Regulatory Update: Middle East Edition – August 2023
1.0 DIFC AND DFSA LATEST DEVELOPMENTS
On 9 August, the Dubai International Financial Centre’s (‘DIFC’) Data Protection Office confirmed an update to its list of approved jurisdictions for data transfers, known as the ‘adequacy list’. The California Consumer Privacy Act 2018 (as amended by the California Privacy Rights Act 2020) entered the DIFC adequacy list following extensive evaluation, allowing DIFC companies to transfer data freely to Californian companies without additional safeguards, thereby speeding up data transfer. The update is the first to diverge from traditional adequacy decisions.
You can read the DIFC article here.
On 14 August, the DIFC’s Artificial Intelligence (‘AI’) and Web 3.0 campus announced a new licence to incentivise tech start-ups to incorporate in the region. The new licence will be 90% subsidised for enterprises looking to set up in Dubai and will provide physical office or co-working spaces in the Innovation One building. Licence holders will also benefit from R&D facilities, accelerator programmes, and state-of-the-art physical and digital infrastructure.
The initiative supports the United Arab Emirates’ (‘UAE’) projection of over US$300M in capital and over 3,000 jobs in the AI and Web 3.0 Campus by 2028. The campus will increase accessibility and participation in developing technologies in this industry sector.
You can read the DIFC article here.
On 15 August, the DIFC Academy celebrated the graduation of 28 tax professionals from its first cohort of the UAE’s Corporate Tax Diploma Programme. The one-month programme was delivered with PwC and educated students on the recently enacted Federal Decree-Law No.47 of 2022 (the ‘Corporate Tax Law’). The course was attended by finance and tax professionals and provided the skills and expertise to advise on the law’s applicability.
You can read the DIFC article here.
On 21 August, the DIFC announced the introduction of Sukoon Insurance’s subsidiary, Oman Insurance Workplace Saving Solution (‘OIWSS’), to the DIFC for the administration of employee money purchase schemes. OIWSS will use the DIFC’s platform to provide administration services to entities in the UAE and Gulf Cooperation Council (‘GCC’), partnering with Intertrust Group as a trustee and operator and Generali Global Pension to provide a capital-guaranteed option. The so-called ‘Go Saver’ offering will be managed by a digital platform with various investment solutions, including a shari’a offering, and will be available for free zone and onshore companies.
You can read the DIFC article in full here.
On 31 August, the DIFC announced proposed changes to the Employment Law, Trust Law, Foundations Law and Operating Law (the ‘Laws’) and the Operating Regulations. The changes seek to align the Laws with international best practice and Organisation for Economic Co-operation and Development (‘OECD’) guidelines.
Concerning the Employment Law, amendments have been made to the requirement for companies to pay contributions for eligible GCC nationals to the Qualifying Scheme.
Concerning the Trust Law and Foundations Law, the amendments include:
- jurisdictional clarity for DIFC courts relating to DIFC trusts
- expansion of the role of ‘Registered Agents’.
Concerning Operating Law, amendments have been made to record retention rules and the definition of ‘Privileged Communications’.
Regarding the Operating Regulations, amendments have been made to enhance the powers of the Registrar of Companies (‘ROC’) to handle noise complaints for late-night establishments in the DIFC.
Comments are welcome until 29 September.
You can read the full paper here.
You can read the DIFC article here.
On 31 August, the DIFC published a summary article on the prevalent data protection concerns with Max Schrems, founder of NOYB and privacy advocate. The seminar discussed his views on the development of global data privacy laws, the role of the regulator and the recent Meta fine. He expressed concerns about the lack of automation with enforcement actions, the EU regulator’s focus on big-ticket enforcement action, and, consequently, the lack of regulation for companies falling under the radar (posing high privacy risks).
Attendees also heard of concerns regarding operability due to complex and conflicting rulings and laws, especially around cross-border transfer agreements.
You can read the article here.
On 30 August, the DIFC Data Protection Office announced its nomination for the Global Privacy Assembly Innovation Award. The nomination was received for the Ethical Data Management Risk Index (‘EDMRI’), which seeks to apply a practical risk-based approach to international data transfers in addition to considering adequacy decisions to ensure mitigations can be used before data transfers commence.
You can read the nomination here.
You can review the EDMRI here.
On 3 August, the Dubai Financial Services Authority (‘DFSA’) issued a ‘Dear SEO’ letter notifying DIFC firms of the forthcoming Disclosures Thematic Review 2023.
