Regulatory Update: Middle East Edition – January 2023

The Dubai Financial Services Authority (“DFSA“) is conducting a sectoral review of authorised firms providing the financial service of ‘Operating a Representative Office’ within the Dubai International Financial Centre (“DIFC”).

The DFSA issued a communication to all representative offices on 6 January 2023 requesting for a questionnaire to be completed as part of phase one of the review. The review will be conducted in two phases.

Overview of phase one:

• the format will be in the style of a desk based review
• there will be a questionnaire, with a deadline for completion by 20 January 2023 via the eportal
• the questionnaire covers various topics including:
  • business activities
  • funds
  • restricted speculative investments
  • ownership information
  • relationship with head office
  • principal representatives
  • compliance and anti-money laundering (“AML”)
  • fit and proper
• includes a review by the DFSA of the firms most recent Annual AML Return submission.

Overview of phase two:

• a potential risk assessment
• a sample of representative offices will be selected following the output from phase one
• aims to gain a detailed understanding of the firm’s presence in the DIFC
• the DFSA will conduct discussions with firm’s principal representative.

Any questions regarding the sectoral review should be submitted to the DFSA via the Supervised Firm Contact Form on the DFSA ePortal, accessible here.

The DIFC Academy has commissioned a Climate Finance Training Series, which can be attended by the financial services community either in person, or online.

The training series aims to create an awareness and understanding of the United Nations (“UN”) Framework Convention on Climate Change’s 28th session of the Conference of the Parties (“COP28”) process, best practice approaches to developing and applying net zero strategies, and worldwide trends in climate finance.

COP 28 will be held in the United Arab Emirates (“UAE”) in the period between 30 November to 12 December 2023.

The first training module will take place on 12 January 2023, further modules will be delivered in March, June and October 2023.

Further details of the training series can be found via this link.

The Chairman of the DFSA announced the release of the DFSA Business plan for 2023-34 on 16 January 2023.

The Business Plan spanning two-years details a roadmap to achieve the DFSA’s objectives including establishing and maintaining the DIFC’s standing as a leading global financial centre.

A key priority on the DFSA’s agenda is the continued fight against financial crime, whilst supporting the federal authorities to implement the recommendations from the Financial Action Task Force (“FATF”) United Arab Emirates (“UAE”) Mutual Evaluation which was published in 2020.

The focus will also be on several key projects including the continuing development of its support for trading venues and markets, enhancing the policy framework by implementing international standards, and reinforcing its regime for the protection of client assets to preserve the integrity of the DIFC financial services industry.

At a national level, the DFSA aims to deliver approaches on disclosure and taxonomy, corporate governance, and continue efforts to improve engagement and understanding of Environmental Social Governance (“ESG”) issues with DIFC firms.

The DFSA intends to enhance the utilisation of technology within the centre, encouraging the development and use of new technologies within the DIFC community.

The Business Plan can be viewed here.

The DFSA ‘In Action’ publication provides a helpful insight to readers of the DFSA initiatives and actions from 2022.

Summary of key facts and figures from 2022:

• 54% growth in registration and licensing activities
• number of authorised firms grew from 529 in 2021 to 588 in 2022, up by 11%
• number of regulated entities increased from 655 to 713, up by 9%
• 10 enforcement actions undertaken by the DFSA in 2022
• 15 scam alerts issued by the DFSA
• diversification in the types of firms authorised – more innovative companies being registered through the money services regime and its Innovation Testing Licence Programme
• 8,153 cyber events were shared through the DFSA’s Cyber Threat Intelligence Platform in 2022.

For further details the ‘In Action’ publication can be viewed here.

The introduction of the DIFC Metaverse Platform was announced on 30 January 2023, aiming to attract technology leaders worldwide and solidify Dubai’s reputation as an innovator in the metaverse space.

To kick off the new platform, a six-month accelerator programme looking to generate 500 applications from metaverse pioneers, has been announced.

The platform supports Dubai’s metaverse strategy which includes supporting 40,000 virtual jobs by 2030, attracting 1,000 companies specialising in metaverse and blockchain technologies and adding US$4Bn to the local gross domestic product (“GDP”).

The press release can be viewed here.

The ADGM has announced structural changes to the Abu Dhabi Global Market (“ADGM”) Authority and Registration Authority (“RA”), with the appointment of two new Chief Executive Officers (“CEO”).

