupting illicit financing for proliferation activities. FIs are key players in the countering the financing of proliferation (“CPF”) regime, as they are uniquely positioned to identify, prevent, and disrupt illicit financing for proliferation activities, including by detecting and preventing the collection, storage, movement, and use of funds that may support the development or acquisition of WMD or their delivery systems. It is, therefore, paramount for FIs in the UAE to identify, understand, assess, and mitigate the risks stemming from proliferation financing activities as part of an effective anti-money laundering, counter the financing of terrorism, and countering the financing of proliferation (“AML/CFT/CPF”) regime in the UAE. 1.1. Purpose Article 44.13 of the Cabinet Decision No. (10) of 2019, as amended by Cabinet Decision No. (24) of 2022, Concerning the Implementing Regulation of Decree Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations charges Supervisory Authorities with “providing Financial Institutions…with guidelines and feedback to enhance the effectiveness of implementation of the Crime-combatting measures.” The purpose of this Guidance is to assist the understanding and effective performance by the United Arab Emirates Central Bank’s (“CBUAE”) licensed financial institutions (“LFIs”) and registered hawala providers (“RHPs”) of their statutory obligations under the legal and regulatory framework in force in the UAE, as detailed in section 1.3 below. It should be read in conjunction with the CBUAE’s Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations (issued by Notice No. 74/2019 dated 19/06/2019), Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions (issued by Notice 3090/2021 dated 29/06/2021) as amended, 1 and Executive Office for Control & Non-Proliferation (“EOCN”) Guidance on Counter Proliferation Financing for Financial Institutions (“FIs”), Designated Non-Financial Businesses and Professions (“DNFBPs”), and Virtual Asset Service Providers (“VASPs”), published in November 2022. 2 As such, while this Guidance neither constitutes additional legislation or regulation nor replaces or supersedes any legal or regulatory requirements or statutory obligations, it sets out the expectations of the CBUAE for LFIs to be able to demonstrate compliance with these requirements. In the event of a discrepancy between this Guidance and the legal or regulatory frameworks currently in force, the latter will prevail. This Guidance may be supplemented with additional separate guidance materials, circulars, and notices, and outreach sessions and thematic reviews conducted by the Central Bank.

1 Available at: https://www.centralbank.ae/en/cbuae-amlcft 2 Available at: https://www.uaeiec.gov.ae/API/Upload/DownloadFile?FileID=1852fefa-f0a7-4629-9515-78c13fd7354e

Page 5 of 59 CBUAE Classification: Public Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”)3 , other competent authorities and international best practices. These are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs and RHPs should perform their own assessments of the manner in which they should meet their statutory obligations consistent with their risk exposure. This Guidance comes into effect immediately upon its issuance by the CBUAE with LFIs expected to demonstrate compliance with its requirements within one month from its coming into effect. 1.2. Applicability Unless otherwise noted, this Guidance applies to all natural and legal persons, which are Financial Institutions or Licensees, or any other defined term which brings all entities within the scope of licensed and/or supervised entities by the CBUAE, in the following categories: • National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, payment token service providers, registered hawala providers; and • Insurance companies, agents, and brokers. CBUAE reaffirms its unwavering commitment to combating Proliferation Financing (“PF”), violations and any instances of non-compliance associated with this Guidance document with respect to PF and other related laws and regulations in the UAE pertaining to counter-illicit finance-related efforts may be subject to the measures outlined in Articles 13 and 14 of the AML-CFT Law. 1.3. Legal Basis This Guidance builds upon the provisions of the following laws and regulations: (i) Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and its amendments (“AML-CFT Law”); (ii) Cabinet Decision No. (10) of 2019, as amended by Cabinet Decision No. (24) of 2022, Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations (“AML-CFT Decision”) and its amendments; (iii) Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (UNSC) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution (“Cabinet Decision 74”), and its amendments; (iv) Cabinet Resolution No. (50) of 2020, concerning the control list annexed to Federal Law No. 13 for 2007 relating to commodities subject to import and export control; and (v) Federal Decree Law No. (43) of 2021 on the commodities subject to non-proliferation; and

3 For example, please see: https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-virtual-assets-2021.html

Page 6 of 59 CBUAE Classification: Public (vi) Notice No.: CBUAE/BIS/2023/5960, which mandates all LFIs to take steps to identify, assess, understand, and mitigate PF risks on an institutional level. 1.4. Acronyms Terms Description AML Anti-money laundering CBUAE Central Bank of the UAE CDD Customer due diligence CFP Countering proliferation financing CFT Countering the financing of terrorism CFZ Commercial Free Zone DNFBP Designated Non-Financial Business Profession DPMS Dealers in precious metals and stones DPRK Democratic People’s Republic of Korea (North Korea) EDD Enhanced due diligence EOCN Executive Office for Control and Non-Proliferation FATF Financial Action Task Force FANR Federal Authority for Nuclear Regulation FCA Federal Customs Authority FDI Foreign direct investment FI Financial institution FFI Foreign financial institution FFR Funds freeze report FIU Financial Intelligence Unit FTZ Free trade zone GCC Gulf Cooperation Council HIO Heads of international organizations ICP Federal Authority of Identity, Citizenship, Customs and Port Security KYC Know Your Customer LFI Licensed financial institution ML Money laundering MOCD Ministry of Community and Development MOD Ministry of Defence MVTS Money Value Transfer Services NPO Nonprofit organizations PEP Politically exposed person PF Proliferation financing

Page 7 of 59 CBUAE Classification: Public PNMR Partial name match report RBA Risk-Based Approach RFR Reasons for reporting RHP Registered hawala providers SAR Suspicious activity report SIRA Security Industry Regulatory Agency STR Suspicious transaction report TBML Trade-based money laundering TCSP Trust and company services providers TF Terrorism financing TFS Targeted financial sanctions UHP Unlicensed Hawala Providers UN United Nations UNSC United Nations Security Council UNSCR United Nations Security Council Resolution VA Virtual assets VASP Virtual Asset Services Providers WMD Weapons of Mass Destruction 2. Understanding Proliferation Financing PF is providing financial services for the transfer and export of nuclear, chemical, radiological, or biological weapons and their means of delivery. It involves, in particular, the financing of trade in proliferation sensitive goods, but could also include other financial support to individuals or entities engaged in proliferation. For the purposes of this Guidance, it is also important to understand the difference between proliferation financing (“PF”), money laundering (“ML”), and terrorist financing (“TF”), as each of these forms of illicit finance have distinct objectives and methods. PF, as defined by the FATF, refers to the “risk of raising, moving, or making available funds, other assets or economic resources, or financing, in whole or in part, to persons or entities for purposes of WMD proliferation, including the proliferation of their means of delivery or related material (including both dual￾use technologies and dual-use goods for non-legitimate purposes).” PF-related funding might occur at several stages and by various means, including through raising, moving, and using funds. ML, on the other hand, is the process of disguising the proceeds of illicit activity as legitimate funds, which is further defined in Article 2 of the AML-CFT Law, and takes place across three stages—placement, layering, and integration. ML has a number of characteristics in common with PF, as the methods used to conceal funds, such as the use of shell and front companies and complex ownership structures, may be similar to the methods used in ML. In addition, the proceeds of crime might also be used to finance proliferation activities.

Page 8 of 59 CBUAE Classification: Public Finally, TF is the act of providing funds or financial services to support terrorist activities, which consists of any of the acts mentioned in Articles 29 and 30 of Federal Law No. (7) of 2014 on Combating Terrorism Offences, as amended. Similar to PF, TF-related funding occurs across the stages of raising, moving, and using funds. 3. Understanding Risks Related to Proliferation Finance The FATF’s Guidance on Proliferation Financing Risk Assessment and Mitigation4 defines PF risk as a function of three factors: threat, vulnerability, and consequence. In the context of proliferation financing, these concepts can be understood as follows: • Threat refers to a person or group of people, object, or activity with the potential to cause harm to, for example, the state, society, the economy, or the international order, including persons or entities designated under PF-related targeted financial sanctions (“TFS”) (“PF-TFS”), their facilitators, their funds, as well as past, present, or future PF activities. • Vulnerability refers to something that can be exploited by a threat or that may support or facilitate the breach, non-implementation, or evasion of PF-TFS. For a country, vulnerabilities may include weaknesses in the laws or regulations that comprise a country’s national CPF regime, or contextual features of a country that may provide opportunities for designated persons and entities to raise or move funds or other assets. For private sector firms, vulnerabilities may include features of a particular sector or a financial product or type of service that make them attractive to a person or entity engaged or seeking to engage in the breach, non-implementation, or evasion of PF-TFS. • Consequence refers to the impact or harm that PF may cause, including the effect of the underlying proliferation activity on financial systems and institutions as well as the economy and society more generally. Specific consequences may include outcomes where funds or assets are made available to designated persons and entities, which could ultimately allow them to obtain materials or systems for developing and maintaining illicit nuclear, chemical, radiological, or biological weapons (or their means of delivery), or where the frozen assets of designated persons or entities are used without authorization for proliferation financing. The breach, non-implementation, or evasion of PF-TFS may also cause reputational damages to the country, relevant sector(s), or private sector firms, and may lead to sanction designations by the UN and/or national authorities. To be in a position to effectively understand and mitigate PF risks, LFIs should, first, identify the extent to which state and non-state actors attempt to abuse their institutions to procure or raise funds for the procurement or development of WMD and the corresponding systems of delivery. Second, LFIs should assess the policies, procedures, and controls in place to counteract those threats and undertake remedial actions where they identify gaps or weaknesses in the design or operating effectiveness of their CPF program. Finally, LFIs should continually monitor for emerging risks associated with PF, identifying trends, new methods used, and actors involved in potential PF activity, and should monitor for changes in applicable regulations and typologies so as to update and adjust their CPF programs accordingly. Please note, Annex 2 presents a detailed list of PF typologies identified by the FATF; Annex 3 presents PF-related risk indicators concerning customer risk, transactional risk, and risks specific to the maritime

4 Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Guidance-Proliferation-Financing-Risk-Assessment￾Mitigation.pdf.coredownload.pdf

Page 9 of 59 CBUAE Classification: Public sector and trade finance activity identified by the EOCN; Annex 4 presents potential indicators of sanctions evasion activity identified by the FATF, and Annex 5 presents PF sanctions evasion red flags and typologies issued by the EOCN. The following sections expand on a variety of specific threats and vulnerabilities associated with PF. 3.1. Threats Related to Proliferation Finance PF threats and related sources of funding mainly derive from three categories, i.e., financial products directly related to trade in PF-sensitive goods; revenue-raising activities; and the use of financial and corporate structures to support movement of funds and cash. • Regarding financial products directly related to trade in PF-sensitive goods, the main threats derive from trade finance-related financing, the use or misuse of financial products and services, and trades related to persons or entities subject to United Nations Security Council (“UNSC”) Resolutions (“UNSCRs”). • Second, revenue-raising activities may include the use of UAE-based front companies to raise revenue for sale of oil and petroleum-based products, cross-border smuggling of cash, gold or other high value goods to support state PF activities, real estate industry and/or related trades owned or operated by or on behalf of persons or entities subject to UNSCRs, cybercrime, restaurants or small to medium businesses which are largely cash-based businesses, wildlife trafficking, and drug trafficking. • Finally, financial and corporate structures to support movement of finances and cash may also be sources of PF, including the use of cryptocurrencies, use of local branches of banks and financial institutions based in countries of PF concern, use of hawala or bartering systems of value transfer, ease of use of front companies and shell corporations, use of Money Services Businesses for cash transfers for procurement of goods, and use of professional intermediaries and firms to mask end users. PF threats can be posed by state and non-state actors attempting to obtain WMD and their delivery systems or raising, moving, or using funds to procure such items. Under the FATF Standards, PF threats and CPF requirements are provided under the following UNSCRs: • UNSCR 1540 (2004), regarding non-state actors; • UNCSRs 1718 (2006), 2087 (2013), 2094 (2013). and 2270 (2016), regarding the Democratic People’s Republic of North Korea (“DPRK” or “North Korea”); and • UNCSR 2231 (2015), regarding the Islamic Republic of Iran (“Iran”). 5

5 On 18 October 2023, the FATF communicated to all member countries that UNSCR 2231 (2015) related to Iran has ceased to apply, which means FATF Rec. 7 no longer requires countries to apply TFS to individuals and entities designated under said Resolution, and FATF Rec. 1 no longer requires countries to assess and mitigate risks related to individuals and entities subject to said Resolution as they related to the breach, non-implementation and evasion of PF-TFS.

