Regulatory Update: Middle East Edition – July 2023

On 13 July, the Dubai International Finance Centre (‘DIFC’) announced the inaugural ‘Future Sustainability Forum’ as part of the DIFC 2030 strategy, the United Nations Climate Change Conference ‘COP28’ agenda and in support of the Year of Sustainability in the United Arab Emirates (‘UAE’).  The first meeting will be held between 4 and 5 of October in the Ritz-Carlton, DIFC, and will bring together change and decision makers in finance including industry leaders, investors, tech disruptors, and policy makers. Delegates will discuss ways to deliver a transition to a sustainable economy and to accelerate efforts to achieve the long-term goals of the Paris agreement and the United Nations (‘UN’) sustainable development goals.

Panel discussions and sessions include:

• supporting corporates in embedding Economic, Social and Governance (‘ESG’) within their organisations
• empowering companies to design their path to ‘Net-Zero’
• unlocking the potential of ESG-driven innovation
• fostering sustainable entrepreneurial ecosystems
• transforming capital to drive the low carbon transition.

You can read the DIFC article here. You can register for the event here.

On 17 July, DIFC Innovation Hub announced its partnership with Standard Chartered for the fifth cohort of the ‘Women in Tech’ accelerator programme.  The programme empowers women entrepreneurs in the UAE’s technology sector and will foster innovation, diversity, and economic development in the sector. This month, ten applicants will be selected to join immersive workshops, tailored training and invaluable mentorship opportunities. Successful participants will join an expansive professional network over nine countries as well as access to mentorship opportunities and equity free seed capital of US $100,000 for the top three women-led startups. The cohort will participate in a demo day in October 2023 to showcase their business proposals and to pitch for investment. Over the four cohorts of 20 participants, the programme has successfully raised over US $5M of equity allowing expansion globally and within the UAE.

You can the DIFC article here. You can read more about the programme here.

On 18 July, the DIFC announced a partnership with the Chartered Financial Analyst Institute (‘CFA Institute’) with the aim of strengthening the capabilities and proficiencies of financial management professionals. The knowledge hub will provide access to the latest industry perspectives and insights through workshops, webinars, conferences, training courses and thought leadership. Experts will be publishing beneficial reports accessible via the knowledge hub for the investment management community.

You can read the DIFC article here. You can apply to join the training here.

On 23 July, the DIFC announced several initiatives supporting growth in the family business sector as part of the UAE’s growth plan ‘The Dubai Economic Agenda D33’. Family business in the UAE currently represents 40% GDP and the new initiatives, along with recently introduced legislation, will support the family owned businesses. Of the initiatives introduced, including the design of a designated family business centre, family businesses in the UAE can enjoy support in growing business capabilities, including leadership guidance, training, and awareness support. The initiatives will contribute to the proposed expansion of the UAE’s wealth to US$1T by 2026.

You can read the DIFC article here.

On 26 July, the DIFC launched its 9th edition of the Financial Technology (‘FinTech’) accelerator programme. The programme is a catalyst for start-ups and scale-ups to establish in the market and this year will focus on open banking, Artificial Intelligence (‘AI’), innovative payment solutions, development of financial literacy and hyper-personalisation of services. Twenty businesses will be accepted onto the programme with access to key players in the financial markets for mentorship opportunities, investment exposure and networking.   Partners of the programme include Abu Dhabi Islamic Bank (‘ADIB’), Abu Dhabi National Insurance Company (‘ADNIC’), Emirates NBD, Emirates Post Group (‘EPG’), HSBC, Mauritius Commercial Bank (‘MCB’), Visa and Zurich.  The successful applicants will join the 1,369 financial services and innovation firms in the DIFC.

You can read the DIFC article here. You can learn more about the programme here.

On 11 July, the Dubai Financial Services Authority (‘DFSA’) issued ‘Dear MLRO: Update re High Risk Jurisdictions’ letter. The letter reminds regulated firms to verify and review lists against the UAE National Committee for Combating Money Laundering and Financing Terrorism and Illegal Organisations Committee (the ‘UAE NAMLCFTC’) to ensure compliance with the DFSA AML module.