With effect from January 2023, Mr Dhaher Bin Dhaher Al Mheuiri is the newly appointed CEO of the ADGM Authority. Prior to this appointment, Mr Dhaher was leading the Registration Authority as the CEO since its inception.

Mr Hamad Al Mazrouei is the newly appointed CEO of the ADGM RA, previously holding the role of the ADGM’s Chief Operating Officer.

The Financial Services Regulatory Authority (“FSRA”) have issued Financial & Cyber Crime Prevention (“FCCP”) Notice No.01 of 2023, the notice acts as an invitation to all Financial Institutions (“FI”), Virtual Asset Service Providers (“VASP”) and Designated Non-Financial Businesses and Professions (“DNFBP”) to attend outreach sessions in the form of online workshops.

The online workshops cover the following topics:

• best practices on raising suspicious transaction reports (“STR”) and suspicious activity reports (“SAR”) via goAML, in collaboration with the Financial Intelligence Unit (“FIU”)
• DNFBP sectoral money laundering (“ML”) and terrorist financing (“TF”) risk assessment, in collaboration with the Supervisory Sub-Committee.

The sessions are aimed at improving the quality of STR/SARs reports submitted via goAML, and to share the outcomes of these with the private sector to improve the level of understanding of ML/TF risks and to enhance mitigation measures.

The sessions aimed at the FI, VASP and DNFBP sectors will be held on 6 and 7 February 2023. The DNFBP sector is invited to attend additional sessions held on 14 and 15 February 2023.

The International Data Privacy Day in the UAE was celebrated by the ADGM on 24 January 2023, in collaboration with the United States (“U.S.”) Department of Commerce and the UAE Gulf Cooperation Council (“GCC”) Privacy Working Group.

The half day event hosted by the ADGM raised awareness of data privacy, discussions were held relating to best practices that help to build confidence for international businesses looking to do business in the region. As well as sharing ideas for how businesses located onshore in the UAE can prepare for the new UAE Personal Data Protection Law, ahead of the roll out of the regulations.

The 28 January is recognised globally as International Privacy Day, the date marks the anniversary on which the Council of Europe’s data protection convention ‘Convention 108’, was opened for signature.

Aside from the introductions from various speakers, the main sessions held were:

• a Privacy Framework Presentation held by National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce
• a panel discussion focused on ‘How Financial Free Zone Privacy Rules Build Trust for International Businesses’ with participation from the Commissioner offices of the ADGM, DIFC and Qatar
• a panel discussion with industry experts from PwC, NMC Group, Accenture and Metlife on the topic of ‘How Companies Can Prepare Better for the New UAE Personal Data Protection Law’.

Here is a summary of key points from the event:

• the NIST Privacy Framework is a flexible tool which helps firms to identify and manage their risks, alongside their existing operations – the framework is agnostic to any particular law, however, it can assist firms in fulfilling their compliance obligations
• Privacy by Design (“PbD”) was a concept founded in the 1990’s by an Information and Privacy Commissioner in Canada – it is now about to become an international privacy standard for the protection of consumer products and services, on 8 February 2023 the International Organization for Standardization (“ISO”) is expected to adopt PbD as ISO 31700
• implementing an effective information governance strategy and developing a methodical approach to data management which will keep track of the data flow, international included is of utmost importance
• onshore business who are subject to the UAE Personal Data Protection Law, can prepare ahead of the release of the regulations by identifying their data footprint as a starting point, create awareness about the concept of data protection amongst senior management, to get senior management buy in
• the principle of data minimisation and relevance was highlighted, as per the DIFC Data Protection Law No.5 of 2020 and the ADGM Data Protection Regulations 2021, businesses should keep data processing simple and to the point
• the panel of industry experts spoke about the growing new generation of privacy laws and regulations around the world, businesses will benefit by introducing an effective privacy framework, which will in turn mitigate the risk of fines and other sanctions, and will enable more efficient and compliant cross-border data sharing
• the guidelines for data protection and privacy apply across the board and include the following:
  • the importance of safeguarding data
  • obtaining consent from the person whose data is being collected, where necessary
  • identifying the regulations that apply to the business and the data it collects
  • ensuring employees are fully trained in the nuances of data privacy and security.

Further details of the event can be found here.

The ADGM hosted the fifth edition of the Abu Dhabi Sustainable Finance Forum (“ADSFF”), which included a week of events discussing current challenges and trends focussed on ‘charting the path to COP28’. Approximately 1000 participants joined the event, which commenced on 19 January 2023.