Authorised firms will be expected to provide information to the regulator to allow a deeper understanding of the following:
- general compliance with the DFSA’s rules on financial promotions
- understanding of the regulatory status and scope of the licence
- understanding of the group and the authorised firm’s responsibilities in relation to communications with clients
- good and poor practices
- outliers and a material need for further action.
Authorised firms should be aware that samples will be taken from company websites, and any authorised firm in the DIFC may be selected. The DFSA may publish examples to demonstrate good and poor practices.
You can read the Dear SEO letter here.
On 8 August, the DFSA signed a Memorandum of Understanding (‘MoU’) with the UAE’s Financial Intelligence Unit (‘FIU’) to advance coordination and cooperation on Anti-Money Laundering (‘AML’), Counter Terrorist Financing (‘CTF’) and illegal organisations measures. The MoU will support ongoing intelligence sharing, cooperation, and coordination for AML and CTF compliance.
You can read the DFSA article here.
On 9 August, the DFSA extended the 2023 Annual AML Return (‘Return’) deadline from 30 September to 6 October. The Return can be accessed by logging into the DFSA e-Portal and requires a detailed report of the entity’s AML compliance status for the preceding year. The Return must be submitted before 6 October to avoid any regulatory action.
On 10 August, the DFSA published its first industry-wide cyber simulation exercise. The report, published in partnership with Control Risk Consultancy, drew findings from 17 authorised firms assessed in May 2023. It allowed firms to evaluate and improve their crisis management infrastructure per the DFSA Cyber Risk Management (‘CRM’) rules. The simulation and enactment of new rules form part of the DFSA efforts to improve cyber awareness.
The report covers core knowledge insights, including:
- cyber threats in the UAE
- expectations on crisis management
- details on the simulation exercise
- the objective of a simulation exercise
- the DFSA objectives
- the findings.
The CRM amends the following rulebooks with effect from 1 January 2024:
- General Module (‘GEN’)
- Conduct of Business Module (‘COB’)
- Authorised Market Institutions Module (‘AMI’)
- Prudential – Investment, Insurance Intermediation and Banking Business Module (‘PIB’)
- Auditor module (‘AUD’).
For further details on the CRM changes, click here.
The Cyber Risk Management rules can be read here.
On 25 August, the DFSA issued a notification to all regulated firms on the publication of the General Module (‘GEN’) section 2 covering the notification requirements for auditor arrangements. The form is accessible on the DFSA portal and must be submitted immediately after the authorised person within the firm becomes aware of the appointment, resignation or termination of their auditor.
On 28 August, the DFSA issued a ‘Dear SEO Letter’ regarding the upcoming thematic review on complaint handling. The review will comprise two parts. The first part applies to all authorised firms and consists of a survey to assess complaint handling arrangements, and related policies, procedures, systems and controls; the second part will be a detailed review of the same and will only apply to a sample of firms.
You can read the Dear SEO letter here.
2.0 ADGM AND FSRA LATEST DEVELOPMENTS
On 15 August, the Abu Dhabi Global Market’s (‘ADGM’) Financial Services Regulatory Authority (‘FSRA’) announced changes to its regulatory framework on client classification, client assets and conduct requirements regarding investment businesses. The amendments are enacted in response to Consultation Paper (‘CP’) No.2 of 2023 to modernise the FSRA rulebook and to align with international best practices.
The core amendments are summarised as follows:
- exclusion of client classification requirements for those entities marketing on behalf of a group entity for representative offices
- removal of the ‘market counterparty’ classification
- removal of ‘service-based’ clients’ classification
- update to the list of ‘deemed’ professional clients
- update to the requirements for an individual to be classified as an ‘assessed’ professional client, including an increase in asset requirements
- update to remove references to ‘deemed’ classification and an increase in capital requirements
- the need to notify the client of any factors which could affect their classification
- enhancement to assess director’s and officer’s knowledge and experience for undertakings
- update to key information and client agreement requirements
- clarification of suitability assessment under a discretionary portfolio management agreement
- update to the requirements and classification for providing credit to an undertaking
- inclusion of information requirements for prime brokerage clients
- inclusion of rules for Multilateral Trading Facilities (‘MTF’) and Organised Trading Facilities (‘OTF’) operators
- removal of rules relating to central securities depositary
- clarification on sending confirmation notes
- update to core information requirements for retail clients
- update to client money requirements, including:
  - general requirements
  - requirements for client money and money controlled by an authorised person
  - rules and exceptions on payment of client’s money into client’s accounts
  - requirements for the maintenance of client accounts
  - rules on the appointment of a third party to hold client’s accounts
  - procedural rules on the payment of client money from a client account
  - client disclosures on receiving client money
  - expectations on reporting to clients
  - rules on reconciliations
  - applicability of ‘deemed trusts’
  - client money distribution rules
- removal of the previous provisions relating to client assets
- update to the safe custody rules
- removal of auditor’s requirements
- inclusion of rules on holding collateral
- update to record-keeping requirements
- update to resolution planning for client money, relevant money and safe custody assets, including:
- core content requirements
- records of resolution packs
- rules regarding virtual assets
- including updated related guidance of the above
- ‘statutory trust’
In addition, the CP proposed several amendments to the Financial Services and Markets (Amendment No.4) Regulations 2023.
