Regulatory Update: Middle East Edition – June 2022

The Dubai International Financial Centre (“DIFC”) has increased interest from American firms wishing to establish a regional presence in the DIFC following a US roadshow led by His Excellency Essa Kazim, Governor of DIFC. As part of the roadshow, the UAE delegation hosted an exclusive event attended by Standard Chartered Bank and the US-UAE Business Council, including the UAE Consul General in New York, Her Excellency Amna Binzaal Almheiri. The event highlighted market access, innovation, and talent as key reasons for DIFC’s success as a global platform and praised the current US$23 billion bilateral trade relationship.

The DIFC hosted Financial Technology (“FinTech”) week from 28 – 29 June, hosting more than 1,000 attendees across the FinTech sector. The event attracted FinTech innovators, leading investment firms, banks, policymakers, and service providers to join over 40 events, including key-note speakers, panel discussions, enterprise use-case presentations, and product showcases. The event will focus on the next phase of FinTech, including Web 3.0, metaverse, non-fungible tokens, crypto, blockchain, payments, embedded finance, open banking, regulatory technology, as well as environmental, social and governance initiatives.

The Dubai Financial Services Authority (“DFSA”), in partnership with Help AG, the administrators of the DFSA’s reporting platform, the Threat Intelligence Platform (“TIP”), held an educational session on cyber security. The seminar consisted of two sessions; email security and cloud attacks, based on trends observed on the TIP platform. Regarding email security, firms are reminded to follow basic IT hygiene measures and to provide awareness training on phishing and spearfishing, disingenuous links, malware and malicious content, inception and tampering with emails, fraud and business email correspondence, and the risk associated with these threats and attacks. Concerning cloud attacks, firms are expected to understand the technology behind their cloud solutions, especially where they use multi-cloud environments and to control network access and identification capacities to assess, defend and respond appropriately to risks.

The DIFC Academy held a training session on the registration and submissions for the Economic Substance Regulation (“ERS”), Common Reporting Standards (“CRS”) and the Foreign Account Tax Compliance Act (“FATCA”).

Per Resolution no. 57 of 2020 concerning Economic Substance Regulations, firms considered a licensee carrying out a relevant activity which derives income must report 12 months after the first financial year and submit a notification of eligibility six months following the report. The report will not be required for the reporting period when the firm submits a notification that demonstrated a valid exclusion.

The UAE is subject to FATCA and CRS regimes, and the Ministry of Finance (“MoF”) collates information to fulfil reporting obligations. Firms should register on the MoF portal if they are incorporated or registered within the UAE or are UAE branches of non-UAE financial institutions. Firms are required to submit a self-assessment in January and an annual reporting and risk assessment in June; an audit questionnaire may follow in September. Some firms will be subject to exemptions.

Firms registering for CRS and FATCA are advised of the updated deadline from 30 June 2022 to 20 July 2022.

The DFSA has issued multiple questionnaires throughout June to assist with upcoming thematic review findings, including targeted financial sanctions and suspicious activity report survey, an MLRO survey, and a cyber security survey. Firms were required to report their current understanding of the topics and provide insight into their policies and procedures.

In addition, the DFSA issued two questionnaires for their internal reporting purposes. The first regarding the firms’ involvement with Mr Sanjay Shah following a recent fraud finding, and the second expressing the firms’ interest in seeking a licence variation following the publication of the proposed Crypto Token Regime.

You can read the Crypto Token Regime here.

The DFSA has taken action against Trevor Conway, the SEO of Tradition, for showing a lack of fitness and propriety when overseeing trading activities concerning the Murabaha (an Islamic financing structure) commodities trading desk (the “Desk”). The Desk facilitated the purchase and supply of title to metal commodities sourced from suppliers for the use of the Desk’s clients to substantiate their Murabaha-based transactions with their respective customers. The Desk was found to be making available warrants that had previously been used and, therefore, the Desk did not provide clients with current titles to metal commodities contrary to Islamic finance principles. Trevor Conway was aware of the title of the metals being a precondition to Murabaha transactions and did not take action to stop the misleading practice.

You can read the enforcement notice here.

