Regulatory Update February 2025 – ME Region

On 4 February, the Dubai Financial Services Authority (‘DFSA’) released its new business plan “Advancing Regulatory Excellence and Innovation”. The DFSA has highlighted the following key strategic themes for areas of focus: delivery, engagement, innovation, and sustainability.

In addition, the DFSA has stated its supervisory and regulatory priorities in relation to:

• banking:
  • macroeconomic and geopolitical risks
  • financial risks such as credit and liquidity
  • operational risks such as third-party risks and IT risks
• insurance:
  • ensuring firms have a strong risk management and compliance culture, along with robust frameworks for underwriting processes
  • examining closely the systems and controls for all firms licensed to hold insurance monies
• wealth management:
  • reviewing governance, client onboarding processes, product suitability at the point of sale, and client asset protection
  • ensuring that communications and marketing materials are clear, fair, and not misleading
  • enhancing the use of data to better define focus areas for supervisory review and analyse firms based on business models, risk types, and related themes
• markets:
  • ensuring high standards of market practices and appropriate disclosure under market and takeover rules
  • promoting fair, transparent, and efficient markets through ongoing monitoring of trading
  • providing education about the International Sustainability Standards Board (‘ISSB’) sustainability-related financial disclosure standards
• enforcement actions:
  • money laundering, terrorism financing, deliberate breaches of United Nations (‘UN’) sanctions or any breaches of Federal Law
  • misappropriation and mismanagement of client assets
  • misleading or deceptive conduct or obstructing DFSA investigations
• audit:
  • focusing on evaluating governance and culture within audit firms operating in the DIFC, as well as assessing the Audit Principal’s workload and its impact on audit quality
• authorisation:
  • digital transformation
  • enhanced communication
  • risk-based assessment.

You can read the DFSA article here.

On 5 February, the DFSA hosted an outreach session to present the findings from its recent whistleblowing thematic review. The objective of the review was to assess the effectiveness of regulated entities’ whistleblowing policies and procedures, particularly in facilitating the reporting, assessment, and, where appropriate, escalation of regulatory concerns. The DFSA also shared examples of good practices to help improve the speak-up culture within firms, ultimately enabling better detection and resolution of misconduct. The DFSA also provided feedback on their expectations from the review and encouraged regulated entities to take note and act.

The review highlighted key themes and findings across the following areas:

• whistleblowers’ protection
• quality of the entities’ whistleblowing policies and procedures
• lack of management information and ineffective oversight of whistleblowing arrangements
• training and awareness arrangements
• third parties whistle blowing arrangements
• monitoring and compliance

You can read the DFSA Thematic Review presentation here.

On 10 February, the DFSA issued a Dear SEO Letter “Thematic Review on Conflicts of Interest 2025”. This letter notifies Authorised Firms that the DFSA is conducting a cross-sector thematic review via asurvey on conflicts of interest to examine how firms (excluding representative offices) identify, record, and manage conflicts of interest such that the interests of customers are not adversely affected in respect of their business in the Dubai International Financial Centre (‘DIFC’). Responses to the survey were due by 28 February. Following the survey, the DFSA in Q2 2025 plans to complete an on-site assessment visit of a selected group of DIFC Firms that shall include a comprehensive review of Authorised Firms’ governance and control framework, including policies and procedures.

You can read the Dear SEO Letter here.

On 11 February, the DFSA published its findings from the 2024 thematic review “Targeted Financial Sanctions (‘TFS’) Compliance: DIFC Insurance Sector”. The findings from this review were generally positive, with areas for improvement mainly relating to documented control frameworks rather than the actual implementation of screening controls, as well as improvements in firms’ risk assessment methodologies. The review highlighted strong awareness and understanding of sanctions risk, with notable senior management engagement at the business approval level.

Areas identified for enhancement include:

• improving the Business Risk Assessment (‘BRA’) and Customer Risk Assessments (‘CRA’) to explicitly capture jurisdictional risk factors and the underlying insured risk in documentation
• ensuring policies, procedures, and related training materials clearly reference all UAE TFS obligations
• considering more detailed management information to track screening control and alert handling performance beyond just exception reporting
• ensuring that gap analyses are performed and thoroughly documented.

All firms in the insurance sector are expected to review the key findings and observations from the review and assess whether any improvements are necessary for their TFS systems and controls.

You can read the Thematic Review here.