The highlights of the forum included:

• the ADGM’s Sustainable Finance Declaration welcoming 37 new signatories, bringing the total number of members to 117, a signing ceremony took place to solidify the signatories commitment towards the climate change and sustainability
• fintech company ‘Aspiration’ announced that they are setting up an office in the ADGM, the multibillion-dollar company is a climate action company pioneering solutions to assist companies, individuals, and investors to offset their carbon footprint and move toward net zero
• discussions by the ADSFF on areas of collaboration to increase the flow of capital towards transition finance and sustainable investments ready for COP28.

Further details of the event can be found here.

New guidelines on AML and combatting the financing of terrorism (“CFT”), with a focus on the use of digital identity (“ID”) methods were issued by the Central Bank of the UAE (“CBUAE”) on 11 January 2023. The guidelines set the requirements which licensed financial institutions (“LFI”) must adhere to, with immediate effect.

LFI’s affected may include:

• exchange houses
• insurance companies
• finance companies
• banks
• agents
• brokers.

Topics such as authentication mechanisms, identity proofing, and use of digital ID systems are all covered within the guidelines. For transaction monitoring and ongoing customer due diligence (“CDD”) purposes LFIs should make use of data generated by authentication mechanisms, for example internet protocol (“IP”) addresses, to assist in detecting suspicious transactions and/or behaviour in, to, or from high-risk and sanctioned jurisdictions.

LFIs are required to have adequate governance and sufficient policies and procedures in place, as well as to use technology best practices.

Although the use of digital ID methods is encouraged, LFIs also need to consider the technology and security challenges that they may present. Considering the implementation and enforcement of any necessary safeguards to reduce risks, such as the use of stolen, synthetic, or falsified IDs, security breaches, and cyber-attacks.

Due diligence should be completed on the digital ID system chosen to assess appropriateness and provide assurance to the LFI, including in relation to the accuracy of the digital ID system. LFIs can perform the assurance reviews directly or obtain audit or assurance certification from an expert body.

The announcement and guidance can be accessed here.

Over 600 participants logged into the virtual session held by The UAE Ministry of Finance (“MoF”) on 16 January 2023, as part of its Corporate Tax (“CT”) Public Awareness Programme.

Participants in the session included experts from the Federal Tax Authority, Dubai Chambers and the MOF, as well as those from the private sector including tax experts and business sector representatives.

The new Corporate Tax Law is based on international best practice, and aims to support the UAE’s strategic objectives, creating tax transparency, and preventing detrimental tax practices.

Key points from the second awareness session include:

• details of CT Law will be announced through Cabinet Decisions
• threshold of AED375,000 recently confirmed
• generally aligned with global standards, such as tax neutrality, transfer pricing, relief from corporate tax, General Anti-Avoidance Rule and certain exemptions
• UAE entities are subject to CT at 9%, however, pillar 2 may be developed and announced in due course
• non-residents with no permanent establishment in the UAE will not be subject to CT or required to register for CT
• supporting documentation will be required for all registered entities, including exempted persons, for seven years
• registration for CT will be phased, with invites shared when registration is required, there will be no penalty for late registration
• tax registration number (“TRN”) for CT will be different from the existing TRN for value added tax
• there will not be a requirement to apply for deregistration if taxable income reduces to below AED375,000
• entities registered in the freezones must comply with parameters and conditions, as required, more details will be released soon
• the objective of the UAE is to keep the compliance burden as low as possible.

A Memorandum of Understanding (“MoU”) was signed on 17 January 2023 between Securities and Commodities Authority (“SCA”) and the Ministry of Interior, as part of SCA’s initiatives to combat unlicensed financial activities.

Both parties have strategic objectives to protect investors’ rights and enhance financial stability of the UAE economy.

The MoU sets out to formalise the approach to the exchange of information regarding illegitimate practices and activities in the securities and commodities market in the UAE.

The SCA announcement can be found here.

With the intention to explore the opinions of interested parties, stakeholders and experts, the SCA has published a preliminary draft of an asset-backed securities system, referred to as ‘securitization system’. The release of the draft regulation was announced on 4 January 2023.

The introduction of a securitization system will be a new initiative, previously unseen in the local financial markets in Dubai. The term ‘Securitization’ refers to a process where individual or combined assets are sold and transferred to a Special Purpose Company and in turn asset-backed securities are issued.