Firms are expected to:
- update affected policies, procedural documents and forms to reflect the changes
- revisit and review current client classifications
- issue/reissue client classification letters for clients with updated classification
- update classification wording in client agreements (as required).
It is worth noting that the FSRA sent a follow-up clarification on 19 August to explain when revision to the classification of Assessed Professional Clients is due based on the changes in the requirement of minimum net assets.
For “existing clients”, i.e., those onboarded prior to 15 August 2023 that are classified as “assessed” Professional Clients, the FSRA expects firms to do so when proposing to offer to that client new products or services that are not currently present in that client’s portfolio. For “new clients”, i.e., those onboarded from 15 August 2023, the requirement in COBS 2.4.4(b)(i) is immediately applicable.
The regulation amendment is effective from 8 August and can be read here.
The rules are effective from 15 August and can be read in full here.
On 1 August, the ADGM issued a ‘Dear SEO letter’ seeking tax information on Omesh Jain as part of an exchange of tax information request. Entities are requested to search their accounts, records and relationships with Mr Jain and to report immediately with the following:
- account opening forms
- KYC forms
- name and address of the introducer of the account
- authorised signatories
- bank statements and account portfolios.
Whilst the deadline for the information request was 8 August, we advise any firms with records that have not yet been reported to comply immediately.
You can submit the requested information to [email protected].
On 22 August, the ADGM announced the 100-day countdown to the Abu Dhabi Finance Week (27-30 November). The event is themed ‘Investing in the Transition Era’ and expects over 3,500 top financial firms to attend globally. The event will examine factors affecting monetary systems, technological disruptions, financing the race to net zero, the resultant services and facilities and the industrial and social sectors impacting the global financial system. Attendees from local and international financial firms, industry experts, policymakers, regulators, investors and bankers will discuss maximising opportunities and minimising challenges within the ‘transitional era’. The event will also host the ADGM Future Global Leadership Summit 2023.
You can register your interest to attend here.
3.0 MIDDLE EAST REGULATORY UPDATES
On 12 August, the UAE’s Securities and Commodities Authority (‘SCA’) celebrated International Youth Day. The day highlighted the strength of hiring a young workforce, the SCA’s initiatives to support young talent and their contribution to a green economy. Praise was given to the youths’ contribution to tailoring the green bonds and sukuk initiative.
On 31 August, the SCA announced its partnership with the Corporate Social Responsibility (‘CSR’) fund to further promote sustainability and social responsibility standards in the UAE. The partnership is a step toward the ‘We are UAE 2031’ targets and hopes to incentivise joint stock companies. The partnership will enhance awareness, promote corporate disclosure practices and encourage contributions to CSR projects.
You can read the SCA article here.
On 6 August, the Ministry of Finance (‘MOF’) announced the Finance Strategic Plan 2023-2026. Concerning regulatory updates, the plan will focus on sustainability, enhancing trust and transparency, and development of legislation. The plan aims to promote international relations, increase competition and contribute to a sustainable economy.
You can read the MOF report here.
On 10 August, the Virtual Assets Regulatory Authority (‘VARA’) signed an MoU with Dubai’s Department of Economy and Tourism (‘DET’) to provide assurance services city-wide to enable Virtual Assets (‘VA’). DET and VARA agree to deploy end-to-end processes at scale to ensure market-leading consumer protection and security standards are maintained. As part of the agreements, DET will also provide inspection and enforcement support as well as assistance with applications for renewals, amongst other commitments. The parties will collaborate on awareness campaigns, including consumer protection and enforcement actions.
