Regulatory Update: Middle East Edition – November 2022

New rules were introduced from 1 November 2022 relating to firms conducting financial services including crypto tokens. The introduction of the new rules follows on from Consultation Paper 143 – Regulation of Crypto Tokens (“CP143”) released by the DFSA in March 2022, and the feedback statement shared by the DFSA in October 2022.

An appropriate licence or a variation of licence to include crypto tokens will need to be obtained by firms currently providing or wanting to provide financial services in relation to crypto tokens in or from the DIFC. An application can be made by completing and submitting the appropriate form to the DFSA, along with required information, firms should note that tokens must meet specific criteria. DFSA authorised firms already providing a service relating to crypto tokens immediately before the commencement of the regime have a 6-month transitional period to fully comply.

The DFSA General Module (“GEN”) has been updated to reflect the three DFSA recognised crypto tokens:

• Bitcoin (“BTC”)
• Ethereum (“ETH”)
• Litecoin (“LTC”)

Firms are not permitted to conduct financial services or activities involving crypto tokens unless the token is recognised by the DFSA. This also includes derivative transactions relating to crypto tokens. Firms who wish to provide services in relation to a token which is not currently recognised must apply to the DFSA in advance of providing the service, to request for the token to be recognised.

Firms conducting or applying to conduct financial services or activities involving crypto may wish to consider the following updates to their existing framework:

• Compliance Manual
  • updating the Compliance Manual and Compliance Monitoring Program to reflect the new rules concerning the crypto token regime
  • updating to include the requirement for an appropriateness test for crypto tokens or derivatives is provided to retail clients before services in relation to crypto tokens or derivatives are provided to the retail clients
  • ensuring the firm provides services only in relation to recognised crypto tokens.
• Business AML Risk Assessment (“BARA”)
  • updating the BARA to identify the inherent AML risks related to providing crypto tokens and derivatives.
• AML Policies and Procedures
  • revising the AML policies and procedures to introduce adequate controls concerning any inherent risks identified through the BARA.
• Risk Management Policy and Risk Register.
  • updating the Risk Register to identify the inherent business risks related to providing crypto tokens and derivatives
  • revising the business’s systems and controls to introduce adequate mitigation measures concerning any identified inherent risks.

The feedback statement can be found here.

The Dubai Financial Services Authority (“DFSA”) has released Consultation Paper 145 (“CP145”) on regulatory requirements for low-risk firms. The proposal displays the DFSA’s recognition for firm’s posing lower prudential risk and understanding that these firms may currently be subject to undue burden arising from the capital requirements imposed on them.

In summary, the paper includes the following proposals:

• removing expenditure-based capital minimum (“EBCM”) requirement for lower risk firms
  • a lower prudential risk firm is not subject to an EBCM requirement; therefore, its capital requirement will be its base capital requirement
  • a lower prudential risk firm must, at all times, maintain an amount which exceeds its capital requirement in the form of liquid assets.
• rationalising base capital requirement for certain firms
  • the capital requirement for a lower prudential risk firm is the base capital requirement specified in rule 3.6.2 for an authorised firm in category 4 (not including firms authorised to operate a crowdfunding platform, provide money transmission or operate an alternative trading system).
• adjusting the credit rating floor when placing liquid assets with a bank
  • lower the credit rating floor for banks when holding DFSA-regulated firms’ liquid assets, at the level of a short-term rating of A2/P2, or the equivalent long-term rating of BBB/Baa2.
• removing Internal Risk-Assessment Process (“IRAP”) reporting for certain firms
  • deleting IRAP preparation for category 3B, 3C, 3D and 4 firms (for certain firms).
• extending the temporary cover period for authorised individuals
  • extending the period from 12 weeks to 26 weeks, within a consecutive 12-month period.
• clarifying combinations of licensed functions in a single firm
  • proposal to update the GEN Module to clearly identify which combinations are not permissible.
• harmonising role definitions across GEN and Authorised Market Institutions (“AMI”) Modules.
  • technical amendments to the definitions of Finance Officer (“FO”), Compliance Officer (“CO”) and Money Laundering Reporting Officer (“MLRO”) have been proposed to create consistency between GEN, AMI and Anti-Money Laundering, Counter Terrorist Financing and Sanctions (“AML”) Modules.

