Regulatory Update: Middle East Edition – June 2021

His Highness Sheikh Maktoum bin Mohammed bin Rashid Al Maktoum, Deputy Ruler of Dubai and President of the Dubai International Finance Centre (“DIFC”), held the first board meeting of 2021 in May, during which he discussed the future of the DIFC, as well as commenting on the success of the first half of the year. His Highness praised the Dubai International Financial Centre Authority (“DIFCA”), Dubai Financial Services Authority (“DFSA”), and DIFC Courts for their contributions and agility over the period, which led to the success of the centre’s alignment with the 2024 strategic objectives. His Highness approved the 2030 strategy, which seeks to reinforce the DIFC’s infrastructure to attract exceptional global companies. The meeting was attended by His Excellency Essa Kazim, Governor of the DIFC; Tun Zaki bin Azmi, Chief Justice of the DIFC Courts; Fadel Al Ali, Chairman of the DFSA; Abdulfattah Sharaf, Hesham Al Qassim, and Arshad Ghafur.

Amazon Payment Services (“APS”) launched the Amazon FinTech Lab in the DIFC Innovation Hub, supporting the development of FinTech companies in the region. APS will provide an inclusive forum to discuss digital payments and their pain points and offer networking opportunities to encourage collaboration in the FinTech industry.

The DIFC FinTech Hive has announced the launch of the 2021 FinTech Hive AccelerateHer programme, which seeks to develop young women in financial services and equip participants for roles in executive positions. It aims to diversify the financial services sector of the future. Participants will benefit from mentorship opportunities, workshops, and networking events. The 2021 hybrid programme will combine online and face-to-face sessions for 40 participants who will join one of the two cohorts running throughout the year.

The programme is open to global applicants with six months to three years of experience in a financial institution. You can submit your application here.

Global Finance magazine has awarded the DIFC FinTech Hive the accolade of being one of the best innovation labs in 2021. The FinTech Hive has raised over $300 million in funds to date and supported more than 100 startups in the FinTech, InsurTech, RegTech, and Islamic FinTech industries across the region. The award highlights the centre’s efforts in transforming the region’s FinTech ecosystem and its commitment to driving sustainable economic growth.

The DFSA has opened its Innovation Testing Licence Programme to local and internal firms, enabling firms to test new and innovative financial products, services, and business models in and from the DIFC in a controlled regulatory environment. To participate in the licensed sandbox, applicants must provide a clear business model, along with their proposed product.

Applications will be accepted until 31st July by applying here.

The Legal and Director of Data Protection in the DIFC, Lori Baker, hosted an educational seminar on the role of the Data Protection Officer (“DPO”) and its importance for firms in the DIFC. Following the enactment of the DIFC Law No.5 of 2020 (“DPL”), firms conducting “high-risk processing” activities – as defined in the DPL – in or through the DIFC entity are required to appoint a DPO to oversee and monitor the processing of personal data under the control of the firm. Firms are susceptible to fines of USD 50,000 for failing to appoint a DPO where required by law.

You can find the DIFC’s DPO assessment tool here.

CCL offers a comprehensive assessment of your data protection infrastructure and can act as an outsourced DPO for your firm. For more information, contact Suzanne Ballabás.

The DFSA issued a ‘Dear MLRO’ letter following the issuance of new guidance from the Executive Office of the Committee for Goods Subject to Import and Export Control (the “Executive Office”) on targeted financial sanctions. The guidance reminds financial institutions and designated non-financial businesses and professions (“DNFBPs”) of their legal and regulatory obligations and clarifies procedures to request delisting, cancelling, and the unfreezing of funds.

Firms are reminded to:

• Cooperate with the Executive Office and the relevant supervisory authorities in all verification matters in a timely manner
• Implement freezing, cancellations, or lifting decisions without delay, pursuant to the related United Nations Security Council Resolution (“UNSCR”) or decisions of the Cabinet of the United Arab Emirates (“UAE”)
• Set and implement policies and procedures in compliance with Cabinet Resolution No. 74 of 2020 (Concerning the UAE list of terrorists and implementation of the UNSCR decisions)

You can read the new guidance in English here and in Arabic here.

The DFSA, in collaboration with the Central Bank of the UAE (“CBUAE”), the Securities and Commodities Authority (“SCA”) and the Abu Dhabi Global Market (“ADGM”) Financial Services Regulatory Authority (“FSRA”) (“the regulators”) launched a public consultation through June 2021, regarding the “Guidelines for Financial Institutions (“FI”)Adopting Enabling Technologies”. See 2.2 below for further details.

The CBUAE, together with the DFSA, the FSRA, the SCA, and the Ministries of Justice and Economy (collectively the “supervisory authorities”), published the AML and CTF Guidelines for 2021, following a review of financial institutions and DNFBPs during 2020-2021.