On 25 February, the DFSA requested feedback via email on “Changes to EPRS Reporting Requirements – Capital Adequacy and Cryptocurrency”. Following the 2024 changes to the Prudential – Investment, Insurance Intermediation and Banking Rulebook (‘PIB’) on credit risk, counterparty credit risk, and credit valuation adjustment risk to align with Basel 3 standard, the DFSA is updating the Electronic Prudential Reporting System (‘EPRS’) forms to reflect these changes, along with revisions to the Prudential Returns Module (‘PRU’) Sourcebook, which provide guidance for completing EPRS submissions.

In addition to the changes related to the capital adequacy reporting requirements, the DFSA is also proposing minor amendments to relevant reporting forms capturing cryptocurrency activities.

A summary of the key high-level change points in relation to capital adequacy is set out below :

• deletion of deferred settlement transactions from B130B – credit risk
• addition of new form, B140H – market risk, to capture the capital requirement calculation for credit valuation adjustment
• addition and removal of accounts and amendment of formulas to calculate capital requirement for securities financing transactions (‘SFT’) in B130B – credit risk – SFT
• addition and removal of accounts and amendment of formulas in line with new counterparty credit risk methodology in B130B – credit risk – over-the-counter derivatives, exchange traded derivatives, long settlement transactions and risk-weighted assets.

Comments are welcome until 14 March and can be submitted directly to the DFSA by email. The changes will be effective for the Q2 2025 reporting period.

On 27 February, following the ending of consultation period, the DFSA published its updated regulatory framework.

Key amendments implemented to DFSA Rulebooks include:

• Prudential – Investment, Insurance Intermediation and Banking Business Rulebook (‘PIB’): Measurement of Exposure (‘E’) for off-balance sheet items other than counterparty credit risk exposures (‘CCR’) or SFTs under 4.9.4
  • removal from guidance and addition of requirements for the firms to calculate the amount of investor’s interest as the sum of investors’ drawn balances related to the securitised exposures and exposure associated with investors’ undrawn balances related to the securitisation exposures (‘SE’)
  • addition of a requirement for firms to apply a 1.2 times multiplier, if the official exchange rate between the lending currency and the obligor’s source of income currency is fixed via an official currency peg, provided both currencies are issued by a central government or central bank with an external credit assessment of credit quality grade 1 from a recognised external credit rating agency
  • clarification on the determination of size of firm’s exposure as a proportion of its tier 1 capital and not capital resources

• PIB: Financial group concentration risk limit under 8.4
  • replacement of capital resources with tier 1 capital throughout the section

• PIB: Liquidation of assets during periods of stress and throughout entire module under 9.3.8:
  • replacement of the term ‘liquidation’ with ‘monetisation’

• PIB: Table 1 Authorised firms reporting matrix
  • addition of form B130D – settlement risk
  • addition of form B140H – credit valuation adjustment

• General Rulebook (‘GEN’): Definitions relating to crypto tokens under A2.5
  • addition of unrecognised tokens that fall outside the scope of the DFSA restrictions in relation to certain types of domestic funds investing in crypto tokens

• Conduct of Business Rulebook (‘COB’): Application of suitability under 3.4.1
  • addition of exclusion of operating a crowdfunding platform from suitability

• Fees Rulebook (‘FER’): Declarations of external fund manager under 2.12
  • addition of fee of US$20,000 for submitting declaration to the DFSA

• Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Rulebook (‘AML’): Annual information return under 15.1.3
  • clarification on the requirement for designated non-financial businesses and professions (‘DNFBPs’) to submit their annual return through the DFSA electronic portal

• Glossary Rulebook (‘GLO’): Glossary under section 2
  • removal of definition of multilateral development bank
• Miscellaneous amendments to the following Rulebooks: Authorized Market Institutions (‘AMI’), Islamic Finance Rules (‘IFR’) and Markets Rules (‘MKT’).

You can find full details of the implemented changes here.

On 27 February, the DFSA announced a significant increase in the number of authorised firms in 2024, with 135 new entities added, bringing the total number of regulated entities to more than 900. The DFSA also authorised 946 individuals and registered 17 DNFBP such as accountancy firms, legal practices, and compliance consultancies. The increase in authorisations and engagement with the regulated community via outreach sessions and roundtables in 2024, highlights the DFSA’s commitment to fostering financial innovation while maintaining alignment with global regulatory standards.

You can read the full announcement here.