Page 10 of 59 CBUAE Classification: Public For the purpose of identifying, understanding, and assessing PF risks facing their own institutions, LFIs can include other applicable threats distinct from designated person and entities, such as key sectors, products, and services that are prone to abused for PF purposes. Annex 1 presents a detailed list of potential threats related to products and services that LFIs might offer, or that otherwise can be used for PF purposes. 3.2. Vulnerabilities Related to Proliferation Finance 3.2.1. Trade Finance Trade-based money laundering (“TBML”) and other forms of trade-based illicit finance involve the manipulation of trade transactions to disguise the true nature of the underlying financial activity and/or the identities of trade participants. In the context of PF, TBML may be used to facilitate the purchase or transfer of goods and services that are relevant to the development or acquisition of WMDs. This may involve the use of false invoices, undervalued or overvalued goods, or misrepresentations of the nature or purpose of the transaction. Notably, PF is often difficult to detect because illicit procurement looks like international trade, and the relevant networks must interact with the legitimate financial system. Figure 1 – This figure illustrates factoring a trade finance product utilized in a trade transaction. In this example, the exporter assigns the invoices issued to the importer to a financial institution that pays the exporter and will get paid by the importer when the invoices are due. In this case, the financial institution lacks visibility of the trade transaction between the importer and the third-party trader. LFIs involved in trade-finance activities may be at a heightened risk for PF activity, given the magnitude of funds involved in international transactions, the volume of international trade (especially that associated porter I porter E porter ships widgets worth AED million. E porter issues invoices to importer for AED million. Importer sells the widgets to a trader who then ree ports the widgets to a country where those widgets will be used for developing MDs. E porter assigns its outstanding invoices to bank A for AED , . The invoices provide a generic description of the widgets. Financial Institution

4

Page 11 of 59 CBUAE Classification: Public with prominent port facilities), and the ability of illicit actors to hide dual-use or restricted goods within shipments or to deliberately mis-identify them in accompanying trade documentation. As such, techniques involved in the exploitation of trade finance transactions for PF may resemble other types of illicit finance such as TBML, including over and under-invoicing and, perhaps most importantly in the PF context, the substitution of controlled or restricted goods for similar non-controlled or restricted goods. 3.2.2. Correspondent Banking Correspondent banking relationships involve the provision of financial services by one FI, the correspondent institution, to another, the respondent institution. In this capacity, the correspondent institution may provide an array of services including cash management, international wires, check clearing, and letters of credit. Correspondent banking services may present heightened risk insofar as it can involve the rapid and repeated transfers of large quantities of funds on behalf of parties that are not the direct customers of the correspondent institution. In the PF context, risks associated with facilitating international wires, check clearing, or providing trade facilities for dual-use, sensitive, or restricted goods underscore the importance of customer due diligence (“CDD”)/know-your-customer (“KYC”) measures, including the application of CDD/KYC as well as specific and enhanced due diligence (“EDD”) measures, as appropriate, to respondent institutions. Correspondent relationships can introduce additional illicit financing risk when one or more of the conditions below are present: • Foreign jurisdictions, including high-risk jurisdictions. Correspondent relationships involving provision of financial services to foreign financial institutions (“FFIs”) present heightened risks, as FFIs may not be subject to the same or equivalent laws, regulations, and supervisory expectations as domestic FIs, specifically for FFIs located in high-risk jurisdictions, as determined by the LFI. Accordingly, such FFIs may not have adequate CDD/KYC controls in place to detect PF. These risks can be heightened when involving foreign non-bank FIs, where compliance, transaction monitoring functions, and screening systems may be less robust. As such, it is important to know and understand the CDD/KYC controls of FFIs and foreign non-bank FIs in order to appropriately assess the risk posed by these correspondent relationships. • Foreign transfers. Correspondent banking relationships enable foreign transfers or the cross￾border movement of funds between FIs across different jurisdictions. In this case, proliferators can exploit correspondent banking relationships to engage in complex layering schemes, involving multiple intermediary banks across different jurisdictions or conducting circuitous transactions across different jurisdictions, thereby making it difficult to trace the source and end use of these funds. • Third-party transactions. Correspondent relationships involving the execution of payments or the provision of other services for the respondent institutions’ customers may allow a respondent FI’s customers access to the international financial system without first obtaining—or ensuring that the respondent FI has obtained—an adequate understanding of the customer’s identity and risk profile or ensuring the application of appropriate controls to manage such risks. As such, it is important to know and understand the location of those respondent institution customers, along with their business lines, and the underlying business relationship to determine whether such transactions are at a heightened risk for PF.

Page 12 of 59 CBUAE Classification: Public • Nested relationships. A correspondent FI may not be aware that the respondent FI is permitting other FIs to transact through the primary respondent FI’s correspondent account or relationship. These “downstream” or “nested” relationships place additional layers of intermediation between the correspondent FI and the underlying customer. This further increases the risk of a respondent FI allowing a customer access to the financial system without a proper understanding of the customer and/or adequate controls in place to manage that customer’s risk. Figure 2 – This figure illustrates a correspondent banking payment flow. In this transaction, the sender’s bank does not maintain a relationship with the receiver’s bank. Therefore, to transfer the funds, the sender’s bank uses a correspondent bank to transfer the funds to the receiver’s bank. 3.2.3. Hawala and Other Alternatives to Traditional Banking Products and Services The FATF defines hawala providers (and other similar service providers) as money transmitters, particularly those with ties to specific geographic regions or ethnic communities, that arrange for the transfer and receipt of funds or equivalent value and settle through trade, cash, and net settlement over a long period of time. While hawala providers—also known as hawaladars—may often use banking channels to settle between them, what makes them distinct from other money transmitters is their use of other methods, including trade, cash, and other methods that do not include the actual transfer of funds. 3.2.3.1. Registered Hawala Providers ender s ank in ountr Recei er s ank in ountr ender Sender s Bank and Receiver s Bank do not have a direct relationship. orrespondent ank in ountr The correspondent bank does not have access to the KYC information of the sender or receiver and as such does not know that the sender might be acting on behalf of an entity that is subject to targeted financial sanctions in Country B. Recei er Transfers AED 4. million to the receiver. Sender is a director of a company that is subject to targeted financial sanctions in Country B due to development of unconventional arms. Receives AED 4. million from the sender.

4

Page 13 of 59 CBUAE Classification: Public CBUAE permits legitimate hawala activity as an important element in its support of financial inclusion, and hawala activity is regulated by the Registered Hawala Providers Regulation issued by CBUAE (Circular No. 24/2019). 6 Under the Regulation, it is not permitted to carry out hawala activity without being registered with the CBUAE. While registration requirements mandate that such entities maintain compliance with all UAE-related AML/CFT laws and regulations, RHPs may service jurisdictions or customer segments (or “end-users”) that may present heighted PF risks. Moreover, similar to money value transfer services (“MVTS”) and exchange houses, RHP are considered high-risk despite the relatively small size of the sub-sector and should therefore be subject to enhanced procedures and controls as laid out in this Guidance and in the CBUAE’s Guidance for Registered Hawala Providers and Licensed Financial Institutions Providing Services to Registered Hawala Providers. 7 3.2.3.2. Unlicensed or Unregistered Hawala Providers Unlicensed hawala providers (“UHP”) are not permitted to operate in the UAE as they may service customer populations or jurisdictions without maintaining controls or compliance functions/reporting requirements, putting their transactional activity outside the purview of competent authorities such as supervisors and law enforcement. To the extent that actors involved in PF may seek to obscure the origins, destinations, and characteristics and details surrounding their transactions, UHP may provide an attractive vehicle for the transfer of illicit funds to high-risk PF jurisdictions, or for the purchase and payment of dual-use, sensitive, or restricted goods. LFIs should therefore have in place policies, procedures, and controls to detect and prevent relationships or transactions with or for UHP and, where appropriate, file a suspicious transaction report (“STR”) or suspicious activity report (“SAR”) with the UAE FIU. 3.2.3.3. Other Alternative Remittance Systems and New Technologies Other alternatives to banking products and services—such as those facilitated by online MVTSs, money services businesses, exchange houses, and VASPs—can be used by individuals and entities that seek to abuse the financial system to further WMD goals. Illicit actors typically aim to exploit institutions that are perceived as having little or no AML/CFT/CPF controls for the purposes of transferring value to proliferation actors, and certain payment channels, discussed below, are vulnerable to abuse by PF actors, largely due to their rapid money transmission services across international borders. • Money Services Businesses and Exchange Houses: As part of proliferation networks, illicit actors may exploit money services businesses and exchange houses to transfer, domestically or cross-border, cash to individuals or entities owned or controlled by proliferation actors. Illicit actors also exchange currency to procure or assist in procuring dual-use, controlled, or prohibited goods and services on behalf of proliferation networks. This can also involve structured payments to organised crime networks involved in revenue-raising activities.

6 Available at: https://www.centralbank.ae/media/qv1loqzu/registered-hawala-providers-regulation_0.pdf 7 Available at: https://centralbank.ae/media/b50eai4u/amlcft-guidance-for-registered-hawala-providers-and-lfis-providing-services-to￾registered-hawala-providers.pdf

Page 14 of 59 CBUAE Classification: Public • Virtual Asset Service Providers:8 Illicit actors are also increasingly exploiting VASPs and using VAs to transfer value and hide the identity of proliferation actors. Illicit actors can exploit VASPs based in jurisdictions with little or no regulatory oversight to provide products to designated persons and entities. Illicit actors use falsified or fake documents and identifiers to move and access funds, or employ obfuscating techniques, including using mixers, tumbler services, and anonymity￾enhanced VAs. • New Technologies: PF remains a global threat, with actors constantly adapting their methods to evade sanctions and export controls. New technologies like VAs and online fundraising platforms pose unique challenges due to their anonymity, ease of cross-border transactions, and difficulty in monitoring suspicious activity. Proliferators can exploit these platforms to raise funds and move them across jurisdictions, bypassing AML/CFT controls of regulated LFIs. Figure 3 – This figure illustrates a transaction involving an RHP. Sender in Country A sends value to the receiver in Country B through an RHP related to an unannounced project for the development of WMD in a third country. 3.2.4. Offshore Accounts Offshore accounts can be attractive for various financial activities, including legitimate business operations and wealth management. These features also make offshore accounts susceptible to abuse by leveraging the opacity and complexity of cross-jurisdictional regulations and the use of multiple FIs, accounts and corporate vehicles to obscure the trail of funds. Moreover, offshore financial centers may have regulatory

8 For more information on the risks related to VAs/VASPs, see the relevant CBUAE Guidance at: https://www.centralbank.ae/media/avwlktgy/cbuae-guidance-for-lfis-on-risks-related-to-virtual-assets-and-virtual-assets-providers_final￾clean-version1.pdf Sender in Country A Receiver in Country B The receiver in this case is paid for the work provided related to an unannounced project for the development of MD in a third country. Hawaladar A in Country A Hawaladar B in Country B Sends AED, provides passcode, and the name and city of the receiver. Recipient receives the AED funds converted into Pakistani Rupees after Hawaladar B deducts a commission. Hawaladar A contacts Hawaladar B and provides the information from the Sender. Receiver provides the passcode. No physical money is transferred, so Hawaladars A and B settle accounts periodically.

4

Page 15 of 59 CBUAE Classification: Public frameworks that are not fully aligned with international standards to combat PF, in addition to anonymity and secrecy often offered by some offshore jurisdictions. Proliferators and their networks may engage in cross-jurisdictional arbitrage and exploit regulatory gaps and AML/CFT/CPF deficiencies within specific financial sectors to transfer funds under the guise of legitimate businesses to procure WMDs or fund the procurement of WMDs. Figure 4 – This figure illustrates the way in which offshore accounts may be abused for PF purposes, including through using complex corporate structures to obscure a beneficial owner’s identity. In this scenario, the beneficial owner takes advantage of Country B with strong bank secrecy laws. The beneficial owner resides in Country A and sends funds to an offshore account in Country B where the corporate vehicle is registered. 3.2.5. Free Trade Zones Free trade zones (“FTZs”) are designated areas within countries in which incentives are offered to support the development of exports, foreign direct investment (“FDI”), and local employment. Incentives include exemptions from certain taxes, simplified administrative procedures, and the duty-free importation of raw materials, machinery, parts, and equipment. These conditions and the following factors internationally may also make such areas attractive to potential illicit actors: • Inadequate AML/CFT/CPF safeguards; • Relaxed oversight by competent domestic authorities; • Weak procedures to inspect goods and register legal entities, including inadequate record-keeping and information technology systems; and ffshore ccount in ountr eneficial ner in ountr Country B has strong secrecy laws that safeguard the identities of account holders. olding o pan Illicit Funds

4

Page 16 of 59 CBUAE Classification: Public • Lack of adequate coordination and cooperation between a FTZ and customs authorities.9 Commercial Free Zones (“CFZs”) may present opportunities for regulatory arbitrage whereby illicit actors seek to register in those jurisdictions where controls are perceived to be weak. Port facilities located within these jurisdictions may make certain zones potentially even more attractive to potential PF actors, especially if these facilities are less well-staffed with customs inspectors and related personnel when compared to mainland facilities or port facilities in larger CFZs. Figure 5 – This figure is an example of how FTZs could be used as a point of transshipment. In this case, the manufacturer in Country A exported widgets to the FTZ in Country B. A trader located in Country B keeps the widgets in the FTZ and reexports them to Country C. The importer in Country C pays the trader in Country B who then pays the manufacturer in Country A. In this case, the manufacturer does not know its widgets are sent to Country C. 3.2.6. Shell Companies, Front Companies, and Complex Ownership Structures Shell and front companies are ideal vehicles for nefarious actors to conduct illicit activities and conceal their true identities. Per FATF’s Concealment of Beneficial Ownership report published in 2018,10 shell and front companies are defined as follows:

9 FATF Report, Money Laundering vulnerabilities for Free Trade Zones, March 2010. https://www.fatf￾gafi.org/en/publications/Methodsandtrends/Moneylaunderingvulnerabilitiesoffreetradezones.html 10 Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/reports/FATF-Egmont-Concealment-beneficial-ownership-Executive￾summary.pdf Free rade one in ountr idget anufacturer in ountr idgets are e ported to an FTZ in Country B. idgets are e ported from FTZ to Country C. rader in F of ountr I porter in ountr

4

Page 17 of 59 CBUAE Classification: Public • Shell companies are incorporated entities with no independent operations, significant assets, ongoing business activities, or employees. LFIs should be aware that many offshore accounts are held by shell companies. • Front companies are fully functioning companies with the characteristics of a legitimate business, serving to disguise and obscure illicit financial activity. In addition to shell and front companies, proliferators exploit complex ownership structures in order to disguise their proliferation activities. Specifically, the FATF11 has indicated that designated persons and entities, including those persons and entities acting on their behalf, hide their beneficial ownership through opaque legal entities or arrangements and the use of nominee shareholders. 12 Proliferators have been found to engage in schemes through a combination of complex ownership structures, front companies, and shell companies located across different jurisdictions to eventually transfer funds to designated persons and entities for the purposes of obtaining funding or financing for WMD program activities or dual-use or proliferation sensitive goods. As in the AML/CFT context, conducting CDD/KYC and risk-based EDD measures from a CPF perspective is critical to identify, manage, and mitigate risk associated with PF. Specifically, LFIs should identify and verify the identity of beneficial owners of legal entity customers on a risk-sensitive basis (e.g., legal persons with complex ownership structures or from high-risk jurisdictions), including by lowering ownership percentage thresholds in line with a customer’s perceived risks and application of the risk-based approach (“RBA”). LFIs should also consider requiring the customer to provide the names of all individuals who own or control any share in the customer—without requiring them to undergo CDD—in order to conduct sanctions screening or negative news checks. Further information regarding beneficial ownership identification and verification can be found in the CBUAE’s AML/CFT Guidelines for Financial Institutions, sections 6.3.1 and 6.3.3, and Guidance for LFIs Providing Services to Legal Persons and Arrangements. 13

11 Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/Guidance-Proliferation-Financing-Risk-Assessment￾Mitigation.pdf.coredownload.pdf 12 Nominee shareholders are individuals who hold shares on behalf of the true beneficial owner. 13 Available at: https://www.centralbank.ae/en/cbuae-amlcft

