Regulatory Update: Middle East Edition – September 2023

On 5 September, the Dubai International Financial Centre (‘DIFC’) graduated its first cohort of attendees on the Metaverse Accelerator Programme (‘MA Programme’). Ten regionals and global start-ups in the metaverse, Artificial Intelligence (‘AI’), Web3, Augmented Reality (‘AR’), Virtual Reality (‘VR’) and blockchain sectors attended the MA Programme. The graduates attended a demo day with the opportunity to pitch to top venture capitalists, angel investors and industry experts in partnership with over 60 DIFC Innovation Hub partners including Abu Dhabi National Insurance Company (‘ADNIC’), DP World and Daoverse Capital. The MA Progamme aligns with the goals of the Dubai Higher Committee for Future Technology and Digital Economy and the Dubai Metaverse Strategy to create over 40,000 virtual jobs by 2030.

You can read the DIFC Article here.

On 6 September, the DIFC and Global Ethical Finance Initiative (‘GEFI’) announced additional events in the lead up to COP28, which is due to be hosted in Dubai between 30 November and 12 December 2023. The first event ‘Financing Survival’ will discuss tactics in the wake of a climate crisis with interested stakeholders including asset managers and regulators.  A second event ‘Unlocking Islamic Financing at COP28’ will discuss the untapped pool of capital to actively address climate change acknowledging Dubai as the global leader in green and sustainable bonds and Sukuk.

Further events include:

• DIFC Academy and Heriot Watt University’s discussion on the rise and fall of empires by academics Adam Smith and Ibn Khaldun
• DIFC Academy Sustainable Development Goals (‘SDG’) hive discussion on achieving the United Nations (‘UN’) SDGs including sharing expertise on achieving the Paris COP21 goals, nature and biodiversity as well as channelling financial flows from global north to global south.

You can read the agenda in full here  You can read the DIFC article here.

On 7 September, the DIFC Data Protection Office announced amendments to the Data Protection Regulations (‘DPR’). The amendments include enhanced guidelines on the use of AI and semi-automatic processing, data breach management, use of data for marketing and generation of data through digital, generative technology systems. The regulations also require user notification for the use of semi-automatic and automated systems and websites when such programmes process personal data.

You can read the DIFC article here and the DPR here.

On 20 September, the DIFC published its report on the five-year innovation plan for financial services ‘Drivers of Innovation in Financial Services’. The report, published in partnership with Refinitiv, discusses sectorial disrupters including transforming client expectations following the pandemic, the introduction of Big Tech and FinTech and technological developments such as AI, blockchain and cloud computing.

The report stresses the importance of established institutions in embracing facilitating technologies and growth opportunities in line with the below trends to ensure competitiveness in the global market.

Key trends include:

• embracing open finance
• greater decentralisation of finance
• digital assets as a viable asset class
• increasing consideration of Environmental, Social and Corporate Governance (‘ESG’).

You can read the DIFC article here and the report here.

On 26 September, the DIFC announced a two-day sustainability forum from 4-5 October. The event is expected to attract over a thousand attendees across 30 countries and will discuss key ESG items.

The agenda explores topics including:

• financial services role in addressing climate change
• creating a just transition to a sustainable economy.

You can read the DIFC article here.

On 28 September, the DIFC announced its consultation for a first-of-its-kind Digital Assets Law in addition to a new Law of Securities and related amendments to existing legislation. The proposed legislation will keep the DIFC aligned with global trends in international trade and financial markets in addition to providing legal certainty for investors and users of digital assets.

Consultation Paper (‘CP’) No. 4 of 2023 regarding the Digital Assets Law (‘DAL’) seeks comments on:

• the definition of a digital asset
• the interpretation of a digital asset property
• rules of acquisition and transfer of title
• thresholds for enforcement for interference, impairment, or use
• available legal remedies.

To ensure consistency, the CP also proposes amendments to:

• Contract Law, DIFC Law No.6 of 2004
• Law of Damages and Remedies, DIFC Law No.7 of 2005
• Law of Obligations, DIFC Law No.5 of 2005
• Implied Terms in Contracts and unfair Terms Law (‘ITCUT Law’), DIFC Law No.6 of 2005
• Trust Law, DIFC Law No.4 of 2018
• Foundations Law, DIFC Law No.3 of 2018
• Insolvency Law, DIFC Law No.1 of 2019
• Insolvency Regulations.

