Regulatory Update November 2024 – ME Region

On 20 November, the Dubai Financial Services Authority (‘DFSA’) issued a Dear SEO Letter ‘Key Themes and findings from the Cyber Thematic Review 2024’. This letter notified Authorised Firms (‘AFs’) of the key findings from the thematic review conducted on cyber, encompassing a review of the governance, hygiene and resilience of firms’ respective cyber risk management frameworks.

The review identified weaknesses in the following areas:

• cyber risk management framework
  • a significant number of firms have not established a cyber risk management framework which mitigates cyber risks
  • there is a lack of a defined written approach to cyber risk management
  • in many instances, the governing body does not maintain adequate oversight of cyber risk management programmes
  • findings of cyber security audits, reviews and test are not always reviewed by senior management on a regular basis
• cyber risk identification and assessment capabilities
  • some firms failed to identify and classify information and communications technology assets, only considering end-point information technology (‘IT’) equipment
  • failure to consistently and regularly update their IT and information asset register
  • cyber risk assessments did not adequately calculate risk and were not aligned with industry standards
• third-party cyber risk management
  • there is a notable gap in third-party risk management processes
  • firms had not undertaken due diligence to ensure that third-party service providers (‘TPSPs’) meet cyber security requirements as defined by the firm
  • firms did not include formal cyber security requirements in contracts with TPSPs
• vulnerability assessments and penetration testing
  • firms did not perform cyber security tests such as vulnerability assessments or penetration tests of their critical information
  • firms that do conduct such tests, only conduct automated scans, without using any other methods such as scenario-based testing, penetration tests or red team exercises
• encryption of data stored on hard drives and removable devices
  • some firms have failed to enforce encryption of workstation hard drives and removable media devices such as USB flash drives
• cyber training and awareness campaigns
  • the majority of small and medium-sized firms do not have comprehensive cyber training
• cyber incident response planning and preparation
  • cyber incident response plans were not robust or tailored to the firm
  • the plans were not reviewed and updated on a regular basis
• continuous monitoring detection and response capabilities
  • 20% of firms do not have continuous identification and response capabilities for managing cyber incidents concerning their critical information systems
• incident response testing programme
  • 35% of firms do not conduct incident response testing on a regular basis
• cyber incident notification and intelligence sharing
  • some firms failed to notify the DFSA about material cyber incidents.

The DFSA expects all AFs to take note of this review and consider further improvements to their systems and controls where appropriate.

You can read the Dear SEO Letter here and the Thematic Review here.

On 19 November, the DFSA hosted its Annual Outreach session. The DFSA stated that its strategic focus for 2025-2026 will be on four pillars: delivery, engagement, innovation/cyber security and sustainability and financial crime. The DFSA is also planning a number of consultation papers and policy updates as many regulations were introduced approximately 10 years ago, therefore, requiring an update. This includes policy initiatives such as Basel III, operational resilience, corporate governance and Islamic finance.

The areas of focus for 2025 are:

• risk assessments
  • credit and funding concentration, operational resiliency
  • insurance compliance and conduct
  • high-risk firms
  • AML risk assessments
• thematic reviews
  • insurance monies
  • high-growth firms
  • conflicts of interest
  • financial crime including audit obligations
  • the effectiveness of compliance functions in the FinTech industry
• regulatory collaboration
  • Financial Action Task Force (‘FATF’) Mutual Evaluation 2024
  • GCC Regulatory College
• other key topics
  • newly licensed firm initiatives
  • continuous monitoring of technology and cyber security risk
  • audit firm governance, culture, workloads
  • data integrity and accuracy.

You can read the DFSA article here.

On 21 November, the Dubai International Financial Centre (‘DIFC’) announced the enactment of amendments to DIFC Law on the Application of Civil and Commercial Laws in DIFC (the ‘Application Law’).

The DIFC has introduced amendments to the Application Law to clarify the role of DIFC statute and common law in its legal framework through two new articles, 8A and 8B:

• Article 8A establishes that DIFC Law is determined primarily by reference to DIFC statutes and DIFC Court judgments interpreting these statutes
  • as DIFC law is not strictly statutory, it is supplemented by the common law, including equity principles
  • the DIFC Courts may refer to common law from jurisdictions such as England and Wales to develop or modify legal principles.
• Article 8B confirms that the interpretation of DIFC statutes can be guided by principles from analogous laws in common law jurisdictions
  • For example, if a DIFC statute is based on an international model law, interpretation may also draw on related international jurisprudence, commentary, and interpretative aids.