The consultation paper and draft amendments can be accessed via this link.

The DFSA has requested for interested parties to provide their comments by 6 January 2023, comments can be submitted via this link.

A publication on Climate and Environmental Risk Management has been released by the DFSA’s Task Force on Sustainable Finance (“TFSF”).

The publication includes insights from various members, collaborating on key issues such as how to address and mitigate transition and physical risks emanating from climate change, and wider environmental risks in the UAE.

TFSF members, include representatives from international financial institutions based in the DIFC, including Bloomberg, Franklin Templeton, HSBC Bank Middle East, Standard Chartered and S&P Global, among others. The experience and knowledge that the task force has access too is invaluable in supporting the application and adoption of global regulatory standards for sustainable finance in the DIFC.

Further details can be found via this link.

On the 9 November 2022 the DFSA announced updates to the following forms:

• Applying for Authorisation (“AUT CORE”)
• Application to vary a Licence (“SUP4”).

Version 13 of SUP4 and Version 23 of AUT CORE can be found on the DFSA website within the Application Forms and Notices Module (“AFN”).

The updated form can be downloaded via this link.

Consultation Paper No. 146 (“CP146”) has been released in relation to miscellaneous changes to the DFSA modules. The paper may be of interest to insurers (and their auditors and actuaries), credit providers, and applicants to be licensed in these areas, as well as their advisers.

Proposals include amendments to:

• Prudential – Insurance Business (“PIN”) Module to reflect the introduction of IFRS 17, together with a number of other improvements to the insurance regime. The objective of IFRS 17 is to provide a more effective and consistent accounting model for insurance contracts among entities issuing insurance contracts globally. It is proposed that IFRS 17 will be effective for reporting periods beginning on or after 1 January 2023
• GEN and Glossary (“GLO”) Modules – in relation to the rules on the provision of credit, to ensure that buy now pay later (“BNPL”) activities are appropriately addressed by the DFSA regime. Clarification will be provided by amending the financial services activity of ‘Providing Credit’ to include BNPL providers who finance the purchase of goods or services.

The DFSA has requested for comments to be submitted by 7 December 2022 via this link.

Further details of CP146 can be found here.

The Dubai International Financial Centre (“DIFC”) Commissioner of Data Protection has released a non-legislative Consultation Paper (“CP”) on the topic of ‘Multi-Lateral Data Sharing Agreement and Enabling Technology Platform’.

The paper seeks public comments on the proposed development of a pilot program to test a multi-lateral data sharing consortium agreement and adequacy decision, supported by digital economy enabling technology, and based on best practice technology development principles. The consortium members will be made up of participating jurisdictions and pilot regulated entities.

The platform used to collate all data to be used as part of the adequacy assessment will be a data-sharing compliance monitoring platform, which will be principles-based, using data export/import enabling technology built into and founded on those principles.

The process to assess adequacy entails participating jurisdictions providing inputs relating to their data protection laws, regulations and enforcement. Regulated entities within those jurisdictions will then evidence adherence to the laws and regulations by automatically feeding any relevant reports, policies and procedures into the platform, as required by the consortium.

Ongoing research will supplement and enhance the compliance evaluation criteria and Ethical Data Management Risk Index (“EDMRI”) and resulting risk assessment. The information fed into the platform would produce a regulators’ dashboard of supervision, monitoring and enforcement actions; and a dashboard of current company compliance statistics of those involved in the pilot testing, ideally fed by compliance information provided by regulated financial services entities.