Page 18 of 59 CBUAE Classification: Public Figure 6 – This figure shows how a criminal organization may use a front or shell company to conceal the illicit activity from an LFI by mixing licit and illicit earnings and depositing these proceeds into the LFI’s account. 3.2.7. Insurance and Reinsurance In the context of PF, insurance and reinsurance may be susceptible to abuse by illicit actors insofar as they are seeking to move goods and funds, insure illicit activities and goods, or manipulate insurance claims to obtain funds for PF purposes. Various methods of abusing the insurance sector exist, including by acquiring insurance or reinsurance policies for fictitious vessels, providing coverage for shipments involving high-risk goods, such as dual-use items, obscuring the true contents of an insured vessel, or falsifying information related to goods, shipments, or their intended use. Insurance and reinsurance companies, insurance agents and brokers, should be aware of the vulnerabilities of these products and implement effective measures to prevent illicit actors from abusing them to conduct PF activities. To mitigate the PF risks related to insurance and reinsurance products, including sanctions evasion risk, LFIs should consider: • Implementing EDD measures as appropriate for higher risk customers; • Conducting periodic refreshes on customers posing elevated levels of PF and sanctions evasion risk; and • Tailoring transaction monitoring and name screening scenarios to PF risks related to the insurance and reinsurance of goods. rade olutions onsulting Fir ( hell o pan ) ell or Procure ent of Prohibited or Dual Use oods

Uses shell company to obscure his identity as BO ank Licit and illicit earnings are deposited into the bank accounts of proliferator

4 eneral rading

(Front o pan ) ri inal rgani ation

Comingles licit funds earned by front company operations with with PF related funds

Page 19 of 59 CBUAE Classification: Public Specifically, insurers and reinsurers should review CDD and transactional information for the following red flag indicators:14 • Vessels that are registered under different “flags of convenience” while operating in the vicinity of high-risk PF jurisdictions; • Complex corporate structures, as well as the lack of due diligence into the third parties chartering vessels; and • Vessels with links to other vessels identified as involved in sanctions violations or sanctions evasion schemes. For further information on how to mitigate the PF risks related to the insurance sector, LFIs should consult the CBUAE’s Guidance on AML/CFT for the Insurance Sector, 15 and the EOCN’s Targeted Financial Sanctions Guidance for the Insurance Sector.16 Figure 7 – This figure illustrates the role of insurance companies in a trade transaction. Specifically, an insurance company may insure a vessel registered under a flag of convenience, where the beneficial owner’s identity is not disclosed to the insurance company. In this case, the beneficial owner may be a nefarious actor with ties to a sanctioned country (Country A) and who is seeking to use the goods transported on the vessel for PF activities.

14 See RUSI, Sanctions Evasion, Proliferation Finance, and the Insurance Industry (July 2018), available at: https://static.rusi.org/20180710_underwriting_proliferation_web.pdf 15 Available at: https://centralbank.ae/media/eyeeyagu/cbuae-aml_cft-guidance-for-the-insurance-sector.pdf 16 Available at: https://www.uaeiec.gov.ae/en-us/un-page?p=7#

Page 20 of 59 CBUAE Classification: Public 3.2.8. Real Estate The real estate sector may be susceptible to abuse by nefarious actors seeking to conceal illicit funds or finance proliferation-related activities. Real estate agents and brokers, in particular, may facilitate PF schemes through their involvement in property transactions which can involve substantial capital flows and asset transfers that can be exploited for PF activities. LFIs involved in financing real estate transactions or providing mortgage services are at risk of inadvertently facilitating PF through their indirect involvement via loans, credits, or other financial services linked to real estate. These vulnerabilities fall into two main categories: transactional methods and ownership structures. (1) Transactions Methods: • Cash Transactions: Like any other large transaction in cash, real estate transactions in cash pose a significant risk, as cash holds no record of its source or owner, and the purchase of real estate can be abused by proliferators to place large sums of cash into the financial system. • Over or Under-valuation of Properties: Proliferators may over- or under-value properties to facilitate PF. Manipulating the value of real estate properties (either inflating or deflating values) is a method to move funds under the guise of legitimate transactions. A buyer of under-valued property is able to receive value (profit) from the seller. A buyer of over-valued property is able to transfer value (profit) to the seller, which could be used as a means of payment for goods that are relevant to the development or acquisition of WMDs. • Use of Intermediaries: Real estate brokers and agents can be unwittingly used to mask the identities of buyers and sellers, thereby facilitating transactions that could support proliferation. The involvement of intermediaries adds layers of complexity that can hinder the tracing of illicit funds intended for PF activities. (2) Ownership Structure: • Shell Companies: Proliferators may use shell companies and business establishments to conceal the identity of beneficial owners when purchasing and selling real estate. The opaqueness of shell companies hinders the identification of individuals who may be linked to PF activities. • Complex Ownership Structures: Complex ownership structures in the real estate sector often involve the use of corporate vehicles (such as companies, trusts, and foundations) to hold property rights, often layered across multiple jurisdictions. These structures can obscure the true ownership of assets and the source and destination of funds, presenting challenges to detecting and preventing illicit financial flows. • Luxury Real Estate Market: Investing in high-value properties enables proliferators to move and store large sums of illicit funds and often requires multiple types of financing, further complicating efforts to identify the source of funds and ultimate beneficial owner. The luxury real-estate market also involves both high transaction values and international clientele, which can reduce the transparency within real estate transactions and the incentive for implementing appropriate CDD/KYC controls. Purchasing luxury real estate is often an investment strategy that can generate a large return, thus enabling proliferators to hide behind a legitimate premise for acquiring and selling property.

Page 21 of 59 CBUAE Classification: Public Figure 9 – This figure illustrates how real estate can be over-valued in order to use the profit gained from a sale for PF-related activities. In this case, the identity of the beneficial owner is obscured through corporate structures, and the beneficial owner uses the funds from the real estate sale to procure WMD materials. 3.2.9. Dealers in Precious Metals and Stones Precious metals and stones dealers, particularly those involved in gold trade are particularly exposed to PF risks given their intrinsic characteristics, such as high value, ease of trade, mutability, portability, liquidity, transferability, anonymity and availability in the UAE. As such, these items are particularly susceptible of being used in international trade transactions to obfuscate the BOs or as means of payment in order to fund the procurement or procure WMDs by State actors, particularly DPRK, and non-State actors, as highlighted by the UN Panel of Experts in 2019.17 LFIs providing services to dealers in precious metals and stones (“DPMSs”) or financing precious metals and stones (“PMS”) transactions might be unwittingly involved in PF activity by facilitating trade finance transactions or servicing customers dealing with these high-value goods. LFIs should implement commensurate EDD measures to understand the nature and business of a DPMS (e.g., whether the DPMS is involved in producing or mining, is a buyer or seller, refiner, intermediary, jewelry manufacturer, retailer, or dealer in the secondary market), including the DPMS’s customers, and should identify the origin and destination of the PMSs and how the PMSs are being financed or liquidated. In addition, LFIs should analyze and understand the DPMS’s policies, procedures and controls, as mandated for all DNFBPs, to assess whether a DPMS customer has in place appropriate measures to ensure their transactions are not being abused for PF purposes.

17 UN Panel Experts Report to President 2019; S/2019/171, available at: https://www.securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27- 4E9C-8CD3-CF6E4FF96FF9%7D/s_2019_171.pdf

Page 22 of 59 CBUAE Classification: Public Figure 10 – This figure illustrates how an illicit actor can finance PF-related activities by selling gold as part of international trade transactions. In this case, the beneficial owner of a mining company in Country A uses the funds from the sale of gold to a dealer of precious metals in Country B to procure WMD materials. 4. ssessing and itigating Proliferation Financing Risks 4.1. International Obligations The global CPF regime was first developed through United Nations Security Council Resolutions, with Resolution 1540 (2004) introducing the first global expectations on states to counter the financing of proliferation given concerns regarding non-state actors and WMD. 18 Subsequent resolutions created new requirements related to specific countries of proliferation concern, such as North Korea and Iran. At the same time, leading jurisdictions pushed for the FATF to become a forum for leadership and intergovernmental coordination, since the organization’s leading role on AML/CFT issues positioned it to address the financial flows that were still facilitating WMD proliferation despite expanding export control regimes. 19 The FATF has been a CPF standard-setter since 2008, with FATF Recommendations 1, 2, and 7 covering CPF issues, 20 as addressed in greater detail in following sections on this Guidance.

18 Andrea Berger and Anagha Joshi, Countering Proliferation Finance: Implementation Guide and Model Law for Governments, RUSI Guidance Paper (July 2017), available at https://rusi.org/explore-our-research/publications/special-resources/countering-proliferation-finance￾implementation-guide-and-model-law-governments. 19 Idem. 20 “International Standards on Combating Money Laundering and the Financing Of Terrorism & Proliferation: The FATF Recommendations,” Updated February 2023, available at https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html.

Page 23 of 59 CBUAE Classification: Public 4.1.1. United Nations Security Council The global framework to control PF includes UNSCRs and relevant national legislation and regulation that establish unilateral sanctions or export-control measures. All UN Member States are obliged to implement UNSCRs, but in practice not all jurisdictions have the necessary domestic legislation in place to do so comprehensively, and fewer enforce such legislation effectively. Even fewer still have published guidance for their respective financial sectors. All UN Security Council sanctions regimes include provisions for exceptions on humanitarian grounds, and jurisdictional requirements in these respects vary globally, which may give rise to additional complications in implementation. 4.1.1.1. Non-State Actors UNSCR 1540 (2004) constitutes the overarching global requirement related to PF. It focuses on malign activities and is not a state-specific sanctions resolution. There are no requirements, for example, to freeze assets of named individuals or entities under this Resolution. Rather, it mandates that states refrain from providing any form of support to non-state actors that attempt to develop acquire, manufacture, possess, transport, transfer, or use nuclear, chemical, radiological, or biological weapons and their means of delivery, particularly for terrorist purposes. In addition, it requires states to adopt and enforce appropriate laws. 4.1.1.2. North Korea Sanctions against North Korea under the UN Security Council’s 7 8 Committee combine targeted financial sanctions, activity-based sanctions, and sectoral sanctions. Resolution 1718 (2006) was issued in the aftermath of North Korea’s first nuclear test. The UNSC has issued nine subsequent sanctions resolutions, the most recent in 2017. Before 2016, measures were narrowly limited to prohibiting conduct connected to weapons proliferation and were enforced through targeted financial sanctions and a luxury goods ban. Since 2016, measures have included significant increases in the scope and nature of prohibitions, including a variety of sectoral and activity-based measures in addition to targeted financial sanctions. The Security Council’s Panel of E perts’ annual or bi-annual reports include details of attempts by North Korean actors to raise revenue by hacking into banks (including through vulnerabilities in the SWIFT network) and into cryptocurrency exchanges. As noted above, in the case of North Korea, revenue generation is generally categorized as PF, and if cryptocurrencies become commonly used for trade finance, they can be expected to become a significant element of PF in this respect as well. The UAE does not house a North Korean embassy or maintain diplomatic ties with the DPRK. However, there may be potential vulnerabilities especially for those FIs processing or facilitating transactions associated with trade finance (see section 2.2.1 above). The DPRK is known to “re-flag” vessels and engage in ship-to-ship transfers, especially of petroleum products, to obscure their ultimate destination and/or origins. As of the date of this Guidance, the DPRK is listed on the FATF List of Jurisdictions Subject to a Call for Action, also known as the FATF “Black List,” due to serious strategic deficiencies in the country’s AML/CFT/CPF regime. The DPRK is also included on the EU’s list of high-risk third countries having strategic deficiencies in their regime on AML/CFT. 4.1.1.3. Iran

Page 24 of 59 CBUAE Classification: Public FIs should be aware of the potential vulnerabilities associated with processing or facilitating Iran transactions associated with trade finance (see section 2.2.1 above), and should put in place controls to mitigate the PF risks. With the passage of UNSCR 2231 (2015) and implementation of the Joint Comprehensive Plan of Action (“JCPOA”), also known as the Iran Nuclear Deal, on January 16, 2016, most United Nations sanctions relating to Iran’s nuclear activities were formally lifted. The few outstanding sanctions were lifted on the transition date in October of 2023. However, unilateral and multilateral sanctions relating to Iran’s conventional weapons or ballistic missile activities remain in place. Moreover, Iran remains on the FATF list of High-Risk Jurisdictions subject to a Call for Action. While UAE entities are not bound by the sanction regimes of other countries, there may be potential secondary sanctions implications for engaging in significant transactions violating U.S. sanctions. 4.1.2. Financial Action Task Force The FATF plays an important role in assessing countries’ technical compliance with and effective implementation of targeted financial sanctions pursuant to UNSCRs relating to the prevention, suppression, and disruption of proliferation of WMD and its financing. 4.1.2.1. Recommendations 1, 2, and 7 Recommendation 1 (Assessing National Risks) and its interpretive note were updated in 2020 and requires countries, FIs, DNFBPs, and virtual asset service providers (“VASPs”) to identify, assess, understand, and mitigate their PF risks.21 Recommendation 2 (National Cooperation and Coordination) requires countries to adopt risk-based policies to combat illicit financing threats (including PF) and to designate an authority to review and update policies and ensure that all relevant competent authorities can cooperate and exchange information regarding the development and implementation of policies and activities to combat PF. Recommendation 7 (TFS related to Proliferation Financing) requires countries to implement TFS relating to the prevention, suppression, and disruption of proliferation and its financing. Generally speaking, countries are required to immediately freeze the funds or other financial assets of any person or entity designated by a UNSCR related to PF and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of such a person or entity (including through persons providing support for, acting on behalf of, or owned or controlled by designated parties or assisting them in evading sanctions requirements). 22 4.1.2.2. Immediate Outcome 11 To demonstrate an effective CPF system under Immediate Outcome (“IO”) 11, persons and entities designated by the UNSCRs on proliferation of WMD must be identified, deprived of resources, and

21 FATF’s revised Recommendation 1 and Interpretative Note 1 require countries, financial institutions, DNFBPs, and VASPs to identify, assess, understand, and mitigate PF risks. For more information, please refer to: https://www.fatf￾gafi.org/en/publications/Financingofproliferation/Proliferation-financing-risk-assessment￾mitigation.html#:~:text=The%20FATF%20recently%20revised%20its,mitigate%20their%20proliferation%20financing%20risks. 22 For more information related to specific measures related to TFS for DPRK and Iran, refer to Recommendation 7 of the “International Standards on Combating Money Laundering and the Financing Of Terrorism & Proliferation: The FATF Recommendations,” Updated February 2023, available at https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html.

