some.im
开始使用

prompt-pack-aml-kyc-policy

Category: General Risk: Medium risk ★ 3.9 · Rating 3.9/5 (8) sboghossian/mini-claude-for-legal MIT

Rating is derived from the repo's GitHub stars and shown for reference.

network_accessfilesystem_access
Download zip View source

name: prompt-pack-aml-kyc-policy
description: Use when drafting an AML/KYC policy for a fintech company or financial institution, covering customer identification, risk assessment, ongoing monitoring, suspicious activity reporting, record-keeping, and regulatory filing obligations. Applies to MENA jurisdictions (UAE, KSA, EG, DIFC, ADGM) and globally, with particular attention to FATF 40 Recommendations and jurisdiction-specific AML regimes.
license: MIT
metadata:
id: prompt-pack.aml-kyc-policy
category: prompt-pack
practice_area: fintech-payments
priority: P2
intent: [drafting, aml-kyc-policy]
related: [prompt-pack-anti-money-laundering-policy, prompt-pack-bnpl-platform-agreement, heuristic-always-state-jurisdiction-first, kb-aml-mena, prompt-pack-ai-governance-policy]
source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
version: "1.0"

AML/KYC Policy

When to use this

Use this skill when a fintech company or financial institution needs a formal AML/KYC policy to:

  • Comply with licensing requirements from a financial regulator
  • Satisfy correspondent banking due diligence
  • Establish internal controls for money laundering and terrorist financing prevention
  • Document compliance with FATF standards

This skill is particularly relevant for:

  • Fintech startups preparing for CBUAE, SAMA, DFSA, FSRA, or ADGM FSRA licensing
  • E-money institutions, payment service providers, crypto asset service providers, and lending platforms
  • Established financial institutions updating their AML framework after a regulatory examination

Prompt template

Draft an AML/KYC policy for [FinTech Company] operating in [jurisdiction]. Cover customer identification, risk assessment, ongoing monitoring, suspicious activity reporting, record keeping, training requirements, and regulatory filing obligations.

Use [[conversation-clarifying-questions]] to elicit [bracketed] inputs before drafting.

Required inputs

Input Why it matters
Company name and business model Determines risk appetite and applicable thresholds (e-money vs. crypto vs. lending vs. payments have different risk profiles)
Jurisdiction(s) of operation and licensing Determines the specific AML regulatory framework (CBUAE vs. DFSA vs. SAMA etc.)
Customer types Consumer vs. business customers have different CDD requirements
Transaction volumes and typical transaction size Risk-rating thresholds depend on actual volumes
Existing compliance infrastructure New build vs. update to existing policy

Document structure

1. Policy purpose and scope

  • Business description and AML risk context
  • Legal and regulatory basis: the applicable AML law and regulations
  • Scope: who is covered (all employees, agents, outsourced service providers)
  • Policy owner (typically MLRO — Money Laundering Reporting Officer)

2. Regulatory framework

Key applicable frameworks by jurisdiction:

Jurisdiction Primary AML law Regulator FATF member
UAE (onshore) AML/CFT Law Federal Decree-Law 20/2018; Cabinet Decision 10/2019 CBUAE (banking), MOE (DNFBPs) Yes (FATF)
DIFC DIFC AML/CFT Law (DIFC Law No. 1 of 2017 as amended); DFSA AML Module DFSA Yes (FATF via UAE)
ADGM ADGM AML/CFT Regulations; FSRA AML Rules ADGM FSRA Yes (FATF via UAE)
KSA AML Law (Royal Decree M/31/2003 as amended); CFT Law SAMA (financial institutions); FATF member Yes
Egypt AML Law No. 80/2002 as amended; CBE regulations CBE; EFSA Yes (FATF)
Lebanon AML Law No. 44/2015; Banque du Liban circulars SIC (Special Investigation Commission) MENAFATF member

All frameworks follow FATF 40 Recommendations as the baseline standard.

3. Customer due diligence (CDD)

3.1 Standard CDD — natural persons

Minimum identification requirements:

  • Full legal name (as on government-issued ID)
  • Date and place of birth
  • Nationality and country of residence
  • Occupation
  • Government-issued ID (passport, national ID, residency permit): number, expiry, issuing authority
  • Address (residential and/or correspondence)
  • Source of funds (for higher-risk customers or transactions above threshold)
  • Source of wealth (for PEPs and high-risk customers)

Verification methods: physical ID check; eKYC (permitted in UAE, KSA, DIFC for regulated entities); certified copies for non-face-to-face onboarding.

3.2 Standard CDD — legal entities

  • Full legal name and trading name
  • Jurisdiction of incorporation and registration number
  • Registered address and principal place of business
  • Certificate of incorporation / commercial registration
  • Articles of association
  • Identification of beneficial owners (UBO): individuals who own or control 25% or more (some jurisdictions: 10%) of the entity, and the natural persons who exercise ultimate effective control
  • Director identification

UAE: UBO information must be registered with the relevant authority (Ministry of Economy or free zone) under Cabinet Resolution 58/2020 on UBO.