An agreement amongst member international financial centres will be created to allow for effective, comprehensive and reliable due diligence and data sharing. Where there are gaps between requirements in relevant laws and regulations, the participating jurisdictions must agree on the appropriate controls and safeguards.

The DFSA requested for comments to be submitted by 30 November 2022

Further details of the consultation paper can be found via this link.

A session on the Electronic Prudential Reporting System (“EPRS”) was held on 22 November 2022 by the DFSA.

The EPRS enables all DFSA authorised firms to submit their regulatory returns online. The session provided an insight into each prudential form and the requirements applicable to each.

Firms may note that the forms applicable to each category are listed in PIB module, Appendix 2.4. The EPRS will populate the forms applicable to the entity, in line with the schedule, ready for completion.

The EPRS technical notes and user guides are available on the DFSA website via this link.

Following on from the consultation paper on ‘Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships’ released by the Financial Stability Board in November 2020, the DFSA has now announced a thematic review on outsourcing and third-party risk. Authorised firms were notified by a ‘Dear SEO letter’.

The review will be undertaken to gather an understanding of the materiality and level of outsourcing and third-party arrangements relied on by authorised firms and examining the supporting control framework.

The review will be split into two phases. Phase one was launched on 23 November 2022 and requires authorised firms to respond to a questionnaire which will be accessed via the eportal under ‘online forms’. The questionnaire will provide an overview of the firm’s outsourcing and third-party arrangements and controls.

The deadline for the completion of the form is 20 December 2022.

The second phase is expected in Q1 2023 and will include the participation of a number of authorised firms, selected from the outcome of the first phase. A detailed review of the control framework will be conducted by the DFSA, including the review of policies and procedures, and will include an on-site assessment visit.

The 2020 consultation paper can be found here.

Further details of the thematic review may be found here.

The first in-person EU-MENA Regulators Summit was hosted by the FSRA on 15 November 2022, during Abu Dhabi Finance Week (“ADFW”).

Representatives from the USA, the MENA region and the European Union were in attendance to discuss the topics of:

• the international agenda on sustainable finance, focusing on disclosure and taxonomy, facilitating the transition required to meet the net zero strategic initiative targets, and the role of regulators in supporting the journey to reach these targets
• the regulation of digital assets, focusing on new technologies and digitalisation, and the importance of international cooperation and partnerships.

The event was aimed at reinforcing partnerships and international co-operation in relation to the regulation of financial services.

Further details of the event can be found here.

Day three of ADFW saw the launch of the web based interactive platform ‘Abu Dhabi Crypto Hub’. The Crypto Hub provides users access to information and connect with ADGM’s existing Virtual Assets firms.

The newly launched hub is the next step in representing the strategic initiatives of the ADGM in support of Abu Dhabi’s growth as a financial hub, and its commitment to economic diversification.

The full article covering day three of ADFW can be found here.

On 8 November 2022 the FSRA and ADGM released the joint Consultation Paper (“CP”) No.6 of 2022 on the Proposals for a Sustainable Finance Regulatory Framework. The FSRA and ADGM seek views on their proposals for a regulatory framework for sustainable finance.

The paper discusses the proposed rules on sustainability-orientated investment funds, managed portfolios, bonds and sukuks, As well as a framework on environmental disclosure requirements for ADGM companies.

The proposal for the regions first regulatory framework focusing on green investments includes:

• allowing climate transition investment funds to channel capital to assets and entities on a path to reducing their greenhouse gas emissions
• allowing green investment funds to channel capital towards environmentally sustainable activities
• a framework for green and climate transition discretionary portfolio management services
• a framework for green bonds and sustainability-linked bonds
• enhancing the ADGM’s existing environmental, social and governance (“ESG”) disclosure requirements, to now cover disclosure by regulated financial service firms, listed companies and large private commercial entities
• the world’s first regulated voluntary carbon exchange and clearing house, where carbon offsets, while traded and settled as spot commodities, are treated as regulated financial instruments by the ADGM.