On 24 February, the Global Privacy Assembly (‘GPA’) announced that the Dubai International Financial Centre (‘DIFC’) has been selected to host the GPA conference in 2026. GPA is an independent international body that operates primarily to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The selection highlights the DIFC’s role in upholding high standards of privacy and data security and fostering trust among global businesses and multi-jurisdictional stakeholders.

You can read the DIFC article here.

On 26 February, the DIFC published Consultation Paper No.1 on DIFC Law Amendment Law no.1 of 2025. Through the proposed legislation, the Dubai International Financial Centre Authority (‘DIFCA’) intends to enact amendments to:

• the Data Protection Law, DIFC Law No. 5 of 2020 (‘DPL’)
• the Law of Security, DIFC Law No. 4 of 2022 (‘LoS’)
• the Insolvency Law, DIFC Law No. 1 of 2019 (‘Insolvency Law’)
• the Employment Law, DIFC Law No. 2 of 2019 (‘Employment Law’).

A summary of the amendments are as follows:

• clarification of the scope and extra-territorial application of the DPL to ensure DIFC data subjects receive the full protection afforded by the Law
• an additional sub-article is proposed to Article 28(2) to ensure that individuals have the right to seek redressal even where redress involves a government authority respondent
• introduction of a Private Right of Action through the DIFC Courts, enhancing the rights and legal remedies available to data subjects for violations of the Data Protection Law
• clarificatory amendments in respect of the LoS, Insolvency Law and Employment Law.

You can read the consultation paper here. Comments are welcome until 26 March 2025.

On 4 February, the Financial Services Regulatory Authority (‘FSRA’) issued a Dear SEO Letter directly to authorised firms, introducing a standardised procedure for reporting Information Technology (‘IT’) and cyber incidents. This includes the use of a common reporting template.

Key takeaways from the letter include:

• definition of reportable incidents, including IT failures such as unscheduled disruptions to online services or hacking
• expected timeline for reporting (as soon as possible)
• notification mechanisms via email to the FSRA, using the Initial IT & Cyber Incident Report Template and the IT & Cyber Incident Progressive Report Template
• reminder of reporting obligations to other regulatory bodies and law enforcement agencies concerning data protection or suspicious activity reports.

This initiative reflects an increased focus on IT and cybersecurity, as initially outlined in the 2023 Discussion Paper on IT and IT Risk Management.

On 14 February, the FSRA issued a Dear SEO Letter to authorised firms, sharing observations from the review conducted to assess the effective implementation of the client classification rules outlined in the Conduct of Business Rules (‘COBS’). The review was carried out across several areas of compliance including assessing the policies and procedures, considering the effective implementation and evaluating the record keeping.

Key takeaways from the review include:

• assessment of net assets (COBS 2.4.4)
  • firms are expected to clearly demonstrate that a client’s net assets are accurately assessed and calculated based on verified evidence
• assessment of knowledge and experience (COBS 2.6.2)
  • firms are required to independently verify and validate information provided to it by prospective clients to ensure regulatory compliance and to document such assessment themselves and should not solely rely on the self-assessment completed by clients
• reliance of classification made elsewhere (COBS 2.6.3)
  • a gap analysis is required to assess whether the FSRA client classification requirements are fully met when a firm relies on classifications made elsewhere
• governance training and record keeping (COBS 2.7)
  • training is required for relationship managers and operations on client classification procedures, proper documentation of their assessments, including relevant evidence, and the timely notifications that need to be made to clients
• ongoing monitoring (COBS 2.6.1 and relevant guidance)
  • firms are required to periodically review client classifications and reclassify clients if there are any changes to the client’s circumstances that necessitate reclassification
• funds managers and unitholders (Fund Rulebook (‘FUNDS’) 1.2 and COBS chapter 2)
  • fund managers are reminded that FUNDS Rule 1.2 requires them to classify potential unitholders as Professional Clients before admitting them to Exempt Funds or Qualified Investor Funds.

All firms are required to perform a gap analysis on their practices and address any identified gaps by making necessary improvements or adjustments.

On 7 February, the Abu Dhabi Global Market (‘ADGM’) announced the launch of a new Online Registry Solution for reporting Foreign Account Tax Compliance Act (‘FATCA’) and Common Reporting Standard (‘CRS’) Entity Self-Certification Form (‘SCF’) for ADGM-domiciled entities. This Online Registry replaces the previous email submission method. Firms licensed in 2024 were reminded that SCF submissions must be made through the ADGM Registration Authority Portal by 30 May 2025.

