Regulatory Update: Middle East Edition – September 2022

On 21 September 2022 the Dubai Financial Services Authority (“DFSA”) introduced an online version of the MKT1 Form. This is part of the DFSA’s efforts towards moving to a fully digitised environment.

Firms have previously been used to preparing the MKT1 Form using a Microsoft Word version available in the Application Forms and Notices (“AFN”) module of the DFSA Sourcebook. The Microsoft Word version of the form will cease to be accepted by the DFSA from the 1 November 2022.

Further details of how to use the online MKT1 Form can be found here.

Following the launch of the Dubai International Financial Centre (“DIFC”) open finance lab, a two-day event took place on 27 and 28 of September 2022. The event included panel discussions, roundtables, and live demos with participation from market leaders from the open finance community. The event was held at the DIFC Innovation Hub and aimed to engage banks, regulators, and industry participants by providing discussions on educational topics, with experts sharing their learnings and challenges.

Topics discussed include:

The DFSA has issued an alert to the public in relation to a fake website set up by scammers to impersonate NNG Reinsurance Limited.

NNG Reinsurance Limited is a DFSA authorised firm and as highlighted by the DFSA, NNG Reinsurance Limited does not have a website nor correspond directly with prospective or actual policyholders, due to the financial services permissions granted to the firm.

The DFSA has urged the public not to visit the fake website or send any email communications to the email addresses listed on the website.

The DFSA published a Cyber Thematic Review Report on 16 September 2022. The report summarises the key findings from the review launched in January 2022. The aim of the review was to determine:

• whether progress had been made on the areas requiring improvement, as highlighted in the Cyber Thematic Review Report 2020
• the development of firms’ cybersecurity frameworks
• the level of implementation of the DFSA Cyber Risk Management Guidelines made by firms

Firms assessed as part of the review included authorised firms, authorised market institutions and registered auditors. Participation included completion of an online questionnaire sent to 512 firms, with a 92% response rate.

The outcome of the review was generally positive with the DFSA noting that material improvements in overall cyber maturity had been made to most of the areas assessed in the 2020 review. The DFSA highlighted significant improvements in:

• user authentication controls
• password security controls
• multi-factor authentication
• third-party cyber risk management

Although material improvements were identified, the DFSA noted that all 14 key findings from the 2020 review continue to require improvement.

The DFSA noted that many companies have adopted cyber security best practices over the last year, but further progress must be made, as firms should aim to implement a strong cyber infrastructure in accordance with the United Arab Emirates (“UAE”) National Cyber Strategy.

Firms are advised to read the report, whilst taking into consideration the nature, scale and complexity of their business. Firms are also advised to read the outcomes of the 2020 Cyber Thematic Review Report.

Firms should ensure that they consider and implement where appropriate:

• encryption techniques
• vulnerability assessments and penetration testing
• continuous monitoring detection and response capabilities
• third-party cyber risk management
• cyber risk identification and assessment capabilities
• IT asset identification and classification
• incident response testing programme

The DFSA has advised that it plans to conduct cyber thematic reviews every two years to understand the development of cybersecurity frameworks implemented by firms.

The DFSA will conduct an outreach session to share the above as well as other upcoming initiatives in the cyber risk supervision.

Further details of the 2022 review can be found here.

The Financial Services Regulatory Authority (“FSRA”) of Abu Dhabi Global Market (“ADGM”) have issued an alert to members of the financial services community and public, in relation to a website which falsely claimed to be connected to the Abu Dhabi Global Market (“ADGM”).

The website URL adgm-dsn.net, which seems to have now been disabled, included the ADGM’s logo, without permission to do so.

The website appeared to offer a digital asset trading platform and provided potential investors with the opportunity to sign up for trading accounts and deposit funds.

The FSRA believe that the website was linked to a company named Qingtai International Corporation. The FSRA has confirmed that the operators of the website are not licensed or regulated by the FSRA to carry on Regulated Activities in ADGM, and that the website is not associated with ADGM.

Anyone who is concerned about the authenticity of a website, or regulatory status of a firm can search the FSRA’s Public Register here.

On 19 September 2022, the ADGM hosted an event to discuss the topics of ‘the role of blockchain technology in achieving sustainable finance goals’ and ‘responsible innovation and global financial access’.

Developments in the technology space, such as blockchain, have the capability to radically reshape traditional financial markets, which will bring wider inclusion, access to new products, services, and investment opportunities, as well as greater transparency. These advancements come at a time where governments and institutions are progressing with policy goals designed to promote and increase capital allocation towards more environmentally aware industries and investments.