Firms are reminded to:

• review, assess and reassess clients in line with the so-called ‘black list’ and ‘grey list’ issued by the Financial Action Task Force (‘FATF’) prior to establishing a relationship and throughout the relationship
• ensure that correct due diligence is applied to risk rating and apply correct counter measures.

You can read the letter in full here.

On 11 July, the DFSA announced changes to the DFSA rulebooks following the responses to Consultation Paper (‘CP’) 147 ‘Technology: Cyber Risk Management and Innovation Support’ and CP 150 ‘Proposals in Relation to Money Services, Crypto Token and Crowdfunding’.

The following changes will be in force from 1 August:

• General Rulebook (‘GEN’)
  • removal of the reference of ‘FinTech’
  • further guidance on issuing payment instruments and restrictions that may apply in relation to the firms licence
  • guidance on the stored value in relation to money service firms
  • clarification on payment transactions
  • clarification on the definition of ‘payment instruction’ for ‘personalised devices’
  • updated guidance on recognised crypto tokens in the DIFC
  • restrictions on referrals to crypto tokens and guidance on due diligence
  • requirements for the pre-approval, applications, authorisation and test plan for licencing of innovative technologies
  • clarification on waivers or modifications of Dubai Financial Services Authority (‘DFSA’) rules
  • the application of restrictions and conditions for innovative technologies

• Code of Business (‘COB’)
  • update to the requirements relating to the use of currencies for money service providers which clarifies that stored token value conversion is allowed
  • new requirements for when payment accounts may be provided
  • rules on reconciliation for money service providers

The following additional changes will be effective from 1 January 2024:

• Prudential: Investment, Insurance Intermediation, and Bank Business Module (‘PIB’)
  • removal of the requirement to establish and maintain technology policies and processes
  • inclusion for domestic firms on a quarterly and annual basis to file report ‘B470: Crowdfunding Intermediation’
• GEN
  • creation of cyber risk management section (GEN 5.5) and supporting guidance covering:
    • requirement to manage cyber risk appropriate to the nature, scale and complexity of its activities
    • creation of key definitions
    • obligations to create and maintain a cyber risk management framework and appropriate governance
    • requirement to identify and assess cyber risk
    • measures to protect IT assets from cyber incidents
    • requirement to monitor IT systems and networks to potential or actual cyber incidents
    • requires an authorised person to report material cyber risks
  • Auditor Module (‘AUD’)
    • inclusion of a cyber risk management section referencing GEN
  • COB
    • For Automatic Transfer Service (‘ATS’) removal the reference to technology resource requirements
    • removal of the reference to provide arrangements regarding the protection of technology systems from damage, tampering misuse or unauthorised access during an assessment of technology systems
    • addition of the reference to GEN updates
  • Authorised Market Institutions (‘AMI’)
    • removal of references to technology resources
    • reference to GEN

You can read the rulebook updates in full here.

The DFSA issued multiple advisory letters on current issues of concern in the DIFC.

On 14 July, the DFSA issued a Dear SEO letter ‘Recent Systematic Supply Chain Cyber Attack’ in response to the MOVEit cyber attack.  The commonly used data transfer mechanism ‘MOVEit’, supplied by Progress Software, experienced threats by malicious actors attempting to exploit vulnerabilities to deploy ransomware as well as stealing valuable sensitive data.

Progress Software advises firms to mitigate exposure by:

• check exposures to MOVEit including supply chain exposure
• assess threat vulnerabilities and impact
• review Progress Softwares mitigation guidance and implement as appropriate
• report exposure to the DFSA via the Cyber Incident Notification form on the DFSA portal.

Firms are reminded to:

• ensure software has patch updates
• identify third party vulnerabilities and security levels
• prioritise vulnerabilities based in severity, impact and exploitability
• implement a robust patch management system
• set minimum security requirements for vendors
• build assurance activities including periodic assessments
• contract vendors and third parties to include a right to audit
• register with the DFSA’s Threat Intelligence Platform (‘TIP’)

You can read the DFSA letter here, the Process Software mitigation measures here and register for TIP here.