Page 25 of 59 CBUAE Classification: Public prevented from raising, moving, and using funds or other assets for PF. TFS must be fully and properly implemented without delay and monitored for compliance, and countries must establish adequate cooperation and coordination between the relevant authorities to prevent sanctions evasion and develop and implement policies and activities to combat the financing of PF.23 4.1.2.3. Related FATF Guidance The FATF’s 2018 Guidance on Counter Proliferation Financing24 assists jurisdictions in understanding and identifying the threat from PF. The guidance extends to UNSCR sanctions on North Korea and Iran not covered by Recommendation 7, such as activity-based and sectoral sanctions. The FATF’s 2021 Guidance on Proliferation Financing Risk Assessment25 complements the above and contains guidelines for countries, FIs, DNFBPs, and VASPs to conduct national or institutional PF risk assessments. The FATF’s 2008 Proliferation Financing Report26 lays out red flag indicators related to PF, provided in Annex 2 of this Guidance. 4.2. Compliance with Local Requirements The UAE legal and regulatory framework counters PF through the implementation of targeted financial sanctions related to PF, export controls, and AML/CFT preventive and detective measures that assist public authorities and private sector entities in preventing, suppressing, and disrupting the proliferation of WMD and its financing. Key elements of the UAE CPF framework include: • Federal Decree Law No. (20) of 2018, Article 16.e.1 specifies that FIs and DNFBPs shall undertake “Prompt application of the directives when issued by the competent authorities in the state for implementing the decisions issued by the UN Security Council under Chapter (7) of UN Convention for the Prohibition and Suppression of the Financing of Terrorism and Proliferation of eapons of Mass Destruction, and other related directives”. • Federal Decree-Law No. (20) of 2018, Article (28) of which provides for a penalty of imprisonment of no less than a year and no more than (7) years, or a fine of no less than AED 50,000 for anyone who violates any of the directives of Chapter 7 of the UN Convention for the Suppression of the Financing of Terrorism and Proliferation of WMD and other related directives. • UAE Cabinet Decision No. (74) of 2020, concerning the implementation of UNSCRs on the suppression and combating of terrorism, terrorist financing, and countering the proliferation of WMD, is central to the UAE’s framework for countering the proliferation of WMD.

23 Immediate Outcome 11 of the “International Standards on Combating Money Laundering and the Financing Of Terrorism & Proliferation: The FATF Recommendations,” Updated February 2023, available at https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf￾recommendations.html. 24 Available at: https://www.fatf-gafi.org/en/publications/Financingofproliferation/Guidance-counter-proliferation-financing.html 25 Available at: https://www.fatf-gafi.org/en/publications/Financingofproliferation/Proliferation-financing-risk-assessment-mitigation.html 26 Available at: https://www.fatf-gafi.org/media/fatf/documents/reports/Typologies%20Report%20on%20Proliferation%20Financing.pdf.

Page 26 of 59 CBUAE Classification: Public • Cabinet Resolution No. (50) of 202027 contains the list of strategic and dual-use goods controlled under UAE law. • Federal Decree Law No. (43) of 2021 concerns commodities subject to non-proliferation and provides for restriction of certain commodities and the issuance of permits to trade in such items. 4.3. Proliferation Finance Risk Assessments and Risk-Based Approach Under Article 4 of the AML-CFT Decision, any LFI is required to identify, assess, and understand its ML/TF risks. For this purpose, and pursuant to Notice No. CBUAE/BIS/2023/5960, LFIs should also perform, document, and keep up to date an institutional-level risk assessment that includes identifying, assessing, understanding and mitigating risks related PF, and have the appropriate mechanisms to provide PF risk assessment information to the CBUAE. An LFI’s risk assessment should be based on a comprehensive understanding of the PF threats and vulnerabilities, including the methods, actors, and networks involved in financing proliferation activities28 . When assessing inherent risks, LFIs should also consider the results of the Proliferation Financing National Risk Assessment (PFNRA) or any Topical Risk Assessment, as well as information from official sources, including the Supervisory Authorities, the FIU, the FATF, MENAFATF and other FSRBs, the Egmont Group, etc. Specifically, LFIs should consider PF risk factors arising in relation to their: • Customers; • Products, services, and transactions (new and existing); • Delivery channels (new and existing); • Geographic locations and markets; and • Operating structure (such as cyberthreats). Risk assessments should be an ongoing process, and should be reviewed regularly to ensure that they remain relevant and effective. LFIs should also ensure that their risk assessments are integrated into their overall risk management frameworks. LFIs should incorporate the outcomes of their controls, like the number of PF-related alerts generated by the transaction monitoring system, into their PF risk assessment. LFIs should apply risk mitigation methods that are appropriate to the types and levels of risk identified in their institutional risk assessment. PF risk management should be incorporated into an FI’s larger counter￾illicit finance program, and institutions can use many of the same controls to mitigate and manage their PF risk that they already employ for ML/TF and sanctions purposes. LFIs should consider, however, the following aspects of an effective program specifically in connection with PF risks: • Use of technology to detect sanctions evasion behavior: LFIs with higher risks should consider the use of data analysis programs that detect linkages, patterns, and relationships between or among networks. • Incorporating PF-specific information in the CDD process: Based on their risk assessments, LFIs should adapt their onboarding and CDD processes to collect additional information that may help to more accurately risk-rate customers for PF risk and develop detailed customer risk profiles.

27 Available at: https://www.uaeiec.gov.ae/en-us/un-page?p=7 28 Please refer to the EOCN PF Institutional Risk Assessment Guidelines, for further details online of questions to assess customers’ exposure to PF risks. Customer risk also includes a customer’s business activity, occupation and/or industry.

Page 27 of 59 CBUAE Classification: Public • Including PF risk in correspondent banking risk-ratings and EDD: Correspondent banking relationships are one of the main sources of PF risk for LFIs, but not all relationships present equal risk. LFIs should ensure that their risk-rating and EDD processes for correspondent banking relationships consider, assess, and manage PF risk. • Training to the FI’s leadership and staff at all levels on PF-related issues: Effective PF training should go beyond internal list-based screening processes to cover PF risks and sanctions evasion typologies, the findings of the LFI’s PF risk assessment, and the controls the institution has put in place to manage PF risk. The following sections provide further detail regarding PF-specific risks that LFIs should account for identifying, understanding, assessing, and mitigating PF risks. 4.3.1. Customer Risk Individuals and entities already designated for their involvement in PF activities clearly present prohibitive risks to LFIs, but LFIs should also be aware of the risks of providing financial services to individuals that are associated with designated persons and to entities that are owned or controlled by sanctioned parties. PF risk can also impact an LFI through its customers in certain business sectors or industries. These customers may include, for instance, producers of sensitive goods, producers of dual-use goods, and companies or institutions involved in advanced research. Shipping companies and general trading companies, particularly those serving high-risk regions, may also present significant PF risk. Such customers, particularly those that produce dual-use goods, or trade dual-use goods, may not be familiar with relevant import/export requirements and controls and may be unaware of the need to implement their own CPF safeguards, thus presenting higher risk to LFIs. Additionally, proliferation networks often rely on shell and front companies to mask end users and to disguise payments. These companies present higher levels of PF risk for a number of reasons including their potential roles in PF-related activities and schemes. Published case studies29 suggest that the following customer types may present higher levels of PF risk: • Parties with links to a country that is of PF concern, for example, dual national and entities owned by companies in the country of concern. • Producers of dual-use (sensitive or restricted) goods. • Small and medium-sized trading companies, particularly if they switch business to trade in potentially proliferation-sensitive goods or materials. • Customers who use personal accounts for trade or business-related transactions. • Customers who largely conduct cash-based businesses and originate from, reside or are associated with high-risk jurisdictions for TF/PF. • Shell and front companies. • Newly incorporated entities with no known background/history.

29 Available at: https://www.kcl.ac.uk/csss/assets/study-of-typologies-of-financing-of-wmd-proliferation-2017.pdf

Page 28 of 59 CBUAE Classification: Public • Shipping and logistics companies, particularly if they are identified as consignees on shipping documentation. • Entities operating in the maritime sector, through which proliferation actors can both move components and materials necessary for proliferation and generate funds for PF though economic activities through otherwise licit activities, such as the sale of natural resources. • Academic and research institutions, as there have been cases of such entities—particularly state￾owned institutions—procuring sensitive goods and materials on behalf of sanctioned WMD programs. • Among DNFBPs, including trust and company service providers (“TCSPs”) and DPMSs, which have been abused by proliferation actors to conceal their interests in a transaction (through the creation of shell or front companies) and to move funds across borders through the purchase and sale of gold, diamonds, and other precious metals and stones. • VASPs, which can allow proliferators to move funds across borders instantly, can provide access to fiat currencies, and have been abused to launder proceeds of crimes committed to support proliferation. Certain customer behavior may also indicate higher levels of risk and thus require additional scrutiny, including cross-border transactions involving legal persons and arrangements or multiple shell or front companies; high transaction volumes involving individuals acting on behalf of legal persons or arrangements; and customers who frequently transact with high-risk countries or whose transaction behavior is not related to their stated business purposes. Additional PF-related customer risk indicators identified by EOCN are presented in Annex 3 of this Guidance. LFIs should be cognizant of customer types that pose an elevated risk for PF and should assess the risk of these customers who may seek to or be part of schemes that involve obtaining funding or financing for WMD program activities or dual-use or proliferation sensitive goods or services. 4.3.2. Product, Service, and Transaction Risk Certain trade finance transactions implicating controlled goods or technology present elevated PF risks for LFIs because these transactions are often complex in ways that allow individuals and entities to mask their intentions or underlying illicit activities. Likewise, correspondent banking services are an important source of PF risk. Activities such as clearing intermediary wires can expose an LFI to additional risk because the institution should process or execute transactions for its customer’s customer. In such circumstances, the LFI will lack a complete understanding of the customer and the customer’s transactional history and should therefore rely on its respondent to apply effective, risk-based AML/CFT/CPF preventive and detective measures. Although trade transactions have traditionally been associated with letters of credit and documentary collection, trade transactions have increasingly relied on the use of “open account” cross-border wire transfers. This development poses challenges to risk management. Although wire transfers are generally less complicated mechanisms of financing trade transactions and can be processed more quickly and easily, it is often more challenging for FIs to obtain sufficient information to understand the purposes of transactions, the underlying goods or services paid for by the transactions, the shipping or transportation

Page 29 of 59 CBUAE Classification: Public of the goods involved, and other parties related to the transactions (e.g., importers and exporters). By contrast, illicit activity is generally more difficult to execute through traditional trade finance instruments such as letters of credit precisely because of the extensive documentation and diligence usually associated with issuing and processing these instruments. Trafficking of dual-use or proliferation-sensitive goods and materials is typically funded or financed in the same way as legitimate international trade, through open-account transactions (cross-border wires) or trade finance mechanisms. According to the International Chamber of Commerce, 80 percent of international trade takes place on open account terms, however, wire transfer messages (e.g., SWIFT messages) related to such transactions contain little information about the nature of the underlying transactions. LFIs are better placed to assess PF risk of international trade conducted using documentary trade finance mechanisms. These documents typically provide information about the type and quantity of goods and materials involved, the identities and locations of buyers and sellers, the shipping routes, the destinations and the names of vessels and shipping companies. However, this documentation may still not describe the contents of shipments in a way that enables them to be easily identified as proliferation-sensitive dual-use goods and materials. LFIs should be cognizant of those product and services that pose an elevated risk of abuse for PF and should assess the risk that products and services they offer may be used to obtain funding or financing for WMD program activities or obtain dual-use or proliferation sensitive goods or services critical to the programs. An LFI’s enterprise-wide ML/TF/PF risk assessment or standalone product risk assessment should evaluate the PF risk associated with a new product before the product is launched. The risk assessment should periodically assess the ML/TF/PF risk of all products and services the LFI offers. LFIs should place special focus, among others, on: • Traditional/documentary/open account trade finance;30 • Cross-border wires, including those related to trade and those that may be related to the sending of proceeds of criminal activity to intermediary countries; • Correspondent banking services; and • Products and services related to VA. PF-related risk indicators specific to the maritime sector, trade finance services, and specific types of transactions are presented in Annex 3 of this Guidance. 4.3.3. Geographic Risk Although only a relatively small number of countries have developed illicit WMD programs, activities related to these programs can span the globe due to the volume and transnational nature of international shipping and trade, flexible trade finance agreements (e.g., open-trade accounts), and correspondent and nested banking relationships. As such, no country is immune to PF risk, and some face heightened exposure based upon their location vis-à-vis major trade routes and/or proximity to other jurisdictions of PF concern.

30 Please note, the LFI may seek to engage in a sampling methodology to verify shipment documentation by an independent source.

Page 30 of 59 CBUAE Classification: Public Countries led by governments that are known or strongly suspected to be developing WMD present the highest geographical risk for FIs, particularly where these countries have been subject to UNSCR sanctions programs (i.e., North Korea). When UN sanctions were in place, the sourcing, shipment, and financing of proliferation-sensitive goods, materials, and technologies carried out by Iran’s nuclear procurement networks—and related sanctions￾evasion activities—extended to Europe, North America, and Asia, according to reports of the UN Panel on Iran. Similarly, North Korea’s MD procurement and sanctions-evasion networks also extend globally, as documented by the UN Panel on North Korea. Assessments of PF risk at the jurisdictional level should therefore take account the potential global reach of WMD procurement and financing networks. Geographic risk is not restricted to proliferating countries themselves. Countries and terrorist groups rely on transnational connections to procure illicit goods and services. For instance, North Korea relies on extensive corporate networks hosted in China, Hong Kong, Singapore, and Malaysia; in China, related companies are especially active in Liaoning and Jilin provinces.31 Proliferators may aim procurement efforts at countries with weak export control laws, and they may choose to have sensitive or dual-use items delivered initially to transshipment hubs rather than directly to their home countries. The UAE lies directly across the Persian/Arabian Gulf from Iran and is a significant partner for international trade, increasing the UAE’s potential e posure to sanctioned persons or entities in the region as well as to international trade and financial flows that carry heightened PF risks. LFIs should be cognizant of proliferating countries and the geographic risks posed by transnational connections that illicit actors seek to exploit when funding or financing WMD program activities or obtaining dual-use or proliferation sensitive goods or services. 4.3.4. Delivery Channel Risk Delivery channel risk stems from the e tent to which an LFI’s methods of account origination, account servicing, and transaction facilitation limit its understanding of its customers’ identities, activities, and counterparties. The following are key drivers of inherent ML/TF delivery channel risk: • Use of non-face-to-face channels; • Proportion of unsolicited (e.g., walk-in) customers; • Reliance on delivery by or through a third party; and • Near-instantaneous or irrevocable settlement or processing (also a driver of product and service risk). Services provided through higher-risk delivery channels are more susceptible to abuse by illicit actors, including, in the PF context, persons and entities subject to PF-related targeted financial sanctions and those providing support for, acting on behalf of, or owned or controlled by designated parties or assisting them in evading sanctions requirements. LFIs should be cognizant of delivery channels that pose an elevated risk of abuse for PF and should assess the risk that delivery channels can be used to obtain

31 Emil Dall, Tom Keatinge, and Andrea Berger, Countering Proliferation Finance: An Introductory Guide for Financial Institutions, RUSI Guidance Paper (April 2017) at 12 and 26, https://rusi.org/sites/default/files/201704_rusi_CFP_guidance_paper.1_0.pdf.