Consultation Paper No.5 of 2023 regarding the Law of Security (‘LAS’) seeks comments on:

• key definitions and related requirements
• security rights in movable assets that become fixtures outside the DIFC
• treatment of fixtures
• treatment of rent as a receivable
• rules of acquisition financing
• the introduction of super-priority
• asset classes
• rule on limitation for collateral takers
• consumer protection thresholds
• security registry, filing and registration
• enforcement and remedies
• transitional timeframes.

To ensure consistency, the CP also proposes amendments to:

• Law of Security, DIFC Law No.8 of 2005
• Personal Property Law, DIFC Law No.9 of 2005
• DIFC Securities Regulations 2019.

The new law will repeal the DIFC Financial Collateral Regulation 2019 in its entirety.

Comments are welcome for both papers until 5 November by emailing [email protected].

The DIFC article can be read here. Consultation papers can be read here

On 5 September, the Dubai Financial Services Authority (‘DFSA’) issued a ‘Dear SEO’ letter on its observations as part of the Representative (‘Rep’) Office Sectorial Review. The review assessed Rep offices compliance with the Rep Office (‘REP’) rulebook and the applicable Anti Money Laundering (‘AML’) rules. The review was conducted in several stages starting with a desk-based exercise and progressing to onsite visits for selected firms.

Of the sample firms, two categories of key findings were addressed:

• regarding conduct compliance, Rep offices were found to:
• market open-ending and/ or digital asset funds contrary to their licence scope
• fail to meet the required regulatory disclosures
• produce promotional materials that did not comply with the DFSA rules on marketing content.
• regarding financial crime compliance, Rep offices were found to:
• fail to submit a Business AML Risk Assessment (‘BARA’) or submit an inadequate BARA resulting in inaccurate policies and procedures
• rely on group AML policies which did not reference DFSA rules
• appointed Money Laundering Reporting Officers (‘MLRO’) who failed to understand their duties
• fail to provide evidence of screening against the UN and UAE sanction lists.

Firms should:

• conduct a self-assessment of the firm’s compliance with the DFSA rulebooks in these areas considering the DFSA findings
• report any findings, with suggested remedial actions, to the DFSA before 30 October.

You can read the ‘Dear SEO’ letter here.

On 12 September, the DFSA issued a thematic review on complaints handling in accordance with the DFSA rulebooks.

The review aims to assess:

• the application of relevant rulebooks, in particular General Module (‘GEN’) Chapter 9, with reference to complaint handling, dispute resolution and compliance
• identify good practice and improvement areas to share with the DIFC community
• identify firms requiring further action where there is material non-compliance.

The review will be conducted in two phases. The first will consist of a desk-based review of policies, procedures, systems and controls; the second will apply to selected firms and will consist of an onsite visit.

Firms who have failed to submit by the deadline of 26 September will be sampled in phase two.

On 13 September, the DFSA hosted a findings seminar following the cyber simulation exercise conducted in May. The exercise replicated a large-scale cyber attack targeting financial institutions in the DIFC, allowing firms to test their response plan. The session discussed mechanisms for increasing cyber resilience and improvement areas and observed best practices in the community. In addition, the DFSA hosted an expert speakers’ panel who discussed global best practices, future exposures and mitigation measures.

On 20 September, Ian Johnston, Chief Executive at the DFSA, spoke at the Ethical Financial Global Summit 2023. Mr Johnston discussed the DIFC and the DFSA growth in sustainable finance highlighting the robust ecosystem available for industry expansion. The panel also discussed Dubai’s extensive guidance on ESG investing and transparency measures to protect stakeholders’ interests in the region.

Between the 18 to 30 September, Abu Dhabi Global Market (‘ADGM’) delegates attended International Private Equity Market (‘IPEM’) 2023 in Paris.  The event ‘Destined to Outperform’ was attended by key Abu Dhabi entities including Abu Dhabi Department of Economic Development (‘ADDED’), Abu Dhabi Investment Office (‘ADIO’), Abu Dhabi IPO Fund (‘ADIPOF’), Abu Dhabi Security Exchange (‘ADX’) and First Abu Dhabi Bank (‘FAB’) and promoted ADGM as the ‘Capital of Capital’ in line with the emirates vision. The event brought together thought leaders, industry experts from private equity, venture capital, hedge funds and the wider financial industry.