The ADGM welcomes comments from the public, to be submitted by 20 December 2022, comments can be submitted by email.

Further details of the consultation paper can be found via this link.

On 23 November the ADGM Registration Authority (“RA”) warned members of the public to be aware of a firm holding a forged commercial licence under the name of Emirates Commercial Insurance LLC.

Emirates Commercial Insurance LLC has not been incorporated in the ADGM or licensed by the RA to conduct business activities in the ADGM.

Falsely claiming registration and licensing to conduct business in ADGM is a finable offence under ADGM legislation. The ADGM is concerned that forged documents and false claims of incorporation in the financial centre may mislead members of the public to invest in these fraudulent companies.

Members of the public are encouraged to search the public register prior to the provision of any services from unknown entities.

The ADGM public register can be accessed here.

The full RA alert can be found here.

On 24 November the ADGM released Consultation Paper (“CP”) No.7 of 2022 on the Amendments to the ADGM’s Company Service Provider Regulatory Framework. The paper covers proposals on ADGM commercial rules and regulations relating to corporate service providers (“CSPs”) in the ADGM.

The proposals include amendments to the following rules and regulations:

• Companies Regulations 2022
• Foundations Regulations 2017
• Commercial Licensing Regulations 2022
• Limited Liability Partnerships Rules 2021.

In summary, the proposed changes include the introduction of a requirement for:

• a mandatory training certification to be completed by CSP employees
• at least one CSP staff member involved in processing applications or client facing, must be generally physically present in the CSP’s registered office in ADGM during ordinary business hours
• the CSP’s office to be open during ordinary business hours or as otherwise announced by the RA
• CSPs to pay an additional annual CSP business activity fee (US$2,500)
• CSPs to file annual audited accounts with the RA
• CSPs must have a compliance officer and MLRO:
  • as a full-time employee or outsourced to a recognised service provider on a full-time basis
  • the CO and MLRO must be independent from any other statutory role of the company.
• a minimum regulatory capital of US$50,000 to be maintained by CSPs at all times.

Additional proposed changes include:

• amendments of the existing professional indemnity insurance (“PII”) rules for CSPs to require for certain minimum PII cover which considers the revenue of each CSP
• clarification and expansion on the contents of a CSP’s annual return
• the introduction of principles to be followed and adhered to by CSPs
• permission for a special purpose vehicle (“SPV”) or foundation to file a strike off application with the RA directly
• amendments to the criteria which exempts an SPV from the requirement to appoint a CSP.

The ADGM welcomes comments from the public, to be submitted by 23 January 2023, comments can be submitted by email.

Further details of the consultation paper can be found via this link.

A memorandum of understanding (“MoU”) has been entered into by the ADGM, Abu Dhabi Islamic Bank

(“ADIB”), National Bank of Ras Al-Khaimah (“RAKBANK”) and Wio Bank, with the goal of supporting small and medium enterprises (“SMEs”) within the ADGM.  The MoU will focus on addressing the needs of key financial entities in Abu Dhabi by providing ADGM registered and licensed businesses with preferential banking services, such as efficient bank account opening and unique remittance services.

Wio Bank is the first UAE Central Bank regulated digital banking platform. The MoU signed with Wio Bank will assist SMEs with fast-tracked application submission, zero balance account opening and other unique features.

The full article can be accessed here.

More than 100 participants representing firms licensed by Securities and Commodities Authority’s (“SCA”) attended the Companies’ Obligations to AML and TF Measures Workshop, hosted by SCA.

The workshop covered several important topics including:

• requirements for the risk-based assessment methodology
• definition of duties and responsibilities of the Compliance Officer/MLRO
• the national institutional structure of the UAE to meet the requirements of the FATF
• legislations and guidelines
• policies and procedures
• submission of suspicious activity reports
• business and customer risk assessments.

Further details of the workshop can be found here.

Following on from the public statement that was published in 2021, the second public statement provides an update on the progress of the Sustainable Finance Working Group’s (“SFWG”) development in the area of sustainable finance in the UAE.