Page 31 of 59 CBUAE Classification: Public funding or financing for WMD program activities or for obtaining dual-use or proliferation sensitive goods or services critical to the programs. 4.3.5. Operational Risk Operational risk is a concept in enterprise-wide risk management that encompasses risks of loss and disruptions to business that stem from ineffective or failed internal processes, people, or systems or from external events. In the AML/CFT/CPF context, operational risk is a function of the stability of an institution’s compliance staff, systems, and policies; the stability of its exposure to the other risk categories such as customers; and whether the institution has experienced risk events such as a hack or other malicious cyber event. With respect to PF risks specifically, LFIs should identify, understand, assess, and mitigate risks associated with: • Inadequate or fluctuating staffing levels in key CPF control functions; • Material changes in the size or composition of the customer base; • Fluctuations in sanctions screening, customer risk rating, and other technological systems or models used to support CPF compliance; • The emergence of backlogs of transaction monitoring alerts or CDD/KYC refreshes; • The occurrence of PF-related internal or external risk events, including material compliance breaches and changes to the risk or regulatory environment; and • Lower levels of understanding and application of CPF controls amongst employees, due to lack of training and familiarization with PF red flags and CPF regulatory requirements. 4.4. Mitigating Controls Effective risk mitigation is critical to protecting the LFI, complying with its legal obligations, and meeting supervisory expectations. LFIs should establish policies, procedures, and processes to understand their risk and take effective, risk-based steps to protect themselves from abuse and from illicit actors and transactions. The sections below discuss how LFIs can apply specific preventive measures to identify, manage, and mitigate PF risks. LFIs should consult the legal and regulatory framework currently in force. The controls discussed below should be integrated into the LFI’s larger AML/CFT program and supported with appropriate governance and training. 4.4.1. CDD and EDD Measures 4.4.1.1. General CDD Measures Customer due diligence (“CDD”), and where necessary enhanced due diligence (“EDD”), are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. Under Article 5 of AML-CFT Decision, LFIs must conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. An LFI’s CDD program should cover, at a minimum: • Customer identification and verification;

Page 32 of 59 CBUAE Classification: Public • Beneficial ownership identification and verification; • Understanding the nature and purpose of the customer account and relationship for the purpose of establishing a risk profile (see also section 3.4.2 below); and • Ongoing monitoring, including periodic and event-driven updating of customer and beneficial ownership information and the customer risk profile throughout the business relationship. Utilizing the information collected through general CDD, an LFI should screen the following parties against lists of sanctioned persons, internal watchlists (such as lists of customers previously exited for financial crime reasons), and, on a risk basis, relevant ML/TF/PF information sources (such as negative media databases) prior to a customer’s onboarding: • All customers, regardless of risk rating or risk profile; • Beneficial owners of legal entity customers (natural persons); • Natural persons appointed to act on behalf of the customer (agents acting on behalf of customers); • Directors, partners, and managers of customers that are legal persons; and • Natural persons having executive authority over customers that are legal arrangements, including individuals with power of attorney. With respect to sanctions lists, the parties listed above should be screened prior to a customer’s onboarding and on an ongoing basis. To support this effort, all systems containing customer data and transactions need to be mapped to an LFI’s screening system to ensure full compliance. The results of screening and assessment by the LFI should be documented. LFIs should consult the UAE legal and regulatory framework currently in force and related CBUAE Guidance for a full discussion of their CDD obligations and of the CBUAE’s e pectations for CDD procedures. Consistent with local regulatory requirements, all LFIs must ensure compliance, where applicable, with Recommendation 10: Customer Due Diligence, as outlined in the FATF 40 Recommendations. Additional detail regarding general CDD measures is available in the CBUAE’s AML/CFT Guidelines for Financial Institutions, sections 6.1 through 6.3. 4.4.1.2. Establishing a Customer Risk Profile that Incorporates PF Risks Under Article 8 of the AML-CFT Decision, LFIs are required to understand the nature of the customer’s business and the nature and purpose of the LFI’s relationship with the customer, including the expected uses to which the customer will put the LFI’s products or services. This step requires the LFI to collect information that allows it to create a risk profile of the customer, including the types and volumes of transactions the customer is expected to engage in for each customer account, and to assess the risks associated with the relationship. Establishing a risk profile that incorporates a customer’s PF-specific risk attributes is a critical component of effective CPF measures for FIs and can include assessing and assigning risk ratings to customers based on their potential exposure to proliferation financing activities. Customer risk rating enables FIs to prioritize their resources and efforts in managing PF risks and helps identify and allocate appropriate levels of due diligence, monitoring, and mitigation measures based on the types and levels of a customer’s risk.

Page 33 of 59 CBUAE Classification: Public LFIs should consider various PF risk factors when assigning customer risk ratings. Key risk factors, among others, include: • Customer-specific attributes, including the customer’s background, ownership structure, geographic location, and business activities. Factors such as involvement in high-risk sectors32 , presence in high-risk jurisdictions, or connections to politically exposed persons (“PEPs”) can increase the risk rating. • Transactional behavior, particularly the customer’s transaction history, including the frequency, volume, and nature of transactions. Unusual transaction patterns, such as large or rapid fund transfers, transactions involving dual-use goods, or transactions with high-risk jurisdictions, may elevate the risk rating. • Red flags and risk indicators, including involvement in sanctioned or embargoed countries, presence on watchlists or control lists, or connections to entities or individuals involved in proliferation activities. • External factors such as industry-specific risks, regulatory changes, or geopolitical developments that may impact the customer’s risk profile. Although LFIs are not necessarily expected to have a dedicated customer risk rating methodology for PF risks, they should incorporate PF risk factors into internal processes or methodologies for establishing an overall customer risk profile and provide clear guidelines for segmenting customers and assigning risk ratings, scores, or levels. The methodology may take into consideration the following: • Risk categories: Define risk categories (e.g., low, medium, high) based on the institution’s risk appetite and regulatory requirements. Each category should have predefined criteria aligning with the identified risk factors. • Scoring system: Develop a scoring system to assess the risk factors and assign a numerical score to each factor. The cumulative score can then be used to determine the overall risk rating for the customer. • Risk rating scale: Define a risk rating scale corresponding to the risk categories, indicating the level of scrutiny and control measures required for each rating. This scale should align with the institution’s risk management framework. 4.4.1.3. EDD Measures for Heightened PF Risks The AML-CFT Law and the AML-CFT Decision impose EDD obligations on LFIs with respect to three classes of customers or transactions: • Customers that are PEPs, which include the direct family members or associates known to be close to the PEPs (AML-CFT Decision, Article 15); 33

32 As per best practice, consideration of a customer’s industry codes (HS Codes – Harmonized System Codes) can allow for targeted approaches to a specific customer set with PF-related questions, such as by helping determine the specific technology or equipment the customer is manufacturing or trading to determine whether the customer is exposed to heightened PF risks. 33 For more information on PEPs, please refer to CBUAE’s Guidance for LFIs on the Risks Relating to PEPs, available at: https://www.centralbank.ae/media/tvdchxqk/amlcft-guidance-for-licensed-financial-institutions-on-the-risks-relating-to-politically-exposed￾persons.pdf

Page 34 of 59 CBUAE Classification: Public • Business relationships and transactions with natural persons, legal persons, or legal arrangements from high-risk countries (AML-CFT Decision, Article 22); and • Correspondent banking or other similar relationships (AML-CFT Decision, Article 25). In addition to these classes of customers and transactions, for which EDD is mandatory, LFIs are expected to implement appropriate policies and procedures to determine whether relationships with or transactions undertaken for or on behalf of a customer present a higher risk for illicit finance. In the PF context specifically, where an LFI has determined that a customer or beneficial owner presents heightened risks for PF, or where it is required under UAE laws and regulations, LFIs should take the following steps: • Obtain senior management approval before establishing a business relationship or continuing an existing one. The specific senior management member within the LFI who shall be responsible for approving these relationships will vary based on the LFI’s own unique governance arrangements. If the approving member represents the business (e.g., the Chief Executive Officer, Chief Operating Officer, or Business Unit Head) as opposed to the compliance function (e.g., the Compliance Officer), the LFI’s policies and procedures should clearly require that the head of the LFI’s compliance function give an opinion as to whether the risk associated with the customer is acceptable. When approving an existing relationship with a customer identified as high risk for PF, senior management should be notified required by policy to approve the continuance of the relationship. • Take risk-based measures to establish the source and destination of funds. This requirement encompasses two distinct concepts: o Source of funds: The direct source of the funds that are used to initially fund the account and of any funds that are transacted through the account during the course of the business relationship. o Destination of funds: The final destination of the funds used for the customer’s transactions during the course of the business relationship. In both cases, where the LFI receives insufficient, implausible, inconsistent, or potentially suspicious information regarding the source or destination of funds, it should consider additional measures to corroborate such sources using independent documentary or non-documentary sources (or a combination). • Ascertain whether the customer conducts business in a high AML/CFT-risk jurisdiction, a jurisdiction of PF concern, or a third-party jurisdiction in close proximity to a jurisdiction of PF concern. On a risk basis, LFIs should collect and maintain up-to-date information on the main geographic locations where a customer operates and/or conducts business in order to determine, on a risk-sensitive and case-by-case basis, if individual transactions to high-risk PF jurisdictions are legitimate, consistent with the stated purpose, and within the LFI’s risk tolerance. • Conduct enhanced ongoing monitoring of the relationship. LFIs should perform risk-based ongoing monitoring of the business relationship for all customers. In cases of heightened PF risk, LFIs should consider: o Subjecting the customer file to more frequent review and updating, including a manual review of transactions. All customer files should be reviewed on a risk-based schedule. For customers

Page 35 of 59 CBUAE Classification: Public presenting the highest PF-related risks, reviewing the file as frequently as every six or nine months may be appropriate. This review should also include a review of substantial transactions on the account to ensure that they are consistent with information provided by the customer regarding expected activity and the jurisdiction(s) where it conducts business or has physical presence. o Applying risk-based transaction monitoring rules calibrated to address specific PF risks and typologies. Where automated transaction monitoring systems allow it, LFIs should apply PF￾specific monitoring rules to all customers. These rules should have more sensitive thresholds for alerts. o Requiring pre-approval for atypical transactions. It may be appropriate for LFIs to require pre￾approval from the compliance function for any transactions that falls out of the customer’s ordinary behavior, that not correspond with the nature of customer’s business, or that involve dealings in a new jurisdictions of PF concern, taking into consideration the LFI’s defined risk appetite. 4.4.2. Transaction Monitoring and Suspicious Transaction/Activity Reporting 4.4.2.1. Transaction Monitoring Under Article 16 of the AML-CFT Decision, LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may need to be the subject of an STR or SAR. Moreover, as required by Article 7 of the AML-CFT Decision, LFIs must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity, and the risks they pose, including, when necessary, the source of funds. As with all customer types, LFIs that use automated monitoring systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behavior. When monitoring and evaluating transactions, the LFI should take into account all information that it has collected as part of CDD. On a risk basis, LFIs should embed PF-specific indicators, typologies, and scenarios into their transaction monitoring systems to identify red flags, such as: • Unusual patterns of transactions, such as round-tripping or layering; • Transactions involving high-risk jurisdictions or individuals; • Transactions involving dual-use goods or technology; • Transactions involving front or shell companies; • Transactions involving cash or non-face-to-face transactions; • Transactions involving unusual or non-commercial routes or channels; • Transactions that are inconsistent with the customer's business profile; • Transactions that are inconsistent with expected transaction patterns; and • Transactions originating from or associated with suspicious IP addresses or IP addresses located in high TF/PF risk jurisdictions.