On 24 July, the DFSA issued the ‘Dear SEO’ letter ‘UAE Ministry of Finance (‘MOF’) consultation on application of the UAE Corporate Tax Law to the Free Zones’. The MOF received opinions from concerned stakeholders in financial free zones on the proposed corporate tax framework, in particular the applicability of ‘Qualifying Activities’ and ‘Excluded Activities’.  Feedback was accepted until 2 August 2023 and any amendments to the framework will be advised in due course.

You can read the Dear SEO letter here.

On 24 July, Swee Lian Teo announced her departure from the board of directors of the DFSA with effect from 31 August. Teo has served on the board for six years and has been the chair of the Boards Risk Committee as well as a member of the Governance and Nominations Committee and Emirati Working Group.

You can read the DFSA article here.

On 27 July, the DFSA held a cyber security awareness session on resilience, security frameworks and management.   

The speaker discussed core cyber definitions including:

• Cyber Resilience to mean the ability to protect and defend an entity/individual from cyber-attacks
• Cyber Security to mean the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enables by cyber resources.

In addition, the speaker also discussed relevant cyber security frameworks to reduce loss and continue a ‘business as usual’ approach including the use of a cyber security resilience framework and the UAE’s recommended cyber security framework ‘NIST’.  The speaker discussed modern risks including the rising hacker trend of ‘ransomware as a service’ and the use of artificial intelligence in attacks.

Businesses were reminded to ensure they have suitable policies in place that address modern cyber risks to address breaches when they occur and were reminded that 82% of attacks occur due to human error.

Cyber security Policies should include:

• Incident response plan
• Information sharing
• Management of:
  • Ransomware
  • Phishing attacks
  • DDoS attacks
  • Data leaks
• Assignment of responsibilities
• Communication action plan
• Clear objectives

On 4 July, the DIFC Data Protection Office issued ‘Thematic Assessment Report No. 1 of 2023: Article 28’. Article 28 of the DIFC Law No.5 of 2020 provides rules on data sharing with government entities.

The law requires firms to:

• determine the validity of a request
• assess risks with sharing information
• implement measures to mitigate the risk
• obtain written assurance (where possible) of compliance with law.

The thematic report, in conclusion of the March 2023 thematic review, found that Designated Non-Financial Business or Professions (‘DNFBP’) and financial institutions in the centre are unclear on expectations and the applicability of the law especially when requests were received from regulators or auditors outside the DIFC such as the UAE Central Bank. Many firms failed to have a suitable policy regarding data sharing and most firms failed to include government sharing.

You can read the thematic review report here.

On 4 July, the Abu Dhabi Global Market (‘ADGM’) implemented the Sustainable Finance Regulatory Framework reinforcing its position as a leading sustainable financial hub. The framework will support the UAE’s transition to net-zero greenhouse gas emissions by introducing rules on sustainability oriented investment funds, managed portfolios and bonds as well as requirements for ESG disclosures. The framework allows compliant firms a designation demonstrating their ability to meet robust standards which can be used in marketing materials and client communications.  The framework is supported by various initiatives such as the Abu Dhabi Sustainable Finance Declaration and the School of Sustainable Finance.

To support the framework, the ADGM’s Financial Services Regulatory Authority (‘FSRA’) rules have been amended to:

• Fund Rules (‘FUNDS’)
  • Introducing chapter 4 ‘Special Classes of Funds’ and exclusions for specific rules for public funds, exempt funds and Qualifying Investor Funds (‘QIF’)
  • Defining ‘ADGM Green Fund’
  • Defining ‘ADGM Climate Transition Fund’ including guidance notes
  • Including requirements for Green Funds and ADGM climate Transition Funds and guidance notes on:
    • Attestation requirements
    • Systems and controls
    • Notification requirements
    • Cancellation requirements
  • Conduct Of Business Rules (‘COB’)
    • Adding core rules for ADGM Green Portfolios and ADGM Climate Transition Portfolios and guidance including:
      • Application
      • Investment requirements
      • Attestation requirements
      • Portfolio rules
      • Application rules for designation as a ADGM Green Portfolio or ADGM climate Transition Portfolio
      • Notification requirements
      • Cancellation requirements
    • Market Rules (‘MKT’)
      • Offer of securities including:
        • Linked debentures
        • Qualifying debenture principles
        • Requirement for external review
        • Application rules for linked bond designation
        • Annual submission for review of designation
        • Withdrawal of approval
        • Notification of issuer rules
        • Application rules for sustainably linked Sukuk
      • Glossary (‘GLO’)
        • To include definitions for related terms. You can find the full list here.

