Regulatory Update: Middle East Edition – July 2021
1.0 DIFC AND DFSA LATEST DEVELOPMENTS
The DFSA has released Consultation Paper 141, proposing new whistleblowing measures which build on existing requirements and aim for a more consistent approach to reporting and recording misconduct.
The proposed changes to the whistleblowing regime include:
- Clarifying the requirements for reporting misconduct. Whistleblowers do not need permission to make a report to a regulated entity or the DFSA and must not be subject to any subsequent action by an employer that is likely to cause detriment to the whistleblower.
- Proposals that whistleblowers would not need to disclose their identities. The DFSA will take appropriate measures to maintain the confidentiality of a whistleblower’s identity. However, in some legal circumstances, confidential information may need to be provided to civil or criminal law enforcement agencies.
- Enhanced protection for whistleblowers. Persons disclosing information with reasonable suspicion that a regulated entity or employee/officer of the entity may have contravened any rules or legislation will benefit from enhanced protection. Rules or legislation include the Regulatory Law, rules administered by the DFSA, as well as money laundering, fraud, or any other financial crime.
- Penalty guidance will be updated. A list of aggravating and mitigating factors will be added which could increase or decrease the financial penalty applied.
- Increased awareness about the whistleblowing regime. Regulated entities must inform all employees and officers about the protections afforded to whistleblowers under the whistleblowing regime.
- Establishing policies and procedures. All regulated entities must maintain policies and procedures which facilitate the reporting of concerns by whistleblowers and outline the process for assessing and escalating concerns about misconduct. Policies and procedures should cover:
- internal arrangements for disclosing regulatory concerns
- procedures for assessing and escalating whistleblower reports within the regulated entity and, where appropriate, to the DFSA or any other relevant authority
- reasonable measures taken by the regulated entity to protect the identity and confidentiality of whistleblowers
- reasonable measures to protect whistleblowers from any detriment
- procedures to provide feedback to whistleblowers where appropriate
- measures setting out how the regulated entity will manage any conflicts of interest, and the fair treatment of any person accused of committing a breach by a whistleblower
Policies and procedures should be commensurate to the regulatory risk presented by the regulated entity, with larger or more complex entities having more detailed policies and procedures in place.
- Regulated entities that are branches or subsidiaries of companies outside of the DIFC may use existing whistleblowing reporting lines.
- Appropriate record keeping. Regulated entities must maintain appropriate records of whistleblower reports, including details of the alleged misconduct and the outcome. Reports must be made available to the DFSA on request at any time. If no reports are made, entities must note this in their records.
- The DFSA will create a specific whistleblowing email address for employees to report breaches concerning regulated entities. The DFSA will also introduce a dedicated webpage outlining information to assist whistleblowers in reporting misconduct.
The changes are not likely to take effect until early 2022 and all regulated entities will be informed by the DFSA about the implementation date earlier in that year.
The DFSA has fined the former Group Chief Financial Officer (“Group CFO”) of the Abraaj Group, Mr Ashish Bhrugu Dave, $1.7 million for his involvement in the deception, unauthorised activity, and compliance breaches committed by Abraaj Investment Management Limited (“AIML”) and Abraaj Capital Limited (“ACLD”).
The DFSA concluded that Mr Dave was knowingly involved in:
- breaches of DIFC legislation and the DFSA’s Rules, specifically that:
- AIML carried out unauthorised financial services in and from the DIFC and actively misled and deceived investors in Abraaj funds
- ACLD failed to maintain adequate capital resources, deceived the DFSA about its compliance with various legislation and rules, and was knowingly concerned in AIML’s unauthorised financial services activities
- carrying out unauthorised activity through his actions in the Abraaj investment cycle, from signing Investment Management Agreements to distributing proceeds to investors
- authorising temporary cash transfers at certain reporting period end dates and signing management representation letters to report falsely that ACLD complied with its capital resource requirements
The DFSA noted that as Group CFO, Mr Dave had clear visibility over the financial affairs of the Abraaj Group and in this position could have exposed or brought to a halt the breaches, yet he became actively involved in the deception.
