prompt-pack-anti-money-laundering-policy


---
name: prompt-pack-anti-money-laundering-policy
description: Use when drafting a comprehensive AML/KYC policy for a financial institution (bank, finance company, insurance firm) covering customer due diligence, enhanced due diligence, suspicious activity reporting, record-keeping, and staff training. Closely related to the fintech-focused AML/KYC policy skill; this skill addresses the broader financial institution context with additional emphasis on correspondent banking, trade finance, and institutional EDD.
license: MIT
metadata:
  id: prompt-pack.anti-money-laundering-policy
  category: prompt-pack
  practice_area: fintech-payments
  priority: P2
  intent: [drafting, anti-money-laundering-policy]
  related: [prompt-pack-aml-kyc-policy, prompt-pack-bnpl-platform-agreement, heuristic-always-state-jurisdiction-first, kb-aml-mena, prompt-pack-ai-governance-policy]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---

Anti-Money Laundering Policy

When to use this

Use this skill when drafting a comprehensive AML/KYC policy for a financial institution — bank, finance company, insurance company, investment firm, exchange house, or similar regulated entity. This skill has a broader scope than [[prompt-pack-aml-kyc-policy]] (which focuses on fintech/payments companies): it addresses the full financial institution context including:

  • Correspondent banking relationships
  • Trade finance and documentary credits
  • Institutional/corporate client EDD
  • Shell bank prohibitions
  • Sanctions compliance integration with AML controls

Prompt template

Draft a comprehensive AML/KYC policy for [financial institution/fintech company] operating in [jurisdiction]. Include customer due diligence procedures, enhanced due diligence triggers, suspicious activity reporting, record-keeping requirements, and staff training obligations.

Use [[conversation-clarifying-questions]] to elicit [bracketed] inputs before drafting.

Required inputs

| Input | Why it matters |
|---|---|
| Institution name and type | Bank, finance company, exchange house, insurance — different regulatory frameworks |
| Jurisdiction(s) of licensing | Determines the specific regulator and AML law |
| Business lines in scope | Different business lines have different AML risks |
| Customer segments | Retail, corporate, institutional, correspondent banks — each has different CDD standards |
| Existing AML controls infrastructure | New build vs. policy update |

Document structure

1. Policy statement and governance

Board-level commitment: the policy must be approved by the board of directors or equivalent governance body. The board is ultimately responsible for the AML framework.

Three lines of defence:

  1. First line: business units (own and manage AML risk day-to-day)
  2. Second line: compliance / AML function (design, monitor, and test controls; MLRO)
  3. Third line: internal audit (independent testing of the AML framework)

MLRO designation: name, role, reporting line, authority, resources. In most MENA jurisdictions the MLRO must be senior (MD/VP level or above) and the appointment must be notified to the regulator.

2. Regulatory framework

The policy must reference the specific legal and regulatory instruments applicable to the institution:

UAE onshore financial institutions:

  • AML/CFT Federal Decree-Law 20/2018 ("AML Law")
  • Cabinet Decision 10/2019 (implementing regulations)
  • CBUAE AML/CFT Standards (most recently updated 2023/2024)
  • CBUAE Circular on Financial Sanctions compliance

DIFC entities:

  • DIFC AML/CFT Law (DIFC Law No. 1 of 2017 as amended by Law No. 8 of 2024)
  • DFSA Rulebook: AML Module, and sector-specific modules (Islamic Finance Supplement, etc.)

ADGM entities:

  • ADGM AML/CFT Regulations 2015 (as amended)
  • ADGM FSRA AML Rules

KSA financial institutions:

  • AML Law (Royal Decree M/31/2003 as amended)
  • SAMA AML/CFT Rules (updated 2021)
  • SAFIU regulations

Lebanon:

  • AML Law No. 44/2015
  • Banque du Liban Basic Circular No. 83 (AML) and intermediary circulars
  • SIC (Special Investigation Commission) operational guidelines

Egypt:

  • AML Law No. 80/2002 (as amended by Law No. 78/2019)
  • CBE AML/CFT Instructions

3. Customer due diligence — expanded for financial institutions

[See [[prompt-pack-aml-kyc-policy]] for full CDD documentation requirements — this section expands on institutional-specific CDD]

3.2 Corporate and institutional clients

Additional requirements for legal entities:

  • UBO identification: trace beneficial ownership to the natural persons who own or control 25%+ (or 10% in some jurisdictions) — through all layers of holding structure
  • Complex structures: trusts, foundations, nominee shareholders require look-through to identify the ultimate beneficial owner
  • UAE UBO register: Cabinet Resolution 58/2020 requires UAE-incorporated entities to maintain and file UBO information; verify against the register

3.3 Correspondent banking

Before establishing or continuing a correspondent banking relationship:

  • Assess the respondent bank's AML controls (questionnaire, Wolfsberg AML correspondent banking principles)
  • Obtain senior management approval
  • Prohibit relationships with shell banks (banks with no physical presence in any jurisdiction)
  • No payable-through accounts to unverified third parties
  • Annual review of the relationship

3.4 Trade finance

Trade finance is a high-risk area for money laundering (invoice fraud, mis-invoicing, commodity fraud):