The ADGM shared their thoughts with the community, along with an open discussion covering the following topics:

• leveraging the power of blockchain technology to promote greater transparency and investor protection while respecting the individual right to privacy
• broadening financial access with digital assets
• creating greater efficiency in carbon credit and renewable energy credit markets through blockchain-based digitalisation

On 27 September 2022, the FSRA announced new enhancements to the capital markets framework. The updates follow on from the proposals that were initially announced in March 2022, which received positive feedback from the industry.

Major enhancements to the capital markets framework were made in relation to:

• spot commodities
• virtual assets
• securities
• benchmarks
• derivatives
• environmental instruments

The objectives of the updates are to secure and reinforce ADGM’s capital market ecosystem across the Middle East and North Africa (“MENA”) region, enable wider participation within primary and secondary markets, and ensure ADGM market participants operate to the highest regulatory standards. The ADGM is the first financial centre in MENA to implement regulatory framework for environmental instrument and spot commodity activities.

Markets-related activities will be positively impacted and those affected may include:

Whilst conventional financial services activities will significantly benefit from the changes, custodians/MTFs operating within ADGM are now able to seek approval from the FSRA to engage in non-fungible token (“NFT”) activities. This follows on from the innovative establishment of the comprehensive regulatory framework for virtual asset activities, which was introduced in 2018 and continues to enhance the globally leading position of the ADGM.

Amendments have been made to the following FSRA rules and regulations:

• Financial Services and Markets Regulations (“FSMR”)
• Market Rules (“MKT”)
• Market Infrastructure Rulebook (“MIR”)
• General Rulebook (“GEN”)
• Conduct of Business Rulebook (“COBS”)
• Islamic Finance Rules (“IFR”)
• Fees Rules (“FEES”)

The existing Rules of Market Conduct (“RMC”) have been replaced with a Code of Market Conduct (“CMC”).

Further details of the updates can be found here.

On 12 September 2022, the FSRA published ‘Guiding Principles for the Financial Services Regulatory Authority’s Approach to Virtual Asset Regulation and Supervision’. The document outlines the expectations and risk appetite for regulating virtual asset service providers.

The principles serve as means for greater regulatory collaboration and cohesion between the FSRA and other regulatory authorities. As such, the principles provide an overview of the FSRA’s risk appetite and priorities for the virtual assets sector, which are as follows:

Principle 1: a robust and transparent risk-based regulatory framework

Principle 2: high standards for authorisation

Principle 3: preventing money laundering and other financial crime

Principle 4: risk sensitive supervision

Principle 5: commitment to enforce regulatory breaches

Principle 6: international cooperation

The principles have been introduced to ensure:

• customer protection
• market integrity
• financial stability
• risk sensitivity and confidence in the ecosystem

Further details of the ADGM FSRA’s Guiding Principles can be found here.

The FSRA has published consultation paper No.5 of 2022 to seek views on proposed amendments to the COBS rulebook, Prudential – Investment, Insurance Intermediation and Banking Rules (“PRU”), and FEES rulebook for Authorised Persons offering over-the-counter (“OTC”) leveraged products to retail clients.

The proposed changes are aimed at providing robust protection for retail clients as the risk of using such products has the potential to result in substantial losses.

The paper proposes the following:

• definition of “OTC leveraged products”
  • the offering or sale of binary options and analogous products to retail clients should be prohibited under proposed COBS 23.12.1, which will also include analogous products
• margin close-out requirements for retail clients
  • 50% margin close-out requirements for retail clients should be put in place to protect retail clients from losses resulting from adverse market movements relating to the class of underlying assets, particularly given the high leverage involved in such products
• prohibition on referrals by unregulated persons
  • prohibiting authorised persons from accepting referrals of retail clients from unregulated third parties
• prohibition on funding account through a credit card or a third-party credit facility
  • prohibition on retail clients funding their accounts using credit cards, this requires the authorised person to assess, amongst other things, that the offering of OTC leveraged products to retail clients is appropriate given their financial situation and in the light of the high level of losses suffered by the target market
• other proposed changes:
  • granting a six-month transition period in relation to meeting of the proposed introduction of margin close-out requirements, the prohibitions on referrals by unregulated third parties, and the use of credit cards and/or credit facilities
  • amendments to FEES to reflect that authorising firms wishing to offer those products, the application fee and annual supervision fee for these firms are each set at US$40,000 to reflect this and these fees are reflected in the existing FSP condition

The proposed supplementary guidance will aid potential applicants in understanding the FSRA’s expectations in relation to the experience and qualifications of individuals proposed for senior positions and further operational considerations.