The SFWG is coordinated by the FSRA and includes members such as representatives of governmental bodies and ministries, security exchanges and federal and financial free zone regulators. The SFWG successfully delivered their pledge of commitment towards achieving the desired changes.

The public statement includes details of the three workstreams agreed by members, which are:

• workstream one on sustainability disclosure
• workstream two on sustainability-focused corporate governance
• workstream three on the UAEs sustainable finance taxonomy.

To assist in achieving its goal of supporting the development of sustainable finance in the UAE, the SFWG facilitates regulatory co-operation between the UAE authorities on practices and frameworks.

Further details of the public statement can be found here.

A three-day workshop was held on financial investigations in terrorist financing cases by the Executive Office for Control and Non-Proliferation (“Executive Office”). The event was prepared in coordination with the UN Office of Counter-Terrorism and with the participation of international experts specialising in combating the financing of terrorism and methods of investigation.

Participation included representatives of the government sector from the federal and local regulatory authorities. The event focused on the importance of international cooperation to combat crimes and coordinate efforts to address attempts by terrorist groups and organisations to exploit designated non-financial businesses and professions, financial institutions, and non-profit organisations.

The Executive Office summary of the workshop can be found here.

In coordination with the World Bank, the Executive Office of AML and Counter terrorism Financing (EO AML/CTF) hosted a programme of workshops in advance of the UAE’s second National Risk Assessment (NRA).

There were more than 80 representatives participating in the four-day workshops, held in Abu Dhabi, including those from the Ministry of Finance, CBUAE, Ministry of Justice, law enforcement agencies, Ministry of Economy, supervisory authorities and registrar offices.

The workshops focused on identifying, assessing, and understanding the UAEs money laundering and terrorist financing risks the country may be subject to in the coming year.

Details of the workshop can be found here.

On 3 November 2022 the Central Bank of Bahrain (“CBB”) announced the release of their first report focused on the Bahrain Digital Payment Landscape. The report discusses multiple initiatives undertaken by CBB relating to digital technologies and payments.

The report includes a comprehensive analysis of the development of payment and settlement services in Bahrain’s banking sector. The efforts made to introduce innovative technologies to facilitate banking transactions, provided to the public, are also highlighted.

The full report can be viewed here.

The CBB released a statement on 6 November 2022 relating to its continued progress in implementing high ESG standards.

The CBB announced that they are currently working on the release of disclosure guidelines to assist companies with ESG integration and reporting. The disclosure guidelines will be based on international best practices and will become part of the CBBs regulatory framework.

The statement can be viewed here.

The Saudi Data & Artificial Intelligence Authority (“SDAIA”) has issued proposed amendments to the Personal Data Protection Law (“PDPL”). The proposal follows the enactment of the PDPL on 24 September 2021.

The proposed amendments seek to address several issues in the current version of the PDPL. The suggestions appear to have the intention to align the PDPL more closely with the European General Data Protection Regulation (“GDPR”).  However, there remain some key differences, including the fact that its requirements are focused almost entirely on the obligations of controller. The development of the PDPL to attempt to bring it more in line with GDPR would assist firms operating in the Kingdom of Saudi Arabia (“KSA”) when conducting international business, especially in relation to the introduction of the concept of adequate jurisdictions. Aligning the PDPL with international standards will also benefit business who wish to conduct data transfers to KSA.

The proposed amendments include:

• the right for data subjects to data portability
• a further legal basis on which organisations can rely on for the processing of personal data (a controller’s legitimate interest for processing)
• clarification of the statutory threshold that must be met, to require a breach notification to be made the KSA regulator
• the regulatory framework for cross-border personal data transfers
• the introduction of the concept of adequacy.

Comments from the public are welcome to be submitted before 20 December 2022.

The suggested amendments and platform to submit comments can be found here.

