LogoRegulatory Alerts
2021-01-01

Instructions No. 23 of 2021 on Updating Customer Data Based on the Risk-Based Approach

The Palestine Monetary Authority issued Instructions No. 23 of 2021 to mandate that all licensed banks update customer data using a Risk-Based Approach (RBA) aligned with anti-money laundering and counter-terrorist financing standards. The directive requires immediate data updates upon suspicious activity or fundamental changes, establishes mandatory review cycles of one, three, or five years for high, medium, and low-risk clients respectively, and restricts electronic updates to low-risk customers only. Banks must implement robust internal policies, maintain automated monitoring systems, submit monthly statistical reports to the Authority, and complete all mandatory updates by the end of Q1 2022, with non-compliance subject to penalties under existing banking and AML/CFT legislation.

Palestine Monetary Authority logo

Palestine

Palestine Monetary Authority

Click to view thumbnail

Palestine Monetary Authority

PALESTINE MONETARY AUTHORITY

Instructions No. (23) of 2021

Regarding the Updating of Customer Data Based on the Risk-Based Approach

Based on the provisions of Legislative Decree No. (9) of 2010 concerning Banks, particularly Articles (43) and (72) thereof,
and based on the provisions of Legislative Decree No. (20) of 2015 concerning the Combating of Money Laundering and Terrorist Financing and its amendments,
and in accordance with the authorities vested in us,
and in pursuit of the public interest,
we have issued the following Instructions:

Article (1)

Objective and Scope of Application

  1. These Instructions aim to regulate the process of updating bank customers' data in accordance with the Risk-Based Approach (RBA).
  2. The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business.

Article (2)

Updating of Data

The bank must update the customer's data and information in accordance with standard due diligence procedures or enhanced due diligence procedures to identify and understand their risks, provided that it includes the following:

  1. The customer's basic data and information.
  2. Data regarding the nature of the activity, monthly income and its sources, the beneficial owner, and persons authorized to manage the account, the purpose of the business relationship established with the bank, and any other information necessary to complete standard or enhanced due diligence procedures.
  3. Any information or data necessary to contribute to reclassifying the customer's risk level.

Article (3)

Bank Obligations

The bank must comply with the following:

  1. Update customer data immediately in the following cases:

    a. Existence of doubts regarding the accuracy or sufficiency of previously obtained data on customer identification.
    b. Occurrence of any fundamental changes to account management or the customer's data and information held by the bank.
    c. Detection of any unusual activities or transactions on the customer's accounts.
    d. Existence of indicators and red flags (Red Flags) suggesting suspicion of money laundering or terrorist financing crimes.
    e. Increase in the customer's risk level according to the bank's risk classification mechanism.

  2. Update customer data based on money laundering and terrorist financing risks according to the following timeframes:

    a. For high-risk customers at least once every year.
    b. For medium-risk customers at least once every three years.
    c. For low-risk customers at least once every five years.

  3. Adopt mechanisms, an action plan, and a timeline for updating each non-updated customer's data, providing a copy thereof to the Palestine Monetary Authority.

  4. Prepare policies and operational procedures for dealing with customers who fail to update their data, provided that these policies and procedures are approved by the bank's senior management.

Article (4)

Conditions for Updating Data According to the Risk-Based Approach

  1. The bank must update customer data according to the Risk-Based Approach, subject to the following:

    a. Preparing and adopting comprehensive policies, procedures, and work templates that serve the risk-based customer data updating process.
    b. Preparing and updating the self-assessment of money laundering and terrorist financing risks according to the main approved risk assessment axes (customers, products and services, distribution channels, geographic dimension), in alignment with the results of the National Risk Assessment (NRA) and its updates.
    c. Adopting and applying the Risk-Based Approach in the customer and beneficial owner identification process, ongoing transaction monitoring, and due diligence according to the assessment of customer risk levels.
    d. Providing electronic systems and programs capable of classifying customer risks and continuously monitoring transactions and financial movements, and issuing alerts, indicators, and red flags for unusual transactions, operations, and suspicious activities.
    e. Automatically and periodically querying customer names and data against effective blocking and freezing lists when initiating a business relationship and when processing outgoing financial transactions on their behalf.
    f. Relying on reliable sources to verify the accuracy and integrity of customer identity and data obtained during updates, and obtaining supporting documents for the updating process.
    g. Obtaining prior approval from the Palestine Monetary Authority when updating data using electronic means.
    h. Providing standards, procedures, and controls that ensure information security integrity when updating customer data via electronic means and applications.

  2. The bank may use electronic means to update the data of low-risk customers, and is prohibited from using electronic means to update the data of medium or high-risk customers.

Article (5)

Statistical Reports

The bank must provide the Combating Money Laundering and Terrorist Financing Department at the Palestine Monetary Authority with statistical reports related to data updating, on a monthly basis via the approved email AML-CFT@PMA.PS according to the attached template.

Article (6)

General Provisions

  1. A bank that does not meet the conditions and requirements for data updating according to the provisions of Article (4) of these Instructions must continue to update customer data in accordance with the provisions of Article (5), paragraph (8) of Instructions No. (2) of 2016 of the National Committee for Combating Money Laundering and Terrorist Financing regarding combating money laundering and terrorist financing in banks.
  2. The bank must complete the updating of mandatory customer data according to the provisions of paragraph (1) of this Article no later than the end of the first quarter of 2022.

Article (7)

Repeal of Conflicting Provisions

All provisions conflicting with these Instructions are hereby repealed.

Article (8)

Penalties

Anyone who violates the provisions of these Instructions shall be punished in accordance with the provisions of Legislative Decree No. (9) of 2010 concerning Banks and/or Legislative Decree No. (20) of 2015 concerning the Combating of Money Laundering and Terrorist Financing and its amendments.

Article (9)

Implementation and Enforcement

All competent authorities shall, each within their respective jurisdiction, implement the provisions of these Instructions, which shall apply from the date of their issuance.

Issued in Ramallah on 24/11/2021

Dr. Firas Malham
Governor

www.pma.ps

Ramallah and Al-Bireh Governorate - Palestine P.O.B. 452
info@pma.ps | Fax: +970 2 2415310 | Tel: +970 2 2415251
Gaza - Palestine P.O.B. 4026
Fax: +970 8 2844487 | Tel: +970 8 2825713

Share