Page 36 of 59 CBUAE Classification: Public Finally, LFIs should ensure that transaction monitoring systems include rules or scenarios designed to detect the above risk indicators and other transactions associated with PF and PF-related financial crimes that may involve third-party activity through the LFI’s account or relationship. Furthermore, it is imperative that the PF risk be incorporated into the LFI’s typology assessment in order to assess an LFI’s PF risk exposure as well as current and prospective automated transaction monitoring controls. Of note, emerging technologies such as data analytics and artificial intelligence have considerably enhanced transaction monitoring capabilities within LFIs. The use of this emerging technology can prove a powerful tool in detecting new patterns of suspicious behaviors and activities related to PF. 4.4.2.2. Suspicious Transaction Reporting As required by Article 15 of the AML-CFT Law and Article 17 of AML-CFT Decision, LFIs must file a suspicious transaction report (“STR”), suspicious activity report (“SAR”), or other report types with the UAE Financial Intelligence Unit (“FIU”) when they have reasonable grounds to suspect that a transaction, attempted transaction, or funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime. Please consult the CBUAE’s Guidance for LFIs on Suspicious Transaction Reporting for further information.34 Beyond the filing of STRs/SARs, it is crucial that LFIs cooperate with law enforcement and intelligence authorities to effectively combat PF networks. 4.4.3. Targeted Financial Sanctions Obligations The AML-CFT Law and AML-CFT Decision require LFIs to promptly apply directives issued by the competent authorities of the UAE for implementing the decisions issued by the UNSC under Chapter VII of the Charter of the United Nations. In furtherance of this requirement, the Cabinet Decision No. (74) of 2020 sets out the legislative and regulatory framework regarding TFS, including the Local Terrorist List and the UN Consolidated List. In addition, under Article 21 of the AML-CFT Resolution No. (74) of 2020, LFIs are required to have suitable risk management systems and take sufficient measures to identify whether a customer, or the beneficial owner of a customer, has been added to an international sanctions list or the Local List. LFIs are required to conduct screening prior to onboarding and on an ongoing basis, as discussed under section 3.4.1 above. Federal Law (50) of 2020 regarding goods subject to import and export controls contains the UAE list of dual-use and PF-sensitive goods. Lists of controlled chemical and non-chemical goods can be found on the EOCN website at: https://www.uaeiec.gov.ae/en-us/control-list-good. For more information and details on their obligations in relation to their sanction obligations, LFIs should consult the EOCN’s Guidance on Targeted Financial Sanctions for FIs, DNFBPs, and VASPs35 and the CBUAE’s Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions” and Guidance for Licensed Financial institutions on Transaction Monitoring Screening and Sanctions screening. 36 As a best practice, LFIs should maintain an internal watchlist of parties that are related to sanctioned persons or entities or that pose elevated risk to the LFI for other illicit finance-related reasons. LFIs should

34 Available at: https://www.centralbank.ae/en/cbuae-amlcft. 35 Available at: https://www.uaeiec.gov.ae/API/Upload/DownloadFile?FileID=7f006d28-4a65-4829-aa35-b9dc3059e89a. 36 Available at: https://www.centralbank.ae/en/cbuae-amlcft

Page 37 of 59 CBUAE Classification: Public consider implementing such lists and screening against these lists during customer onboarding and on an ongoing basis thereafter. In addition, following a sanctions designation, further intelligence can be derived from an investigation into any linkages with a sanctioned party. This could include reviewing past transactions to identify the designated individuals and entities operating before they were sanctioned. 4.4.3.1. Confirmed Matches If an LFI identifies a confirmed match of an individual, entity, or group to the key identifiers published in the UAE Local Terrorist List or the UNSC Consolidated List is identified, LFIs are required to take the following actions: • Implement all necessary measures without delay as outlined in Article 15 of Cabinet Resolution No. (74) of 2020, to include freezing without delay, refraining from offering any funds or other assets and services, and reporting freezing measures to the EOCN and CBUAE; and • If the confirmed match is a potential customer, reject the transaction immediately and report the case. 37 Per section (5) of Article 21 of Cabinet Resolution No. (74) of 2020, LFIs are expected to report any freezing measures, prohibition to provide funds or services, and any attempted transactions immediately via the goAML platform by selecting the Funds Freeze Report (“FFR”) option. LFIs should also ensure that all necessary information and documents regarding the confirmed match are submitted along with the FFR. Pursuant to Section (1) of Article 22 of Cabinet Resolution No. (74) of 2020, supervisory authorities should receive all information within five working days. 4.4.3.2. Partial Name Matches If an LFI identifies a partial name match of an individual, entity, or group to the key identifiers published in the UAE Local Terrorist List or the UNSC Consolidated List is identified, LFIs should take the following actions: • Cross-check the identifiers published on the relevant sanctions list with the LFI’s internal customer, beneficial ownership, and other data as well as external sources where appropriate to determine whether the partial name match is a confirmed match or can be waived as a false positive; • If the LFI is unable to determine whether the partial name match is a confirmed match or a false positive, the LFI should suspend any transaction and report the case under Partial Name Match Report (“PNMR”) through the goAML platform to the EOCN and the CBUAE and uphold the suspension measures until a response is received from the EOCN on the status of the partial name match. LFIs are expected to submit a PNMR through the goAML platform within five business days of implementing the suspension measures. LFIs should ensure that all necessary information and documents regarding the potential match are submitted with the PNMR.

37 See also EOCN, Guidance on Targeted Financial Sanctions for FIs, DNFBPs, and VASPs, section 4, available at: https://www.uaeiec.gov.ae/en￾us/un-page?p=7

Page 38 of 59 CBUAE Classification: Public 4.4.4. Governance and Independent Audit The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces and organized in accordance with the “three lines of defence” model. All three lines of defence should report up to and have the active support and oversight of the LFI’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors. Furthermore, Management Information and Reports related to PF alerts and internal investigations should be provided to senior management to enhance their understanding of the severity or scale of PF risks to the institution. Flagging alerts and investigations related to PF would enable Governance and Audit functions to accurately review and assess how the institution's PF controls are functioning and enable deficiencies to be addressed. See section 8 of the Guidelines on Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organizations for Financial Institutions for additional detail. 38 4.4.5. Training As with all risks to which the LFI is exposed, the CPF training program should ensure that employees are aware of the risks related to PF, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls. Training should be tailored and customized to the LFI’s risk and the nature of its operations and should be clearly documented in the LFI’s CPF compliance program and associated training policies, procedures, plans, materials, and attendance records. Overall, LFIs should conduct periodic assessments of their training curriculum to ensure that the training remains relevant in the face of evolving PF risks. 4.4.6. Record Keeping According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, LFIs must maintain detailed records associated with their ML/FT risk assessment and mitigation measures, as well as records, documents, data, and statistics for all financial transactions, records obtained through CDD measures and ongoing monitoring (including copies of personal identification documents), account files and business correspondence, and STRs/SARs and results of any analysis performed. LFIs should maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity. LFIs should make the records available to the competent authorities immediately upon request. Consistent with local regulatory requirements, all LFIs should ensure compliance with FATF’s Recommendation 11: Record Keeping. The aforementioned provisions also require that all records be retained for at least five (5) years from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.

38 Available at: https://www.centralbank.ae/en/cbuae-amlcft.

Page 39 of 59 CBUAE Classification: Public 5. port ontrols 5.1. General Export controls regimes around the world are essential in preventing the unauthorized transfer of items and technologies that could be used in WMD proliferation. LFIs play a crucial role in ensuring compliance with export control laws and regulations, as they are often involved in processing and facilitating the financing and settlement aspects of international trade transactions. By understanding and complying with export controls, FIs can help in mitigating the UAE’s risks of PF. While sanctions themselves do sometimes include specific technology or arms related restrictions, export controls are typically administered through authorities other than sanctions authorities. They are generally designed to control access to sensitive technologies and items that may have military application or the potential for dual-use and implicate LFIs to the extent that they prohibit the financing of prohibited exports. LFIs should be familiar with the regulatory framework and international standards related to export controls associated with CPF. Among others, LFIs should be acquainted with the following: • National export control laws: LFIs should understand the export control laws and regulations applicable in the UAE, including the relevant lists of controlled items, technology, and services. 39 The national bodies responsible for implementing export controls include: o Executive Office for Control and Non-Proliferation (EOCN); o Ministry of Defence (MOD); o Federal Authority for Nuclear Regulation (“FANR”), regulating export controls of nuclear goods; o Federal Authority of Identity, Citizenship, Customs and Port Security (“ICP”); and o Security Industry Regulatory Agency (“SIRA”). • International export control regimes: LFIs should be aware of international export control regimes such as the Wassenaar Arrangement, Nuclear Suppliers Group, Australia Group, and Missile Technology Control Regime. These regimes provide guidelines and control lists to regulate the export of sensitive goods and technologies. • United Nations Security Council Resolutions: LFIs should also be familiar with the relevant UNSCRs that impose sanctions and export controls on specific countries or entities involved in proliferation activities. 5.2. Dual-Use or Controlled Goods The EOCN plays an active role in implementing export controls besides curbing the proliferation of weapons of mass destruction with relevant associated technology, based on policies, legislations and partnerships domestically and internationally. 40

39 Available at: https://www.uaeiec.gov.ae/API/Upload/DownloadFile?FileID=1852fefa-f0a7-4629-9515-78c13fd7354e 40 See: https://www.uaeiec.gov.ae/en-us/about-us

Page 40 of 59 CBUAE Classification: Public In cases where trade-based transactions potentially involve dual-use or controlled goods, LFIs should screen against the UAE Control List pursuant to Cabinet Resolution No. (50) of 2020 for potential matches and follow the steps set forth in the EOCN’s Guidance on Counter Proliferation Financing for FIs, DNFBPs and VASPs, section 6.41 Cabinet Resolution (50) of 2020 regarding commodities subject to import and export controls contains the UAE’s list of dual-use and PF-sensitive goods. LFIs should consider screening for dual-use and other controlled goods when trade finance products involving international trade transactions are being offered. Lists of controlled chemical and non-chemical goods, which includes dual-use goods associated with the proliferation of WMDs, can be found on the EOCN’s website42, and LFIs are encouraged to consult with the EOCN to ascertain whether commodities are subject to export controls or other restrictions, and where applicable verify availability of valid permit from relevant authorities for transactions involving dual-use goods. Lastly, during the recording of and monitoring of transactions associated with, or suspected to be associated with dual-use goods, LFIs should consider leveraging the standardized numerical method of classifying traded products, like the Harmonized System (“HS”), which is a standardized numerical method of classifying traded products.

41 Available at: https://www.uaeiec.gov.ae/API/Upload/DownloadFile?FileID=1852fefa-f0a7-4629-9515-78c13fd7354e 42 Information available at: https://www.uaeiec.gov.ae/en-us/control-list-good

Page 41 of 59 CBUAE Classification: Public nne 1. elect PF hreats Rele ant to FIs Proliferators may procure licit and illicit goods, and the technology needed for the development of WMD capabilities and related delivery mechanisms. This Annex aims at assisting LFIs in identifying potential PF threats in order to mitigate the related risks. The following is a list of several potential threats related to products and services that LFIs might offer, or that otherwise can be used for PF purposes. 43 Financial Products and Services Directly Related to Trade in Proliferation-Sensitive Goods Use of trade finance products and services and clean payment services in procurement of proliferation￾sensitive goods. Use of front companies, shell companies or brokers to obtain trade finance products and services or as parties to clean payments. Use of companies to provide unlicensed money remittance services. Nationals or dual citizens of proliferating states, or family members of such persons (regardless of citizenship), used as intermediaries in countries not of proliferation concern to facilitate procurement of goods and/or for payment of funds. Likely to involve use of personal banking products. Use of universities or research centers to procure dual-use goods and/or for payment of funds, including Iranian and Syrian institutions. Money transfer services used to conduct cash transfers related to procurement of goods. Use of third countries to channel financial transactions related to mining deals. Use of professional intermediaries and firms to mask parties to transactions and end users. Use of personal accounts to purchase industrial items. Use of non-specific, innocuous or misleading descriptions of goods or purpose of payments. Use of fake or fraudulent documents related to shipping, customs or payments to facilitate transactions or trade finance. Use of financial routes that are circuitous to the movement of sensitive goods or to countries not of proliferation concern. Use of vessels that do not attract proliferation concern to obtain maritime or cargo insurance products. Use of shipping companies, brokers and agents to obtain insurance or other financial services related to maritime transport. Often combined with use of front companies with opaque ownership structures. The following is a list of underlying licit and illicit activities that LFIs’ customers might be engaged in that can potentially be linked to PF efforts: Licit and Illicit Revenue-Raising Activities Arms trafficking (small and conventional) used by state and non-state actors to raise revenue. Sale of non-nuclear arms, military equipment or technologies, or paramilitary equipment or technologies by proliferating states to other states.

43 Royal United Services Institute for Defense and Security Studies, Guide to Conducting a National Proliferation Financing Risk Assessment, May 2019, available at: https://static.rusi.org/20190513_guide_to_conducting_a_national_proliferation_financing_risk_assessment_web.pdf

Page 42 of 59 CBUAE Classification: Public Sale of coal used by state and non-state actors to raise revenue. Construction industry and/or related trades owned or operated by or on behalf of nationals or dual citizens of North Korea or North Korean entities. Profits from payment of contracts form part of North Korea’s revenue-raising activities. Cross-border smuggling of cash, gold or other high-value goods by mules to support state and non-state proliferation activities. Cross-border smuggling of cash, gold or other high-value goods in diplomatic bags by diplomats or consular officers to support state proliferation activities. Cybercrime, such as hacking accounts to obtain value, largely used by state actors. Drug trafficking by state and non-state actors, including through connections with organized criminal networks. Proceeds used to support proliferation activities. Export of art or statues by North Korea or involving North Korean designated entities and individuals to raise revenue. Sale of minerals (gold, iron, steel, copper, zinc and so on) by North Korea or involving North Korean designated entities and individuals to raise revenue. Payments made to laborers or workers (nationals or dual citizens) from North Korea. Payments are then largely confiscated by North Korea as part of its revenue-raising activities. Restaurants or other small to medium-sized, largely cash-based businesses owned or operated by or on behalf of nationals or dual citizens of North Korea. Profits from businesses are sent to North Korea as part of its revenue-raising activities. Export of seafood originating from North Korea or involving North Korean designated entities and individuals. Export of textiles originating from North Korea or involving North Korean designated entities and individuals. Wildlife trafficking by state and non-state actors including through connections with organized criminal networks. ‘Ta es’ and ‘duties’ collected by terrorist groups in controlled areas, as well as donations made to terrorist groups, as part of revenue-raising activities to support procurement of WMD materials, particularly radiological, chemical, or biological weapons. The following is a list of financial and non-financial products, services, entities, and methods that can be used for PF activities: Financial and Corporate Infrastructure in Support of the Movement of Finances and Goods Use of banks and other financial institutions with foreign branches operating in countries of proliferation concern. Use of cryptocurrencies to avoid the formal financial system. Use of diplomats, consular officers or diplomatic or consular missions of North Korea to build networks, including corporate networks, within a country. These networks then facilitate a range of revenue-raising activities as well as facilitating financial products or services related to trade in goods. Use of local branches of banks and financial institutions based in countries of proliferation concern.

Page 43 of 59 CBUAE Classification: Public Money-exchange businesses used for cash transfers in support of proliferation networks, where transfers involve individuals or entities owned or controlled by proliferation actors. Can also involve structured payments to organized crime networks involved in revenue-raising activities. Use of hawala or bartering systems of value transfer to pay and settle debts among members of a proliferation network. Use of a ledger payment system among members of a network that minimizes the need for international financial transactions. Banks may be used to facilitate some end-of-term settlements between companies and/or individuals. Financial institutions with known histories of providing accounts to, or otherwise facilitating, financial activities of proliferation states. Use of companies to provide unlicensed money-transfer services among members of networks or to conduct ad hoc transactions. Use of professional intermediaries and corporate service providers to mask the presence of proliferation actors. Use of trade or other economic relations of countries with links or significant exposure to a proliferating country. Often facilitated by a complex corporate network. Use of organized or transnational crime networks, particularly their transport corridors and intermediaries in their networks. Establishment of corporate networks that facilitate but may not be solely involved in PF activities. Ultimate beneficial ownership, connections and control structures are opaque.