Lori Baker, VP, Legal & Director of Data Protection, Office of the Commissioner of Data Protection, hosted “Tuesday talks with Lori” on inspection requests under the DIFC Law no.5 of 2020 on Data Protection. The DIFC Commissioner has commenced inspections by issuing over 100 inspection requests for firms registered in the DIFC. The inspection request will require firms to explain and demonstrate a comprehensive data protection infrastructure in line with their obligations under the law. The inspection questionnaire will be accessible via the DIFC portal, and firms will be notified of a request via their primary contact registered in the DIFC portal. The request will be broken into three sections covering:

• background information – data processing
• resource management and training
• data processing questionnaire

Firms have two weeks to action a request with no possibility of an extension. Fines will be automatically issued for failing to respond. Whilst fines are unlikely to be issued without further investigation and direction from the Commissioner, firms should be aware of the Commissioner’s powers to issue fines and provide directions (including the requirement to assign a dedicated resource to data protection, often referred to as a Data Protection Officer) as well as the power to publish compliance failures.

You can download our helpful data protection articles here.

The Abu Dhabi Global Market (“ADGM”) Registration Authority (“RA”) has announced a 12-month moratorium on new licence applications to become registered Company Service Providers (“CSP”), expiring on 16 June 2023. The moratorium includes any amendments to the business activities of existing ADGM licence holders, as well as new applications for registration including activity 7025 – Company Service Provider. The Registrar may grant exceptions.

The ADGM signed a Memorandum of Understanding (“MoU”) with First Abu Dhabi Bank (“FAB”) to support the growth of the banking and financial services community. The MoU will provide preferential banking services to ADGM firms including fast and efficient account opening and dedicated client managers. In addition, the MoU outlines a framework that enables both parties to share knowledge and strengthen FinTech initiatives such as the ADGM Digital Lab. The MoU will create opportunities for business development, and education and awareness campaigns within the ADGM.

The MoF had a virtual outreach session on “Best practices on raising Suspicious Activity Reports (“SAR”)” for the banking and securities sector.

The MoF highlighted the following as satisfactory practices:

• reviewing alerts using a risk-based approach and typologies
• identifying proliferation financing suspicions and reporting in a timely manner
• suitably investing in resources and capacity to assess and handle SARs
• documenting rationale even where the suspicion is disregarded
• ensuring alerts are discounted or escalated
• performing screening and adverse media checks on all counterparties
• designing tailored training programmes using quality analysis
• quality documentation of changes to risk ratings
• suitable controls to ensure changes to sanction lists are documented
• implementing clear policies and procedures
• ongoing, accurate and up-to-date know your client documents and assessments

The MoF listed the top red flags reported for banks as:

• lack of documentation to support transactions
• transactions that are inconsistent with the account’s regular activity
• transactional activity inconsistent with a customer’s alleged employment, business or expected activity, or where the transactions lack a business or apparent lawful purpose
• accounts that show a high velocity in the movement of funds
• the transaction is not economically justified considering the accountholders business

The MoF also provided the top red flags for finance companies as:

• evidence of corporate fraud
• transactions frequently in “rounded off” amounts
• transactions are not economically justified considering the accountholders business or profession
• transactional activity is inconsistent with the customer’s alleged employment, business or expected activities, or where transactions lack a business or apparent lawful purpose
• the ultimate beneficial owners are not adequately identified

In addition, firms are reminded to provide comprehensive SARs with a high level of detail to facilitate an efficient investigation.

The Abu Dhabi Accountability Authority launched the anti-corruption platform called “Majib” designed to report corruption concerns for any entity owned by the Abu Dhabi Government by 25% or more. The platform allows for concerns to be reported subject to whistleblowing protections and displays a positive move towards accountability and anti-corruption measures in the UAE.

The Abu Dhabi Securities Exchange (“ADX”) has issued circular 29/2022 “concerning insider trading prohibition period”. ADX has advised that all Securities and Commodities Authority (“SCA”) listed companies, accredited brokers and investors in ADX of the commencement of the insiders trading prohibition period starting on 16 June 2022, pending the full disclosure of the 2nd Quarter of 2022 financial statements. The decision was made subject to Article No. (14) of SCA Board of Directors’ Decision No. 2/R of 2001 “concerning the regulations as to Trading, Clearing, Settlement, Transfer of Ownership and Custody of Securities”.

The Financial Intelligence Unit (“FIU”) issued its Quarter 1 2022 feedback report for reporting entities. The FIU reported:

• multiple failures to report customer suspicions where the activity displays clear red flags as highlighted in published typologies
• cases of defensive reporting and blacklisting clients based on a request for information from the FIU
• mismatches of information between submitted SAR / Suspicious Transaction Reports (“STR”) and the submitted supporting documentation

Firms are reminded that a request for information from the FIU is not the same as a search and freeze order. The firm should apply appropriate levels of customer due diligence and risk management and mitigation measures; SARs or STR should only be raised where suspicion is present.