Following the release of Consultation Paper No. 137, ‘Refinements to the Employee Money Purchase (“EMP”) Regime’, in December 2020, the DFSA has made amendments to its legislation and the GEN, COB, Glossary and Prudential Rulebooks.
The amendments include:
- introducing an express exemption in respect of foreign EMP schemes
- removing the current exemption available to non-DIFC operators and administrators
- prohibiting DFSA licensed operators and administrators from operating, or acting as the administrator of, a foreign EMP scheme that receives DIFC employer contributions
- expanding the definition of financial products
- allowing voluntary contributions, subject to certain requirements
- removing the ability for an operator to be a branch
- decreasing the base capital requirement for an operator from $1 million to $500,000
Firms should refer to the amendments in each rulebook and update policies and procedures where necessary, to ensure compliance with the updated rules.
The DIFC has enacted new Intellectual Property Regulations (“IP Regulations”).
The IP Regulations outline the process and requirements for filing intellectual property infringement complaints with the Commissioner of Intellectual Property (the “Commissioner”). The IP Regulations also enable the Commissioner to cooperate with relevant federal and local authorities in the UAE for the seamless protection of intellectual property rights across each of their respective jurisdictions in the country.
The powers and functions of the Commissioner can be found in the IP Regulations and include the power to undertake inspections and investigations in connection with violations of the IP Law. A ‘Register of Experts’ will be established, from which the Commissioner may appoint experts to assist in the investigation of a complaint.
The IP Regulations came into effect on 5 July 2021.
2.0 ADGM AND FSRA LATEST DEVELOPMENTS
The Abu Dhabi Global Market (“ADGM”) has issued new Data Protection Regulations 2021 (“DPR”). All firms in the ADGM will need to be compliant with the requirements by 11 February 2022 to continue processing personal data. Firms that were established after the in-force date have until 11 August 2021 to comply. Failure to act or implement suitable measures may be punishable by the Commissioner of Data Protection with fines of up to $28 million.
The new rules around fees and fines will be implemented in the following legislation:
- Data Protection Regulations (Fees) Rules 2021 (DPR Fees Rules)
- Data Protection Regulations (Fines) Rules 2021 (DPR Fines Rules)
For entities registered on or after 14 February 2021, the Fines and Fees Rules will apply from 14 August 2021.
For entities in existence before 14 February 2021, the Fines and Fees Rules will apply from 14 February 2022.
CCL can assist in ensuring your firm is compliant with the new ADGM rules. We will assess your current data protection framework against the DPR requirements and provide you with a comprehensive report. Once the report is complete, we will create a bespoke implementation project plan, focusing on key policy and procedure requirements, as well as considerations for each of the business functions including IT, legal, compliance, and training.
3.0 MIDDLE EAST REGULATORY UPDATES
The Central Bank of the UAE (“CBUAE”) held the National Summit on Counter-Terrorist Financing and Sanctions (the “National Summit”) on 15 July 2021. The event was held to showcase and discuss leading solutions in the field to help strengthen the capabilities of financial institutions.
The National Summit included a comprehensive agenda of keynote speeches and presentations in the areas of proliferation financing typologies, nuclear proliferation mitigation and detection, export control of dual use goods, the outcomes of sanctions screening, and the assessment of proliferation financing risk.
Through the National Summit, the UAE aims to reinforce its efforts to strengthen the implementation of international standards on combating money laundering and the financing of terrorism and proliferation and, particularly, the Financial Action Task Force (“FATF”) standards.
The Abu Dhabi Criminal Court has convicted nine individuals and indicted six companies for money laundering and illegal cryptocurrency trading.
The individuals stole Dh18 million in funds from victims by encouraging them to invest in a shell company that they claimed was specialised in trading digital currencies and global stocks. The victims were asked to transfer money to the UAE-based shell company, from where a portion of the funds was transferred to accounts outside the UAE.
The discovery of activities and the arrests and conviction are a direct result of recent efforts by the UAE to improve its money laundering measures and implement these more effectively.
4.0 INTERNATIONAL UPDATES
The FATF completed a second 12-month review of the implementation of its revised Standards on virtual assets and virtual asset service providers. The review follows the original FATF amendments two years ago, which placed anti-money laundering and counter-terrorism financing requirements on virtual assets and virtual asset service providers (“VASPs”).