Page 44 of 59 CBUAE Classification: Public nne 2. F F PF pologies This Annex includes FATF PF typology reports which can help LFIs develop an understanding of the issues surrounding PF and assist them in identifying and analyzing the existing PF threats and the methods used by the proliferators and the facilitators. Some sources provide lists of “red flag” indicators for FIs to employ in detecting potential connections to proliferation, even though these are not uniquely determinative of proliferation financing (proliferation financing activities may share similar traits with money laundering, especially trade-based money laundering, and terrorist financing activities). Indicators listed in Annex 1 of the FATF Typologies Report44 include: • Transaction involves person or entity in foreign country of proliferation concern. • Transaction involves person or entity in foreign country of diversion concern. • The customer or counter-party or its address is similar to one of the parties found on publicly available lists of “denied persons” or has a history of e port control contraventions. • Customer activity does not match business profile, or end-user information does not match end￾user’s business profile. • A freight forwarding firm is listed as the product’s final destination. • Order for goods is placed by firms or persons from foreign countries other than the country of the stated end-user. • Transaction involves shipment of goods incompatible with the technical level of the country to which it is being shipped, (e.g., semiconductor manufacturing equipment being shipped to a country that has no electronics industry). • Transaction involves possible shell companies (e.g., companies do not have a high level of capitalization or displays other shell company indicators). • Transaction demonstrates links between representatives of companies exchanging goods i.e., same owners or management. • Circuitous route of shipment (if available) and/or circuitous route of financial transaction. • Trade finance transaction involves shipment route (if available) through country with weak export control laws or weak enforcement of export control laws. • Transaction involves persons or companies (particularly trading companies) located in countries with weak export control laws or weak enforcement of export control laws. • Transaction involves shipment of goods inconsistent with normal geographic trade patterns (e.g., does the country involved normally export/import good involved?). • Transaction involves financial institutions with known deficiencies in AML/CFT controls and/or domiciled in countries with weak export control laws or weak enforcement of export control laws. • Based on the documentation obtained in the transaction, the declared value of the shipment was obviously under-valued vis-à-vis the shipping cost. • Inconsistencies in information contained in trade documents and financial flows, such as names, companies, addresses, final destination, etc. • Pattern of wire transfer activity that shows unusual patterns or has no apparent purpose.

44 Financial Action Task Force, Proliferation Financing Report (June 2008) https://eurasiangroup.org/files/FATF_docs/Typologies_Report_on_Proliferation_Financing.pdf

Page 45 of 59 CBUAE Classification: Public • Customer vague/incomplete on information it provides, resistant to providing additional information when queried. • New customer requests letter of credit transaction awaiting approval of new account. • Wire instructions or payment from or due to parties not identified on the original letter of credit or other documentation. • Stealing funds or sensitive information through cyber operations to finance proliferation activities. • Employing cryptocurrencies and other digital assets to evade traditional financial tracking system (e.g., through the theft of virtual assets and the mining of cryptocurrencies through crypto-jacking). • Involvement of company service providers, lawyers, accountants, and financial advisors in the creation or management of companies and other legal persons or legal arrangements to structure transactions and corporate entities in ways that obscure proliferation financing.

Page 46 of 59 CBUAE Classification: Public nne 3. N PF Risk Indicators As per the EOCN’s 2023 Terrorist & Proliferation Financing Red Flags Guidance45 which presented a number of PF-related risk indicators that LFIs should consider in identifying, understanding, assessing, and mitigating PF risks, he following sections present relevant risk indicators concerning customer risk, transactional risk, and risks specific to the maritime sector and trade finance activity: Customer Risk Indicators • During onboarding, a customer provides vague or incomplete information about their proposed trading activities. The customer is reluctant to provide additional information about their activities when queried; • During subsequent stages of due diligence, a customer, particularly a trade entity, or its owners or senior managers, appears in sanctioned lists or negative news, e.g., relating to past ML schemes, fraud, other criminal activities, or ongoing or past investigations or convictions, including appearing on a list of denied persons for the purposes of export control regimes; • A customer is a person connected with a country of proliferation or diversion concern, e.g., through business or trade relations, as identified through the national risk assessment process or by relevant national CPF authorities; • A customer is a person dealing with Dual-Use goods, goods subject to export control goods, or complex equipment for which he/she lacks technical background, or that is incongruent with their stated line of activity; • A customer engages in complex trade deals involving numerous third-party intermediaries in lines of business that do not accord with their stated business profile established at onboarding; • A customer or counterparty, declared to be a commercial business, conducts transactions that suggest that they are acting as a money remittance business or a pay-through account; These accounts involve a rapid movement of high-volume transactions and a small end-of-day balance without clear business reasons. In some cases, the originators appear to be entities who may be connected with a state-sponsored proliferation programme (such as shell companies operating near countries of proliferation or diversion concern), and the beneficiaries appear to be associated with manufacturers or shippers subject to export controls; • A customer affiliated with a university or research institution is involved in the trading of Dual-Use goods or goods subject to export control; • A customer’s activity does not match the customer’s business profile, or end-user information does not match the end-user’s business profile; and • A new customer requests a letter of credit transaction while awaiting approval of new account.

45 Terrorist & Proliferation Financing Red Flags Guidance: Published by the EOCN in September 2023 Updated: December 2023

Page 47 of 59 CBUAE Classification: Public Transactional Risk Indicators • A transaction involves person or entity in foreign country of proliferation concern; • A transaction involves person or entity in foreign country of diversion concern; • A transaction involves financial institutions with known deficiencies in AML/CFT controls and/or domiciled in countries with weak export control laws or weak enforcement of export control laws; • Wire transfer activity shows unusual patterns or has no business or apparent lawful purpose; • The originator or beneficiary of a transaction is a person or an entity ordinarily resident of or domiciled in a country of proliferation or diversion concern, e.g., DPRK and Iran; • Accounts or transactions involve possible companies with opaque ownership structures, front companies, or shell companies, e.g., companies do not have a high level of capitalisation or display other shell company indicators. Countries or the private sector may identify more indicators during the risk assessment process, such as long periods of account dormancy followed by a surge of activity; • Business or compliance personnel identify links between representatives of companies exchanging goods, e.g., the same owners or management, physical address, IP address, or telephone number, or activities that appear to be co-ordinated; • The account holder conducts financial transactions in a circuitous manner. • A transaction or account activity involves an originator or beneficiary that is domiciled in a country with weak implementation of relevant UNSCR obligations and FATF Standards or a weak export control regime (also relevant to correspondent banking services); • A customer of a manufacturing or trading firm wants to use cash in transactions for industrial items or for trade transactions more generally. For financial institutions, the transactions are visible through sudden influ es of cash deposits to the entity’s accounts, followed by cash withdrawals; • Transactions are made on the basis of “ledger” arrangements that obviate the need for frequent international financial transactions. Ledger arrangements are conducted by linked companies that maintain a record of transactions made on each other’s behalf; • Occasionally, these companies will make transfers to balance these accounts; • A customer uses a personal account to purchase industrial items that are under export control, or otherwise not associated with corporate activities or congruent lines of business; • Account holders conduct transactions that involve items controlled under Dual-Use or export control regimes, or the account holders have previously violated requirements under Dual-Use or export control regimes; and • Transactions associated with a customer’s frequent travel to or from high-risk countries associated with proliferation activities.

Page 48 of 59 CBUAE Classification: Public Maritime Sector Risk Indicators • An order for goods is placed by firms or persons from foreign countries other than the country of the stated end-user; • A trade entity is registered at an address that is likely to be a mass registration address, e.g., high￾density residential buildings, post-box addresses, commercial buildings, or industrial complexes, especially when there is no reference to a specific unit; • The person or entity preparing a shipment lists a freight forwarding firm as the product’s final destination; • The destination of a shipment is different from the importer’s location; • Inconsistencies are identified across contracts, invoices, or other trade documents, e.g., contradictions between the name of the exporting entity and the name of the recipient of the payment; differing prices on invoices and underlying contracts; or discrepancies between the quantity, quality, volume, or value of the actual commodities and their descriptions; • A shipment of goods has a low declared value vis-à-vis the shipping cost; • A shipment of goods is incompatible with the technical level of the country to which it is being shipped, e.g., semiconductor manufacturing equipment being shipped to a country that has no electronics industry; • A shipment of goods is made in a circuitous fashion (if information is available), including multiple destinations with no apparent business or commercial purpose, indications of frequent flags hopping, or using a small or old fleet; • A shipment of goods is inconsistent with normal geographic trade patterns, e.g., the destination country does not normally export or import the goods listed in trade transaction documents; • A shipment of goods is routed through a country with weak implementation of relevant UNSCR obligations and FATF Standards, weak export control laws, or weak enforcement of export control laws; and • Payment for imported commodities is made by an entity other than the consignee of the commodities with no clear economic reasons, e.g., by a shell or front company not involved in the trade transaction. Trade Finance-Related Risk Indicators • A trade finance transaction involves a shipment route (if available) through a country with weak export control laws or weak enforcement of export control laws; • A transaction involves persons or companies (particularly trading companies) located in countries with weak export control laws or weak enforcement of export control laws; • A transaction involves a shipment of goods inconsistent with normal geographic trade patterns (e.g., does the country involved normally export/import good involved?);

Page 49 of 59 CBUAE Classification: Public • Based on the documentation obtained in the transaction, the declared value of the shipment is obviously under-valued vis-à-vis the shipping cost; • Prior to account approval, the customer requests a letter of credit for a trade transaction to ship Dual-Use goods or goods subject to export control; • Lack of full information or inconsistences are identified in trade documents and financial flows, such as names, companies, addresses, final destination, etc.; • Identifying documents seem to be forged or counterfeited; • Identifying documents seem to be tampered or modified documents with no apparent explanation, especially those related to international trade; and • Transactions include wire instructions or payment details from or due to parties not identified on the original letter of credit or other documentation.

Page 50 of 59 CBUAE Classification: Public nne 4. F F Potential Indicators of anctions asion cti it ( entioned in hird Part Reports) This Annex provides a list of indicators that can help LFIs identify and detect suspicious PF activities, including those related to the evasion of TFS imposed under UNSCRs or local designations. The February 2018 FATF Guidance on Counter Proliferation Financing 46 listed additional potential indicators of sanctions evasion activity mentioned in third-party reports (e.g., UN Panel of Experts reports, Study of Typologies of Financing of WMD Proliferation47): • Involvement of items controlled under WMD export control regimes or national control regimes. • Involvement of a person connected with a country of proliferation concern (e.g., a dual-national), and/or dealing with complex equipment for which he/she lacks technical background. • Use of cash or precious metals (e.g., gold) in transactions for industrial items. • Involvement of a small trading, brokering or intermediary company, often carrying out business inconsistent with their normal business. • Involvement of a customer or counter-party, declared to be a commercial business, whose transactions suggest they are acting as a money-remittance business. • Transactions between companies on the basis of “ledger” arrangements that obviate the need for international financial transactions. • Customers or counterparties to transactions are linked (e.g., they share a common physical address, IP address or telephone number, or their activities may be coordinated). • Involvement of a university in a country of proliferation concern. • Description of goods on trade or financial documentation is non-specific, innocuous or misleading. • Evidence that documents or other representations (e.g., relating to shipping, customs, or payment) are fake or fraudulent. • Use of personal account to purchase industrial items.

46 Financial Action Task Force, FATF Guidance on Counter Proliferation Financing (February 2018), available at: https://www.fatf￾gafi.org/en/publications/Financingofproliferation/Guidance-counter-proliferation-financing.html. 47 Available at: https://www.kcl.ac.uk/csss/assets/study-of-typologies-of-financing-of-wmd-proliferation-2017.pdf

Page 51 of 59 CBUAE Classification: Public Annex 5. EOCN PF Sanctions Evasion Red Flags and Typologies This Annex provides a list of indicators, as identified by the EOCN, that can help LFIs identify and detect suspicious PF activities related to sanctions evasion. Below is a list of UAE-specific PF sanctions evasion red flags indicators identified by the EOCN48: • Dealings, directly or through a client of your client, with sanctioned countries or territories where sanctioned persons are known to operate. • The use of shell companies through which funds can be moved locally and internationally by misappropriating the commercial sector in the UAE. • Dealings with sanctioned goods or under embargo. For example: o Oil or other commodities o Dual-Use items (wire nickel, inverters, etc.) • Identifying documents that seemed to be forged or counterfeited. • Identifying tampered or modified documents with no apparent explanation, especially those related to international trade. • The activity developed or financed does not relate to the original or intended purpose of the company or entity. For example: o For companies, they are importing high-end technology devices, but they are registered as a company that commercializes nuts. o For a non-profit organization, they are exporting communication devices, but they are an entity aimed to provide health services. • Very complex commercial or business deals that seem to be aiming to hide the final destiny of the transaction or the good. • Complex legal entities or arrangements that seem to be aiming to hide the beneficial owner.

48 Available at: https://www.uaeiec.gov.ae/en-us/un-page?p=3#

Page 52 of 59 CBUAE Classification: Public nne 6. PF Related Reasons for Reporting This Annex aims at assisting LFIs in drafting potential SARs or STRs by providing PF-related Reasons for Reporting (RFRs) to accurately characterize reportable activity, as per the guidance of the UAE FIU. goAML PF-related RFRs A shipment of goods is incompatible with the known business activity and nature of products or services provided by the entities involved in the transaction. A shipment of goods is made in a circuitous fashion (if information is available), including multiple destinations with no apparent business or commercial purpose, indications of frequent flags hopping, or using a small or old fleet. Possible TBML. A transaction involves persons or companies (particularly trading companies) located in countries with weak export control laws or weak enforcement of export control laws. Based on the documentation obtained in the transaction, the declared value of the shipment is obviously under-valued vis-à-vis the shipping cost. (Possible TBML). Customer or transaction is suspected of being linked (directly or indirectly) to DPRK’s nuclear-related, WMD-related, or ballistic missiles weapons program. Customer or transaction is suspected of being linked (directly or indirectly) to IRAN’s nuclear weapons program. Customer or transaction is suspiciously involved in the supply, sale, delivery, export, or purchase of dual￾use, controlled, or military goods to countries of proliferation concerns or related to illegal armed groups. Sender or originator appears to be entities who may be connected with a state-sponsored proliferation program and the beneficiaries appear to be associated with manufacturers or shippers subject to export controls. The customer uses a personal account to purchase industrial items that are under export control, or otherwise not associated with corporate activities or congruent lines of business. The person or entity preparing a shipment lists a freight forwarding firm as the product’s final destination. Possible TBML. Trade finance transaction(s) involving shipment route through country with weak export control laws or weak enforcement of export control laws. Transaction involves sale, shipment, or export of dual-use goods incompatible with the technical level of the country to which it is being shipped.