You can read the ADGM article here.  You can review the rulebook changes in full here.

On 7 July, the FSRA issued a ‘Dear SEO/MLRO’ letter regarding management of high-risk jurisdictions. Following the National Committee for Combating Money Laundering and Financing Terrorism and Illegal Organisations (the ‘Committee’) decision, the FSRA issued   Notice No. FSRA/FCCP/06/2021, 28/2021, 14/2022 and 01/2023 on their obligations regarding the black and grey list for financial institutions, virtual asset service providers and non-profit organisations.

Firms are reminded to:

• adopt the black and grey list in accordance with the AML obligations and the Financial Action Task Force (‘FATF’) recommendations
• continuously review changes to the black and grey list
• conduct suitable and considered Customer Due Diligence (‘CDD’) or Enhanced Due Diligence (‘EDD’) as appropriate
• ensure timely reporting to the Financial Intelligence Unit (‘FIU’) via GoAML where required
• only use third party due diligence services from a non-blacklist jurisdiction
• comply with target financial sanctions

You can read the letter in full here.

On 13 July, the Securities and Commodities Authority (‘SCA’) signed an MoU with the UAE Bank Federation (‘UBF’) fostering mutual cooperation in developing the financial sector to develop the asset and wealth management sector, a key focus for the UAE over the next 50 years. The MoU will foster partnerships between government and private sector, in particular the SCA’s legislation and infrastructure to attract foreign business. The parties agree to share expertise and studies to improve the asset management sector as well as setting up a joint committee to enhance legislation keeping up with the industry’s development. The MoU will also provide for joint promotion events to attract further business to the UAE.

You can read the SCA article here.

On 18 July, in accordance with Cabinet Resolution No. (111) of 2022, the SCA announced the availability of licences for virtual asset providers (‘VASP’) to be regulated in the region following the formation of the Dubai Virtual Assets Regulatory Authority (‘VARA’). The SCA has issued extensive guidelines and associated application forms requiring VASPs currently conducting business in the UAE to apply for a licence.  The SCA warns of regulatory action for failing to comply with fines up to AED10M or public prosecution for failing to attain a licence.

The SCA will also warn investors to only deal with VARA regulated VASPs to ensure protected investments.

You can read the SCA article here.

On 6 July, the FIU hosted the 29th Egmont Group Plenary meeting ‘Use of Advanced IT Technologies by FIUs to Enhance their Operations’. The event was attended by over 500 attendees and discussed AML and CTF efforts of the UAE, its integration at a national level and its alignment with the UAE’s vision and directives of NAMLCFTC using its mature framework and efficient systems.  The congregation also discussed the use of Regulation Technology (‘RegTech’) and other modern technologies to facilitate efficient reporting and oversight. The use of such technologies can be used to establish awareness and information sharing across FIUs. Other sessions discussed privacy, the use of AI and blockchain technologies by FIUs.

On 4 July, the Central Bank of the UAE (‘CBUAE’) held an outreach session on the outcomes from the thematic review in Suspicious Transaction Reporting (‘STR’). The speakers discussed firms reporting Anti Money Laundering (‘AML’) and Counter Terrorist Financing (‘CTF’) obligations and its importance in a regional and global fight against financial crime. The speakers then discussed the functionality and use of the reporting system ‘GoAML’ and the types of reports available as well as common issues including incorrect details, poor supporting documentation and incorrect categorisation all causing an unnecessary and costly delay.

