2025-11-07
The Central Bank of the United Arab Emirates issued this guidance to establish expectations for Licensed Financial Institutions regarding the management of correspondent banking relationships and associated anti-money laundering, counter-terrorist financing, and proliferation financing risks. The document mandates that institutions implement robust risk-based policies, including enhanced due diligence for high-risk relationships, nested accounts, and payable-through arrangements, while strictly adhering to cross-border payment monitoring standards. It further requires LFIs to maintain comprehensive governance, ongoing transaction monitoring, and suspicious activity reporting mechanisms to ensure compliance with UAE statutory obligations and international best practices.
CBUAE Classification: Public
ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM AND ILLEGAL ORGANISATIONS
GUIDANCE FOR LICENSED FINANCIAL INSTITUTIONS ON CORRESPONDENT BANKING AND EXPECTATIONS FOR MANAGING CORRESPONDENT BANKING RELATIONSHIPS
October, 2025
Contents

6.6.1. Transaction Monitoring
6.6.2. Suspicious Transaction/Activity Reporting
6.7. Targeted Financial Sanctions Obligations
6.7.1. Confirmed Name Match Reports
6.7.2. Partial Name Match Report
6.8. Governance and Independent Audit
6.9. Training
6.10. Record-keeping
Annex 1. Global Standards on Correspondent Banking
Annex 2. Correspondent Banking Red Flags
Annex 3: Transition from SWIFT to the ISO 20022 Payment Standard
Annex 4: SWIFT and Non-Customer RMA Relationships
Annex 5: Synopsis of the Guidance

prevail. This Guidance may be supplemented with additional separate guidance materials, such as outreach sessions and thematic reviews conducted by the CBUAE.

Furthermore, this Guidance takes into account standards and guidance issued by the Financial Action Task Force (“FATF”), international best practices, and other relevant international bodies.2, 3 These are not exhaustive and do not set limitations on the measures to be taken by LFIs in order to meet their statutory obligations under the legal and regulatory framework currently in force. As such, LFIs and registered hawala providers (“RHPs”) should perform their own assessments of the manner in which they should meet their statutory obligations consistent with their risk exposure.

This Guidance comes into effect immediately upon its issuance by the CBUAE with LFIs expected to demonstrate compliance with its requirements within one month from coming into effect. The CBUAE will review and amend this guidance, as appropriate, to reflect emerging and evolving risks.

1.2. Applicability

Unless otherwise noted, this Guidance applies to all natural and legal persons, which are Financial Institutions or Licensees, or any other defined term which brings all entities within the scope of licensed and/or supervised entities by the CBUAE, in the following categories:

• National banks, branches of foreign banks, exchange houses, finance companies, payment service providers, virtual asset service providers (“VASPs”), payment token service providers, registered hawala providers;
• Insurance companies, agencies, and brokers; and
• Other covered financial institutions not specified above, or any other entities that are licensed or registered by the CBUAE and are engaged in financial activities that fall under AML/CFT/CPF regulations.

This Guidance applies to LFIs operating within the UAE and globally, including those acting as intermediaries in correspondent banking chains.

For LFIs with operations outside the UAE, this guidance applies to their UAE-based activities and should inform group-wide standards, while adhering to applicable regulations in the local jurisdiction.

The term “Licensed Financial Institution (LFI)” covers all entities listed in this section (i.e., Section 1.2. – Applicability).

1.3. Legal Basis

This Guidance builds upon the provisions of the following laws:

• Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and its amendments (“AML-CFT Law”);
• Cabinet Decision No. (10) of 2019, as amended by Cabinet Decision No. (24) of 2022, Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organisations (“AML-CFT Decision”) and its amendments;
• Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (“UNSC”) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution (“Cabinet Decision 74”), and its amendments; and
• CBUAE/BSD Notice No. 1943.2022 Regarding AML/CFT Minimum Standards and Supervisory Expectations.

LFIs must understand that non-compliance with these laws can result in severe penalties, including fines and loss of license. This Guidance also considers international standards and guidelines related to correspondent banking, including from the FATF Recommendations, the Basel Committee on Banking Supervision, and the Wolfsberg Group.

2 For example, please see https://db.wolfsberg-group.org/assets/d39a5072-7fb6-4e31-9a87-9e54021ce71f/Wolfsberg%20Correspondent%20Banking%20Principles%202022.pdf.
3 For example, please see https://www.bis.org/bcbs/publ/d405.pdf.

1.4. Acronyms and Definitions

Terms    Description
AML      Anti-money laundering
CBUAE    Central Bank of the United Arab Emirates
CDD      Customer due diligence
CFT      Counter the financing of terrorism
CPF      Countering the financing of proliferation
EDD      Enhanced due diligence
FATF     Financial Action Task Force
FIU      Financial Intelligence Unit
ISO      International Organization for Standardization
LFI      Licensed financial institution
ML       Money laundering
MVTS     Money or Value Transfer Services (MVTS)
NBFI     Non-bank financial institution
PEP      Politically exposed person
RMA      Relationship Management Application
RHP      Registered hawala provider
SAR      Suspicious activity report
STR      Suspicious transaction report
SWIFT    Society for Worldwide Interbank Financial Telecommunications
TFS      Targeted Financial Sanctions
UNSC     United Nations Security Council

Correspondent institution: A financial institution that provides financial services (“the correspondent institution”) to another financial institution (“the respondent institution”). A correspondent institution can conduct business transactions, accept deposits, and gather documents on behalf of the respondent institution.

Correspondent banking: Correspondent banking is the provision of a current or other liability account, and related services, to another financial institution, including affiliates, either domestically or internationally, for the execution of third-party payments and trade finance, and processing of paper clearing needs in a particular currency. Respondent banks may be provided with a wide range of services, including cash management (e.g. interest-bearing accounts in a variety of currency), international wire transfers, cheque clearing, payable-through accounts and foreign exchange services.

Derisking: The termination or restriction of business relationships, including correspondent banking relationships, by financial institutions to avoid risk, rather than manage it. Correspondent banking is an activity that has been negatively impacted by de-risking in certain regions and sectors.

Nested (or “downstream”) activity: Activity where a financial institution’s correspondent relationship is used by one or more indirect respondent institutions (i.e., nested banks) through their relationships with the financial institution’s direct respondent institution to conduct transactions or obtain access to other financial services.

Non-resident accountholders: Customers primarily resident in a different jurisdiction from where financial services are being provided.

Payable-through (or “pass-through”) accounts: Correspondent accounts that can be accessed directly by third parties to transact business on their own behalf.

Proprietary: Activity where a respondent institution is using the correspondent account to conduct

2. Understanding Correspondent Banking

As a global financial centre, the UAE relies on international correspondent banking networks to provide customers with access to cross-border products and services in different jurisdictions. To this end, correspondent banking supports international trade and business, increases financial inclusion, and furthers the UAE’s financial connectivity with the international economy. While correspondent banking offers significant benefits, it may also pose significant risks, including higher exposure to financial crimes risks and the imposition of regulatory penalties, and require LFIs to implement robust risk management strategies to address these challenges.

Correspondent relationships involve the provision of financial services by one LFI, the “correspondent institution,” to another, the “respondent institution,” through a bilateral agreement between the two financial institutions. In its capacity as a correspondent institution, a bank or other LFI may provide respondent institutions with a wide variety of services, including cash management, cross-border wire transfers, check clearing, loans, letters of credit, and foreign exchange services. It is important to note that, although the ML/TF/PF risks may be lower, LFIs should still conduct due diligence on their correspondent and their parent institutions, following a risk-based approach. In the context of this guidance, however, correspondent banking mostly refers to ongoing, contractual relationships where a correspondent institution provides a range of financial services to a respondent institution.

Correspondent banking is especially relevant when an LFI or their customers lack a direct banking or other business relationship with the other transacting party, for example, where the payment beneficiary does not hold an account at the originator’s financial institution or when the transaction must be denominated in a particular currency.

The Wolfsberg Group establishes that “correspondent banking is the provision of a current or other liability account, and related services, to another financial institution, including affiliates, used for the execution of third-party payments and trade finance, as well as its own cash clearing, liquidity management and short-term borrowing or investment needs in a particular currency.”4, 5 Correspondent banking does not include one-off transactions or the exchange of the SWIFT Relationship Management Application keys (“RMA”) as discussed in Section 6. SWIFT and Non-Customer RMA Relationships.

Correspondent banking is defined by its ongoing, repetitive nature, and in this capacity, correspondent banking relationships can be understood as taking three main forms:

• Traditional correspondent banking: In traditional correspondent banking relationships, the correspondent institution enters into an agreement with a respondent institution for the respondent institution to execute payments on behalf of its customers (third-party transactions) or on its own behalf (proprietary transactions). The respondent institution’s customers in traditional correspondent banking relationships do not have direct access to the respondent institution’s correspondent banking account.

Figure 1: Traditional Correspondent Banking: Proprietary Transactions

Figure 2: Traditional Correspondent Banking: Third-party Transactions

• Nested correspondent banking: In this scenario, a correspondent institution’s account with the respondent institution is used by one or more indirect respondent institutions or “nested” institutions. Specifically, the “nested” institutions obtain access to financial services through their relationship with the respondent institution, which they can then use for their own customers. Nested institutions do not have a direct relationship with the correspondent institution. Nested relationships are commonly found where one or more of the transacting parties holds an account at a smaller institution that must pass through larger intermediary institutions in order to transact with the ultimate beneficiary.

Figure 3: Nested Correspondent Banking

• Payable-through or pass-through accounts: Payable-through accounts are similar to nested correspondent banking relationships, but in this case, the respondent institution allows its customers to directly access the correspondent banking account. In so doing, the respondent institution’s customers can conduct their own transactions through the correspondent banking account.

Figure 4: Payable-through Account

4 Wolfsberg Group, Wolfsberg Financial Crime Principles for Correspondent Banking, 2022, https://db.wolfsberg-group.org/assets/d39a5072-7fb6-4e31-9a87-9e54021ce71f/Wolfsberg%20Correspondent%20Banking%20Principles%202022.pdf.
5 For the purposes of this Guidance, and according to FATF, correspondent banking relationships also include Money or Value Transfer Services (“MVTS”) providers when they act as intermediaries for other providers, or where they are accessing banking or similar services through the account of another MVTS customer of the bank.

LFIs should note that nested correspondent banking relationships and payable-through accounts pose heightened ML/TF/PF risks due to reduced transparency of the underlying transactions. LFIs allowing such arrangements should implement enhanced due diligence (“EDD”) measures.

In light of the risks posed by correspondent banking relationships, banks may be tempted to derisk by severing relationships notably with higher-risk respondent institutions, but doing so can undermine their global reach and financial inclusion in emerging markets. LFIs should be aware of the potential negative impacts of de-risking. While managing risks is crucial, wholesale termination of correspondent banking relationships could lead to financial exclusion and push transactions into less-regulated channels.

3. Cross-Border Payments

Particularly relevant in the context of correspondent banking, LFIs often turn to their correspondent banking relationships to conduct cross-border payments for their customers or the financial institution’s own cross-border activities. When considering the risks and requirements of correspondent banking relationships, it is important to understand how cross-border payments are executed, and an LFI’s obligation to collect and monitor information associated with cross-border payments. LFIs must ensure compliance with all applicable AML/CFT/CPF regulations while conducting cross-border payments, emphasizing the importance of thorough monitoring and documentation to mitigate risks of financial crime.

For the purposes of this Guidance, cross-border payments are financial transactions where the originator and remitter/beneficiary are based in separate countries. Cross-border payments cover both wholesale and retail payments, including cross-border remittances.

Background on SWIFT Payment Messages

The vast majority of cross-border interbank transactions are made using the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) messaging system. SWIFT maintains a proprietary secure network with standardized data fields and protocols that allows LFIs and other participants to send secure payment instructions and other relevant transaction information to counterparties around the world. Importantly, the SWIFT network is a messaging infrastructure, and not a settlement system. The actual movement of funds is completed at the account level, through correspondent banking relationships between the transacting parties.

SWIFT messages are called “MT” messages (stands for “message text”) and the first letter of the MT xxx number reflects the type of a message used. For example, for customer-initiated payments, financial institutions use MT 1xx and for intrabank settlements – MT 2xx. SWIFT has developed and regularly updates the formatting standards used for each type of message that dictates the mandatory versus optional fields, the length of fields, and information that should be reflected in each.

Historically, due to less stringent standards in the format of certain SWIFT payment messages, intermediary financial institutions did not always have access to minimum originator and beneficiary information. Under this legacy messaging system for cross-border payments, ordering institutions would send two types of messages:

• SWIFT MT 103: An ordering institution would use this message type when initiating a transaction on behalf of an ordering customer, by sending this message directly to the financial institution of the beneficiary customer. MT 103 is a longer message type (when compared to MT 202 discussed below) and would require an originating financial institution to include numerous data points about the transfer and remitter/beneficiary.
• SWIFT MT 202: SWIFT standards require financial institutions to use this type of MT message when initiating transfers for their own account. An MT 202 message contains very few mandatory fields, only identifies financial institutions engaged in the funds transfer, and does not reference the originator or the beneficiary.

In the mid-2000s, various regulatory authorities and industry groups noted that the use of MT 103 and MT 202 messages allowed for non-transparent funds transfers or even transfers where certain information was intentionally manipulated or withheld from correspondent banks.

To address the financial transparency concerns associated with the use of the MT 202 message type and underlying non-bank payments (i.e., payments initiated by a bank’s customers), in November 2009, SWIFT adopted a new message format, the MT 202 COV. The MT 202 COV contains mandatory fields for originator and beneficiary information. Financial institutions originating cross-border funds transfers on behalf of their customers are now required to use the MT 202 COV for any financial institution-to-financial institution payment for which there is an associated MT 103, thus providing intermediary financial institutions with the information they need to perform sanctions screening and suspicious activity monitoring. Financial institutions may continue to rely on MT 202, a shorter message format, when the associated funds transfer is truly a transfer between two financial institutions acting on their own behalf.

Of note, the use of MT messages for cross-border payments will end in November 2025. After this date, SWIFT will no longer support most MT messages, and the MX standards (ISO 20022) will become the new standard for payment messaging. With ISO 20022 migration, the equivalent MX message formats are PACS008 for customer credit transfer and PACS009 for financial institution credit transfer. LFIs should consider both MT and MX standards for comprehensive coverage of SWIFT messaging.
Please refer to Annex 3, Transition from SWIFT to the ISO 20022 Payment Standard, for further details.

3.1. Funds Transfer Requirements and the Role of Financial Institutions Processing Cross-Border Funds Transfers

LFIs have specific requirements when processing cross-border fund transfers. In order to manage the risks associated with cross-border payments, it is essential that all LFIs in the transaction chain—including intermediary financial institutions that may lack a direct customer relationship with the ultimate originator or beneficiary—be able to screen and monitor the identities and locations of all transacting parties. Intermediary financial institutions play a critical role in ensuring the integrity of cross-border transfers by screening, monitoring and passing on all relevant information, even if they lack a direct relationship with the originator or beneficiary.

Under Articles 27-29 of the AML-CFT Decision, qualifying cross-border wire transfers equal to or exceeding AED 3,500 (or equivalent in any other currency) should always contain the following:

• The name of the originator;
• The originator’s account or unique transaction number. In the absence of an account, the transfer must include a unique transaction reference number which allows the process to be tracked;
• The originator’s identity number or travel document, date and place of birth, and address;
• The name of the beneficiary; and
• The beneficiary’s account or unique transaction number. In the absence of the account, the transfer must include a unique transaction reference number which allows the process to be tracked.

As per Chapter 16 of the CBUAE Standards for the Regulations Regarding Licensing and Monitoring of Exchange Business, exchange houses are subject to stricter due diligence requirements, and should screen all transfers, inward or outward.

The quality of information provided in payment messages is critical.
LFIs must ensure that all required data is accurate and complete to facilitate effective monitoring and compliance with AML/CFT obligations.

Regarding the role of financial institutions processing cross-border wire transfers, originating financial institutions are responsible for using the right format for payment messages. To this end, originating financial institutions should require that information on an originator and beneficiary accompanies wire transfer messages. Other parties in the payment chain—such as an intermediary financial institution that may lack a direct customer relationship with the ultimate originator or beneficiary—are required to monitor the payments they process based on this information. In particular, the quality of information provided in payment messages helps facilitate and should be used as a basis for an LFI’s ongoing monitoring program.

Article 28 of the AML-CFT Decision also requires intermediary financial institutions to take reasonable measures to identify cross-border wire transfers that lack required originator information or required beneficiary information. Intermediary financial institutions are required to actively monitor all cross-border wire transfers for compliance with information requirements and must implement robust procedures to identify and address any deficiencies in originator or beneficiary information. Intermediary institutions must also have risk-based policies and procedures for determining when to execute, reject, or suspend a wire transfer; and the appropriate follow-up action. These procedures should consider factors such as the completeness and accuracy of originator/beneficiary information and the presence of sanctions alerts.

As it relates to correspondent banking, a correspondent institution as an intermediary financial institution in the payment chain should:

• Monitor the payment messages transmitted by the respondent institution for the purpose of detecting those which lack required originator and/or beneficiary information, including meaningless fields.
• Verify the reliability of the respondent institution’s controls, for instance via sample testing (e.g., take a closer look at a few transactions to identify cases where they do not comply with the wire transfer information requirements). Sample testing may also help the correspondent institution to adjust the level and type of monitoring, including the timing of ex-post reviews.

The respondent institution, acting as the ordering financial institution, remains responsible for performing CDD/KYC on the originator and must verify originator information for accuracy, obtain relevant information on the beneficiary in a manner that is consistent with straight-through processing, and maintain this information in accordance with Article 27 of the AML-CFT Decision. Furthermore, in cases where there is higher risk associated, the respondent institution is required to undertake EDD measures warranting a documented understanding of the purpose of the transaction and the involved parties, i.e., originator, beneficiary and any other party affiliated with the transaction.

To address risks related to a lack of transparency in the international payments system, LFIs should implement policies, procedures, processes, and technology to apply increased transparency for cross-border cover payments and adhere to the Message Standards, as noted in interagency guidance by the Wolfsberg Group and Clearing House (a banking association and payments company owned by the largest commercial banks). The standards stipulate that:6

• LFIs should not leave out, delete, or change information in payment messages or orders for the purpose of avoiding having that information be detected by any other financial institution in the payment chain;
• LFIs should not use any payment message for the purpose of avoiding having that information be detected by any other financial institution in the payment chain;
• Subject to all applicable laws, LFIs should cooperate with other financial institutions in the payment process when requested to provide information about the parties involved in a payment; and
• LFIs should strongly encourage their foreign correspondent banking customers to observe these principles.
• LFIs should leverage technology solutions to enhance the monitoring of cross-border payments, ensuring that systems are in place to automatically detect transactions that lack required information, include inaccurate originator and beneficiary information, or exhibit suspicious patterns.

Failure to comply with the established funds transfer requirements may result in enforcement actions, including fines and restrictions on operations, increased scrutiny from regulators, and potential reputational damage for LFIs, thereby underscoring the importance of adherence to these guidelines.

6 Wolfsberg Group, Clearing House, Statement on Payment Standards, 2007, please see https://db.wolfsberg-group.org/assets/973cf236-7292-430b-ae56-100e434fa983/13.%20Wolfsberg_NYCH_Statement_on_Payment_Message_Standards_(2007).pdf

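An added example, not part of the CBUAE Guidance: one way an intermediary could automate the Section 3.1 check for wire transfers that lack required originator or beneficiary information or carry meaningless fields, and aggregate the results per respondent for sample testing. The record layout, field names, placeholder list and sample records are assumptions constructed for illustration, and amounts are assumed to be already converted to AED.

```python
"""Added example: completeness check for cross-border wire transfer records."""
from decimal import Decimal

THRESHOLD_AED = Decimal("3500")  # "equal to or exceeding AED 3,500" (Section 3.1)

# Assumed placeholder strings; tune to what is actually observed in traffic.
PLACEHOLDERS = {"N/A", "NA", "NONE", "NULL", "UNKNOWN", "NOT PROVIDED", "TBA", "TBD"}

# Hypothetical normalised field names. Each entry maps a required item from
# the Section 3.1 list to a group of alternative fields: at least one field
# in the group must carry meaningful content.
REQUIRED = {
    "originator name": ("originator_name",),
    "originator account or transaction reference":
        ("originator_account", "transaction_reference"),
    "originator identity number or travel document":
        ("originator_id_number", "originator_travel_document"),
    "originator date of birth": ("originator_date_of_birth",),
    "originator place of birth": ("originator_place_of_birth",),
    "originator address": ("originator_address",),
    "beneficiary name": ("beneficiary_name",),
    "beneficiary account or transaction reference":
        ("beneficiary_account", "transaction_reference"),
}


def is_meaningless(value):
    """True for empty values, known placeholders, punctuation-only strings
    and filler made of one repeated character (e.g. 'XXXX', '0000')."""
    if value is None:
        return True
    text = " ".join(str(value).upper().split())
    if not text or text in PLACEHOLDERS:
        return True
    alnum = [c for c in text if c.isalnum()]
    if not alnum:
        return True
    return len(alnum) >= 3 and len(set(alnum)) == 1


def in_scope(transfer):
    """A transfer is checked when its AED amount meets the threshold."""
    return Decimal(str(transfer["amount_aed"])) >= THRESHOLD_AED


def check_transfer(transfer):
    """Return the required items that are missing or meaningless.
    Transfers below the threshold return an empty list."""
    if not in_scope(transfer):
        return []
    return [
        label
        for label, alternatives in REQUIRED.items()
        if all(is_meaningless(transfer.get(name)) for name in alternatives)
    ]


def deficiency_by_respondent(transfers):
    """Per respondent: in-scope count, deficient count and deficiency rate,
    as input for deciding where to deepen sample testing."""
    stats = {}
    for t in transfers:
        if not in_scope(t):
            continue
        s = stats.setdefault(t["respondent"], {"in_scope": 0, "deficient": 0})
        s["in_scope"] += 1
        if check_transfer(t):
            s["deficient"] += 1
    for s in stats.values():
        s["rate"] = s["deficient"] / s["in_scope"]
    return stats


# Constructed sample records (not real data).
BASE = {
    "respondent": "RESPONDENT-A", "amount_aed": "10000.00",
    "originator_name": "Jane Example", "originator_account": "AE00EXAMPLE0001",
    "originator_id_number": "ID-EXAMPLE-0001",
    "originator_date_of_birth": "1980-01-01",
    "originator_place_of_birth": "Exampleville",
    "originator_address": "1 Example Street, Exampleville",
    "beneficiary_name": "John Sample", "beneficiary_account": "XX00SAMPLE0002",
    "transaction_reference": "REF-0001",
}
SAMPLE = [
    BASE,
    # Filler name and placeholder address; reference stands in for accounts.
    {**BASE, "amount_aed": "5000", "originator_name": "XXXX",
     "originator_address": "n/a", "originator_account": None,
     "beneficiary_account": ""},
    # Below the threshold: not checked by this rule.
    {"respondent": "RESPONDENT-B", "amount_aed": "3499.99"},
    # Exactly at the threshold, beneficiary side unusable.
    {**BASE, "respondent": "RESPONDENT-B", "amount_aed": "3500",
     "beneficiary_name": "....", "beneficiary_account": None,
     "transaction_reference": None},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["respondent"], record["amount_aed"], check_transfer(record))
    print(deficiency_by_respondent(SAMPLE))
```
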
4. Policy and Procedures

It is essential for LFIs to develop a robust financial crime framework to identify, prevent, and effectively manage risk, rather than merely avoiding risk through derisking. LFIs are required to develop risk-based internal policies and procedures for correspondent banking relationships, which should be approved by senior management or the board. The policies and procedures should include:

• Implementation across the organization: LFIs should implement robust monitoring mechanisms to ensure the effective and consistent implementation of the policies and procedures across the organization, including branches, subsidiaries, and other entities in which LFIs hold a majority interest.
• Communication: LFIs should clearly communicate the policy and procedures to all relevant employees and external or outsourced service providers by providing regular training to all relevant employees or external service providers to ensure they understand and can effectively implement the policies and procedures.
• Review and Update: LFIs should review and update the policies and procedures in a timely manner in response to events or emerging risks and ensure that such updates are communicated to employees and external or outsourced service providers on a timely basis to ensure they are informed and act accordingly.
• Formal Review Process: LFIs should implement a formal review process at least annually of the policies and procedures to assess the effectiveness of said policies and procedures, identify gaps or weaknesses, and make necessary updates, with necessary changes being subject to approval at appropriate levels where changes are material.
• Exceptions and Deviations: LFIs should identify and document any exceptions or deviations from the policies and procedures related to the LFI, including a remedial action plan; these should be approved by senior management.
• Local and International Regulatory Requirements: LFIs should develop internal policies and procedures for correspondent banking relationships that align with local requirements as well as international best practices, including FATF recommendations, to ensure compliance with applicable local and international regulatory requirements.

The policy and procedures should be risk-based and regularly reviewed to ensure they align with evolving regulatory requirements, emerging risks, and mitigation measures. This approach will strengthen and maintain a dynamic financial crime prevention framework that meets international standards, regulatory expectations, and industry best practices.

5. Correspondent Banking Risk Factors

Different types of correspondent banking relationships present varying levels of ML/TF/PF risk. The following section examines common risk factors associated with correspondent banking relationships by reviewing aspects of a respondent institution’s risk profile, including transactions, geography, ownership and management structure, products and services, and customers that contribute to ML/TF/PF risk. LFIs should conduct a comprehensive risk assessment of their correspondent banking relationships, considering all relevant risk factors and determine whether their correspondent banking relationships should be subject to additional EDD measures.

Additional measures are necessary because cross-border correspondent banking relationships are inherently higher risk than domestic correspondent relationships. Simplified due diligence measures are not suitable in the context of cross-border correspondent banking. An LFI may also decide to suspend transaction activity or exit a correspondent banking relationship if risks cannot be sufficiently mitigated. LFIs should incorporate this assessment into their AML/CFT/CPF program and update their policies, procedures, and processes with the aim to manage associated illicit financing risks.

To ensure effective risk management, LFIs should establish clear criteria for implementing EDD measures based on specific risk factors, such as transaction types and volumes, geographic location, ownership structures, and the nature of the respondent institution's customer base.

5.1. Respondent Institution’s Third-Party Transaction Risk

Correspondent banking relationships involving the execution of transactions and the provision of other financial services for the respondent institution’s customers (otherwise referred to as “third-party transactions”) introduce specific ML/TF risks. This third-party risk is present across traditional correspondent banking relationships, nested correspondent banking relationships, and payable-through or pass-through accounts. For third-party transactions, the correspondent institution is effectively acting as the respondent’s “agent,” executing payments or other transactions for the respondent’s customers that can be individuals, legal entities, or other financial institutions.
Without appropriate controls, a correspondent institution may allow a respondent institution’s customers to access the international financial system without first obtaining—or ensuring that the respondent institution has obtained—an adequate understanding of the customer’s identity and risk profile and is implementing adequate controls to manage such risk. In traditional correspondent banking relationships, for example, the correspondent institution acts as an intermediary for underlying customers of the respondent institution, often with very limited information about those ultimate customers. In this case, the correspondent institution has no direct relationship with the underlying parties to a transaction and is not able to verify their identities and purpose of the transaction, relying instead on the due diligence performed by the respondent institution.

Notably, use of third parties is one method that money launderers and terrorist financiers employ to launder the proceeds of crime. By relying on other parties to conduct transactions, illicit actors can distance themselves from the transactions that can be directly linked to the suspected ML/TF offence. Money launderers and terrorist financiers may turn to nested correspondent banking relationships and payable-through or pass-through accounts. With respect to the risks presented by third-party transactions, LFIs should implement EDD, including obtaining detailed information about the respondent institution’s customers, their risk profiles, and the controls in place to manage risks.

5.1.1. Nested Relationships

As a type of third-party relationship, a correspondent institution that establishes a correspondent relationship with a foreign financial institution (respondent institution) may not know whether the respondent institution is permitting other financial institutions to operate through the respondent institution’s correspondent account or relationship.
Such “downstream” or “nested” relationships place additional layers of intermediation between the correspondent institution and the ultimate customer, further increasing the risk that the correspondent is allowing third parties to access the international financial system without an adequate understanding of the customer or the AML/CFT/CPF controls needed to manage such customer risk. The risk in this activity is that the correspondent institution is at least one step further removed from the institution that has conducted due diligence on the transacting party, thereby limiting the correspondent institution’s visibility into the parties involved in the transaction who could be abusing the lack of transparency afforded to them to conduct illicit activity.

To manage the risks posed by nested relationships, a correspondent institution should require that the respondent institution disclose the existence of nested relationships as part of account opening and ongoing account activity reviews. Correspondent institutions should conduct reviews of nested relationships at least annually, assessing the risk associated with nested financial institutions and ensuring that adequate AML/CFT/CPF controls are in place to mitigate risks. Correspondent institutions should take reasonable steps to understand the types of financial institutions to whom a respondent institution offers downstream services and assess the strength and effectiveness of the respondent institution’s AML/CFT/CPF controls to mitigate these risks. LFIs should also ensure that payment instructions are formatted in a manner that is transparent to enable easy identification of involved parties for the purpose of effective monitoring and screening. Additionally, correspondent institutions should consider the degree to which the respondent institution examines the AML/CFT/CPF controls of those financial institutions.
For example, the correspondent institution should ensure that the respondent institution allowing nested relationships conducts correspondent banking due diligence on the nested institutions as well as its parents, subsidiaries, and affiliates. These steps may also include consideration of institution types, scale of services, and geographic location of downstream financial institutions and their customers. To this end, the correspondent institution may consider the following factors, among others, when assessing the risk of a respondent institution offering downstream financial services:

• The number, type, and jurisdictions of the nested financial institutions a respondent institution serves;
• If the nested financial institutions are located outside of the UAE, the correspondent institution should assess if those countries are (a) high risk for ML/TF and (b) have an adequate AML/CFT/CPF supervisory regime;
• Types of services the respondent institution offers to nested financial institutions (if they are proprietary only, the ML/TF risks are lower than if the nested financial institutions engage in third-party transactions); and
• The length of the relationship between the correspondent and respondent institution (i.e., a well-established relationship enables the correspondent institution to have a better understanding of the respondent institution’s expected activity and ML/TF risk associated with the relationship than a new relationship).

Understanding the risks associated with nested relationships, downstream correspondent banking relationships can be a generally legitimate part of correspondent banking. Nested relationships may be a way for global financial institutions, for instance, to help smaller financial institutions within the respondent institution’s region obtain access to the international financial system or to facilitate transactions where no direct relationship exists between financial institutions.
5.1.2. Payable-through Accounts

A payable-through account involves a respondent institution opening a correspondent account with a correspondent institution and then providing its customers with the means of directly transacting on the respondent’s account with the correspondent institution. This can take the form, for instance, of a respondent institution’s customers being able to write cheques and have access to other financial services on the correspondent account. In this scenario, ML/TF/PF risks are heightened as the respondent institution lacks direct oversight of the transactions being conducted on the account, which can pose even greater risk to the correspondent institution who lacks access to information about the third parties accessing the account.

A third party’s direct access to the correspondent account differs from downstream or nested relationships where the respondent institution is routing the nested financial institution’s transactions to the correspondent institution. Similar to nested relationships though, for correspondent institutions that allow payable-through accounts, the respondent institution should seek to demonstrate that it conducts adequate Customer Due Diligence/Know Your Customer (“CDD/KYC”) on its customers and that it is able to provide such information upon request to the correspondent institution. Correspondent institutions should perform additional due diligence and monitoring for respondent institutions in higher-risk jurisdictions commensurate to the respondent institution’s risk.
As a best practice, the correspondent institution should collect information from the respondent institution about the identities of any persons with authorization to direct transactions through a payable-through account, and the sources and the ultimate beneficial owners (“UBOs”) of funds in the payable-through account. Given the heightened risks, correspondent institutions should also consider implementing additional controls for payable-through accounts, such as stricter transaction limits, real-time transaction monitoring, and enhanced scrutiny of the purpose and nature of transactions.

Best Practices: Nested Relationships

Following a risk-based approach, a correspondent institution may apply the following enhanced measures:

• A correspondent institution should request a respondent institution’s list of nested financial institutions receiving downstream services and perform internal watchlist, negative news, politically exposed person (“PEP”), and sanctions screening on these institutions.
• A correspondent institution, on a risk-sensitive basis, may request further information from the respondent on their customer due diligence and AML/CFT/CPF controls of the underlying nested financial institution(s) in order to inform their own assessment of the nested financial institution(s).
• A correspondent institution can communicate to the respondent institution that nested financial institutions’ AML/CFT/CPF programs should be updated periodically and that information on their AML/CFT/CPF programs should be provided to the correspondent institution upon request.
• A correspondent institution may wish to collect a statement from the respondent institution affirming that payment instructions for transactions on the correspondent account will be formatted to facilitate monitoring and screening of all involved parties to a transaction.

5.2. Respondent Institution’s Geographic Risk

Also impacting a respondent institution’s ML/TF/PF risk is a respondent institution’s exposure to jurisdictions with elevated ML/TF/PF risk. For jurisdictions that have unsatisfactory AML/CFT/CPF laws and regulations or weak AML/CFT/CPF regulatory and supervisory regimes, for instance, the ML/TF/PF risk of providing correspondent banking services to financial institutions located or operating through these jurisdictions is heightened. This includes if a respondent institution has exposure to a country that has been found to be deficient in its application of global FCC standards, such as by the FATF. In addition to assessing the ML/TF/PF risks where the respondent institution is based, correspondent institutions should also assess the risks associated with the respondent institution’s presence or operations in countries with the following risk indicators.
These risk indicators should be considered for jurisdictions where a respondent institution’s ultimate parent is headquartered, and where the respondent institution conducts business, including the location of a respondent institution’s branches and subsidiaries:

• Jurisdictions with weak regulatory AML/CFT/CPF frameworks, as determined by the LFI or as notified by local regulatory or supervisory authorities;
• Jurisdictions subject to a call for action or under increased monitoring by FATF;
• Jurisdictions subject to the UNSC or UAE sanctions, or other relevant international sanctions;
• Jurisdictions where there are ongoing conflicts;
• Jurisdictions that are known to produce or transit drugs;
• Jurisdictions that have relatively higher levels of corruption or organized crime, or are known as a financial secrecy or tax haven; and
• Jurisdictions that are known to provide transit corridors to countries rated as high-risk by the UAE National Anti-Money Laundering and Combatting Financing of Terrorism and Financing of Illegal Organizations Committee (NAMLCFTC).

In order to understand a particular jurisdiction’s ML/TF/PF risk, a correspondent institution should verify whether the jurisdiction of a respondent institution is considered a jurisdiction under increased monitoring or a jurisdiction subject to a call for action by FATF. The correspondent institution may also review other sources of information, including AML/CFT/CPF laws and regulations of the respondent institution’s home country, country assessment reports and guidance from regulatory agencies and applicable international bodies, including the World Bank or International Monetary Fund. This will help a correspondent institution to evaluate the degree of risk presented by a specific jurisdiction.
The assessment of a respondent institution’s exposure to a jurisdiction with heightened ML/TF/PF risk should be considered as part of a correspondent institution’s risk assessment of each correspondent banking relationship. LFIs should also implement continuous monitoring of geographic risks associated with correspondent banking relationships, adapting their risk assessments in response to changes in the regulatory environment and emerging risks in high-risk jurisdictions.
5.3. Respondent Institution’s Ownership and Management Structures

Certain features of a respondent institution’s ownership and management structure may present increased ML/TF/PF risks, making it more conducive for illicit actors to own, control, hold a significant or controlling interest, or hold a management function in a respondent institution. Correspondent institutions should prioritize transparency in ownership and executive management structures, requiring thorough documentation of beneficial ownership and executive management structures to mitigate potential ML/TF risks. The following features should be considered along with other risk factors when deciding to onboard and continue a correspondent banking relationship:

• Respondent institution’s legal form (such as whether the respondent institution is state owned, publicly held, or privately owned). Certain factors associated with whether an institution is state owned, publicly held, or privately owned impact the risk of the correspondent institution’s relationship with the respondent institution. Generally speaking, more transparency in a respondent institution’s ownership structure is associated with less ML/TF/PF risk, while opaque ownership structures present a greater degree of ML/TF/PF risk. Risks are elevated, for instance, if the respondent institution is privately owned by UBOs and senior management located in high-risk jurisdictions. Alternatively, risks are reduced if an institution is publicly owned with shares traded on a recognized exchange in a jurisdiction with a satisfactory AML/CFT/CPF regulatory regime. However, different exchanges will have different requirements for reporting, and LFIs should ensure that the disclosure and transparency requirements of a regulated stock exchange are at least equivalent to those of the UAE.
• The location and reputation of shareholders and beneficial owners. Shareholders and UBOs pose different levels of ML/TF/PF risk. Because shareholders and UBOs could have direct influence over how a respondent institution implements its AML/CFT/CPF program, it is important for a correspondent institution to identify these individuals and obtain relevant information about them, further discussed below, including their background, source of funds, and source of wealth, when the institution is not state-owned or publicly listed.
• The presence of any PEP(s) in the senior management or ownership structure, particularly in circumstances where the PEP(s) have day-to-day control over the respondent. Politically exposed persons (“PEPs”) are at higher risk of involvement in certain proceeds-generating offenses (e.g., corruption, misuse or theft of public funds, and bribery), and the presence of a PEP in a respondent institution’s senior management or ownership structure increases a respondent institution’s financial crime risk. PEPs are at greater risk of misdirecting a respondent institution’s funds—using their power or influence in a respondent institution to directly enrich themselves, their family members, and their associates, which should be considered as part of a correspondent institution’s risk assessment of a correspondent banking relationship.

To assess the risks associated with a respondent institution’s ownership and management structure, correspondent institutions should identify and perform negative news, PEP, and sanctions screening on the respondent institution’s shareholders, UBOs, senior management, and other officers, as relevant, such as the Chief Executive Officer and the Chief Financial Officer. In certain circumstances, such as if the shareholders and UBOs are associated with financial crime-related negative news, the correspondent institution should evaluate the UBOs’ and shareholders’ source of wealth and source of funds. The correspondent institution also should gather sufficient information about the ownership and control structure of the respondent institution that also includes verifying that the respondent institution is not a shell bank.

5.4. Respondent Institution’s Products and Services

The nature of the products and services offered to a respondent institution, or that a respondent institution offers to its customers, can impact the risk associated with the correspondent banking relationship. LFIs should consider the following factors when evaluating the risks of products and services involving a respondent institution:

• Potential for intermediation: The extent to which the correspondent institution or respondent institution is offering services that carry intermediated risk, such as if the respondent institution will be allowing nested relationships or providing payable-through accounts. In this case, the institution would have limited visibility into the originator or beneficiary of a transaction (payment instructions) that it is processing, increasing the ML/TF/PF risk of the products and services provided.
• Potential for anonymity: Whether the correspondent institution or respondent institution will be offering services to the respondent institution that facilitate anonymity, such as allowing nested relationships, enabling an illicit actor to operate with limited transparency when conducting transactions.
• Cross-border funds flows: Whether the correspondent institution or respondent institution offers services that typically or characteristically involve the cross-border movement of funds (such as cross-border remittances, cross-border bulk cash delivery, international cash letters, trade finance, etc.), as illicit actors often exploit cross-border funds flows to disguise the origins of illicit funds, making them appear legitimate through complex layering and integration schemes involving multiple jurisdictions.
• Settlement times and terms: Whether the correspondent institution or respondent institution offers services that provide for near instantaneous and irrevocable settlement, making financial crime harder to detect and reverse.

To manage these risks, a correspondent institution should collect the purpose of the respondent institution’s account and relationship with the correspondent institution. As part of establishing a correspondent banking relationship, a correspondent institution should also understand the anticipated activity for the products and services the respondent institution intends to use with the correspondent, assessing whether this anticipated activity is reasonable for the size and characteristics of the respondent institution’s customer base. The correspondent institution should also conduct ongoing transaction monitoring to assess any anomalies between the actual use of the correspondent institution’s products and services and the anticipated activity established during onboarding.

5.5. Respondent Institution’s Customer Base

A respondent institution’s customer base impacts its level of ML/TF/PF risk, and subsequently, the risk it contributes to a correspondent banking relationship. Specifically, a respondent institution that derives a significant portion of its business income from high-risk customers poses greater ML/TF/PF risk to a correspondent institution. Overall, high-risk customer types have elevated ML/TF/PF risk due to the nature of their business and potentially weak AML/CFT/CPF controls (e.g., dealers in precious metals or stones, non-profit organizations, cash-intensive businesses, PEPs, Virtual Assets Services Providers, and FinTech Companies) and due to the jurisdictions where they are located or operate (e.g., jurisdictions that are known as financial secrecy or tax havens). For example, non-resident accountholders pose greater ML/TF/PF risk to a respondent institution, as obtaining identification information, understanding source of wealth and source of funds, and performing customer verification is typically more difficult for non-residents than local customers. For a respondent institution with a significant proportion of non-resident accountholders, a correspondent institution should understand why so many customers are non-residents in addition to whether or not the respondent institution’s AML/CFT/CPF controls are sufficient to manage the risks of this customer type.

Examples of customer types that should be avoided by correspondent institutions are the following, although this list is not exhaustive and should be evaluated when considering an LFI’s risk appetite:

• Shell banks: Shell banks have been found to facilitate ML/TF/PF due to their lack of a physical presence and their association with jurisdictions that have weak AML/CFT/CPF supervisory regimes. Correspondent institutions should ensure that they do not knowingly deal with financial institutions that engage shell banks. Under Article 25 of the AML-CFT Decision, LFIs should avoid entering into, or continuing, a correspondent banking relationship with shell banks.
• Unlicensed and/or unregulated banks or NBFIs: Unlicensed and/or unregulated banks or non-bank financial institutions (“NBFIs”) lack AML/CFT/CPF regulatory oversight and a supervisor that monitors their ongoing compliance and AML/CFT/CPF program effectiveness.
Maintaining accounts for a respondent institution that engages unlicensed and/or unregulated banks or NBFIs increases the risk of processing transactions for customers that lack appropriate CDD/KYC, thus elevating the chances of abusing the unlicensed and/or unregulated bank or NBFI for illicit purposes.

To manage the risks of a respondent institution’s customer base, the correspondent institution should collect sufficient information to understand the major business activities that could explain and provide a business rationale for the respondent institution’s high-risk customer types. In determining the risk and control effectiveness of a respondent institution, the correspondent institution should also consider all relevant risk factors, not limited to a respondent institution’s customer base (such as by assessing a respondent institution’s products and services, countries in which it operates, and target markets) in addition to a respondent institution’s AML/CFT/CPF controls designed to mitigate these risks. As part of this evaluation, the correspondent institution should also take into consideration the number of years the respondent institution has been offering correspondent banking services to its customers.

6. Risk Mitigation

As discussed, correspondent banking relationships are diverse in nature and pose varying levels of risk to an LFI. To mitigate risks associated with correspondent banking relationships, LFIs should design and implement controls to identify, assess, and manage the ML/TF/PF risks of each correspondent banking relationship and embed these assessments within their broader AML/CFT/CPF program. LFIs are also encouraged to explore and consider the adoption of new technologies, such as blockchain or distributed ledger technology, in their correspondent banking operations. These technologies have the potential to enhance transparency and strengthen AML/CFT/CPF controls.
The sections below discuss how LFIs can apply preventive measures associated with their correspondent banking relationships. The risk mitigation measures addressed in this Guidance are not a comprehensive discussion of all AML/CFT/CPF requirements imposed on LFIs. LFIs should therefore consult the UAE legal and regulatory framework currently in force. The controls discussed below should be integrated into each LFI’s broader AML/CFT/CPF program and supported by appropriate governance, independent audit, and training. The level and nature of a respondent institution’s risk may also change over the course of its relationship with an LFI, and adjustments should be made in the LFI’s AML/CFT/CPF controls to reflect these changes.

6.1. Enterprise-wide ML/TF/PF Risk Assessment and Correspondent Banking Risk Assessment

Under Article 4 of the AML-CFT Decision, LFIs are required to identify, assess, and understand the ML/TF/PF risks to which they are exposed in order to determine the nature and extent of AML/CFT/CPF resources necessary to mitigate and manage those risks. For this purpose, LFIs should also perform, document, and regularly update an enterprise-wide risk assessment that includes an assessment of risks related to correspondent banking. The LFIs’ policies and procedures should indicate the appropriate frequency for conducting the enterprise-wide ML/TF/PF risk assessment and the circumstances and significant changes requiring an off-cycle risk assessment. LFIs should also ensure that their enterprise-wide ML/TF/PF risk assessments explicitly incorporate and integrate the risks associated with correspondent banking activities across all business units.

Conducting a risk assessment is the first step in an LFI’s effort to counter illicit finance, including risks stemming from offering correspondent banking services. Specifically, LFIs should evaluate the ML/TF/PF risks associated with respondent institutions.
To form a clear understanding of their risk exposure, LFIs may opt to perform a standalone risk assessment of their correspondent banking line of business. When performing the correspondent banking risk assessment, LFIs should identify and assess risks taking into account different categories of risk factors. The most common categories of risk factors are customers, geographies, products and services, and delivery channels. LFIs should assess their ML/TF/PF risk exposure taking into account different categories of risk factors, including customers, geographies, products and services and delivery channels as follows:

• Customers: To better understand customer risk, LFIs should assess their exposure to respondent institutions’ customers engaged in potentially higher-risk activities, such as customers that operate in high-risk industries (e.g., customers operating in the extraction and management of oil, gas, and other natural resources; customers involved in nuclear power; gambling; production, sales, and distribution of marijuana; etc.). Customers with complex ownership structures may also pose heightened ML/TF/PF risks. Certain customer behaviour may also indicate higher levels of risk and thus require additional scrutiny, such as customers that handle customer money (such as lawyers, accountants, consultants, and real estate agents). Particularly important in the context of correspondent banking, the LFI should evaluate the ability of third parties to have access to a correspondent account, such as through nested relationships or payable-through accounts.
• Geographies: LFIs should also consider the ML/TF/PF risks associated with the countries where respondent institutions are located, where respondent institutions’ ultimate parents are headquartered, and where respondent institutions conduct business, including the location of branches and subsidiaries. The adequacy of a respondent institution’s AML/CFT/CPF regulatory and supervisory authority and that of the respondent institution’s ultimate parent also impacts an LFI’s geographic risk. Jurisdictions with a weak or inadequate AML/CFT/CPF framework present higher risk.
• Products and Services: LFIs should consider their products and services and assess the inherent risk associated with offering such products in the context of correspondent banking. LFIs should take into account product transparency, complexity, potential for intermediation, settlement times and terms, usage of cash, and cross-border funds flows. Specifically, LFIs should evaluate products and services that enable cross-border transactions (such as cross-border bulk cash currency, cross-border funds transfers, international cash letters, trade finance, etc.) and the extent to which these products and services can be abused for illicit activity, such as by masking end-users and disguising payments.
• Delivery Channels: Overall, an LFI should assess products and services that are provided to respondent institutions through higher-risk delivery channels, specifically, those that create anonymity and can be used to obscure the source or destination of funds. The primary drivers of risk for delivery channels include whether a particular delivery channel involves non-face-to-face transaction initiation mechanisms, is operated by or through a third party, or offers rapid or near-instantaneous processing and settlement. If a respondent institution operates as a virtual bank, for instance, risks are greater that the institution does not truly understand the identity and activities of the customer. In addition, delivery channels operated by third parties are inherently higher risk because—as with transactions taking place through a non-face-to-face channel—they make it more difficult for an institution to truly understand the identity and activities of the customer or collect meaningful and sufficient data for ongoing monitoring.
Risk assessments should provide a consolidated assessment of an LFI’s ML/TF/PF risks across all business units, including those of branches, subsidiaries, parent entities, or other affiliates located outside the UAE. The identified risks should be consistently reported to senior management, and any internal control deficiencies noted during the risk assessment process should be appropriately tracked and remediated. LFIs should also ensure that their risk assessments are integrated into their overall risk management frameworks, including into an LFI’s risk appetite. The risk appetite should set out the different types of parties and transactional activity the LFI prohibits from being processed through its correspondent accounts, which should be approved by the LFI’s Board of Directors or senior management. Risk assessments and risk appetite statements should be an ongoing process and should be reviewed regularly to ensure that they remain relevant, effective, and up to date. Furthermore, the LFI should adopt mitigation strategies based on the correspondent banking risk assessment including enhanced due diligence measures, more frequent reviews, limitations, etc.

6.2. Standard Customer Due Diligence

Under Article 5 of the AML-CFT Decision, LFIs should conduct CDD before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship. An LFI’s CDD program should cover, at a minimum:

• Customer identification and verification;
• Beneficial ownership identification and verification;
• Understanding the nature and purpose of the customer account and relationship for the purpose of establishing a risk profile; and
• Ongoing monitoring, including periodic and event-driven updating of customer and beneficial ownership information and the customer risk profile throughout the business relationship.

CDD, and where necessary EDD, are the core preventive measures that help LFIs manage the risks of all customers, particularly higher-risk customers. Accordingly, as a first step to onboarding a potential respondent institution, an LFI is required to identify and verify the identity of the respondent institution, using reliable, independent sources. LFIs should verify the identity of respondent institutions using reliable, independent sources such as corporate registries, beneficial ownership registries, and other licensing authorities.[7] Although the LFI can require information directly from the respondent institution, the LFI should seek to verify this information. For verification purposes, the correspondent institution can rely on corporate registries, beneficial ownership registries, and other registries maintained by licensing authorities. For more information on what constitutes a reliable, independent source, please refer to the Guidance for LFIs on CDD/KYC and Record-keeping.

In addition to verifying the respondent institution’s identity, an LFI should also identify and take reasonable measures to verify the identity of the respondent institution’s UBOs. To perform this verification, the correspondent institution should gather sufficient information about the ownership and control structure of the respondent institution and establish that the respondent institution is not a shell bank.
In this capacity, the correspondent institutions can obtain information on a respondent institution’s shareholders, senior management, and other officers, as relevant, such as the Chief Executive Officer and the Chief Financial Officer. The LFI should then screen these parties against lists of sanctioned persons, internal watchlists (such as lists of customers previously exited for financial crime reasons), and relevant ML/TF/PF information sources (such as adverse media databases) prior to onboarding a respondent institution and opening the correspondent account. If the LFI discovers that a PEP is associated with a respondent institution, such as a member of the respondent institution’s Board of Directors or senior management, the LFI should ensure it has an understanding of the person, their role and the appropriateness of that role in the respondent institution, their ability to influence the respondent institution, and the risk they may present to the relationship.

Finally, as part of standard CDD, an LFI should determine if a financial institution customer must be subject to specific due diligence for correspondent banking relationships. If the financial institution qualifies as one of the types of financial institutions receiving correspondent banking financial services from the LFI, an LFI should apply the requirements for correspondent banking relationships in Section 6.3 Specific Due Diligence for Correspondent Banking Relationships.

6.3. Specific Due Diligence for Correspondent Banking Relationships

In addition to the CDD conducted on all customers, according to Article 25 of the AML-CFT Decision, LFIs are obliged to fulfil certain due diligence requirements regarding their correspondent banking relationships and other similar relationships they maintain, regardless of whether these relationships involve foreign or domestic financial institutions.
7 For more information on what constitutes a reliable source, please refer to the Guidance for LFIs on CDD/KYC and Recordkeeping.

Specifically:
• LFIs are required to collect sufficient information about any receiving correspondent institution for the purpose of identifying and achieving a full understanding of the nature of its business, and to determine, through publicly available information, its reputation and level of AML/CFT/CPF controls, including whether it has been subject to an ML/TF/PF investigation or regulatory action;
• LFIs are obliged to evaluate the AML/CFT controls applied by the receiving correspondent institution;
• LFIs are required to obtain approval from senior management before establishing new correspondent relationships; and
• LFIs are obliged to understand the responsibilities of each institution in the field of AML/CFT/CPF.

In performing the following steps on a respondent institution, the LFI should assess whether it is evaluating a correspondent banking relationship or “other similar relationship.” As clarified by the FATF, “other similar relationships” includes providing services to MVTS providers when they act as intermediaries for other providers, or where they are accessing banking or similar services through the account of another MVTS customer of the bank. LFIs—including RHPs, exchange houses, and payment service providers—should therefore determine the extent to which they should apply enhanced measures—applying additional scrutiny and collecting additional information—on a respondent institution that poses increased ML/TF/PF risks, as referenced in Section 5, according to a risk-based approach.

A. Understand Respondent Institution’s Business and Intended Purpose of the Correspondent Account

When an LFI performs CDD/KYC on a respondent institution, it should gather sufficient information to understand the nature of the respondent institution’s business in line with identified risks.
Understanding the respondent institution’s business profile and intended purpose of the correspondent account requires the LFI to consider all relevant risk factors, such as developing a general overview of the respondent institution’s products and services; customer base, including nested relationships; and countries and markets in which it operates. What this means is that the LFI should seek to understand a respondent institution’s major business activities, including the target markets and customer segments that are served by a respondent institution.

In addition to examining the nature of the respondent institution’s business—the types of customers they serve and the location of their customers and markets—the LFI should evaluate the respondent institution’s intended purpose of the correspondent account. In general terms, the LFI should evaluate the products and services the respondent institution will offer to its customers and how it will provide these services by assessing the following risk factors:

• The purpose of the services provided to the respondent institution (e.g., foreign exchange services for the respondent institution to conduct proprietary trading or payments between a respondent’s financial group within the same jurisdiction are potential lower risk scenarios);
• What types of customers the respondent institution intends to serve through its correspondent banking relationship and how it will offer these services, such as:
   o Whether the correspondent account will be used for nested downstream activity, by either the respondent institution’s affiliates (branches, subsidiaries, and affiliates of the respondent institution’s financial group) or other third parties;
   o Whether the correspondent account will be used to conduct payable-through account activity, by either the respondent institution’s affiliates (branches, subsidiaries, and affiliates of the respondent institution’s financial group) or other third parties; and
• The expected activity within the correspondent account, including the transaction volume and value and the nature of the planned transactions.

Please note, the above risk factors that an LFI should evaluate for a respondent institution need to be applied equally to their branches, affiliates, and subsidiaries when they are direct customers of the LFI.

B. Assess Respondent Institution’s Regulatory Status and AML/CFT/CPF Regime

In addition to understanding a respondent institution’s business and purpose of the account, the LFI should verify that the respondent institution is subject to regulatory oversight and is licensed in the jurisdictions where it operates. This can involve obtaining a respondent institution’s license or charter, or other documentation evidencing the respondent institution’s authorization or certification to operate as a financial institution.

Separately, the LFI should evaluate the regulatory AML/CFT/CPF framework where the respondent institution is based. Depending on the risk of the relationship, the LFI may also assess the regulatory AML/CFT/CPF framework where the respondent institution’s ultimate parent is headquartered and the location of the respondent institution’s branches and subsidiaries. As discussed in Section 5.2 Geographic Risk, to determine the adequacy of a specific jurisdiction’s AML/CFT/CPF regime, an LFI should review guidance from regulatory agencies and applicable international bodies, including by reviewing a country’s Mutual Evaluation Report or other country assessment reports on a country’s AML/CFT/CPF regime.
This will help the LFI to evaluate the quality and effectiveness of a respondent institution’s regulatory framework. Other sources of information include AML/CFT/CPF laws and regulations of the respondent institution’s home country, and an LFI may even seek to engage AML/CFT/CPF supervisors and other relevant bodies about the AML/CFT/CPF regime in a respondent institution’s home country.

C. Evaluate Respondent Institution’s AML/CFT/CPF Control Framework

When assessing the level of risk of a particular correspondent banking relationship, LFIs should also evaluate a respondent institution’s AML/CFT/CPF controls to decide whether to onboard or continue a correspondent banking relationship. Determining the adequacy of a respondent institution’s AML/CFT/CPF controls is particularly important in the context of correspondent banking, as the LFI has limited visibility into the respondent institution’s customer base. To mitigate this risk, the LFI is responsible for ensuring that the respondent institution has appropriately conducted CDD/KYC on its customers and is implementing risk-based controls embedded within a broader AML/CFT/CPF program to manage its risks.

A useful tool for assessing a respondent institution’s AML/CFT/CPF controls and determining the quality of the respondent’s AML/CFT/CPF program is the Wolfsberg Group CBDDQ. The Wolfsberg Group CBDDQ has been designed to provide LFIs with an in-depth view of a respondent institution’s FCC policies and practices. Specifically, the CBDDQ enables LFIs to obtain a greater level of understanding of how a respondent institution mitigates the risk of their products, services, customer base, and jurisdictions. While LFIs may use the CBDDQ as part of their AML/CFT/CPF program’s due diligence requirements, the Wolfsberg Group CBDDQ is only one possible source to understand a respondent institution’s AML/CFT/CPF controls.
LFIs are expected to perform their own internal assessment—going beyond relying on the respondent institution’s responses—on whether their respondent institution has adequate AML/CFT/CPF controls, including by undertaking enhanced measures to understand and assess
the AML/CFT/CPF controls of any higher-risk respondent institutions, as described in Section 6.4 Enhanced Due Diligence for High-risk Correspondent Banking Relationships.

In sum, all correspondent banking relationships should be subject to an appropriate level of due diligence following a risk-based approach. The CDD/KYC process should not be treated as a “paper-gathering exercise,” and as such, this requires the LFI to assess the respondent institution’s AML/CFT/CPF controls on a risk-sensitive basis (e.g., receiving a description of the respondent institution’s AML/CFT/CPF policies, procedures, and process, and checking whether the internal audit function or other external third party regularly reviews the adequacy of the respondent institution’s AML/CFT/CPF controls). This information-gathering process that is part of CDD/KYC should be supplemented by discussions with the respondent institution’s Money Laundering Reporting Officer (“MLRO”) and local management to assess their AML/CFT/CPF awareness and the respondent institution’s compliance with international standards.

D. Assess the Respondent Institution’s Reputation

Complementing its review of a respondent institution’s regulatory status and AML/CFT/CPF regime, the LFI should research the respondent institution’s reputation and determine if the respondent institution has been the subject of any investigation or regulatory action related to financial crime. Information to consider includes the specific type of regulatory action issued (civil, administrative, criminal); the timeframe of when the compliance lapses occurred; the severity of the deficiencies; and if applicable, how the respondent institution remediated the identified deficiencies. Public registries, third-party databases, and reputable newspapers can help in examining an LFI’s AML/CFT/CPF record and understanding the respondent institution’s overall reputation.
Upon completing its review, the LFI should determine the extent to which the investigation or regulatory action is relevant to informing its onboarding decision, including whether the LFI should apply EDD measures on the respondent institution given the materiality of the investigation or regulatory action.

E. Senior Management Approval and Correspondent Banking Agreement

In all cases, the LFI should obtain approval from senior management before establishing new correspondent relationships, as required by FATF Recommendation 13 and Article 25 of the AML-CFT Decision. In addition, senior management approval should accompany a formalized, written agreement or contract that includes the following:

• Describes the correspondent and respondent institution’s roles, responsibilities, and expectations of the respective parties, including the respondent institution’s responsibilities specific to AML/CFT/CPF compliance;
• Covers the products and services to be provided under the correspondent banking relationship;
• Addresses any potential restrictions on the use of the correspondent banking relationship;
• Permitted third-party usage of the correspondent account and applicable internal controls to these situations;
• Any potential restrictions that the correspondent institution may want to place on the use of the correspondent account (e.g., limiting transaction types, volumes, etc.);
• Conditions regarding the requests for information on particular transactions, especially in the case of “payable through accounts” relationships; and
• Causes for termination or limitations of a business relationship.

Correspondent agreements should also include a statement that the respondent institution does not provide financial services directly or indirectly to shell banks or to customer types prohibited under the LFI’s AML/CFT/CPF policies. Each agreement may differ based on the nature and risks of the correspondent relationship.

6.4. Enhanced Due Diligence for High-risk Correspondent Banking Relationships

Although all correspondent banking relationships should be subject to specific due diligence measures, an even higher level of scrutiny should be applied to respondent institutions that present greater ML/TF/PF risks when considering the risk indicators referenced in Section 5. Risk Factors. These risk factors include, but are not limited to, the following:

• Correspondent banking relationship arrangements that provide services to nested institutions or allow payable-through account activity;
• Respondent institution with geographic locations, including parent company, branches, and subsidiaries, in high-risk jurisdictions;
• Respondent institution has an ownership or management structure that poses specific ML/TF/PF risks (such as the presence of PEPs in the senior management or ownership structure);
• Respondent institution is using the correspondent banking relationship to provide products and services that are higher risk for ML/TF/PF; and
• Respondent institution’s customer base has a significant proportion of high-risk customer types due to the nature of their business or due to the jurisdictions where they are located or operate.

LFIs should follow a risk-based approach and scale their due diligence efforts based on the risk levels of correspondent banking relationships.
Applying a risk-based approach to due diligence or tiered approach to CDD/KYC ensures that the depth of information collected is commensurate with the associated risk levels of the correspondent banking relationships.

For higher risk correspondent banking relationships, the LFI should apply EDD measures on institutions that pose increased ML/TF/PF risks. Conducting a more detailed and in-depth review for higher-risk relationships may include, but is not limited to, reviewing thoroughly the respondent institution’s AML/CFT/CPF controls and internal audit reports, interviewing an MLRO and Compliance Department, obtaining an independent third-party review of the respondent institution’s AML/CFT/CPF controls, and potentially scheduling an onsite visit. The onsite visit could be an opportunity for the LFI to speak with representatives of the respondent institution to obtain additional information, review AML/CFT/CPF controls, and corroborate findings.

In addition to such enhanced measures for understanding the respondent institution’s risk profile, an LFI may seek to establish additional terms in the LFI’s written agreement with the respondent institution, as referenced in Section 6.3. Specific additional measures to establish between the LFI and respondent institution include potential restrictions and controls the LFI seeks to apply to the correspondent banking relationship as a condition for opening a correspondent account and for reducing the risk posed by the relationship. Examples of risk-based measures an LFI could apply on a higher risk correspondent banking relationship are the following:
• Restricting certain products offered to the respondent institution (e.g., restricting the use of higher-risk products like international cash letters);
• Limiting the volume of activity (e.g., only executing a certain amount of third-party transactions in the span of a month); and
• Conducting real-time monitoring and sample testing of transactions to ensure timely and effective detection of potentially suspicious activity.

Additionally, higher levels of senior management approval may be necessary for higher risk correspondent banking relationships, as well as the performance of transaction monitoring review of all activities to determine consistency with profile, projected account activity and actual volumes.

6.5. Ongoing Monitoring of Correspondent Banking Relationships

Following the decision to onboard a respondent institution, an LFI should review its relationships with respondent institutions on an ongoing basis to assess whether the relationship remains within the LFI’s risk appetite. For high-risk correspondent banking relationships, LFIs should conduct ongoing due diligence at least annually or more frequently based on changes in assessed risk levels, customer behaviors, or regulatory updates. This review should include evaluating the ongoing effectiveness of the respondent institution’s AML/CFT/CPF program and ensuring that all information relating to a respondent institution’s CDD/KYC risk profile is accurate and up to date. CDD/KYC information should be updated regularly in accordance with a risk-based approach, and updates should also occur when there are changes to risks associated with the relationship.

6.5.1. Ongoing Due Diligence

LFIs are required to conduct ongoing due diligence of a correspondent banking relationship (both existing and new relationships), including periodic reviews of the CDD/KYC information on the respondent institution.
The frequency of these reviews will depend on the levels of risk associated with the respondent institution, based on risk factors, changes in customer behavior, or regulatory updates. For high-risk relationships, reviews, including periodic reviews of CDD/KYC information, should be conducted more frequently (e.g., quarterly) to ensure that all information is up-to-date and aligns with the risks established at onboarding.

In addition to updating a respondent institution’s CDD/KYC information, an LFI should conduct a risk-based review to determine the effectiveness of the respondent’s AML/CFT/CPF program, and the respondent institution’s ability to manage risks of its customers. By conducting a reassessment of its correspondent banking relationship, an LFI ensures information on the respondent institution is up to date and aligns with the risks of the relationship established at onboarding. The frequency with which periodic reviews are undertaken will depend on the level of risk associated with the respondent institution. When a review identifies material changes in the respondent institution, the LFI should reflect on whether it should adjust its risk assessment of the respondent institution and what further information may be needed to support this adjustment.

Particularly important in the context of correspondent banking is an account activity review of the respondent institution’s activity on the correspondent account. As part of this account activity review, the LFI should review the respondent’s transactional activity, paying close attention to whether transactional activity is inconsistent with due diligence information or expected activity and whether there are any material changes in the volume and/or value of transactions in the correspondent account. To this end, the LFI
should utilize all available information, such as the presence of any adverse news on the respondent and its customers and whether any suspicious activity reports (“SARs”) or suspicious transaction reports (“STRs”) were filed on the respondent and its customers.

Furthermore, the correspondent institution should identify whether the services will be used, via nested or downstream correspondent banking relationships, by either the respondent bank’s affiliates or other third parties. The correspondent institution should conduct enhanced ongoing monitoring of these activities, and specifically review full transactions to assess the potential misuse of nested relationships by LFIs from higher-risk jurisdictions.

Overall, the account activity review should help facilitate a comparison between what the respondent institution declared at onboarding or during the last periodic review with the respondent institution’s actual use of the correspondent account. Any change identified during the ongoing monitoring should be promptly reflected in the LFI’s risk profile as well as in the enterprise-wide ML/TF/PF risk assessment.

If, after a reassessment of a respondent institution’s relationship, an LFI finds that the respondent institution’s risk profile has changed and/or that the respondent institution is using the correspondent account in a manner that is outside of the LFI’s risk appetite, the LFI should seek to communicate correspondent account termination decisions to senior management. LFIs should give consideration to account terminations that could restrict access to financial services for an entire group of customers, potential customers, or geographic locations. LFIs should maintain a clear audit trail of the reasons and process for closing the account. LFIs should also document all findings from ongoing monitoring activities, including any actions taken in response to identified risks, to ensure accountability and facilitate the conduct of audits.

Best Practices: Continual Communication about Correspondent Banking

A correspondent institution should continuously engage a respondent institution to understand and assess the AML/CFT/CPF controls of a respondent institution. As per best practice, this can also take the form of regular outreach and ongoing dialogue that also includes messaging a correspondent institution’s AML/CFT/CPF requirements and expectations specific to the correspondent banking relationship. Helping a respondent institution understand a correspondent institution’s AML/CFT/CPF policy and risk appetite, for instance, can bridge any gaps in understanding and also promote the adoption of a robust AML/CFT/CPF control framework. In addition, this type of engagement supports the identification of any new and emerging risks; helps quickly resolve any incidents (such as any requests for information specific to activity detected through a correspondent institution’s transaction monitoring program); and overall, enables a coordinated approach to a correspondent institution’s risk management program.

6.6. Suspicious Activity and Reporting in Correspondent Banking

6.6.1. Transaction Monitoring

Under Article 16 of the AML-CFT Decision, LFIs must monitor activity by all customers to identify behaviour that is potentially suspicious and that may require filing of an STR, SAR, or other report types. Moreover, as required by Article 7 of the AML-CFT Decision, LFIs must continuously monitor all their transactions to ensure that the transactions conducted are consistent with the information they have about the customer, their type of activity, and the risks they pose, including, when necessary, the source of funds. Transactions may be suspicious simply by virtue of their individual characteristics (such as their value, source, destination, or use of intermediaries). Alternatively, transactions may be suspicious because, together with other transactions, they form a pattern that diverges from expected or historical transactional activity and may otherwise be indicative of illicit activity.

In the context of correspondent banking, LFIs should continuously monitor transactions to, from, or through the correspondent account for unusual and potentially suspicious activity. Specifically, LFIs should put in place appropriate transaction monitoring policies, procedures, processes, and technology to be able to detect any activity that is inconsistent with the purpose of the services provided to the respondent institution and/or that is not in line with the anticipated activities of the respondent institution. The policies and procedures should require appropriate monitoring of the Respondent’s activity, incorporating due diligence results, such as customer risk rating and other factors considered meaningful in the assessment of transaction activity. The results of suspicious activity monitoring should be factored into the periodic review of the customer relationship, particularly when the results of transaction monitoring indicate elevated risk levels. The relationship between due diligence information and transaction monitoring shall be continuous throughout the life of the Respondent relationship and apply to both the Respondent and any related suspicious activity. These policies and procedures should also include guidance and examples on what the correspondent institution considers to be unusual or suspicious.
While all correspondent banking relationships should be subject to ongoing monitoring, certain respondent institutions may require enhanced monitoring depending on unique risk factors posed by the relationship (e.g., respondent institution is located in high-risk jurisdiction, respondent institution has a history of prior SAR/STR filings, etc.). To this end, as part of transaction monitoring, LFIs should tailor their scenarios, parameters and thresholds used to monitor correspondent banking activities. For example, LFIs can adapt transaction scenarios to identify hidden relationships between accounts and customers, which can be useful to identify common beneficiaries and remitters amongst apparently unconnected parties.

Overall, transaction monitoring programs should be calibrated to the size, nature, and complexity of each institution. Larger LFIs with extensive correspondent banking relationships, as well as high transaction volumes and values, may implement Transaction Monitoring systems that also track the activities of their customers' customers. Transaction monitoring can include manual monitoring processes and the use of automated and intelligence-led monitoring systems, with automated solutions being the preferred option. LFIs with a larger scale of operations are expected to have automated systems capable of handling, in real time, the risks from an increased volume and variance of transactions. LFIs utilizing automated systems should apply rules with appropriate thresholds and parameters that are designed to detect common typologies for illicit behaviour. While smaller LFIs may rely on transaction monitoring systems that are less automated, they should still ensure that their systems and controls are appropriately executed to address the risks from their day-to-day transactional activity. With that understanding, smaller LFIs should look to employ automated systems wherever feasible.

6.6.2. Suspicious Transaction/Activity Reporting

As required by Article 15 of the AML-CFT Law and Article 17 of the AML-CFT Decision, LFIs must file an STR, SAR or other report types with the UAE FIU when they have reasonable grounds to suspect that a transaction, attempted transaction, or certain funds constitute, in whole or in part, or are intended to be used in a crime. LFIs should continuously monitor transactions to identify behaviour that is potentially suspicious and may require filing of an STR, SAR, or other report types. Transactions may be suspicious due to individual characteristics (e.g., value, source, destination) or because they form a pattern diverging from expected or historical transactional activity. This applies equally in relation to suspicious transactions involving a respondent institution’s activities. LFIs are encouraged to adopt a proactive monitoring strategy that anticipates potential suspicious activities, thereby strengthening their overall AML/CFT framework.

When a transaction monitoring system alerts the LFI to a transaction that could indicate potentially suspicious activity, the LFI should have processes to request information from a respondent institution to investigate the alerted activity. In order to understand the background of a transaction that has been processed through a correspondent account, the correspondent bank may send a request for information. This request for additional information should be targeted on the specific transaction which created an alert in the system, and could include, depending on the risk level of the transaction, a request to access information about the customer of the respondent institution as a means to get a proper understanding of the reasonableness of the transaction. Depending on the risk of the activity, the correspondent institution may request that the respondent institution provide information about their customer.
Accordingly, when an LFI is assessing whether to file an STR or SAR, an LFI may seek to request information on a respondent institution’s customers, such as:

• Purpose of the customer’s account with the respondent institution;
• Duration of customer relationship with the respondent institution and whether the respondent institution classifies the customer as a high-risk customer;
• Customer’s source of funds;
• Information regarding the customer’s legal and ownership structure (such as information on parent company and the customer’s UBOs);
• Nature of the relationship (including any other affiliations/connections) between the customer and counterparty;
• Purpose of the transaction (including goods and services exchanged) between the customer and counterparty;
• Alignment of the transaction with the customer’s historical transactional activity;
• Status of the bank account of customer (opened/closed); and
• Any other relevant information about the customer to support the LFI’s investigation.

Responses to requests for information by the respondent bank should be timely and provide responses to inquiries related to transactions in the account with the level of detail requested. If the respondent institution fails to provide sufficient documents and data in response to the LFI’s request for information, or the documents and data indicate the presence of illicit activity, an LFI may have grounds to file an STR or SAR. Furthermore, a request for information could be followed by a reassessment of the respondent’s business and risk profile where/when necessary.

STR filing is not simply a legal obligation; it is a critical element of the UAE’s effort to combat financial crime and protect the integrity of its financial system. By filing STRs with the UAE Financial Intelligence Unit (“FIU”), LFIs alert law enforcement authorities about suspicious behaviour and allow investigators to piece together transactions occurring across multiple LFIs.
LFIs should ensure that all relevant staff receive comprehensive training on identifying suspicious transaction patterns
and the appropriate actions to take when such patterns are detected. Please consult the CBUAE’s Guidance for LFIs on Suspicious Transaction Reporting for further information.8

An STR or SAR also may trigger concerns that the respondent institution is unable to manage its financial crime risks and could lead to a reassessment of the respondent’s relationship with the correspondent institution, depending on the severity of the activity. If a correspondent institution collects data and documents that do not necessitate an STR or SAR filing, the information obtained should nonetheless be recorded in the respondent institution’s customer profile for future reference.

6.7. Targeted Financial Sanctions Obligations

The AML-CFT Law and AML-CFT Decision require LFIs to promptly apply directives issued by the Competent Authorities of the UAE for implementing the decisions issued by the UNSC under Chapter VII of the Charter of the United Nations. In furtherance of this requirement, the Cabinet Decision 74 of 2020 sets out the legal and regulatory framework in the UAE regarding Targeted Financial Sanctions (“TFS”), including the UAE Local Terrorist List and the UNSC Consolidated List.

In addition, under Article 15 of the AML-CFT Decision, LFIs are required to have suitable risk management systems and take sufficient measures to identify whether a customer, or the beneficial owner of a customer, has been added to the UAE Local Terrorist List or UNSC Consolidated List. In practice, it will generally be appropriate to conduct screening prior to onboarding and ongoing screening on all customers. LFIs should take appropriate steps to screen customers and transactions.
Respondent institutions frequently use SWIFT messages to conduct cross-border remittances, and LFIs with a high volume of SWIFT messages should determine whether their screening efforts are adequate to detect involvement of a sanctions target, particularly in the case of screening backlogs, unusual spikes in screening activity, updates to the relevant sanction lists, and other operational events.
Correspondent banking due diligence and ongoing account monitoring should also consider how well the respondent institution is implementing sanctions screening, including information on the mechanisms for screening transactions with required originator and beneficiary information, risk-based policies and procedures for determining how to handle such transactions, systems for sanctions screening, and procedures and systems for clearing false-positive results.
Correspondent institutions should adopt strict sanctions programs and screen all the information available (e.g., payer’s information, payee’s information, and intermediary’s information) against the relevant sanctions lists to ensure there is no sanctioned person involved in the transaction. Screening should be timed so that assets can be frozen or suspended once such assets are in an LFI’s possession.
For more information and details on sanctions obligations, LFIs should consult the Executive Office for Control and Non-Proliferation (“EOCN”)’s Guidance on Targeted Financial Sanctions for FIs, DNFBPs, and VASPs 9 and the CBUAE’s Guidance for Licensed Financial Institutions on the Implementation of Targeted Financial Sanctions and Guidance for Licensed Financial Institutions on Transaction Monitoring Screening and Sanctions Screening.10
8 Available at: https://www.centralbank.ae/en/cbuae-amlcft.
9 Available at: https://www.uaeiec.gov.ae/API/Upload/DownloadFile?FileID=7f006d28-4a65-4829-aa35-b9dc3059e89a.
10 Available at: https://www.centralbank.ae/en/cbuae-amlcft
6.7.1. Confirmed Name Match Reports
LFIs must implement strict protocols for addressing confirmed matches, including immediate reporting to authorities and potential termination of the relationship, to ensure compliance with sanctions obligations.
If an LFI identifies a confirmed name match of an individual, entity, or group to the key identifiers published in the UAE Local Terrorist List or the UNSC Consolidated List, LFIs are required to take the following actions:
• Implement all necessary measures without delay as outlined in Article (21) of Cabinet Resolution No. (74) of 2020, to include freezing without delay, refraining from offering any funds or other assets and services, and reporting freezing measures to the EOCN and CBUAE; and
• If the confirmed name match is a potential customer, reject the transaction immediately and report the case.11
LFIs should promptly apply directives issued by competent authorities of the UAE if a confirmed match is identified. Per Section (5) of Article 21 of Cabinet Resolution No. (74) of 2020, LFIs are expected to freeze assets without delay (24 hours) and report any freezing measures, prohibition to provide funds or services, and any attempted transactions immediately via the goAML platform within five working days by selecting the Confirmed Name Match Report (“CNMR”) option. LFIs should also ensure that all necessary information and documents regarding the confirmed name match are submitted along with the CNMR. Pursuant to Section (1) of Article 22 of Cabinet Resolution No. (74) of 2020, supervisory authorities should receive all information within five working days.
11 See also EOCN, Guidance on Targeted Financial Sanctions for FIs, DNFBPs, and VASPs, section 4, available at: https://www.uaeiec.gov.ae/enus/un-page?p=7.
6.7.2. Partial Name Match Report
If an LFI identifies a partial name match of an individual, entity, or group to the key identifiers published in the UAE Local Terrorist List or the UNSC Consolidated List, LFIs should take the following actions:
• Cross-check the identifiers published on the relevant sanctions list with the LFI’s internal customer, beneficial ownership, and other data as well as external sources where appropriate to determine whether the partial name match is a confirmed match or can be waived as a false positive; and
• If the LFI is unable to determine whether the partial name match is a confirmed name match or a false positive, the LFI must suspend any transaction and report the case to the EOCN and the CBUAE and uphold the suspension measures until a response is received from the EOCN on the status of the partial name match.
LFIs are expected to submit a Partial Name Match Report (“PNMR”) through the goAML platform within five working days of implementing the suspension measures. LFIs should ensure that all necessary information and documents regarding the potential match are submitted with the PNMR.
6.8. Governance and Independent Audit
The specific preventive measures discussed above should take place within, and be supported by, a comprehensive institutional AML/CFT/CPF program that is appropriate to the risks an LFI and respondent institution face, and organized in accordance with the “three lines of defence” model. All three lines of defence must report up to, and have the active support and oversight of, the LFI’s senior management, defined broadly to include executives, senior leadership, and the Board of Directors.
Specific to managing the unique risks posed by correspondent banking relationships, LFIs should consider creating a formal governance body with oversight of correspondent banking relationships. The governance body can be charged with reviewing and approving certain high-risk correspondent banking relationships and act as a point of escalation for potentially suspicious activity involving correspondent accounts and circumstances warranting termination of a correspondent banking relationship.
LFIs should organize their AML/CFT/CPF programs according to the “three lines of defence” model: frontline personnel as the first line of defence; the AML/CFT compliance function as the second line; and internal or external auditors as the third line. The governance body should include representation from all three lines to ensure effective oversight and risk management.
Under the three lines of defence model, the business units, sales or relationship managers, and other frontline personnel of an LFI operating correspondent banking services serve as the first line of defence against ML/TF/PF and other forms of illicit activity. They should scrutinize respondent institutions at onboarding and perform periodic and risk-based account activity reviews to update respondent institution information and the LFI’s understanding of the respondent’s risks.
The LFI’s AML/CFT compliance function, in turn, constitutes the second line of defence, supporting the frontline units’ risk management activities through its system of internal controls and related monitoring, reporting, and risk assessment responsibilities.
The core of an effective risk-based program is an appropriately experienced MLRO, located within the second line of defence, who understands the LFI’s risks and obligations and who has the resources and autonomy necessary to ensure that the LFI’s program is effective. The governance body with oversight of correspondent banking, as described above, should include representation from the first and second lines of defence.
Finally, under Article 20.6 of the AML-CFT Decision, LFIs must be subject to independent testing by internal or external auditors, who represent the third line of defence by providing independent assurance to the Board of Directors and senior management on the effectiveness and adequacy of the LFI’s governance, risk management, and internal controls. LFIs should conduct independent audits of their AML/CFT/CPF programs regularly, following a risk-based approach, to assess compliance with regulatory requirements and the effectiveness of the controls of the LFI’s AML/CFT/CPF program, with a scope including correspondent banking relationships and associated risks. Auditors should have sufficient expertise and understanding of ML/TF/PF risks and requirements and should be fully independent of the activities and reporting structure of the functions subject to independent testing.
Additionally, as per Article 32 of the AML-CFT Decision, LFIs with overseas branches, subsidiaries, or other affiliates or legal entities must ensure that all entities within the affiliate network are subject to AML/CFT/CPF policies, procedures, and controls that are at least as stringent as those in place at the LFI located in the UAE. Likewise, all institutions within the affiliate network should be included in the LFI’s enterprise risk assessment and subject to AML/CFT independent testing and consolidated governance and oversight.
6.9. Training
As with all risks to which an LFI is exposed, an LFI’s AML/CFT/CPF training program should ensure that employees are aware of the risks of correspondent banking relationships and equipped to apply appropriate risk-based controls to manage these risks. Training should be tailored and customized to an LFI’s risk and the nature of its operations and should be clearly documented in its AML/CFT/CPF program, including associated policies, procedures, training plans, and training materials. LFIs should provide training to employees at onboarding, and on an ongoing basis, covering updates in AML/CFT/CPF emerging and evolving risks, including correspondent banking risks.
Specifically, the LFI’s AML/CFT/CPF training programs should train employees on how correspondent banking transactions may be used for ML/TF and should also refer employees to the systems, processes, and controls, documented in the LFI’s policies and procedures, for managing this risk. This training should be targeted to cover those employees directly involved in correspondent banking transactions and dealing with correspondent banking relationships, such as front-line managers and other personnel associated with an LFI’s correspondent banking unit.
Tailored training should, among other topics, cover:
• Applicable AML/CFT/CPF laws and recent trends in ML/TF/PF, including the ways in which such laws demonstrate changes to correspondent banking guidance, best practices, and risk mitigation strategies;
• The LFI’s own policies, procedures, and processes to combat ML/TF/PF, including how to identify and report suspicious correspondent account activity; and
• ML/TF typologies of abuse of correspondent banking relationships, including transaction monitoring scenarios.
Ensuring that AML/CFT/CPF compliance personnel are aware of and trained on global FCC standards and best practices is critical to proactively ensuring an LFI is meeting current correspondent institution and international AML/CFT/CPF expectations in the context of its correspondent banking relationships.
Respondent institutions should proactively engage their correspondent institution if they need assistance in interpreting global FCC standards or require targeted training.
6.10. Record-keeping
According to Article 16 of the AML-CFT Law and Article 24 of the AML-CFT Decision, LFIs operating correspondent banking services must maintain detailed records associated with their ML/TF/PF risk assessment and mitigation measures as well as records, documents, data and statistics for all financial transactions, all records obtained through CDD/KYC measures for both the originators and the beneficiaries, account files and business correspondence, copies of personal identification documents, including STRs/SARs and results of any analysis performed. LFIs should maintain the records in an organized manner so as to permit data analysis and the tracking of financial transactions. Records should be sufficient to permit reconstruction of individual transactions so as to provide, if necessary, evidence for prosecution of criminal activity.
LFIs must maintain all records, documents, and data for all transactions, whether local or international, and should make the records available to the competent authorities immediately upon request. The statutory retention period for all records is at least five years, from the date of completion of the transaction or termination of the business relationship with the customer, or from the date of completion of the inspection by the CBUAE, or from the date of issuance of a final judgment of the competent judicial authorities, or liquidation, dissolution, or other form of termination of a legal person or arrangement, all depending on the circumstances.
When an LFI enters into a correspondent banking relationship, for example, it should keep all the due diligence records associated with the respondent institution for at least five years, such as:
• A copy of the respondent institution’s license or banking charter;
• A copy of the correspondent banking contractual agreement outlining the respective responsibilities of the correspondent institution and the respondent institution;
• Due diligence conducted on the respondent institution, including the respondent institution’s AML/CFT/CPF controls and compliance with AML/CFT/CPF regulations in jurisdictions where the respondent institution operates;
• A Wolfsberg Group CBDDQ completed by the respondent institution;
• A written statement from the respondent institution that it does not have a correspondent banking relationship with a shell bank;
• Records of site visits and call reports documenting the interviews conducted of the respondent institution, as applicable; and
• A copy of records of the ML/TF/PF risk assessment of the correspondent banking relationship and any mitigation measures. This should include CDD/KYC records, account files, business correspondence, copies of personal identification documents, STRs/SARs, and results of any analysis performed.
LFIs should also ensure that all records are stored securely with access controls in place to protect sensitive information, in compliance with data protection regulations.
Annex 1. Global Standards on Correspondent Banking
Given the different risk factors posed by correspondent banking relationships, both global standards-setters and industry groups have issued standards, principles, and guidance governing how correspondent institutions should seek to manage the ML/TF/PF risks associated with their correspondent banking relationships. Particularly, as foreign respondent institutions may not be subject to equivalent laws, regulations, and supervision as domestic LFIs, the FATF and Wolfsberg Group recommend specific measures for correspondent institutions to gain appropriate assurance that respondent institutions are adequately managing the ML/TF/PF risks associated with their customers, about whom the correspondent institution may have limited information.
FATF Standards
As part of the FATF Standards, FATF outlines the due diligence that correspondent institutions should apply to understand the risks of a respondent institution and the respondent institution’s customers. Correspondent institutions should apply due diligence to understand the risks of respondent institutions and their customers by gathering sufficient information about the respondent institution to understand fully the nature of the respondent’s business and to determine the institution’s reputation and the quality of its supervision.
Specifically, FATF Recommendation 13 sets forth EDD requirements for financial institutions providing financial services to foreign respondent institutions, as these relationships are seen to be inherently higher risk for ML/TF than domestic correspondent relationships.
In addition, the FATF requires EDD for financial institutions providing financial services to “similar relationships” as cross-border correspondent banking relationships, which includes providing services to MVTS providers when they act as intermediaries for other providers, or where they are accessing banking or similar services through the account of another MVTS customer of the bank. These requirements supplement the basic CDD requirements that LFIs must meet for all customers under Recommendation 10.
FATF Recommendation 13 requires financial institutions to:
• Gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine the institution’s reputation and the quality of its supervision, including whether it has been subject to a ML, TF or PF investigation or regulatory action;
• Assess the respondent institution’s AML/CFT/CPF controls;
• Obtain approval from senior management before establishing new correspondent relationships;
• Delineate clearly the responsibilities of each institution; and
• Ensure that the respondent institution has conducted CDD on “payable-through accounts” customers with direct access to accounts of the correspondent institution, and that the correspondent institution can provide relevant CDD information upon request.
According to FATF Standards, LFIs also should avoid entering into, or continuing, a correspondent banking relationship with shell banks, defined as banks that have no physical presence in the country in which they are incorporated and licensed. In addition, LFIs should verify that respondent institutions do not permit their accounts to be used by shell banks.
The Wolfsberg Group
The Wolfsberg Group is an industry group of 12 global banks that aims to develop industry standards for the management of financial crime risks, particularly with respect to AML/CFT policies. The Wolfsberg Group has published a number of documents, including principles, guidance, frequently asked questions (“FAQs”), and statements. Of these documents, the 2022 Wolfsberg Financial Crime Principles for Correspondent Banking,12 known as the Wolfsberg Principles, represents global guidance for financial institutions engaging in foreign correspondent banking relationships.
Wolfsberg Principles and Correspondent Banking Due Diligence Questionnaire
To assist with the due diligence process for cross-border and other higher risk correspondent banking relationships, the Wolfsberg Group issued a Correspondent Banking Due Diligence Questionnaire (“CBDDQ”), most recently revised in February 2023.13 The CBDDQ is designed to help correspondent institutions collect information that can inform a risk assessment of their respondent institution’s business and financial crimes risk management program, with sections addressing the following information about a respondent institution:
• A respondent institution’s basic information, ownership structure, and regulatory background;
• Products and services offered by the respondent institution;
• Information aimed at helping a correspondent institution assess the adequacy of the respondent institution’s AML/CFT/CPF, sanctions, fraud and anti-bribery and corruption (“ABC”) programs; and
• Information on a respondent institution’s policies, procedures, and controls covering CDD/KYC, EDD, risk assessment, payment transparency, monitoring and reporting, independent testing, quality assurance/compliance testing, and training.
12 Wolfsberg Group, “Wolfsberg Financial Crime Principles for Correspondent Banking,” 2022, https://db.wolfsberg-group.org/assets/d39a5072-7fb6-4e31-9a87-9e54021ce71f/Wolfsberg%20Correspondent%20Banking%20Principles%202022.pdf
13 Wolfsberg Group, “Wolfsberg Group Correspondent Banking Due Diligence Questionnaire (CBDDQ) V1.4,” 2023, https://db.wolfsberg-group.org/assets/27bae403-246e-419c-8c37-af52e66b53ad/CBDDQ%20v1.4.pdf
The use of this questionnaire or similar risk assessment tools has become an industry best practice for foreign financial institutions with global networks that receive correspondent banking services. Correspondent institutions should utilize tools like the Wolfsberg Group’s Correspondent Banking Due Diligence Questionnaire (CBDDQ) to assess the adequacy of the respondent institution’s AML/CFT/CPF controls, sanctions, fraud, and anti-bribery and corruption programs. The CBDDQ should be integrated into their AML/CFT/CPF program to guide their approach to managing the risk of correspondent banking relationships.
Best Practices: Correspondent Banking Due Diligence Questionnaire
• Respondent institutions should integrate Wolfsberg Group’s 2023 CBDDQ into their AML/CFT/CPF program, guiding their approach to managing the risk of correspondent banking relationships.
• Respondent institutions should refer to the CBDDQ as the “industry standard” for CDD/KYC requirements and expectations, which can help respondent institutions if located in jurisdictions with less stringent AML/CFT/CPF regulatory regimes.
• Respondent institutions may seek to communicate about their alignment with the CBDDQ requirements, whether as part of a site visit or other correspondence with the correspondent institution, in order to provide assurance to the correspondent institution about the rigor of the respondent institution’s AML/CFT/CPF controls applied on its customers.
• Respondent institutions should regularly update the CBDDQ and proactively communicate changes about their AML/CFT/CPF controls to the correspondent institution.
Annex 2. Correspondent Banking Red Flags
Correspondent institutions should identify and address red flags by continuously monitoring transactions for red flags and unusual patterns. The following is a list of red flags14 associated with correspondent banking relationships. These red flags, when combined with the risk factors identified in this Guidance, present instances that, when identified, warrant additional scrutiny.
14 The Clearing House, “Guiding Principles for Anti-Money Laundering Policies and Procedures in Correspondent Banking,” February 2016, https://media.theclearinghouse.org/-/media/Action-Line/Documents/Volume-VII/20160216-TCH-AML-Correspondent-Banking-GuidingPrinciples.pdf?rev=dc5d809b732b4afd8d29c049a13a277b&hash=62D3B42791D3F39276D1E5B8FC814A94
• The activity of the correspondent account is inconsistent with the foreign correspondent banking customer’s business;
• Transactional activity that appears unusual in the context of the relationship with the correspondent account;
• Many funds transfers are seen in large, round-dollar amounts, where the correspondent account has not previously been used for similar transfers;
• An unusually large number of funds transfers or fluctuations in the volume of funds transfers (e.g., sudden bursts of activity followed by lulls);
• Funds transfer activity to or from a correspondent account that is unexplained, repetitive, or shows unusual patterns;
• The engagement in an unusual volume of the foreign correspondent banking customer’s own bank check or dollar draft activity;
• A sudden increase in transaction volume, especially if it involves high-risk jurisdictions;
• Unusually high numbers of returned or rejected items involving a correspondent account;
• Large currency or bearer instrument transactions either into or out of the correspondent account;
• The deposit or withdrawal from a correspondent account of multiple monetary instruments (e.g., traveler’s checks, money orders and bank drafts) just below the reporting threshold on or around the same day, particularly if the instruments are sequentially numbered;
• The issuance of large volumes of cashier’s checks or bank drafts against the correspondent account, particularly when the face amounts are less than local reporting requirements;
• High-value deposits or withdrawals, particularly irregular deposits or withdrawals, not commensurate with the type of correspondent account or business of the foreign correspondent banking customer;
• The provision of insufficient or suspicious information during the onboarding process;
• The reluctance to provide complete information about the nature and purpose of its account, anticipated account activity, prior correspondent banking relationships, the names of its officers and directors, or information on its business location;
• Transactions occurring in bursts of activity within a short period of time;
• A request to establish a relationship with, or route a transaction through, a financial institution that is not accustomed to doing business with foreign financial institutions and that has not sought out business of that type;
• The routing of transactions through several jurisdictions or financial institutions prior to, or following entry into, the financial institution without any apparent purpose other than to disguise the nature, source, ownership or control of the funds;
• Frequent or numerous funds transfers originating from or for the benefit of shell banks or high-risk foreign correspondent banking customers;
• Fund transfer activity occurring to or from a correspondent account originating from or going to a financial secrecy haven or a higher-risk geographic location (such as a FATF non-cooperative jurisdiction) without an apparent business purpose, or when the activity is inconsistent with the foreign correspondent banking customer’s business or history;
• Beneficiaries of foreign correspondent banking customers maintaining accounts at foreign financial institutions that have been the subject of previous SAR/STR filings due to suspicious wire activity;
• The reappearance of a beneficiary’s financial institutions based in offshore locations, the account of at least one of which has been closed by the foreign correspondent banking customer due to overall suspicious activity;
• Large currency or bearer instrument transactions either into or out of the correspondent account; the deposit or withdrawal from a correspondent account of multiple monetary instruments (e.g., traveler’s checks, money orders and bank drafts) just below the reporting threshold on or around the same day, particularly if the instruments are sequentially numbered;
• The issuance of large volumes of cashier’s checks or bank drafts against the correspondent account, particularly when the face amounts are less than local reporting requirements;
• High-value deposits or withdrawals, particularly irregular deposits or withdrawals, not commensurate with the type of correspondent account or business of the foreign correspondent banking customer;
• Funds transfers to or from the correspondent account originating from or going to accounts of individuals or entities identified by law enforcement agencies as being suspected of engaging in money laundering or terrorist activities;
• The presence of a sanctioned entity as beneficiary; and
• An inquiry by or on behalf of a foreign correspondent banking customer regarding exceptions to the reporting requirements of the UAE or other rules requiring the reporting of suspicious transactions.
Annex 3: Transition from SWIFT to the ISO 20022 Payment Standard
As the financial industry continues to grow in complexity and geographical coverage, financial institutions are relying on an ever-growing number of different settlement systems, data exchange formats and standards.
For example, financial institutions rely on SWIFT to settle cross-border payments (with SWIFT being a proprietary messaging system), but also use domestic settlement systems such as SEPA (Europe), CHIPS and the Fedwire (US), CHAPS (UK), and others. Separately, for settling securities-related transactions, financial institutions rely on yet another set of systems such as DTCC (US) and Cboe Clear (Europe). In the UAE, the Central Bank of the UAE owns, operates and manages the following payment systems, categorized into Large-Value Payment Systems such as the UAE Funds Transfer System and Retail Payment Systems such as the Image Cheque Clearing System, the UAE Wages Protection System, the UAE Switching System, the UAE Direct Debit System, and the UAE Payment Gateway System.
Therefore, a financial institution often needs to deploy multiple systems and tools that are able to generate, process, and store messages in the various formats used by different settlement providers. Lack of a uniform, global standard causes delays in payments, securities settlements, and other financial services; interrupts straight-through processing (“STP”) and requires manual intervention; necessitates the deployment of multiple internal systems; and may also lead to lack of transparency or failure of certain automated compliance controls.
To address these issues, the International Organization for Standardization (“ISO”) developed ISO 20022, a new financial standard that is envisioned to become a global standard on payments. SWIFT is a major participant and contributor in developing this new standard, promoting its adoption worldwide.
ISO 20022 is based on the core principle that all financial industry market participants, from financial institutions to end-users, should be able to rely on a single global standard that is based on methodology and glossary available to all in open source. The ISO 20022 standard has also been designed with the aim of being able to cover all types of business processes of the industry, ranging from accounting and payments to securities settlements and asset allocation. Instead of designing a new message type for a particular subset of financial transactions, the ISO 20022 standard aims to create a library of all business processes that exist in the financial industry (with an opportunity to document new processes in future, if needed) and then write automated messages based on certain “blocks” that are elements of each documented business process. All these processes and building blocks are available in the open-source Data Dictionary published by ISO. To further promote uniformity, ISO 20022 uses XML (eXtensible Markup Language), which is a widespread international language model to represent structured information.
While for certain financial processes the adoption of ISO 20022 is voluntary, in 2018, the SWIFT community decided to adopt ISO 20022 for all cross-border payments. The adoption period started in March 2023 and is scheduled to be completed by November 2025. During this period ISO 20022 and SWIFT MT messages co-exist. However, starting in November 2025, SWIFT will retire SWIFT MT 1xx, 2xx, and 9xx message series (other MT messages are not currently impacted). The adoption of the global ISO 20022 cross-border payment standard will lead to further improved STP rates, offer higher quality data exchange, and further transparency.
The transition from SWIFT to ISO 20022 will require correspondent institutions to adapt their systems for processing cross-border payments. This transition should be managed proactively to ensure that all necessary infrastructure is in place, including training staff on the new standard and testing systems for compliance with ISO 20022 requirements. Financial institutions should prepare for the transition to ISO 20022 by assessing their current systems for compatibility, investing in necessary upgrades, and providing comprehensive training for staff to ensure a smooth transition. During the transition from SWIFT to ISO 20022, LFIs should also ensure that internal systems are updated to handle both message formats concurrently to avoid disruptions in payment processing.
Annex 4: SWIFT and Non-Customer RMA Relationships
As discussed above, the SWIFT network is a messaging infrastructure, and not a settlement system. In the context of correspondent banking, financial institutions use the SWIFT RMA messaging capability to exchange secure messages with non-customer financial institutions or other third parties for the purpose of facilitating non-transactional and transactional messages. This type of engagement between financial institutions supports the exchange of information necessary for international finance and global banking, whether or not the message exchanged contains payment instructions. As a result, LFIs should also understand the requirements and their obligations surrounding SWIFT RMA relationships.
Within the category of non-customer RMA relationships, “reporting-only” relationships are those non-customer RMA relationships in which exchanged messages do not lead to the initiation of any transactions; “transactional” relationships, on the other hand, are all other non-customer RMA relationships that do lead to the initiation of transactions.
Examples of non-customer RMA relationships may include:
• The receipt of balance and transaction information on a corporate customer’s account at another financial institution, so that the corporate customer can view activity through its financial institution’s reporting tool.
• The relaying of payment instructions from a corporate customer to their third-party financial institution.
• The provision of information from a sub-custodian financial institution to the global custodian at the request of the customer.
• The exchange of messages with financial institutions that do not otherwise have direct payment relationships, such as in the context of trade finance.

As advised by the Wolfsberg Group,15 for transactional non-customer RMA relationships, financial institutions should perform the following minimum due diligence prior to the exchange of SWIFT keys and on a periodic basis thereafter:
• Collect the name and address of the non-customer financial institution or other third party;
• Conduct name screening against relevant watchlists, such as internal, PEP, and sanctions lists in accordance with applicable internal policies and procedures;
• Assess the risks associated with the RMA relationship on the basis of the above information and applicable “red flags” to determine whether further review is required based on the financial institution’s risk appetite.16

Separately, a more granular version of RMA, known as RMA Plus, allows institutions to specify which message type(s) they want to send to and receive from each of their counterparties. The use of RMA Plus to restrict the range of message types that can be exchanged may enable financial institution personnel to review a correspondingly restricted list of red flags for the purpose of assessing the risk associated with the RMA relationship.
For non-customer RMA relationships that are reporting-only, there are no minimum due diligence requirements; however, sanctions obligations should always be considered as they relate to the information that is available to the financial institution. The Wolfsberg Group also indicates that financial institutions should periodically review non-customer RMA relationships to identify those that should be canceled due to lack of usage. Finally, financial institutions should establish clear communication protocols and maintain comprehensive documentation for all non-customer RMA relationships to ensure compliance and facilitate risk management.

15 Wolfsberg Group, “Guidance on SWIFT RMA Due Diligence,” 2024, https://db.wolfsberg-group.org/assets/ed52141f-81ce-4cdf-9815-ceff95cb941c/Swift%20RMA%20Guidance.pdf
16 Applicable “red flags” may be similar to the correspondent banking red flags listed in Annex 2. Correspondent Banking Red Flags. These may include, but are not limited to: unexplained or unusual transactions such as frequent transfers of large sums of money to and from high-risk jurisdictions, without clear or legitimate business reasons; layering or routing funds to third parties without any clear commercial justification; involvement of high-risk or sanctioned jurisdictions; reluctance to provide information or documentation, etc.
Annex 5: Synopsis of the Guidance

Introduction

Purpose and Scope of the Guidance
The purpose of the Guidance on Correspondent Banking and Expectations for Managing Correspondent Banking Relationships is to assist licensed financial institutions (LFIs) in the understanding and effective performance of their statutory obligations under the legal and regulatory framework in force in the UAE related to correspondent banking, focusing notably on the operationalization of the statutory obligations.

Applicability
This Guidance applies to all natural and legal persons, which are Financial Institutions or Licensees, or any other defined term which brings entities within the scope of licensed and/or supervised entities by the CBUAE, in the following categories: national banks, branches of foreign banks, exchange houses, finance companies, payment service providers, registered hawala providers; and other covered financial institutions not specified above, or any other entities that are licensed or registered by the CBUAE and are engaged in financial activities that fall under AML/CFT/CPF regulations.

Legal Basis
• Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering (“AML”) and Combatting the Financing of Terrorism (“CFT”) and its amendments;
• Cabinet Decision No. (10) of 2019, as amended by Cabinet Decision No. (24) of 2022, Concerning the Implementing Regulation for Decree-Law No. (20) of 2018 on AML and CFT and Financing of Illegal Organizations and its amendments;
• Cabinet Decision No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of United Nations Security Council (“UNSC”) Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolution and its amendments;
• CBUAE/BSD Notice No. 1943.2022 Regarding AML/CFT Minimum Standards and Supervisory Expectations.

Acronyms and Definitions
• Several frequently used terms and phrases are defined, and a list of acronyms used in the Guidance is provided.

Correspondent Banking Risk Factors

Respondent Institution’s Third-Party Transaction Risk
• This section discusses third-party transaction risks and provides further details on nested relationships and payable-through accounts.
• The section also includes best practices to manage third-party risks.

Respondent Institution’s Geographic Risk
• This section notes the impact of a respondent institution’s exposure to jurisdictions with elevated ML/TF/PF risk.
• It provides criteria to assess respondent institutions’ jurisdictional risks.

Respondent Institution’s Ownership and Management Structures
• This section discusses the features of a respondent institution’s ownership and management structure that may present increased ML/TF/PF risks.
• The section details further criteria related to the respondent institution’s legal form, location and reputation of shareholders and beneficial owners, and the presence of Politically Exposed Persons in the senior management or ownership structure.

Respondent Institution’s Products and Services
• This section discusses the respondent institution’s products and services that may present increased ML/TF/PF risks, because of the potential for intermediation, anonymity, cross-border fund flows, settlement times and terms.
• The section also includes information to collect on the purpose of the respondent institution’s account and relationship with the correspondent institution.

Respondent Institution’s Customer Base
• This section discusses how a respondent institution’s customer base impacts its level of ML/TF/PF risk and provides examples of high-risk customers.
• This section also includes examples of types of customers to avoid such as shell banks, unlicensed or unregulated banks or non-bank financial institutions.

Risk Mitigation

Enterprise-Wide ML/TF/PF Risk Assessment and Correspondent Banking Risk Assessment
• This section discusses how LFIs are required to identify, assess and understand their ML/TF/PF risk exposure to appropriately manage it.
• The section also underscores the need for correspondent banks to assess the risk factors of their respondents through a review of their customers, geographies, products and services, and delivery channels risks.

Standard Customer Due Diligence (CDD), Specific Due Diligence for Correspondent Banking Relationships
• This section covers the standard due diligence and CDD measures LFIs should apply before or during the establishment of the business relationship or account, or before executing a transaction for a customer with whom there is no business relationship, including identification and verification requirements.
• The section also discusses specific due diligence required for correspondent banking relationships and other similar relationships, including information to understand fully the nature of a respondent institution’s business, regulatory status and reputation, and an assessment of the respondent institution’s AML/CFT controls.
• The section also discusses the requirements correspondent banks should have in place when offering correspondent banking services, such as senior management approval and correspondent banking agreement.

Enhanced Due Diligence for High-Risk Correspondent Banking Relationships
• This section details the enhanced due diligence measures applicable to correspondent banking relationships subject to a higher level of scrutiny.
• The section provides a list of risk factors for correspondent banking relationships, as well as detailed guidance on potential enhanced due diligence measures.

Ongoing Monitoring of Correspondent Banking Relationships
• The section provides information on how to conduct ongoing due diligence of a correspondent banking relationship to ensure the information is up-to-date and the risks of the relationship align with the risks established at onboarding.
• The section offers details on the frequency of the review, the account activity review, and best practices related to ongoing communication with the respondent institution.

Suspicious Activity and Reporting in Correspondent Banking
• This section discusses how LFIs should continuously monitor all transactions and customers’ activities, including those of respondent institutions, to identify suspicious behaviors that may necessitate the filing of a Suspicious Transaction Report (STR), Suspicious Activity Report (SAR), or other report types.
• The section details the requirements related to transaction monitoring, and suspicious transaction and activity reporting.

Targeted Financial Sanctions Obligations
• This section covers the requirements related to the implementation of Targeted Financial Sanctions obligations by LFIs.
• The section includes information about the appropriate steps to screen customers and transactions both for correspondent and respondent institutions.

Governance and Independent Audit
• This section details the governance structure and three lines of defence model to manage the risks posed by correspondent banking relationships.
• This section also provides information about the requirements of independent testing and audit to provide assurance to the Board of Directors and senior management of the effectiveness and adequacy of the LFI’s governance, risk management, and internal controls.

Training, Recordkeeping
• The training section provides guidance to LFIs on the importance of covering correspondent banking risks as part of the AML/CFT/CPF training program, to ensure that employees are aware of the risks of correspondent banking relationships and equipped to apply appropriate risk-based controls to manage these risks.
• The recordkeeping section details the need for LFIs operating correspondent banking services to maintain detailed records associated with the correspondent banking relationships, including the ML/TF/PF risk assessment of the relationship and related mitigation measures.

Annexes

Annex 1
• This Annex covers the Global Standards on Correspondent Banking.

Annex 2
• This Annex covers the Correspondent Banking Red Flags.

Annex 3
• This Annex covers the Transition from SWIFT to the ISO 20022 Payment Standard.

Annex 4
• This Annex covers SWIFT and Non-Customer RMA Relationships.