The draft regulation included 24 articles, some of which included were:

• the scope of application
• parties involved in the securitization process
• criteria and requirements for assets subject to securitization transaction
• criteria for real sale
• definition of SPV
• application submission and provisions regulating sukuk
• debt securities
• proceeds of subscription
• listing
• trading.

Feedback is welcomed from all parties concerned with the local capital market, including investors, media professionals, dealers of all categories, financial analysts, brokers, researchers, and other interested parties. Interested parties were requested to view the draft decision and submit their feedback by the latest 31 January 2023.

Further details of the announcement can be found here.

The virtual workshop held on 31 January and 1 February 2023 was a collaboration between the UN Office of Counter-Terrorism and the UAE Executive Office for Control and Non-Proliferation (“EOCN”) discussing the topic of ‘Sharing of Information Between Public and Private Sector’.

The intention of the sessions was to discuss issues relating to the impact of information sharing between the public private sector for combatting terrorist financing, sanction evasions and solutions for overcoming the challenges faced.

The workshop covered the following topics:

• role, impact and benefits of information sharing for combatting terrorist financing
• utilizing public private partnership to enhance effectiveness
• tools and technologies to enhance information sharing
• confidentiality and data protection
• panel discussion: public private partnership to experience in UAE & Egypt
• panel discussion: sharing of information in TFS implementation
• de-risking and its impact on information sharing
• models from different countries
• showcase public private partnership in combatting sanction evasion.

A summary of the workshop will be included in the February Regulatory Update.

On 25 January, the Financial Conduct Authority(“FCA”) published its Consumer Duty implementation plans. The plans follow on from a review of multiple FCA authorised firms, conducted to gather an understanding of their plans to embed the Duty within their businesses.

The Consumer Duty rules and guidance were initially published in July 2022 with the aim of setting a higher level of standards of consumer protection within the financial services sector, requiring firms to act to provide good outcomes for customers.

The review conducted looked at the implementation plans of larger firms, who have dedicated FCA supervisors. The FCA findings show that many examples of good practice have been identified but there are still areas which could be improved, such as by:

• prioritising appropriately, and focusing on reducing the risk of poor consumer outcomes and assessing where their firm is likely to be furthest away from the requirements of the Duty
• carefully considering the substantive requirements of the Duty, ensuring that when the firm is undergoing a review of their products and services, communications and customer journeys, they identify and make the changes needed to comply with the Duty
• working with other firms in the distribution chain in relation to information sharing, to assist with implementing the Duty on time.

The FCA has set an implementation deadline of July 2023 for new and existing products and services. For closed products or services, the rules come into force on 31 July 2024.

Full details of the review can be found here.

The Digital Operational Resilience Act (“DORA”) was announced by the European Union (“EU”) on 27 December 2022 and came into force on 16 January 2023. The legislation sets obligations for FIs and critical third-party providers, with the aim of ensuring the European financial sector is able to maintain resilient operations through a severe operational disruption.

DORA will require FIs and third-party providers to implement risk management frameworks, new systems and controls, and policies and contractual provisions to be included in information communication technology focused outsourcing arrangements.  The regulation includes a two-year implementation window for firms to become DORA-compliant, with the new rules therefore taking effect on 17 January 2025.

Full details of the Act may be viewed here.

Several Mutual Evaluation Reports and Follow-Up Reports have been published by the Financial Action Task Force (“FATF”), highlighting the improvements made towards positive re-ratings.

The process for new jurisdictions involves a review against the FATFs 40 recommendations. For jurisdictions with existing ratings and who are in enhanced follow-up, the jurisdictions are assessed on their progress made towards addressing compliance requirements. Re-ratings are given where sufficient progress has been evidenced towards satisfying the individual recommendations.