You can read the VARA article here.
On 24 August, the VARA announced a revision to the Custody Services rulebook. The amendments will allow Virtual Asset Services providers (‘VASP’) to carry out custody services with approval from the regulator without obtaining the licence of ‘VA Management and Investment Services’. Entities wishing to execute the activity will no longer be required to open a separate entity; however, additional licensing and supervisory fees will be payable for the service.
You can read the VARA article here.
Between 14 and 16 August, the Saudi Central Bank (‘SAMA’) hosted the 20th anniversary of the Annual Islamic Financial Services Board (‘IFSB’) meeting in Riyadh. Central bank governors, IFSB council members and experts in the field attended the event. Delegates discussed recent developments in the Islamic services sector, including stability.
You can read the SAMA article here.
On 29 August, SAMA published a consultation paper regarding the ‘Regulation of the Law of Systematically Important Financial Institutions’. The CP discusses the enhancements to the regulatory frameworks to reduce reliance on government support in crises. The CP also discusses the expectations for protecting clients’ funds, assets and deposits.
Comments are welcome until 27 September and can be submitted here.
You can read the CP here.
4.0 INTERNATIONAL UPDATES
On 30 August, the Financial Action Task Force (‘FATF’) updated its consolidated mutual evaluation reports following updates to multiple jurisdictions over the quarter. The consolidated table represents the jurisdictions’ efforts to improve compliance effectiveness and technical compliance in line with the 40 FATF Recommendations.
You can read the consolidated ratings here.
5.0 ENFORCEMENT ACTIONS
On 1 August, the DFSA issued a fine of US$3.9M to Mirabaud (Middle East) Limited (‘MB’) for AML control failures. The failings were observed between June 2018 and October 2021, including failure to notice obvious red flags by one relationship manager servicing nine interlinked accounts.
Mirabaud was found to have:
- missed obvious layering techniques associated with money laundering, including:
  - unconnected accounts being opened and operated by connected and interlinked persons
  - funds being deposited by third-party accounts
  - transactions being over-complicated with consideration to the findings of the Know Your Client (‘KYC’) checks and the associated expected activity
  - significant funds being transferred overseas to third parties with opaque ownership structures and to bank accounts in jurisdictions different from the jurisdiction of incorporation
  - repeated flows of funds between connected entities
- weak and ineffective policies and procedures leading to a significant volume of transactions that:
- were outside the account’s expected activity
- prohibited transactions being allowed for purposes outside of company policy
- inconsistent client profiles
- inconsistent KYC and Customer Due Diligence (‘CDD’)
- failed to submit multiple Suspicious Transaction Reports (‘STR’)
- failed to follow up on CDD where information was highlighted as inaccurate or incorrect
- failed to collect suitable evidence for the client’s classification as a professional client.
You can read the DFSA report here.
You can read the decision notice here.
On 29 August, the ADGM’s Registration Authority (‘RA’) issued multiple penalties for breaching the Beneficial Ownership and Control Regulations 2018 (‘BOCR’). The entities failed to report amendments within 15 days of ownership changes, contrary to section 5 of BOCR.
The following entities received a fine:
- Adrian Limited (‘AL’) for US$450
- Open Mineral Ltd for US$450
- Feds Group Holdings Ltd for US$450.
You can read the enforcement details here.
On 31 August, ADGM’s RA fined KPMG Lower Gulf Limited (‘KPMG’) US$30,000 for systematic failures relating to its audits. Despite the ADGM requirements, KPMG had its ADGM-specific reports signed by non-ADGM Registered Audit Principals. The RA highlighted the issue previously, and despite reassurances that controls had been enhanced, the failure was noted again, incurring a breach.
You can read the decision notice in full here.
On 9 August, the CBUAE struck off and revoked the licence of the UAE Exchange House, RMB Commercial Brokers Co (‘RBM’), for concerns relating to its AML controls. RBM was found to have weak AML systems and controls, participated in severe misconduct and collusion to evade the CBUAE instructions and failed to report regulatory breaches.
You can read the CBUAE report here.
On 21 August, the Ministry of Economy (‘MoE’) suspended the licences of 50 Designated Non-Financial Businesses and Professions (‘DNFBP’) for failing to register on the GoAML platform. The affected entities will be prohibited from providing services for three months and will only be reinstated once registered on the AML system.
You can read the MoE report here.