On 20 February, the ADGM Registration Authority (‘ADGM RA’), in collaboration with key experts from ADGM, LexisNexis Risk Solutions, Ernst & Young, and the UAE Financial Intelligence Unit (‘FIU’), hosted an event focused on beneficial ownership in the United Arab Emirates (‘UAE’). The event provided valuable insights into navigating the complexities of Ultimate Beneficial Ownership (‘UBO’), covering current strategies, challenges, and the future direction of UBO compliance. The RA provided an overview of its activities, collaboration with other agencies in the ADGM, and progress to date, along with key features of the beneficial ownership regulations in the UAE.

The key takeaways from the conference include:

• common areas of regulatory contraventions include failure to maintain records of beneficial owners, late filings, providing false or misleading information
• challenges in unwrapping complex ownership structures, and the cost of resourcing required to review new data
• key trends and typologies identified by the FIU in disguising UBOs in the UAE
• expectations for authorised firms to go beyond the information provided and fully understand their obligations regarding beneficial owners which include reporting Suspicious Activity Reports (‘SARs’) and Suspicious Transaction Reports (‘STRs’).

On 24 February, the ADGM announced that it has successfully completed its jurisdictional expansion to include Al Reem Island. This expansion adds approximately 500,000 sqm of new office space, offering more opportunities for companies seeking to establish themselves in the growing financial hub. To enhance the ecosystem’s appeal, the ADGM has also introduced an updated fee schedule, effective 1 January 2025, that  reduces fees for obtaining and renewing commercial licenses for non-financial and retail businesses operating within its jurisdiction by 50 percent or more.

You can read the ADGM article here.

On 14 February, the FSRA alerted the public about recent fraudulent schemes in which entities or individuals had been making false claims on social media that they are associated with the ADGM and promising loans to solicit upfront payments.

The FSRA asks for the public to be aware that:

• the ADGM and its staff do not facilitate or process loan transactions for third parties
• any advertisements on social media platforms or unsolicited communications suggesting otherwise are fraudulent.

You can read the FSRA alert here.

On 2 February, Saudi Arabia’s Capital Market Authority (‘CMA’) and the Insurance Authority (‘IA’) signed a Memorandum of Understanding (‘MoU’) to strengthen collaboration and coordination between the two parties to enhance oversight and regulation of insurance companies listed on the capital market and to ensure complementary and consistent roles between the two authorities.

You can read the CMA article here.

On 5 February, the Central Bank of the UAE (‘CBUAE’) and the Economic Security Centre of Dubai signed a MoU to strengthen their cooperation in areas of mutual interest. This includes the exchange of information on best practices and international guidelines for combating financial crime. The MoU also addresses the UAE’s role in the Financial Action Task Force (‘FATF’) and explores challenges and solutions to support national initiatives. Additionally, it aims to enhance professional skills, provide staff training, and implement joint awareness campaigns to combat financial crime.

You can read the CBUAE article here.

On 12 February, the Abu Dhabi Securities Exchange (‘ADX’) signed an agreement with the CBUAE to process cash settlements in AED for trades of ADX-listed financial instruments as well as transactions related to margin calls and collateral using the CBUAE network. Under this agreement, cash settlements for trades will be processed through the CBUAE network, fully adhering to the International Organisation of Securities Commissions (‘IOSCO’) standards for central counterparty clearing (‘CCP’) and central securities depository (‘CSD’) services. Trades will include shares, bonds and Exchange Traded Funds (‘ETFs’).

Margin calls and margin collateral transactions for ADX-CCP will be handled through the CBUAE network, offering an automated direct debit mechanism that accelerates the settlement process and ensures timely fulfilment of financial obligations without delays.

You can read the ADX article here.

On 27 February, the Executive Office for Control & Non – Proliferation (EOCN) hosted an outreach session to present the outcomes of the National Risk Assessment (‘NRA’) of Proliferation Financing (‘PF’) for banks, insurance providers, securities and VASPs. The session focused on the threats, vulnerabilities, and overall risk of proliferation financing in the UAE, as well as the mitigation measures in place and the inherent and residual risk ratings.

The data for the assessment was gathered from both public and private sector entities, utilising a combination of surveys, interviews, case studies, and expert consultations. A total of over one thousand data points were analysed, including 59 surveys and 31 interviews from the public sector, as well as 1,500 surveys and 31 interviews from the private sector.