KPMG will no longer be able to secure audit contracts in Abu Dhabi following the removal from the list of authorised accountants, updated by the Abu Dhabi Accountability Authority (“ADAA”).

The ADAA have not published justification for their decision to remove KPMG from the list. The list is updated every three months by ADAA. The ADAA monitors government entities and state-related companies to promote transparency.

It is understood that the renewal application submitted by KPMG Lower Gulf to conduct statutory audits was returned asking for more information.

An updated version of the Guidance on Counter Proliferation Financing (“CPF”) for Financial Institutions (“FI”), DNFBPs and Virtual Asset Service Providers (“VASPS”) was published by the Executive Office for Control & Non-Proliferation (“EOCN”) on 1 November 2022.

The Guidance has been updated to include the following:

• the process for transactions involving dual use goods
• good and bad practices on targeted financial sanctions and CPF compliance
• typologies used by proliferation financing (“PF”) actors
• Additional information on UAE Control List
• criteria for issuance of EOCN permits

Firms are advised in particular to take note of the good and bad practice examples, to help them in correctly fulfilling their obligations. The examples given include:

The full guidance document can be found here.

The Mutual Evaluation Report of the Republic of Paraguay has been published by the Financial Action Task Force (“FATF”). The report includes the findings from the on-site visit that took place from 23 August to 3 September 2021. It was noted that Paraguay’s AML/ combatting the financing of terrorism (“CFT”) system has made significant improvements since the last evaluation. A more robust legal and institutional framework to fight against money laundering, terrorist financing and PF has been introduced.

The full Mutual Evaluation Report on Paraguay can be found here.

The People’s Republic of China Third Enhanced Follow-up Report and Technical Compliance Re-Rating has been published by FATF.

China took part in a mutual evaluation in 2016, and has since made progress in addressing some of the technical compliance deficiencies that were identified in the 2016 report. FATF have confirmed that China is now compliant on 9 Recommendations, largely compliant on 22 and partially compliant on 5 Recommendations. The country remains non-compliant on 4 recommendations.

China remains in enhanced follow up and has agreed to keep the FATF updated on its progress towards achieving improved AML/CFT measures.

The Follow-up Report on China can be found here.

Bank Secrecy Act (“BSA”) filings have revealed an increase in ransomware reporting during the second half of 2021. The Financial Crimes Enforcement Network (“FinCEN”) published the findings within their Financial Trend Analysis issued on 1 November 2022.

The figures provide an indication that ransomware continues to be a significant threat to U.S. individuals and entities. A large number of ransomware attacks appear to originate from actors located in Russia.

Other findings from the report include:

• a substantial increase in ransomware-related incidents (since 2020)
• BSA filings relating to ransomware were approximately US$1.2Bn (in 2021)
• approximately 75% of reports made to FinCEN relating to ransomware-related incidents were connected to Russia-related ransomware variants (second half of 2021).

The FinCEN Financial Trend Analysis can be found here.

The DIFC Branch of Bank of Singapore Limited has been fined around US$1.1M by the DFSA for failing to adhere to DFSA legislation. The fine originally imposed was US$2M, however the bank offered the DFSA an enforceable undertaking to remediate failings and agreed to settle the matter.

It was found that the bank had acted outside the scope of its licence by conducting the financial service of Arranging Deals in Investments, when not authorised to do so.

Deficiencies were also identified in the bank’s AML systems and controls, including deficiencies in the bank’s:

• assessment of risks posed by clients
• suspicious activity reporting
• customer due diligence (“CDD”) and enhanced CDD methods
• AML business risk assessment
• identification of source of wealth and source of funds.

Further details of the DFSA’s Decision Notice can be found here.

Denmark’s largest bank, Danske Bank, is in the final stages of reaching a solution with the US and Danish authorities to resolve a money-laundering breaches.

Fines of circa US$2Bn are expected to be imposed by US Department of Justice, the US Securities and Exchange Commission and the Danish Special Crime Unit, by the end of 2022.