With regards to management and governance, the speakers noted trends leading to deficient practices including:

• Lack of seniority or independence of the Money Laundering Reporting Officer (‘MLRO’)
• Insufficient tracking of alerts
• Gaps in action plans
• Failure to file STR leading to an incorrect reflection of typologies
• Lack of training
• Lack of management oversight

For policies and procedures, the speaker’s noted the deficiencies in:

• Conducting gap assessments on updates to AML law, regulation and guidance
• Weakness in standard operating procedure documents including:
  • Management of automated and manual case notifications
  • Decision making criteria of MLRO reporting
  • Post STR mitigation actions
  • Red flag indicators
  • Management for lack of Know Your Client (‘KYC’) and Customer Due Diligence (‘CDD’)

For risk-based deployment of transaction monitoring controls the speaker’s addressed deficiencies of:

• DNFBPs not incorporating manual and automated monitoring controls
• conducting typology assessment
• Documentation of detection strategies
• Utilisation of non-risk based transaction monitoring
• Risk groups not including risk profile and nature of business considerations

For data identification and management the speaker’s addressed deficiencies of:

• Inconsistent or incomplete data in systems
• Multiple customer information including multiple risk information
• Document and policy to test for data integrity
• Documentation of transaction monitoring that is not risk based
• Adequate detection controls

For alert review, case investigation, and STR or Suspicious Activity Report (‘SAR’) decision making the speaker’s addressed deficiencies in:

• Risk scoring models (of absence of) prioritising alerts
• Vague closing comments for alerts
• No evidence of adverse media or screening
• Inconsistency of receiving or recording
• Incomplete trackers ( of absence of)
• Documentation (or absence of)
• Workflow management
• Storing and accessibility of evidence and supporting documents
• Clients rejected at onboarding stage not being flagged as a SAR.

For post SAR and STR the speaker’s addressed deficiencies in:

• Policy and procedure in identifying associated accounts of SAR/STR
• Categorising post STR account as high risk for both retained and exited relationships
• Documentation and rationale for retaining post STR relationships
• Failure to add post STR/STA account to watchlist

On 19 July, the CBUAE’s Governor met with the International Monetary Fund’s (‘IMF’) Managing Director to discuss bilateral relations in enhancing the integrity of financial systems and supporting global growth. The parties discussed sustainable finance in the wake of 2023 United Nations Climate Change Conference (‘COP 28’), green financing and the UAE’s growth strategy for sustainable financing.  The parties also discussed the effect of geopolitical regional tensions and its effect on the sustainable agenda.

You can read the CBUAE report here.

On 20 July, the CBUAE signed a Memorandum of Understanding (‘MoU’) with Dubai Police to promote cooperation and coordination in the fight against financial crime. The MoU will facilitate transfer of information regarding financial crimes, money laundering and suspicious cases through an effective communication plan. The MoU also committed to awareness campaigns in typologies and joint inspections.

You can read the CBUAE article here.

On 11 July, the MOF announced various transformational projects in line with the ‘We the UAE 2031’ vision.  Of the compliance related initiatives, the MOF declared its ‘Imposing a Federal Tax on Corporations and Business’ project. The project aims to establish a corporate tax policy and its supporting legislation, regulation and ministerial resolutions. The MOF also declared a new ‘E-Billing System’ project which aims to activate a sophisticated country level billing system for tax returns thereby improving tax compliance and reducing tax evasion.

You can read the MOF article here.

On 6 July, the Saudi Central Bank (‘SAMA’) issues regulations relating to the Law on Payment and Payment Services. The regulations address the soundness and efficiency of payment services in the Kingdom by aligning Principles for Financial Market Infrastructures (‘PFMI’). The regulations promote investment, stimulate innovation and competition, and encourage new payment products.

You can read SAMA’s article here. You can read the full regulation here.

On 26 July, SAMA and the Hong Kong Monetary Authority (‘HKMA’) signed a MoU to strengthen financial collaboration. The MoU covered financial infrastructure development, open market operations, monetary policy, and Fintech development to facilitate the exchange of expertise and knowledge sharing in areas related to regulatory issues, laws and policies, and best practices.  The parties shared their experiences in research, development and innovation, highlighting areas of development in supervisory technologies, tokenisation, and payment infrastructure.

You can read the SAMA article here.