Key takeaways and recommendations from the seminar include:

• the UAE’s overall residual risk rating for PF is assessed as medium-high
• the effectiveness of preventative and mitigating measures at a national level is partially effective and requires further improvement
• reporting entities should incorporate PF-specific Customer Due Diligence (‘CDD’) and Enhanced Due Diligence (‘EDD’) criteria to strengthen their onboarding processes
• reporting entities should ensure they have timely, accurate, and up-to-date UBO information to facilitate effective CDD/KYC/EDD measures
• efforts should be made to improve the understanding of the differences between submitting Partial Name Match Report (‘PNMR’) / Fund Freeze Report (‘FFR’) and SARs / STRs.

On 28 February, the UAE National Anti-Money Laundering and Combatting Financing of Terrorism and Financing of Illegal Organizations Committee (‘NAMLCFTC’), held an outreach session on SARs and STRs and general feedback to reporting entities.

Key takeaways and recommendations from the session include:

• guidelines for ensuring high-quality SAR and STR along with areas for improvement
• reminder of the responsibilities of the three lines of defence in the reporting process
• key differences between SARs/STRs and other forms of regulatory reporting
• reminder of best practices to using goAML system and user account management
• an overview of SAR/STR process from identification to submission and follow-up

The United Nations Security Committee (‘UNSC’) updated an entry on its sanction list in light of the global political landscape. As a member of the UN, the UAE is committed to implementing the UNSC resolutions, and all firms must report on their involvement with sanctioned entities.

On 21 February, the Security Council Committee removed one entry to its sanctions list. Information on the individual are as follows:

• name: “Lionel Dumont”
• date of birth: 29 January 1971
• place of birth: Roubaix, France
• nationality: France

Further details can be found here.

On 19 February, the second Financial Action Task Force (‘FATF’) Plenary began, concluding FATF Week, which had started on 17 February. Delegates representing over 200 members of the Global Network and observer organisations, including the International Monetary Fund (‘IMF’), the UN, the World Bank (‘WB’), INTERPOL, and the Egmont Group of Financial Intelligence Units (‘EG’), participated in the Working Group and Plenary meetings in Paris.

During the Plenary, delegates discussed key developments in the fight against illicit finance, including a new FATF project aimed at detecting, disrupting, and investigating online child sexual exploitation. The agenda also focused on efforts to strengthen financial inclusion through a risk-based implementation of FATF Standards. To support the implementation of changes to the Standards regarding financial inclusion, the Plenary agreed to launch an additional public consultation. The Plenary also decided to consult publicly on initiatives related to payment transparency, as well as complex proliferation financing and sanctions evasion. These efforts are part of the FATF’s ongoing commitment to gather the broadest range of views and perspectives to inform its work.

Additionally, delegates reviewed progress made by jurisdictions identified as presenting risks to the financial system.

You can read the outcomes here.

On 21 February, the FATF released an updated list of “jurisdictions under increased monitoring”, also known as the ‘grey list’. The Philippines has been removed from the list, while Nepal and Lao PDR have been added to the list of countries under increased monitoring.

You can read the updated ‘grey list’ here.

On 25 February, FATF announced that it is considering proposals to update its Guidance on AML/CFT measures and financial inclusion. This initiative is part of FATF’s ongoing efforts to address the unintended consequences of AML/CFT measures. FATF is inviting feedback from interested stakeholders on the proposed updates, with responses due by 4 April 2025.

Further details can be found here.

On 15 February, the CBUAE imposed a financial penalty of AED 3.5M on an exchange house operating in the UAE for failing to comply with Anti-Money Laundering and Combating the Financing of Terrorism policies and procedures. The name of the exchange house was not published.

The CBUAE, in exercising its supervisory and regulatory responsibilities, ensures that all exchange houses, along with their owners and staff, comply with UAE laws, regulations, and standards set by the CBUAE, aiming to maintain the transparency and integrity of the exchange house sector and the UAE financial system.

You can read the CBUAE article here.

On 25 February, the Securities and Commodities Authority (‘SCA’) announced financial penalties imposed on several companies between January and February 2025. The penalties were related to violations of regulations, non-compliance with anti-money laundering and counter-terrorism financing (‘CFT’) rules, and the promotion of activities outside the scope of their SCA-granted licenses. The total value of the penalties amounts to AED 1.15M. The SCA’s actions emphasize its commitment to safeguarding investor rights and reinforcing the integrity of the UAE’s financial markets.

You can read the SCA article here.