Consultation Paper No. 5 of 2022 including the supplementary guidance can be found here.

Comments can be submitted to the FSRA until 28 October 2022 by emailing [email protected]

Working in collaboration, the FSRA, the DFSA and the Central Bank of the United Arab Emirates (“CBUAE”) held the Gulf Cooperation Council (“GCC”) Regulators Cyber Risk Supervisory College second meeting.

The purpose of the college is for regulatory authorities supervising financial institutions in the GCC region to discuss supervision initiatives that are current and upcoming in the cyber risk space, discuss areas for potential collaboration, and to discuss the role of GCC regulators in efforts to mitigate cyber risk.

The second edition focused on current trends in relation to cyber risk supervision, as well as technology risks related to digital assets and distributed ledger technologies. Supervisory expectations of cyber risk management practices applied by regulated institutions, was also a topic of discussion.

One of the leading cryptocurrency exchanges, Binance, has joined the new virtual asset ecosystem, being granted a Minimal Viable Product (“MVP”) license by the Dubai Virtual Asset Regulatory Authority (“VARA”). This is following the likes of blockchain.com and crypto.com, who have also recently been granted licenses by VARA.

Binance was initially granted a license in March 2022 to enable it to operate within Dubai’s virtual asset market model as a base before further expansion into the region. Under the initial regulatory phase, Binance was permitted to extend limited exchange products and services to pre-qualified investors and professional financial service providers only.

The MVP license will allow Binance to offer crypto assets, crypto transfers, token offers, exchange services, crypto payments, crypto to fiat conversions and management services. With the ability to offer these products and services to retail and institutional traders in Dubai.

The joint seminar on the topic of ‘Applying Risk-Based Approach and Strengthening Compliance with Financial Action Task Force (“FATF”) Preventive Measures’ was held by the Executive Office for Control and Non-Proliferation (“EOCN”), in cooperation with the United Nations Office of Counter-Terrorism (“UNOCT”).

The seminar is part of a series aimed at creating awareness of risk-based control and the tools used to ensure that financial institutions understand and comply with anti-money laundering (“AML”), combatting the financing of terrorism (“CFT”) and proliferation requirements.

During the two-day workshop the focus was on raising the level of compliance of financial institutions and the designated non-financial businesses and professions (“DNFBP”) with the international standards in general and the requirements for the implementation of targeted financial sanctions. Best practices were shared by experts and specialists, presenting examples to strengthen internal control systems to protect financial institutions and specific DNFBPs from exploitation in money laundering, terrorist financing or proliferation.

To assist with AML, CFT and proliferation requirements, firms are advised to:

• use a risk-based approach
• have appropriate targeted financial sanctions (“TFS”) procedures and resources
• undertake regular and ongoing screening on the latest local terrorist list and United Nations (“UN”) consolidated list
• screening should be conducted in the following circumstances:
  • upon any updates to the local terrorist list or UN consolidated list
  • prior to onboarding new customers
  • upon know your customer (“KYC”) reviews or changes to a customer’s information
  • before processing any transaction
• screen their existing customer databases, ultimate beneficial owners, parties to transactions
• appoint a designated officer to act on a potential match or positive match immediately
• have stringent KYC policies and procedures
• be aware of TFS requirements to screen, freeze and report
• report all sanctions list matches within the designated timeframe
• be transparent when reporting suspicious activity to the Financial Intelligence Unit (“FIU”), explain what the plan of action is, for example, if the firm plans to exit the relationship or enhance the AML
• consider the outcome of the National Risk Assessment and regulatory guidance

A meeting was held by His Excellency Khaled Mohamed Balama, Governor of the CBUAE, with bank executive officers. The significance of the consumer protection framework and complaints management was highlighted during the meeting. A new unit by the name of ‘Sanadak’ is planned to be established to act as a consumer complaint resolution unit in the Middle East region that will provide efficient access and quick turnaround for resolution of consumer complaints.

The aim of the the Memorandum of Understanding (“MoU”) is to establish a general framework for co-operation in the field of supervision and control within the insurance sector.

This is part of an agreement signed by the Kingdom of Saudi Arabia and the UAE, in their regulatory efforts to promote supervision and regulation of the insurance sector and its development.