  • Independent verification of trade transactions where possible
  • Dual-use goods: screen for export control and sanctions implications
  • Documentary credits: verification of underlying trade and parties
  • Red flags: unusual pricing, indirect routing, unusual countries, complex payment structures

4. Enhanced due diligence triggers

Apply EDD where:

| Trigger | Notes |
|---|---|
| Politically Exposed Person (PEP) | Senior government official or state enterprise official; close family member or known associate. EDD applies to foreign PEPs at all times; some jurisdictions require EDD for domestic PEPs on a risk basis |
| High-risk jurisdiction | FATF grey list; FATF black list; jurisdiction on the institution's own internal high-risk list |
| Unusual transaction patterns | Activity inconsistent with the customer profile or declared purpose |
| High-value transactions above threshold | UAE: cash transactions above AED 55,000; international: USD 10,000 CTR threshold |
| Complex or opaque structures | Multiple layers of holding; nominee shareholders |
| Adverse media | Negative credible media about the customer, beneficial owner, or associated parties |

EDD requirements:

  • Source of funds and wealth documentation
  • Senior management approval for onboarding or continuing relationship
  • More frequent periodic review (at minimum annually for PEPs and high-risk)
  • Enhanced transaction monitoring

5. Sanctions screening

While distinct from AML, sanctions compliance is typically managed within the AML function:

  • Screen all new customers at onboarding against designated lists (OFAC SDN, EU Consolidated List, UN SC Sanctions, UAE Cabinet Decision 20/2019 local terrorist list, jurisdiction-specific lists)
  • Screen at each periodic review and on transaction processing (real-time or near real-time for financial institutions)
  • Freeze and report: if a match is confirmed, freeze the account/transaction and report to the relevant authority immediately
  • False positive management: documented process for clearing false positives; documentation retained

6. Suspicious activity reporting

[See [[prompt-pack-aml-kyc-policy]] for the core SAR process — this section adds institutional-specific elements]

Additional for financial institutions:

  • Multiple internal SARs on the same customer or relationship should trigger a full relationship review
  • Automated transaction monitoring system: document the rules, thresholds, and scoring model used; update model regularly
  • L-SAR (Large Cash Transaction Report) / CTR (Currency Transaction Report): mandatory filing in UAE (above AED 55,000 cash) and other jurisdictions — separate from SAR
  • Tipping-off: a criminal offence under AML Law in all MENA jurisdictions; employees must be trained that they cannot tell the customer a report has been made or is being considered

7. Record-keeping

| Record type | Retention period |
|---|---|
| Customer identification records | UAE: 5 years after end of relationship; KSA: 10 years; DIFC: 6 years; Lebanon: 5 years |
| Transaction records | Same as identification records |
| SAR/internal reports | Same retention period; access restricted to need-to-know |
| Correspondent banking due diligence | Same period as the relationship |
| Training records | 3 years minimum |

8. Staff training

  • Scope: all employees; enhanced training for MLRO, compliance team, and customer-facing staff
  • Frequency: on joining; annually; on material regulatory changes
  • Content: AML obligations; red flags for ML/TF; internal reporting process; consequences of non-compliance (criminal liability; regulatory sanction; dismissal)
  • Completion tracking: attendance records; assessment scores; evidence of training materials used

9. Governance and reporting

  • Annual AML report: MLRO presents to the board/senior management annually; includes: SAR statistics, training completion rates, high-risk customer numbers, enforcement/regulatory developments, gaps and remediation plan
  • Regulatory reporting: comply with all periodic and ad hoc regulatory reporting obligations (CBUAE, DFSA, SAMA, SIC, CBE)
  • Independent AML audit: internal audit or external auditor reviews AML framework at least annually; report findings to board/Audit Committee; remediation tracked

Jurisdictional notes — enforcement risk

  • UAE/DIFC: CBUAE and DFSA have both imposed significant fines for AML failures. DFSA AML enforcement actions are published. UAE onshore: CBUAE has issued consent orders and revoked licenses for AML deficiencies.
  • KSA: SAMA has increased AML enforcement in the banking and fintech sector since 2020. Fines and license suspensions are used.
  • Lebanon: SIC (Special Investigation Commission) has enforcement powers; Banque du Liban circulars carry supervisory authority.
  • Egypt: CBE has imposed penalties for AML deficiencies; enforcement is increasing.

Common mistakes

  • Policy approved by management, not the board — board approval is mandatory in most MENA frameworks
  • No operationalized screening procedure — a policy requirement for PEP screening without a screening tool or process is a compliance failure
  • Correspondent banking section missing — often omitted but required for institutions with correspondent relationships
  • Tipping-off prohibition not addressed in employee training
  • No annual AML review obligation — the policy must require itself to be reviewed

Related

  • [[prompt-pack-aml-kyc-policy]] — fintech-focused AML/KYC policy (narrower scope)
  • [[kb-aml-mena]] — MENA AML/CFT law reference
  • [[heuristic-always-state-jurisdiction-first]] — jurisdiction determines the applicable AML law
  • [[prompt-pack-bnpl-platform-agreement]] — BNPL agreement with embedded AML requirements