These amendments reinforce the integration of English common law and global legal developments, ensuring flexibility and alignment with international standards within the DIFC’s legal system.

The DIFC has implemented two key changes to its real property regulations:

• mortgage registration fee: a new fee of 0.25% of the mortgage value will be charged to purchasers registering a mortgage on real property
• extended off-plan sales registration period: the registration period for off-plan sales has been increased from 30 days to 60 days.

The Amendment Laws came into effect on 21 November.

You can read the DIFC article here.

On 5 November, the Abu Dhabi Global Market (‘ADGM’) announced that it has signed a Memorandum of Understanding (‘MoU’) with Singapore International Arbitration Centre (‘SIAC’) to strengthen international arbitration collaboration. Building on a 2021 MoU with ADGM Arbitration Centre, the agreement promotes arbitration as a preferred dispute resolution method. Key initiatives include exploring SIAC’s potential presence in ADGM, joint events on arbitration, and preferential rates for arbitration hearings across Abu Dhabi and Singapore.  The MoU was signed on 28 October 2024, during the 15th Abu Dhabi-Singapore Joint Forum, by SIAC CEO Gloria Lim and ADGM Courts CEO Linda Fitz-Alan.

You can read the ADGM article here.

On 11 November, the ADGM Registration Authority clarified that ADGM Registered Auditors can audit financial statements of Taxable Persons domiciled in ADGM for UAE Corporate Tax purposes. ADGM incorporated entities must prepare annual financial statements in line with International Financial Reporting Standards (‘IFRS’), unless exempt, and required audits must be conducted by ADGM Registered Auditors. These auditors are regulated under the ADGM Auditors’ Framework and the ADGM Companies Regulations (Auditors) Rules 2023.

You can read the ADGM article here.

On 12 November, the Financial Services Regulatory Authority (‘FSRA’) issued Consultation Paper No.10 of 2024 titled ’Proposed Miscellaneous Amendments to FSRA Regulations, Rules and Guidance’. The FSRA has issued this consultation paper to invite public feedback on proposed amendments to FSRA regulations, rules and guidance.

Proposed key amendments to Financial Services Market Regulations 2015 (‘FSMR’) include:

• Section 5A(2)
  • clarification regarding the FSRA’s decision-making authority over authorised persons conducting regulated activities related to virtual assets (‘VA’) or spot commodities (‘SC’), allowing the regulator to exercise its ‘Own-Initiative Requirement Power’ as outlined in section 42 of FSMR
• Section 133
  • removal of specific waivers introduced accidently by the FSRA for clearing houses and remote clearing houses that are not required to comply with the recognition requirements or remote recognition requirements, or where these institutions have failed to adhere to FSRA regulations
• Section 246
  • removal of the warning notice by the FSRA related to the proposed granting of a Financial Services Permission (‘FSP’)
  • clarification that the FSRA’s exercise of the Own-Initiative Requirement Power does not require a warning notice when imposing, varying, or cancelling a requirement
• refinement of several powers held by the FSRA in relation to the listing authority, which are currently phrased broadly, to better focus on specific regulatory objectives and ensure their prompt achievement for the benefit of listed entities and applicants
• reorganisation of section 247 dedicated to warning notices in numerical order for easier reference.