The Executive Office for Control and Non-Proliferation (“EOCN”) issues guidance on counter Proliferation Financing (“PF”) for Financial Institutions (“FI”), Designated Non-Financial Businesses and Professions (“DNFBP”) and Virtual Assets Service Providers (“VASP”). The guidance explains the various stages of PF, the framework establishing counter PF in the UAE, understanding and assessing PF risks, preventative and mitigating measures (including training and the use of dual goods), international obligations, sanction evasion, and red flags.

Firms are reminded to apply enhanced due diligence measures where transactions are assessed as high risk. This may include:

• obtaining additional information or updating a client’s record more frequently
• requiring the client to provide a list of main suppliers and customers and conducting suitable due diligence on the same
• reviewing the clients’ policies and procedures (especially around export controls) and requesting they be enhanced where required, and obtaining senior management for continuing business

Firms can register for upcoming events from the EOCN here.

The FATF reviewed the progress of the United Kingdom (“UK”) in meeting their AML and CTF obligations reported in their Mutual Evaluation Report (“MER”). The MERs assess jurisdictions against 40 FATF recommendations.

The UK has been reported as compliant in 24, largely compliant in 15, and partially compliant in 1 recommendation.

The updated consolidated rating table can be found here.

FATF and FATF-style regional bodies have updated their monitoring lists. The so-called “grey” list addresses countries considered to have deficiencies in line with the FATF’s 40 recommendations on terrorist financing, counter money laundering, and financing of proliferation. The so-called “black list” addresses countries that have significant deficiencies in the FATF 40 recommendations and requires either the application of enhanced due diligence or rejection of business as well as a report to the Executive Office of Non-Proliferation.

Counties moved onto the grey list are subject to increased monitoring until the deficiencies are addressed; countries on the blacklist have failed to complete the FATF implemented an action plan to address significant deficiencies and are subject to ongoing review.

The grey list includes:

• Albania
• Barbados
• Burkina Faso
• Cambodia
• Cayman Islands
• Gibraltar
• Haiti
• Jamaica
• Jordan
• Mali
• Morocco
• Myanmar
• Nicaragua
• Pakistan
• Panama
• Philippines
• Senegal
• South Sudan
• Syria
• Türkiye
• Uganda
• United Arab Emirates
• Yemen

Malta has made substantial progress in addressing its deficiencies and is no longer subject to increased monitoring; following the identification of new deficiencies, Gibraltar has been added to the list.

The blacklist includes:

• Democratic People’s Republic of Korea (“DPRK”)
• Iran

For further details of each jurisdiction’s report in June 2022, click here.

The FATF has issued a statement on the conflict in Ukraine and has decided to limit the Russian Federations’ role and influence within the FATF.

The FATF will monitor the situation and consider at each of its Plenary meetings whether the grounds exist for lifting or modifying these restrictions.

The FATF advised all jurisdictions to remain vigilant to possible emerging risks from the circumvention of measures taken as well as vigilant of threats to the integrity, safety, and security of the international financial systems due to the conflict.

The FATF held its midyear plenary meeting for 2022. The discussions included the conflict in Ukraine (see 4.3 for further information), approval of an anti-money laundering report for the real estate sector, and a targeted update on virtual assets and virtual asset providers.

The meeting signifies the final FATF meeting under the German Presidency of Dr. Marcus Pleyer whose focus whilst in presidency included challenges in digitalisation and the balance of data protection. The incoming President will be T. Raja Kumar of Singapore from 1 July 2022.

The FATF confirmed ongoing work to help countries more effectively recover criminal assets. The upcoming report will discuss countering money laundering from ransomware attacks and provide an update on best practices to combat the abuse of non-profit organisations. Further reports are set to be released which discuss the misuse of citizenship and residency by investments schemes, guidance on how to assess the implementation of the “United Nations Convention against corruption”, and a review on how the non-financial sector may facilitate corruption.

The FATF also released a white paper for public consultation on revisions to recommendation 25 (of the FATF 40 recommendations) relating to transparency and beneficial ownership of legal arrangements.

The proposed amendments and clarifications or feedback cover topics such as:

• countries should require trustees of any express trust governed under their law to obtain and hold adequate, accurate, and current beneficial ownership information regarding the trust
• all countries should take measures to ensure that trustees disclose their status to financial institutions and DNFBPs when, as a trustee, forming a business relationship or carrying out an occasional transaction above the threshold
• competent authorities, and in particular law enforcement authorities, should have all the powers necessary to obtain timely access to the information held by trustees and other parties

You can submit your comments before 1 August 2022 by emailing [email protected] with the subject line Comments of [author] on the draft Amendments to Recommendation 25.