3.3 Enhanced due diligence (EDD)

Apply EDD when:

  • Customer is a Politically Exposed Person (PEP) or close associate/family member of a PEP
  • Customer or transaction involves a high-risk jurisdiction (FATF grey or black list; company jurisdiction is a secrecy jurisdiction)
  • Transaction type is inherently high-risk (large cash; correspondent banking; cross-border wire to high-risk jurisdiction; crypto asset transactions)
  • Customer is a legal entity with complex or opaque ownership structure

EDD requires:

  • Senior management approval for onboarding
  • Source of wealth documentation and verification
  • Enhanced ongoing monitoring (lower transaction thresholds for review)
  • More frequent periodic review (at least annually vs. standard 2–3 years)

3.4 Simplified due diligence (SDD)

Permitted only where risk is demonstrably low — typically for regulated financial institutions as customers (themselves subject to AML rules), listed companies on regulated exchanges, and government entities. Document the basis for SDD application.

4. Risk assessment and risk-rating

A written risk assessment is required by FATF and all MENA AML frameworks. The risk assessment must:

  • Identify the money laundering and terrorist financing risks inherent in the business model
  • Assess the residual risk after controls
  • Be reviewed at least annually and on material business changes

Customer risk rating factors:

  • Customer type (natural person / legal entity / PEP / high-risk business)
  • Product/service used (cash-intensive / cross-border / crypto / trade finance)
  • Geography (high-risk vs. standard vs. low-risk jurisdictions)
  • Transaction behavior (patterns consistent with declared purpose?)

Risk categories: Low / Medium / High (define thresholds numerically where possible)

5. Ongoing transaction monitoring

  • Define monitoring rules and thresholds per product type
  • Automated transaction monitoring system: what rules are in force; who reviews alerts; escalation path for unresolved alerts
  • Periodic review schedule: Low-risk customers: every 3 years; Medium: every 2 years; High: annually; PEPs: annually minimum
  • Trigger events for ad-hoc review: adverse media; law enforcement inquiry; unusual transaction pattern; customer request for transaction outside declared purpose

6. Suspicious activity reporting (SAR/STR)

  • Internal reporting: any employee who suspects money laundering or terrorist financing must report to the MLRO immediately (internal SAR form)
  • MLRO review: assess within [X] business days; decide whether to file with the financial intelligence unit (FIU)
  • External reporting:
    • UAE: report to goAML (FIU, part of CBUAE)
    • KSA: report to SAFIU (Saudi Financial Intelligence Unit) via goAML
    • Lebanon: report to the Special Investigation Commission (SIC)
    • Egypt: report to the Money Laundering Combating Unit (MLCU)
    • DIFC/ADGM: report to UAE FIU; notify DFSA/FSRA of material SAR filing
  • Tipping-off prohibition: once an internal SAR is filed, do not alert the customer that a report has been made or is under consideration — this is a criminal offence in all MENA jurisdictions
  • Freeze pending report: if transaction has not been executed, freeze pending MLRO decision

7. Record-keeping

  • Customer identification records: minimum 5 years after end of customer relationship (UAE: 5 years; DIFC: 6 years; KSA: 10 years)
  • Transaction records: same retention period as identification records
  • SAR/STR records: retain for same period; protect from unauthorized access
  • Training records: 3 years minimum
  • Format: original documents or certified copies; electronic storage is permitted in most MENA jurisdictions with audit trail integrity requirements

8. Training obligations

  • Initial training: all new employees before client-facing duties begin
  • Annual refresher: all covered staff
  • Enhanced training: MLRO, compliance team, customer-facing staff
  • Content: AML/CFT obligations; red flags; internal reporting procedures; consequences of non-compliance
  • Documentation: attendance records; assessment results; training materials

9. MLRO role and responsibilities

  • Appoint a designated MLRO (Money Laundering Reporting Officer) and deputy
  • MLRO requirements: senior; sufficient authority and resources; direct board access
  • MLRO obligations: oversee AML programme; receive internal SARs; file external reports; produce annual AML report to board
  • Regulatory notification: MLRO appointment must typically be notified to the regulator (DFSA: prior approval required; CBUAE: notification)

Jurisdictional notes

UAE: Virtual Asset Service Providers (VASPs)

UAE VASPs regulated by VARA (Virtual Assets Regulatory Authority) — Dubai, or by SCA (Securities and Commodities Authority) — federally. Both require an AML programme compliant with CBUAE guidance and FATF Recommendation 15 (travel rule).

KSA

SAMA has issued detailed AML/CFT Rules (2021) for banks and finance companies. New fintech entrants must comply from day one of operations. The SAFIU reporting obligation is strict — fines for non-reporting are significant.

DIFC

DFSA Sourcebook: AML Module (AML). The DFSA has taken enforcement action against firms with inadequate AML controls. CDD failures are a top enforcement priority.

Common mistakes

  • No written risk assessment — required by all MENA frameworks; a policy alone is not sufficient
  • PEP screening not operationalized — having a policy requirement but no screening tool or process
  • Tipping-off omission — policy does not address the prohibition on alerting customers
  • No MLRO appointment or MLRO without sufficient authority or resources
  • Record retention periods not jurisdiction-calibrated — 5-year UAE minimum vs. 10-year KSA minimum creates issues for firms operating in both
  • [[prompt-pack-anti-money-laundering-policy]] — related policy for broader financial institution use
  • [[kb-aml-mena]] — MENA AML/CFT law reference
  • [[prompt-pack-bnpl-platform-agreement]] — BNPL product which carries AML obligations
  • [[heuristic-always-state-jurisdiction-first]] — jurisdiction-first drafting