The supervisory authorities assessed areas, including governance frameworks, management oversight, AML and sanctions compliance, risk assessment frameworks, monitoring and surveillance tools, and record-keeping practices.

The supervisory authorities advised financial institutions as follows:

• In relation to governance frameworks and management oversight:
  • Money Laundering (“ML”) and Terrorist Financing (“TF”) assessments should be risk-based and tailored to identify and assess relevant ML and TF risks.
  • A ‘three-line defence’ model should be adopted: business operations are the first line of defence, risk and control functions are the second, and internal audits are the third. This model instils a risk culture, and internal controls should be adjusted to the size, business nature, and complexity of the firms’ operations.
  • ML and TF documentation should be clear and incorporate comprehensive procedures that identify key stakeholders and their respective ML and TF responsibilities.
  • A robust AML and CTF programme should be developed to mitigate identified risks.
  • An appropriate compliance officer and money laundering reporting officer with suitable experience should be appointed.
• In relation to onboarding and continuous monitoring of customers:
  • Customers should be risk-rated in accordance with the internal policy. A risk rating model to determine the customer risk rating should be developed based on different risk factors according to nature, complexity, size, products and services, delivery channels, business segments, and jurisdictions.
  • Know Your Client (“KYC”) data should be complete and of high quality.
  • Appropriate Customer Due Diligence (“CDD”) should be undertaken at the time of onboarding, and risk-based ongoing due diligence should be conducted throughout the business relationship.
• In relation to monitoring and surveillance:
  • Surveillance indicators should be established to identify suspicious activity and transactions, and such indicators should be reviewed and updated on an ongoing basis.
  • Firms should comply with the directives of the relevant competent authorities and supervisory authorities concerning targeted financial sanctions and other decisions issued by the UN Security Council.
  • Suspicious transactions must be reported to the UAE Financial Intelligence Unit (“FIU”) without delay.
• In relation to record-keeping:
  • Detailed records, documents, data, and statistics for all transactions should be maintained. All CDD records, account files, business correspondence, and results of any analysis undertaken should also be maintained.

The supervisory authorities advised DNFBPs as follows:

• In relation to compliance culture and awareness:
  • The AML/CTF framework should be effective and of high quality.
  • The compliance culture should be robust.
• In relation to ML/TF Risks:
  • Identify, assess and understand the ML/TF risk when making business-wide assessments.
  • ML and TF risks should be effectively mitigated through internal policies, procedures, and controls.
• In relation to customer due diligence:
  • The CDD measures applied should be risk-based.
• In relation to policies and procedures:
  • The policies and procedures should be clear steering documents and must incorporate comprehensive procedures.
• In relation to internal controls:
  • Strong internal controls that are adequate to mitigate risks concerning customers, products and services, and/or transactions must be developed and maintained.
• In relation to suspicious activity reporting,
  • Suspicious activities and any additional information related to them must be reported to the FIU without delay.

You can read the full report here.

The DFSA imposed a temporary restriction on FFA Private Bank (Dubai) Limited (“FFA”) due to concerns about its trading systems and controls to identify, assess and report suspicions of market abuse. The firm is prohibited from receiving, arranging, or executing trading orders from, or on behalf of, specific clients until it can demonstrate a suitable enhancement to its controls.

Firms are reminded to reassess the effectiveness of internal systems and controls. They should demonstrate that an adequate framework is in place to identify and report suspicions of market abuse.

The FSRA issued a consultation paper proposing the use of non-face-to-face verification, known as electronic Know Your Customer (“eKYC”), for the discharge of CDD requirements. The proposal imposes standards that are closely aligned with the Financial Action Task Force (“FATF”) recommendations, as well as the UAE’s Federal Anti-Money Laundering legislation and guidance issued by the FSRA and other federal authorities. The consultation paper proposes to update the Anti Money Laundering and Sanctions Rules and Guidance (“the AML Rulebook”) and the General Rulebook (“GEN”). Comments are welcomed by the 29th July 2021 by emailing [email protected] using the consultation paper title as the subject line.

You can review the paper here.

The CBUAE, SCA, FSRA of Abu Dhabi Global Market (“ADGM”) and the DFSA (“the regulators”) launched a public consultation through June regarding the “Guidelines for Financial Institutions Adopting Enabling Technologies”. The regulators sought input on cross-sectorial principles and best practices for enabling technologies, such as application programming interface, big data analytics and artificial intelligence, biometrics, cloud computing, and distributed ledger technologies. The guidelines seek to implement international standards and industry best practices and will apply to all financial institutions using enabling technologies that are licensed and supervised by the regulators.