You can view the ADGM article here.

On 28 September, the ADGM in partnership with Deloitte, hosted a UAE tax seminar. The seminar educated attendees on the implementation and auditing implications of the UAE Federal Decree Law 47 of 2022 in addition to the support guidance released since publication.

You can read the Ministry of Finance (‘MOF’) site and the federal law here.

On 18 September, the Securities and Commodities Authority (‘SCA’) hosted an Anti-Money Laundering (‘AML’) and Counter Terrorist Financing (‘CTF’) workshop in collaboration with the Ministry of Economy (‘MoE’). The two-day workshop promoted UAE cooperation and an exchange on expertise in addition to upskilling MoE further embedding the strong compliance culture.

Topics included:

• assessment of money laundering risks
• supervision and inspection mechanisms
• procedures and systems
• enforcement actions
• imposition of punitive measures
• grievance measures
• corrective measures.

You can read the MoE article here.

On 28 September, the SCA invited stakeholders to comment on their satisfaction with the SCA’s website.  The feedback will be collated to improve the content and layout of the website to better meet the expectations of its users.

Comments are welcome until 25 October. You can read the SCA invite here.  

On 26 September, the UAE Sustainable Working Group (‘SWG’) launched consultation paper ‘Principles for Sustainable-Related Disclosures for Reporting Entities’. The SWG, consisting of the Central Bank of the UAE, the SCA and the ADGM’s Financial Services Regulatory Authority (‘FSRA’), seeks stakeholders’ opinions on four principles that will be treated as a minimum standard on disclosures for sustainability related matters.

The principles are:

1. Reporting entities should put in place adequate policies, procedures and systems allowing them to report on sustainability-related matters.
2. In disclosing information about their sustainability-related risks and opportunities, reporting entities should consider including the several factors including:
   • transparency
   • materiality
   • relevance
   • comprehensiveness
   • consistency and comparability
   • clarity
   • frequency and timeliness
   • stakeholder engagement
   • verification and assurance
   • integration
   • continual review and improvement.
3. Sustainability-related disclosures should reflect the way in which an entity operates, including in the areas of governance, strategy and risk management, and incorporate relevant metrics and targets. While additional, specific disclosure requirements may apply depending on the type of reporting entity, the following minimum disclosures would be expected from the reporting entities:
   • governance
   • strategy
   • risk management
   • metrics and targets
4. To improve transparency and quality of sustainability-related, product-level disclosures, market participants should consider the following elements when dealing with and offering sustainability-related products:
   • naming
   • labelling and classification
   • objectives disclosure
   • risk disclosure
   • marketing materials
   • monitoring and reporting.

Comments are welcome by 20 October here.

You can view the DFSA article here. You can read the principles’ detail here.

On 13 September, the Ministry of Finance (‘MOF’) hosted the regional Organisation for Economic Co-operation and Development (‘OECD’) event ‘pillar two; the global minimum tax of base erosion and profit shifting and the global anti base erosion rules’. Participants discussed the strength in enforcing a global minimum tax, the importance of an internationally coordinated system of taxation and the use of policy and legislation in building a strong and sustainable ecosystem.

The agenda included various panel discussions regarding:

• technical developments
• latest developments
• roadmap of implementation and administration
• scope of sovereign wealth funds and joint ventures.

You can read the MOF article here.

On 1 September, the Executive Office for Control and Non-Proliferation (‘EOCNP’) published guidance on Reg Flags for financial institutions, Designated Non-Financial Businesses and Professions (‘DNFBP’) and Virtual Asset Service Providers (‘VASPs’) in the UAE and other regional countries.

Notable red flags for terrorist financing include:

• multiple withdrawals of ATM cash
• funds sent or received via international transfers especially from higher risk jurisdictions
• foreign exchange transactions on behalf of a third party without apparent business connection with the customer or to higher risk jurisdictions
• multiple business accounts/ non-profit organisations/ charities distributing funds to a small number of foreign beneficiaries
• transactions or entities identifying risk through media or sanctions screening.