The MoU will encourage the exchange of supervisory and regulatory information, such as:

• solvency rules
• calculation of technical allocations
• investment policy rules
• procedures related to supervision
• follow up and enforcement on insurance companies – which will also include cross border companies
• suspicious activities, fraud, money laundering and terrorist financing

The CBUAE and the Saudi Central Bank will also cooperate on the implementation of international standards in their markets, particularly the International Financial Reporting Standard (“IFRS”).

Further details of the MoU can be found here.

The UAE Executive Office of Anti-Money Laundering and Countering the Financing of Terrorism (“EO AML/CFT”) have introduced measures to address the FATF concerns since being placed on FATFs ‘grey list’.

FATF’s official statement issued on 4 March 2022 announced that it had placed the UAE under more stringent monitoring, while recognising that the country had made positive progress in its AML, CFT and counter-proliferation financing (“CPF”) efforts.

The aim of the measures is to remedy any non-compliant and partially compliant outcomes from the mutual evaluation report and follow-up report.

Summary of the UAE’s key efforts during 2022:

• registration for DNFBPs introduced on the goAML website
• Dubai set up a specialised AML court
• the CBUAE issued separate sets of regulations to address risks associated with payments and with politically exposed persons (“PEP”).
• the UAE AML/CFT Public Private Partnership completed a round of 10 meetings to increase cross-sector collaboration
• the Dubai Land Department took steps to publish new real estate acquisitions to improve transparency, although the identity of the vendor and buyer remain confidential
• the UAE Ministry of Justice has issued instructions to law firms informing them of the introduction of a new report on the goAML website that links financial institutions and DNFBPs to the Financial Intelligence Unit (“FIU”)
• realtors must report any payments for real estate assets in either crypto or cash in transactions involving US$15,000 or more to the FIU, as well as filing suspicious activity reports when necessary
• fines have been issued by the FSRA in relation to AML/CFT oversight deficiencies, most recently in August an FSRA regulated firm Wise were fined US$360,000
• fines totalling US$1.05Bn were levied against banks, money exchange houses and other businesses in 2021

FATF’s latest report on the United Arab Emirates can be found here.

It has been agreed by Deutsche Bank that they will pay a settlement of US$26.25M to a US shareholder lawsuit. Shareholders claimed that the bank had ineffective oversight of high risk, high net worth clients, including Russian oligarchs.

The bank was accused of having ineffective controls against money laundering and KYC, with the share price falling as issues emerged. The US$26.25M settlement covers Deutsche Bank investors in the US from 14 March 2017 to 18 September 2020. Deutsche Bank denied any wrongdoing in agreeing to settle.

The United Kingdom’s (“UK”) newly appointed Chancellor of the Exchequer, Kwasi Kwarteng, announced in a statement on 23 September 2022, that the majority of modifications to financial services regulation will be revealed late in 2022. This includes changes to the Markets in Financial Instruments Directive (“MiFID II”). The work is scheduled to be fully completed by 31 December 2023.

Officials suggested that MiFID II changes may include investor protection modifications. For example, firms would be required to ask customers about their environmental, social and governance (“ESG”) preferences when selling financial products.

The Financial Services and Markets Bill will transfer all retained EU law concerning financial services to the Prudential Regulatory Authority (“PRA”) and Financial Conduct Authority (“FCA”) to be rewritten or removed if necessary. The retained EU law is set to expire on 31 December 2023.

The FATF and INTERPOL have launched a joint initiative with the aim of depriving criminals of illicit funds and assets.

According to estimates by the UN Office on Drugs and Crime, countries intercept and recover less than one percent of global illicit finances. It is often the case that assets are transferred out of countries quickly and then channeled to or through multiple countries. This means that the process of asset recovery is often complex and requires international cooperation.

FATF and INTERPOL held a roundtable event on the 12 and 13 of September 2022, ‘FATF-INTERPOL Roundtable Engagement’ (“FIRE”), was the first event of its kind. 150 experts participated in the event, including international organisations, financial intelligence units, law enforcement agencies, prosecutors, asset recovery offices, policy makers and private sector industry leaders.

It was agreed by participants that a stronger understanding of the global financial crime landscape, in relation to cyber-enabled financial crime, is crucial in the efforts against illicit flows.

Experts highlighted the need to focus on:

• promoting national policies and actions that prioritise tracing, seizure and confiscation of criminal assets
• enhancing operational cooperation at national, regional and international levels
• increasing effective information sharing among authorities and with the private sector.