The guidelines will be implemented in the second half of 2021 and can be reviewed in draft here.

The FSRA has imposed several fines ranging from USD 5,000 to USD 10,000 on eight DNFBPs for contravention of AML and sanctions and guidance rules. The DNFBPs failed to submit their annual AML returns by the FSRA’s deadline.

Financial institutions and DNFBPs are reminded of their AML reporting obligations to report on their operations between the 1st January to the 31st December by the following the 30th April each year.

The CBUAE issued new outsourcing regulation and accompanying standards (collectively “the Regulation”) for banks operating in the UAE. The Regulation enhances the framework governing the UAE’s banking sector, ensuring banks are appropriately managing the risk of using outsourced functions.

The Regulation requires that:

• Policies and procedures for outsourcing activities must be approved by the board
• Banks outsourcing material activities must obtain a notice of non-objection from the CBUAE
• Banks must obtain approval from the CBUAE and customers before sharing any confidential data

You can read the regulation here and the standards here.

The CBUAE issued two guidance notes on AML and CTF for licensed financial institutions. The guidance should enhance firms’ understanding of their obligations under the Federal Decree-Law No. (20) of 2018 on AML/CTF and the Cabinet Decision No. 10 of 2019, with consideration to the FATF’s international standards.

The guidance reminds firms of their obligation to:

• Make suspicious activity reports within 35 days of detection
• Submit suspicious activity reports to the FIU via the goAML platform
• Implement an effective AML/CTF programme suitable to the specific risks faced by the firms

You can read the guidance here.

The CBUAE issued guidance on AML and CTF for its licensed FIs, which provide services to real estate and precious metals and stones sectors. The guidance will assist firms in understanding their statutory obligations under the UAE’s legal and regulatory framework in conjunction with Notice no. 74/2019 “Procedures for Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations”. The guidance provides an overview of the specific risks these industries face, including the attractiveness of illicit finance in otherwise legitimate sectors, the facilitation of international movement of value, and the exploitation of varying regulatory regimes such as the requirement to conduct CDD for certain transactions. The guidance provides useful typology references, mitigation factors, and CDD and Suspicious Activity Reporting expectations in the UAE.

The guidance came into effect on the 20th June, 2021.

You can read the guidance here.

The SCA has been awarded the ISO 22301:2019 certificate to acknowledge its resilience and management during the COVID 19 pandemic. The ISO 22301:2019 standards are internationally recognised business continuity and management standards that require firms to prepare diligently and respond to disruptive incidents. The certificate was received in the field of “drafting regulations governing transactions taking place on the UAE financial markets and the licensing, inspections and supervision of companies operating in the securities and commodities field” and is one of 11 certificates obtained by the SCA to date.

Her Excellency Dr. Maryam Buti Al Suwaidi, acting Chief Executive Officer of the SCA, reviewed the SCA’s development initiatives with Prof. Marlene Amstad, Chair of the Swiss Financial Market Supervisory Authority (“FINMA”) to address issues in the securities sector. The agenda included a review of international best practices, the exchange of observations in promoting the investment environment, sustainable investing, virtual assets, and self-regulatory organisations, and a discussion on the development of initiatives to accelerate the SCA to upgrade to advanced market status.

The FATF has published various resources to assist firms in implementing RegTech as part of their AML / CTF measures. The resources cover considerations such as the efficiency of CDD, the expectations of a risk-based approach for using RegTech, and the quality of results.

Firms can read the FATF report on emerging and available technology solutions here and can read the opportunities and challenges summary here.

The FATF released the 2021 follow-up reports for Bhutan, Pakistan, and Mexico, assessing the technical compliance deficiencies identified in their respective Mutual Evaluation Reports.

The assessment results are as follows:

• Bhutan has been reevaluated as largely compliant with the six recommendations reviewed.
• Pakistan has been reevaluated as compliant on 5, largely compliant on 16, and partially compliant on one recommendation of the 22 recommendations reviewed.
• Mexico has been reevaluated as compliant on 8, largely compliant on 22, partially compliant on 9, and non-compliant on one recommendation of the 40 recommendations reviewed.

You can read the complete evaluation for Bhutan here; for Pakistan here; for Mexico here.

The United States Securities and Exchange Commission (“SEC”) obtained an asset freeze and other emergency relief measures against two investment firms: UCB Financial Advisers, Inc., and UCB Financial Services, for engaging in the act of ‘cherry picking’ in which they channeled USD 4.6 million into preferred accounts. The SEC also filed fraud charges against Ramiro Jose Sugranes, an investment professional.

Firms are reminded to conduct regular reviews, maintain details of employees’ close ties, and report suspicions of market abuse to the relevant supervisory authorities.