Notable flags for proliferation financing include:

• dealing directly or through a third party with sanctioned countries
• the use of shell companies
• dealings with dual-use or controlled goods
• forged or counterfeited documents
• tampered of modified documents without explanation
• nonspecific, innocuous or misleading description of gods
• shipment of goods which is incompatible with business activity
• activity which does not align with original or intended purpose of the company
• shipment of goods/ transaction involved in sale is incompatible with technical level of the country to which the goods are being ships
• over complex deals which seem to hide the final destination
• complex legal entities which seems to hide Ultimate Beneficial Owner (‘UBO’)
• excessive use of currency exchange
• use of cyber-attacks to steal funds
• transfer through a country with weak export controls
• undervalued shipment declaration
• use of a personal account for business export items
• rapid movement of high-volume transactions and a small end of day balance with no business reason
• unnecessary third-party involvement without reasonable cause
• customer activity which does not match customer business profile
• inconsistence across contract involves or other trade documents.

The guidance also provided insight into more global red flags to be considered for both regional and international firms.

You can read the article in full here.

Between 19-21 September, the EOCNP held a workshop on ‘technical risk assessment of dual-use exports’ in partnership with the United States of America (‘USA’) Bureau of exports and border security. The workshop form part of a series of qualifications and training programmes aimed to understand proliferation threats, risk analysis, classification of goods, the role of licensing, and end-user assessment.

You can read the EOCNP article here.

On 14 September, the Kingdom of Saudi Arabia (‘Saudi Arabia’) enacted new data protection laws. The Personal Data Protection Law (‘SPDPL’) will apply to personal data taken from residents of Saudi Arabia, businesses processing data on behalf of Saudi residents and business incorporated in Saudi Arabia processing personal data. Applicable businesses will have until 14 September 2024 to comply with the new law which requires extensive policies, procedures, system and contractual updates in addition to the appointment of a data protection officer.

You can read the SPDPL and its supporting regulations here.

On 19 September, the Saudi Central Bank (‘SAMA’) launched its cyber anti-fraud programme. The intensive programme will span three-months and will focus on key local and international trends. Attendees will consider international and standard practices in the industry.

You can read the SAMA article here.

On 21 September, SAMA hosted the Anti-Money Laundering Permanent Committee (‘AMLPC’) to discuss AML/Counter Terrorist Financing (‘CTF’) and Counter Proliferation Financing (‘CPF’) efforts in the Kingdom. Attendees discussed the use of coordination and cooperation mechanisms between authorities to strengthen

compliance in line with international standards such as the Financial Action Task Force (‘FATF’). Attendees also discussed the effectiveness of collaboration of public and private sectors in complying with AML requirements.

You can read the SAMA article here.

On 27 September, the Financial Action Task Force (‘FATF’) reviewed the progress made by Luxemburg to meet its 40 FATF Recommendations on the countries AML and CTF efforts. The Mutual Evaluation Report (‘MEP’) was updated to be compliant in (28), largely compliant in (11), and partially compliant in (1) recommendations.

You can read the MEP here.

On 27 September, the FATF updated its consolidated mutual evaluation reports. The consolidated table represents the jurisdictions’ efforts to improve compliance effectiveness and technical compliance in line with the 40 FATF Recommendations.

You can read the consolidated ratings here.

On 8 September, the ADGM Registration Authority (‘RA’) issued a decision to revoke the licence of Terra Nova Holdings Ltd (‘Terra Nova’).

The RA found several failings including:

• failing to meet conditions of its licence
• failure to maintain adequate accountancy records
• misrepresentation of annual accounts for 2019-2021
• failing to meet transparency expectations
• failing to apply suitable assessments and mitigate risks regarding business activities.

You can read the ADGM article here. You can read the decision notice here.

On 1 September, the Irish Data Protection Commission fines TikTok Technology Limited (‘TTL’) EUR 345M for General Data Protection Regulation (‘GDPR’) violations.  In addition, TTL received a public reprimand and an order to comply within three months.

During 31 July 2020- 31 December 2020, the DPC found that TTL failed to:

• protect children’s personal data by setting default public settings
• verify users age prior to access
• implement suitable transparency with the use of notifications.

You can read the decision notice in full here.