Page 53 of 59 CBUAE Classification: Public nne 7: nopsis of the uidance Purpose and applicability of this Guidance Purpose The purpose of this Guidance is to assist the understanding and effective performance by CBUAE licensed financial institutions (LFIs) of their statutory obligations related to counter proliferation financing (CPF) under the legal and regulatory framework in force in the UAE. Applicability This Guidance applies to all natural and legal persons, which are licensed and/or supervised by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers; and insurance companies, agencies, and brokers. Understanding ML/TF Risks Related to PF Threats Related to PF: • PF threats and related sources of funding mainly derive from three categories, i.e., financial products directly related to trade in PF-sensitive goods; revenue-raising activities; and the use of financial and corporate structures to support movement of funds and cash. • PF threats can be posed by state and non-state actors attempting to obtain WMD and their delivery systems or raising, moving, or using funds to procure such items. Under the FATF Standards, PF threats and CPF requirements are provided under: (i) UNSCR 1540 (2004), regarding non-state actors; (ii) UNCSRs 1718 (2006), 2087 (2013), 2094 (2013). and 2270 (2016), regarding the Democratic People’s Republic of North Korea (“DPRK” or “North Korea”); and (iii) UNCSR 2231 (2015), regarding the Islamic Republic of Iran (“Iran”). Other Select Threats Relevant to LFIs • Financial Products and Services Directly Related to Trade in Proliferation-Sensitive Goods, including: (i) Nationals or dual citizens of proliferating states, or family members of such persons used as intermediaries in countries not of proliferation concern to facilitate procurement of goods and/or for payment of funds; (ii) Use of universities or research centers to procure dual-use goods and/or for payment of funds; • Licit and Illicit Revenue-Raising Activities, including (i) Arms trafficking (small and conventional) used by state and non-state actors to raise revenue; (ii) Sale of non-nuclear arms, military equipment or technologies, or paramilitary equipment or technologies by proliferating states to other states; (iii) Construction industry and/or related trades owned or operated by or on behalf of nationals or dual citizens of North Korea or North Korean entities; (iv) Cybercrime, such as hacking accounts to obtain value, largely used by state actors, and (v) Export of art or statues by North Korea or

Page 54 of 59 CBUAE Classification: Public involving North Korean designated entities and individuals to raise revenue, (vi) Export of seafood and textiles originating from North Korea or involving North Korean designated entities and individuals, and (vii) Restaurants or other small to medium-sized, largely cash-based businesses owned or operated by or on behalf of nationals or dual citizens of North Korea. • Financial and Corporate Infrastructure in Support of the Movement of Finances and Goods, including: (i) Use of diplomats, consular officers or diplomatic or consular missions of North Korea to build networks, including corporate networks, within a country; (ii) Use of organized or transnational crime networks, particularly their transport corridors and intermediaries in their networks, and (iii) Use of professional intermediaries and corporate service providers to mask the presence of proliferation actors. Vulnerabilities Related to PF • LFIs vulnerabilities associated with PF, : (i) Trade finance transactions, where trade-based illicit finance may facilitate the purchase or transfer of goods and services used in procurement of WMDs; (ii) Correspondent banking relationships, and nested relationships where heightened PF risk is present insofar as it can involve the rapid and repeated transfers of large quantities of funds on behalf of parties that are not the direct customers of the correspondent; (iii) Hawala and other alternatives to traditional banking, in particular unlicensed hawala providers (UHP), MSBs, VASPs and new technologies, where illicit actors may exploit these alternatives to traditional banking channels to transfer funds to proliferators; (iv) Offshore accounts can be abused given the opacity and complexity of cross-jurisdictional regulations to obscure the trail of funds; (v) Free trade zones, in which incentives are offered sometimes without the appropriate AML/CFT safeguards, relaxed oversight, week inspection procedures and adequate coordination with other authorities; (vi) Shell and front companies and complex ownership structures, which can be ideal vehicles for nefarious actors to conduct illicit activities and conceal their true identities; (vii) Insurance and reinsurance, which may be susceptible to abuse by illicit actors insofar as they are seeking to move goods and funds, insure illicit activities and goods, or manipulate insurance claims to obtain funds for PF purposes; (viii) Non-profit organization (NPOs) and charities may be used to provide financial support to entities or individuals involved in proliferation activities; (ix) Real estate sector, may be susceptible to abuse by nefarious actors seeking to conceal illicit funds in real estate transactions, and (x) Dealers in

Page 55 of 59 CBUAE Classification: Public precious metals and stones (DPMS), particularly those involved in gold trade given their intrinsic characteristics, such as high value, ease of trade, mutability, portability, liquidity, transferability, anonymity and availability in the UAE. Mitigating PF Risks PF Risk Assessment and Risk Based Approach • Pursuant to Notice No. CBUAE/BIS/2023/5960, LFIs should perform, document, and keep up to date an institutional-level risk assessment that includes identifying, assessing, understanding and mitigating risks related PF, and have the appropriate mechanisms to provide PF risk assessment information to the CBUAE. Specifically, LFIs should consider PF risk factors arising in relation to their customers; products services and transactions; delivery channels; geographic locations and markets, and operating structures. • PF risk management should be incorporated into an LFI’s larger counter-illicit finance program, and institutions can use many of the same controls to mitigate and manage their PF risk that they already employ for ML/TF and sanctions purposes. Specifically, LFIs should consider: (i) The use of technology to detect sanctions evasion behavior; (ii) Incorporating PF-specific information in the CDD process; (iv) Including PF risk in correspondent banking risk-ratings and EDD, and (v) Training to the LFI’s leadership and staff at all levels on PF related issues. Customer Due Diligence General CDD Measures. The following elements of CDD must be carried out for all customers, no matter the customer type. • Customer identification and verification • Beneficial owner identification and verification • Understanding the nature of the customer’s business and the nature and purpose of the business relationship, including determining the nature of any VASP or VA activity • Ongoing monitoring • Sanctions screening Establishing a Customer Risk Profile that Incorporates PF Risks. LFI should collect information that allows it to create a risk profile of the customer that incorporates a customer’s PF-specific risk attributes, including: • Customer specific attributes, such as customers’ background, ownership structure, involvement in high￾risk sectors and connections to PEPs

Page 56 of 59 CBUAE Classification: Public • Transactional behavior, such as the transaction history, and unusual transaction patterns involving dual-use goods. • Red flags and indicators, including involvement in sanctioned or embargoed countries, presence on watchlists or control lists, or connections to entities or individuals involved in proliferation activities. • External factors, such as industry-specific risks, regulatory changes, or geopolitical developments that may impact the customer’s risk profile • Understand and assess the VASP’s reputation. Enhanced Measures for Higher-Risk Customers. • EDD for High-Risk Customers: Where LFIs have identified indicators of heightened PF risk related to a customer, such as Customer that are PEPs, Business relationships in high-risk jurisdictions, and correspondent banking relationships, they should perform the following: (i) Obtain senior management approval before establishing a business relationship or continuing an existing one; (ii) Take risk-based measures to establish the source and destination of funds; (iii) Ascertain whether the customer conducts business in a high AML/CFT-risk jurisdiction, a jurisdiction of PF concern, or a third-party jurisdiction in close proximity to a jurisdiction of PF concern, and (iv) Conduct enhanced ongoing monitoring of the relationship. Transaction Monitoring and Suspicious Activity Reporting Transaction Monitoring. In the context of PF risks, LFIs should ensure that transaction monitoring rules or keyword are embedded with PF-specific indicators, typologies, and scenarios into their transaction monitoring systems to identify red flags. Suspicious Activity Reporting. LFIs are required to file an STR or SAR or other report types with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, regardless of the amount, the proceeds of crime, are related to a crime, or are intended to be used in a crime.

Page 57 of 59 CBUAE Classification: Public Mitigating ML/TF Risks Related to VASP Customers and VA-Related Customer Transactions Targeted Financial Sanctions Obligations and Freezing Without Delay • The AML-CFT Law and AML-CFT Decision require LFIs to promptly apply directives issued by the competent authorities of the UAE for implementing the decisions issued by the United Nations Security Council (“UNSC”) under Chapter VII of the Charter of the United Nations (“UN”) and the Cabinet Decision No. (74) of 2020 which sets out the legislative and regulatory framework regarding TFS, including the Local Terrorist List and the UN Consolidated List. • LFIs are required to have suitable risk management systems and take sufficient measures to identify whether a customer, or the beneficial owner of a customer, has been added to an international sanctions list or the Local List. • LFIs are required to conduct screening prior to onboarding and on an ongoing basis. • LFIs should maintain an internal watchlist of parties that are related to sanctioned persons or entities or that pose elevated risk to the LFI for other illicit finance￾related reasons. Training As with all risks to which the LFI is exposed, the AML/CFT training program should ensure that employees are aware of the risks related to PF, are familiar with the obligations of the LFI, and are equipped to apply appropriate risk-based controls. Governance and Independent Audit The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT program that is appropriate to the risks the LFI faces and organized in accordance with the “three lines of defence” model. All three lines of defence should report up to and have the active support and oversight of the LFI’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors. Furthermore, Management Information and Reports related to PF alerts and internal investigations should be provided to senior management to enhance their understanding of the severity or scale of PF risks to the institution. Record Keeping • LFIs must maintain detailed records associated with their ML/FT/PF risk assessment and mitigation measures, as well as records, documents, data, and statistics for all financial transactions, records obtained through CDD measures and ongoing monitoring (including copies of personal identification documents), account files and business correspondence, and STRs/SARs and results of any analysis performed.

Page 58 of 59 CBUAE Classification: Public • LFIs should make the records available to the competent authorities immediately upon request. UAE CPF Legal and Regulatory Framework • Federal Decree Law No. (20) of 2018, Article 16.e.1 specifies that FIs and DNFBPs shall undertake “Prompt application of the directives when issued by the competent authorities in the state for implementing the decisions issued by the UN Security Council under Chapter (7) of UN Convention for the Prohibition and Suppression of the Financing of Terrorism and Proliferation of eapons of Mass Destruction, and other related directives”. • Federal Decree-Law No. (20) of 2018, Article (28) of which provides for a penalty of imprisonment of no less than a year and no more than (7) years, or a fine of no less than AED 50,000 for anyone who violates any of the directives of Chapter 7 of the UN Convention for the Suppression of the Financing of Terrorism and Proliferation of WMD and other related directives. • UAE Cabinet Decision No. (74) of 2020, Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolutions, wherein, inter alia, Article (11.1) designates the EOCN as a National Coordination body. • Federal Decree Law No. (43) of 2021, on the Commodities Subject to Non￾Proliferation, wherein prohibits or restricts certain commodities, requires the issuance of permits to trade such commodities, lays out obligations for the permit holder and establishes penalties for violation of said statute. • Federal Decree Law No. (13) of 2007, on Items Subject to Import and Export Control and its Amendments, including Federal Law No. (12) of 2008. • Cabinet Resolution (50) of 2020, on the Schedule of Strategic Items Attached to Federal Law (13) of 2007, which implements internationally agreed dual-use goods subject to import and export control. UAE authorities involved in matters related to CPF • EOCN: is the authority responsible for implementing the provisions of Federal Decree Law No. (43) of 2021 On the Commodities Subject to Non￾Proliferation which replaces Federal Law No. (13) of 2007 Concerning Commodities Subject to Control of Import and Export. This is for the aim of preventing the illegal and unauthorized circulation of dual-use goods that contribute to the production or development of weapons of mass destruction, along with their associated technology and means of delivery. In cooperation with the Ministry of Foreign Affairs and International Cooperation (MoFAIC) and other government agencies exert extreme efforts in following up the application of the resolutions and requirements of the United Nations Security Council and other relevant international and regional organizations and coordinates to and supervises the application of targeted financial sanctions (TFS) relating to terrorist lists system, as well as the implementation of Security Council resolutions on the prevention and suppression of terrorism, its financing, the cessation of arms proliferation and financing, in addition to other relevant resolutions in coordination with competent stakeholders. • FANR: is the regulatory authority responsible for overseeing the nuclear industry’s compliance with Federal Law No. (6) of 2009, Concerning the Peaceful Uses of Nuclear Energy.

Page 59 of 59 CBUAE Classification: Public • ICP: was established in and is charged with implementing the UAE’s unified customs law and e ecuting the UAE’s obligations under the Gulf Cooperation Council’s (GCC) customs union. Export Controls Export controls regimes around the world are essential in preventing the unauthorized transfer of items and technologies that could be used in WMD proliferation. LFIs play a crucial role in ensuring compliance with export control laws and regulations, as they are often involved in processing and facilitating the financing and settlement aspects of international trade transactions. Dual Use or Controlled Goods • In cases where trade-based transactions potentially involve dual-use or controlled goods, LFIs should screen against the UAE Control List pursuant to Cabinet Resolution No. (50) of 2020 for potential matches and follow the steps set forth in the EOCN’s Guidance on Counter Proliferation Financing for FIs, DNFBPs and VASPs, section 6 • LFIs should consider screening for dual-use and other controlled goods when trade finance products involving international trade transactions are being offered. Lists of controlled chemical and non-chemical goods, which includes dual-use goods associated with the proliferation of WMDs, can be found on the EOCN’s website • LFIs are encouraged to consult with the EOCN to ascertain whether commodities are subject to export controls or other restrictions, and where applicable verify availability of valid permit from relevant authorities for transactions involving dual-use goods • LFIs should consider leveraging the standardized numerical method of classifying traded products, like the Harmonized System (“HS”), which is a standardized numerical method of classifying traded products