Japan has taken action in efforts to combat money laundering and terrorist financing since the last mutual evaluation which took place on 2021. The efforts were acknowledged with the FATF re-rating Japan on recommendation 2 from partially compliant to largely compliant. Japan is currently compliant with 4 recommendations and largely compliant with 25, remaining partially compliant with 9 recommendations. Japan will continue to be in enhanced follow up, keeping the FATF informed of progress achieved.

Japan’s 2022 Follow-up Report can be viewed here.

Columbia has made progress in improving its level of compliance with the FATF standards since its 2018 mutual evaluation. The following re-ratings have now been applied:

• Recommendation 13 from partially compliant to compliant
• Recommendation 16 from partially compliant to compliant
• Recommendation 19 from partially compliant to compliant
• Recommendation 33 from partially compliant to compliant
• Recommendation 34 from partially compliant to compliant

Colombia is now compliant with 13 recommendations, largely compliant with 15 recommendations and partially compliant with 10 recommendations. The country has one non-compliant rating.

Columbia’s 2022 Follow-up Report can be viewed here.

The Executive Office of the Committee for Goods and Materials Subject to Import and Export Control (“CGMSIEC”) has updated the UN Security Council (“UNSC”) sanctions list. Two individuals have been added and two entities have been amended.

Firms are reminded to monitor geopolitical events and any resulting updates to the international sanctions lists so that they can assess their exposure to sanctioned individuals and entities. Sanction contraventions must be reported to the relevant authorities without delay, and regulators will expect to be notified of any sanctions matters that may result in reputational consequences for the firm.

The updated sanctions list can be found here.

The FSRA announced on 1 September 2022 that five reporting financial institutions have been ordered to pay penalties and administrative fees ranging from AED 30,000 to AED 119,000 for contraventions of the Common Reporting Standard Regulations (“CRS”) 2017.

The actions were imposed by the FSRA in relation to failures to:

• apply adequate due diligence procedures
• keep records of the performance of due diligence
• report required information in a complete and accurate manner
• obtain valid self-certification of tax information from clients.

Securities regulators have imposed a fine of US$35M on Morgan Stanley for not safeguarding sensitive personal information of 15 million customers.

Customer data dating back to 2015 was stored on computer servers and hard drives. In 2016 the bank hired a company for the purpose of moving and storing the data. The company hired by Morgan Stanley had no data-destruction experience to delete the data from the devices, therefore they therefore failed to clear all data from the servers and hard drives. The company later resold around 4,900 of the devices, some of the devices were not cleared of the customer data.

The incident was identified in 2017, when an information technology consultant in the United States bought one of Morgan Stanley’s old pieces of hardware, the individual then informed Morgan Stanley that he had discovered some of their data.

Morgan Stanley has had previous incidents of not safeguarding customer data. In 2019 during a routine upgrade of computer equipment, the company attempted to delete the customer data from 500 servers at local branches, however, 42 of the servers that contained customer data were misplaced.

The United Kingdom (“UK”) is currently investigating Russian billionaire Petr Aven for alleged sanctions evasion. Two UK banks raised red flags regarding fund transfers in a National Crime Agency (“NCA”) investigation into nine bank accounts, held by six individuals and companies connected to the individual.

It has been alleged by the NCA that Aven had the intention to use two companies to help manage his expenses to evade sanctions.

Lawyers for Aven and the two companies have demanded that two Account Freezing Orders be retracted, due to there being no reasonable basis for any purported suspicion and that the agency had misled the judge.

This is thought to be the first major sanctions evasion case which will test the UK’s approach to sanctions enforcement and will set the course for the NCA’s strategy going forward.

Oracle Corp will pay around US$23M to resolve charges in relation to bribery of foreign officials, with the aim of winning business. The business units located in Turkey, the United Arab Emirates and India had access to so called ‘slush funds’ for this purpose.

The case covered purported acts of bribery occurring between 2014 and 2019.This will be the second time the Securities and Exchange Commission (“SEC”) has charged Oracle with offences against the Foreign Corrupt Practices Act (“FCPA”), a US anti-bribery law.

Aside from allegedly using the slush funds to bribe officials, it was reported that the business units also used funds to pay for foreign officials to attend technology conferences and for the officials’ spouses and children to accompany them, or take side trips to Los Angeles and Napa Valley, California.

Oracle agreed to pay a US$15M fine and around US$7.9M of disgorgement and interest. Oracle have not admitted nor denied wrongdoing in agreeing to settle.