The review found that many jurisdictions have continued to make progress in implementing the Standards.
- 58 out of 128 reporting jurisdictions advised that they have now implemented the revised FATF Standards, with 52 of these regulating VASPs and 6 of these prohibiting the operation of VASPs.
- The other 70 jurisdictions have not yet implemented the revised Standards in their national law.
Gaps in implementation mean that there is not yet a global regime to prevent the misuse of virtual assets and VASPs for money laundering or terrorist financing.
The FATF expects all jurisdictions to implement the revised FATF Standards, including the travel rule requirements, as quickly as possible.
The FATF will continue to:
- focus on implementing the current FATF Standards on virtual assets and VASPs and finalise the revised FATF Guidance on virtual assets and VASPs by November 2021
- accelerate the implementation of the travel rule
- monitor the virtual asset and VASP sector, but not further revise the FATF Standards at this point in time (except to make a technical amendment regarding proliferation financing)
The US Financial Crimes Enforcement Network (“FinCEN”) recently issued its government-wide AML and CTF priorities. These demonstrate the Biden administration’s considerations in enhancing AML requirements, regulations and enforcement, and recognise the important tools to address criminal activity in the US and internationally.
FinCEN’s AML/CTF priorities are as follows:
- Cybercrime, including cybersecurity and virtual currency
- Foreign and domestic terrorist financing
- Transnational criminal organisation activity
- Drug trafficking organisation activity
- Human trafficking and smuggling
- Proliferation financing
The full guidance can be found here.
Companies are advised to take appropriate measures to reduce the risk of money laundering and other financial crimes in their own business operations by constantly improving compliance programmes and updating these in line with the issued US Government priorities.
5.0 ENFORCEMENT ACTION
The US Department of Treasury has fined US-based online money transmitter, Payoneer, $1.4 million in a settlement for apparent violation of sanctions. Payoneer, which was listed on Nasdaq early last month, processed 2,241 payments worth over $800,000 in various jurisdictions and regions subject to sanctions. 19 transactions were also conducted with sanctioned persons.
Firms are reminded to review their systems, controls, policies and procedures to ensure they do not engage in unauthorised transactions with sanctioned individuals and entities.
Two years after the bank promised to straighten out its act, a suspected money-laundering network is said to have moved over $4 billion through 60 HSBC accounts. The ring was discovered in 2016 when HSBC was trying to assess its exposure to the Gupta family – previously accused of corrupt links with former South African president Jacob Zuma.
The bank was expected to disclose this information to the independent monitor brought in by the US Department of Justice in 2012. However, the bank waited to be questioned about it and never voluntarily disclosed information about the Hong Kong ring.
Firms are reminded to establish and maintain effective AML policies and procedures which should be risk-based and regularly reviewed. Employees should be periodically trained on key topics, including suspicious transaction reporting and transaction monitoring.
Robinhood Markets Inc. will pay a fine of $10 million for violating cybersecurity and AML practices. This comes a week after the cryptocurrency brokerage agreed to pay $70 million to resolve allegations that it misled its customers, approved ineligible traders, and failed to supervise its technology.
The CEO, Director, Compliance Officer, and Money Laundering Reporting Officer of Yardley Securities Limited (“YSL”), Raymond Leung Tak Shing, was reprimanded by the Securities and Futures Commission (“SFC”) of Hong Kong for failing to comply with the AML regulatory requirements. The SFC accused him of “failure to discharge his duties” as a member of YSL’s senior management and he was fined $400,000.
Senior management of firms are reminded of their overarching responsibility to ensure their firms have adequate systems and controls in relation to money laundering and terrorist financing.
The UK Financial Conduct Authority (“FCA”) fined Lloyds Bank General Insurance (“LBGI”) and its subsidiary, Halifax, for failing to properly communicate their “competitive” home insurance renewal claim with proof. About 87% of policyholders decided to renew, and Lloyds Bank failed to check whether the claim was accurate. The FCA said there was a “risk of harm” to customers as it was likely that the renewal premium was higher than the previous year. Lloyds apologised and returned funds to some of its customers who were affected by the misleading letters.