You can read the white paper here.

The FATF held a conference on digital transformation and its use in combatting money laundering and terrorist financings more effectively and efficiently. The conference was attended by more than 100 experts in financial crime, data protection, and technology and discussed the potential impact of new technologies in the regulatory space. Key to the discussion was the interconnectivity of data protection and privacy regimes with anti-money laundering requirements, whereby new technologies balance the rights of individuals with the efficiency of anti-money laundering technologies. Mr Kumar, the future President of the FATF, stated that digital transformation in the AML space was imperative for the future of AML and CTF and proliferation techniques.

The Basel Committee on Banking Supervision published the “Principles for effective management and supervision of climate-related financial risks”. The report discusses key principles to improve the banks’ risk management and guides the banks to take a holistic approach to address climate-related financial risks in banking systems. The paper sets out 18 principles, including:

• implementation of an understanding of climate-related risk drivers and incorporating these into the business strategies and risk management frameworks
• board members should assign responsibilities to members or committees and exercise oversight
• appropriate policies, procedures and controls should be implemented across the entire organisation
• climate-related crime risks should be implemented into the three lines of defence framework
• identification and quantification of climate-related financial risks to be incorporated into internal capital and liquidity adequacy assessment process and stress testing programmes
• identification, monitoring and management of all climate-related financial risks that could materially impair the financial condition, including capital resources and liquidity positions; this should correlate with the banks’ risk appetite
• internal reporting systems capable of monitoring material climate-related financial risks and producing timely information to ensure effective board and senior management decision-making
• an understanding of the impact of climate-related risk drivers on their credit risk profiles to ensure that credit risk management systems and processes consider material climate-related financial risks
• an understanding of the impact of climate-related risk drivers on their market risk positions to ensure that market risk management systems and processes consider material climate-related financial risks
• an understanding of the impact of climate-related risk drivers on their liquidity risk profiles to ensure that liquidity risk management systems and processes consider material climate-related financial risks
• an understanding of the impact of climate-related risk drivers on other risks
• use of scenario analysis to assess the resilience of their business models and strategies to a range of plausible climate-related pathways and determine the impact of climate-related risk drivers on their overall risk profile
• incorporation of material climate-related financial risks into their business strategies, corporate governance and internal control frameworks is sound and comprehensive
• identification, monitoring and management of all material climate-related financial risks as part of their assessments of banks’ risk appetite and risk management frameworks
• supervisors should regularly identify and assess the impact of climate-related risk drivers on their risk profile and ensure that material climate-related financial risks are adequately considered in their management of credit, market, liquidity, operational, and other types of risk
• supervisors should utilise an appropriate range of techniques and tools and adopt adequate follow-up measures in case of material misalignment with supervisory expectations
• supervisors should ensure that they have adequate resources and capacity to assess banks’ management of climate-related financial risks effectively
• supervisors should consider using climate-related risk scenario analysis to identify relevant risk factors, size portfolio exposures, identify data gaps and inform the adequacy of risk management approaches

You can read the report here.

The BIS set out its blueprint for the future digital monetary system considering the future of central bank money being held in digital representation within a safe, stable, accountable and open infrastructure in its recent report “Annual Economic Report 2022”. The report examines the limitations of crypto and decentralised finance and its inherent associated risk and explores ways to secure the future of finance.

The report can be read in full here.

The CBUAE has imposed an administrative fine and financial sanctions on a finance company operating in the UAE for failing to submit audited financial statements by the deadline and failing to abide by CBUAE guidelines. In addition, the firm was directed to rectify compliance shortcomings in relation to the Consumer Protection Regulations and Complaint Management System rulebook within one month.

Firms are reminded to engage a reputable auditor to review financial statements promptly and diarise reporting obligations.

The Australian Financial Services (“AFS”) finds the financial services provider RI Advice (“RI”) in breach of its financial services licence in a landmark cyber security case. RI was found to have not acted efficiently, honestly and fairly as a result of its failure to have adequate risk management systems in place suitable for managing cybersecurity risks.

Firms are reminded to include cyber security in business risk assessments and include developments in the field on the Board’s agenda.

The South African arm of the UAE-based firm DeVere Group, Brite Advisors, and Nigel Green, the firm’s CEO, have been fined a combined $800,000 by the South African regulator (“FSCA”). In addition, the firm’s licence has been revoked and Mr Green has been barred from working in financial services within the country for 5 years. Mr Green was found to have failed to comply with various financial sector laws impacting his fitness and propriety requirements.

The judgement is subject to appeal proceedings.