The FATF recently reviewed the jurisdictions below:

• Bahamas
  • 5th Follow-Up Report since the 2017 evaluation
  • significant progress has been made to address deficiencies identified
  • 2 recommendations were amended from partially compliant to compliant
  • 40 recommendations in total are rated as compliant or largely compliant
• Uganda
  • 9th Follow-Up Report and 4^th re-rating since the 2016 evaluation
  • significant progress has been made to address deficiencies identified
  • 1 recommendation was amended from partially compliant to compliant
  • 1 recommendation was amended from partially compliant to largely compliant
• Ecuador
  • 1st Mutual Evaluation Report
  • 1 recommendation rated non-compliant
  • 1 recommendation rated partially compliant
  • 18 recommendations rated largely compliant
  • 10 recommendations rated compliant
• Lithuania
  • 3rd Follow-Up Report since the 2018 evaluation
  • 2 recommendations were amended from partially compliant to largely compliant
• Kenya
  • 1st Mutual Evaluation Report
  • 11 recommendations rated non-compliant
  • 26 recommendations rated partially compliant
  • 1 recommendation rated largely compliant
  • 2 recommendations rated compliant
• Suriname
  • 1st Mutual Evaluation Report
  • 7 recommendations rated non-compliant
  • 23 recommendations rated partially compliant
  • 9 recommendations rated largely compliant
  • 1 recommendations rated compliant
• Namibia
  • 1st Mutual Evaluation Report
  • 3 recommendations rated non-compliant
  • 16 recommendations rated partially compliant
  • 16 recommendations rated largely compliant
  • 5 recommendations rated compliant

Further details of the latest reports can be found here.

The Executive Office of the Committee for Goods and Materials Subject to Import and Export Control (“CGMSIEC”) has updated the UN Security Council (“UNSC”) sanctions list. One individual and one entity has been added.

Firms are reminded to monitor geopolitical events and any resulting updates to the international sanctions lists so that they can assess their exposure to sanctioned individuals and entities. Sanction contraventions must be reported to the relevant authorities without delay, and regulators will expect to be notified of any sanctions matters that may result in reputational consequences for the firm.

The updated sanctions list can be found here.

The DFSA has published two Decision Notices confirming the action taken against two DFSA regulated firms for their repeated failure to submit annual AML returns on time, despite the reminders issued to the firms by the DFSA.

The notice concerning EY Law LLP was published on 10 January 2023. The firm was subject to a fine of US$8,400, which includes an early settlement discount, for failure to submit its 2021 and 2022 AML returns prior to the deadline given.

The notice concerning Nasco France SAS – DIFC Representative Office was published on 4 January 2023. The firm was subject to a fine of US$5,600, which includes an early settlement discount for failure to submit its 2020, 2021 and 2022 AML returns prior to the deadline given.

The Decision Notices can be viewed here.

The Financial Markets Tribunal has upheld the DFSA imposed fine on Abraaj’s founder and former CEO Mr Arif Naqvi.

The fine totalling US$135,566,183 is the largest fine ever levied on an individual by the DFSA. Mr Naqvi is also prohibited and restricted from performing any function in or from the DIFC.

The Decision Notice published by the DFSA on 27 January 2022 described Mr Naqvi’s failings in respect of the Abraaj Group, which included him knowingly being involved in misleading and deceiving investors, which directly or indirectly misled or deceived the investors.

Further details of the DFSA’s media release can be found here.

Al Rayan Bank Plc has agreed to the FCA findings in relation to serious AML failings. An early settlement was reached of £4,023,600, following a 30% discount.

The AML failings of the bank included:

• inadequate source of wealth and source of funds checks
• lack of staff training in relation to the handling of large deposits.

The bank was aware of the weaknesses, and money laundering risks created by this, yet failed to conduct adequate remediation.

The FCA press release can be found here.

The largest bank in Denmark, Danske Bank has agreed to accept a guilty plea and settle a fine of US$2Bn.

The fine is made up of multiple individual penalties including:

• circa US$1.2Bn in criminal forfeiture to the US
• circa US$672mn to Danish authorities
• circa US$178mn to US Securities and Exchange Commission.

The failures of the bank occurred between 2009 and 2016, high-risk customers utilised Danske Bank to facilitate the transfer of billions of dollars in suspicious transactions through the US and other countries. Danske Bank was aware of these high-risk transactions and made materially misleading statements and omissions in the bank’s publicly available reports stating that it complied with its AML obligations and that it had effectively managed its AML risks.

Major U.S. cryptocurrency exchange Coinbase Inc will pay a US$50Mn fine and agreed to invest US$50Mn in its compliance function over the next two years to rectify violations of the New York Banking Law and the New York State Department of Financial Services (“DFS”) money transmitter, virtual currency, transaction monitoring, and cybersecurity regulations. The Consent Order was approved on 4 January 2023.

Regulators first detected the compliance issues at Coinbase in 2020, identifying weaknesses as far back as 2018, which included the firm allowing customers to open accounts without conducting adequate background checks.

The full Consent Order can be found here.