On 3 July, the Central Bank of Oman (‘CBO’) published a working paper ‘Composite Financial Stability Indicator for Oman’. The paper provides insights to stakeholders and policymakers on the current state of financial stability in Oman as well as development areas. The paper considers banking stability, systemic risk, debt sustainability, currency stability and capital market certainty and considers external factors such as the COVID-19 pandemic and its effect on financial stability in the Sultanate.  The paper will be updated annually to provide transparency and vital information to readers.

You can read the CBO’s article here. You can read the full report here.

On 4 July, the International Organization of Securities Commissions (‘IOSCO’) hosted its 48th annual meeting.  The event brought together various capital market supervisory authorities and industry experts to discuss enhancing financial market infrastructure, enacting legislation to fight cross-border financial fraud, and a compliance overview with the laws and regulations both regionally and internationally.  Participants reviewed IOSCO’s business, strategic priorities, and initiatives to integrate efforts to bring stability to financial markets, promote sustainable finance, and keep pace with the developments related to crypto assets and sustainable finance. In addition, the Growth and Emerging Market Committee (‘GEM’) discussed international sustainability standards and enforcing corporate sustainability disclosures. Participants of the Africa/Middle East Regional Committee (‘AMERC’) discussed a draft MoU on the exchange of information of its members.

You can read the SCA article here.

On 5 July, the FATF held an AML awareness seminar on the art and antiquities market. Expert speakers from public sector and civil society representatives discussed what market participants, governments and banks can do to prevent illicit financing. The webinar stressed the importance of understanding the history of trading and the use of documentation as well as the money laundering risks of using third party intermediaries especially where the use of such intermediaries is for the purpose of buyer’s anonymity.

You can watch the recorded webinar here.

The Financial Action Task Force (‘FATF’) conducted mutual evaluations for several jurisdictions which have received updated ratings. The ratings are aligned to 40 internationally recognised standards for CTF, AML and Proliferation Financing (‘PF’).

Updated ratings include:

• Türkiye was found to be compliant in 14, largely compliant in 25, partially compliant in one recommendation.
• The Commonwealth of Dominica was found to be compliant in 16, largely compliant in 17, partially compliant in six and non compliant in one recommendation.
• The Republic of Kazakhstan was found to be compliant in five, largely compliant in 28, partially compliant in seven of the recommendations.
• Turkmenistan was found to be compliant in eight, largely compliant in 19 and partially compliant in 13 recommendations.
• The Republic of Uzbekistan was found to be compliant in eight, largely compliant in 26, partially compliant in 6 recommendations.

Gabon was found to be compliant in three, largely compliant in ten, partially compliant in 18 and non compliant in nine recommendations.

The Republic of Chad was found to be compliant in four, largely compliant in ten, partially compliant in 17 and non-compliant in nine of the recommendations.

You can read the consolidated ratings here.

On 21 July, the ADGM’s RA issued a fine of US$12,000 to Moore Stephens and its registered audit principle for acting outside of licence permissions. The fine consisted of US$8,000 to Moore Stephens and US$4,000 to Farad Kersi Lakdawala. The RA found Moore Stephens to have conducted an audit for an ADGM firm in 2021 without holding the correct licence against the core principle of acting with ‘due care, skill and diligence’. In addition, the firm did not apply the correct international standards in accordance with the International Ethics Standards Board for Accountants ‘Code of Ethics for Professional Accountants’ (‘IESBA Code’) and auditing standards pursuant to the International Standards on Auditing (‘ISA’).

You can read the ADGM report here. You can read the decision notice for Stephen Moore in full here and Farad Kersi Lakdawala here.

On 20 July, the ADGM’s Regulatory Authority (‘RA’) issued a fine of US$90,000 to Equiom Corporate Services (Middle East) Ltd (‘ECS’) for failing to implement suitable money laundering policies and procedures in accordance with the AML rulebook. Following a regulatory inspection, ECS failed to apply customer due diligence (and enhanced due diligence, where it applied), in addition to primary and ongoing checks on source of wealth, source of funds and beneficial ownership. ECS received a 20% discount of fine due to early settlement.

You can read the full notice here.