Proposed key amendments to FSRA Rulebooks include:

• Conduct of Business Rulebook (‘COBS’) 19.7.1 and Guidance under AML 6.1.1, 9.1.2 and 9.3.2
  • clarification that the prohibition on Payment Service Providers accepting physical cash in the form of banknotes and coins from any Payment Service Users extends to accepting and distributing physical cash indirectly, except through appropriately regulated financial institutions
  • addition of a signpost to the AML guidance to highlight the aforementioned prohibition
• General Rulebook (‘GEN’) 8.10.6
  • addition of a requirement for Authorized Persons to notify the FSRA if an individual performing a Controller Function is no longer fit and proper to carry out this role
• Market Rules (‘MKT’) (with associated changes to Fees Rules (‘FEES’) 9.1 and FSMR, section 64)
  • amendment to the relevant provisions in MKT to align with FSMR (section 64) by incorporating appropriate references to “admission to trading,” in relation to requirement for issuance of a Prospectus
  • clarification in FEES 9.1 in relation to filing fee applicable when a Prospectus is submitted for the purpose of seeking admission to trading.
  • amendment to section 64 of FSMR to clarify that it covers the use of foreign documents for the purpose of seeking admission to trading
• MKT 3.9.1
  • clarification that the disclosure of annual and interim reports must be prepared in accordance with the content requirements outlined in FUNDS but disclosed within the time periods outlined in MKT 10.1.8.
• Prudential — Investment, Insurance Intermediation and Banking Rules (‘PRU’)
  • amendments to the relevant references in PRU to refer exclusively to external credit ratings (‘ECAIs’) and eliminate the use of other terms
  • amendments to consistently use the corresponding ’Credit Quality Grades’ in relation to external credit ratings, as outlined in the FSRA mapping table, instead of explicitly referencing ECAIs
  • addition of a new rule (PRU 9.3.14) to grant the FSRA the power to adjust the application of the New Stable Funding Ration (‘NSFR’).

Other miscellaneous amendments to FSMR:

• in addition to the main changes outlined above, the FSRA intends to implement various other amendments to the FSMR, FSRA Rules, and Guidance to improve the clarity of the FSRA’s regulatory framework and address typographical errors and other inaccuracies that have unintentionally occurred.

You can read the Consultation Paper here. Comments are welcome until 10 December.

On 14 November, the FSRA published guidance for Environmental, Social and Governance (‘ESG’) focused Investment Vehicles.

The guidance aims to:

• establish clear standards for the management and marketing of ESG-focused investment vehicles and services, ensuring adherence to defined principles and regulatory requirements
• implement robust measures to prevent greenwashing, requiring that ESG-focused investment vehicles and services be marketed in a manner that is transparent, fair, and not misleading
• promote the disclosure of ESG-related information in alignment with international best practices, fostering accountability and enhancing investor confidence in ESG commitments.

You can read the ADGM article here and find the guidance here.

On 20 November, the FSRA published its IT Risk Management Guidance to strengthen technology risk management in the financial sector. Developed after extensive industry consultation, the guidance provides a comprehensive framework identifying best practices for IT risk management.

The four key focus areas within the guidance document include:

• culture of IT risk management: focuses on governance, incident management, audits, and oversight of third-party IT services
• IT environment management: covers IT assets, infrastructure, systems lifecycle, resilience, and cyber incident response
• secure interactions: addresses system access, cryptographic key management, and secure online transactions
• emerging technologies: explores the use of AI-driven solutions and decentralized systems like virtual asset platforms.

Aligned with international standards, the FSRA expects regulated entities to adopt these practices proportionately based on their size, complexity, and activities.

You can read the ADGM article here.

On 27 November, the FSRA issued an alert concerning recent fraudulent scheme in which individuals or entities made false claims to be associated with the FSRA and used false documents in order to solicit payments.

The FSRA would like the community to be aware of the following:

• the ADGM and its staff will never be involved in processing or facilitating wire transfers for third parties, and any request or communication suggesting otherwise is fraudulent
• scammers may falsely claim to represent the ADGM in an attempt to deceive individuals into providing personal or financial information or transferring funds
• if you receive unsolicited communications or requests involving wire transfers or financial transactions, especially those claiming to be from the FSRA or ADGM, please treat them with suspicion.

The FSRA has advised not to deal with any firm until it has been verified that the firm is authentic and has been granted the appropriate Financial Services Permission by the FSRA.

You can read the ADGM article here.

On 28 November, the FSRA issued Dear SEO Letter ‘Thematic Review on Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) – Overall Observations’. This letter notifies all Authorised Persons  of the key findings and general observations from the thematic review to promote best practices and high standards of regulatory compliance.

A summary of the key findings are as follows:

• Business Risk Assessment (‘BRA’)
  • while some firms have structured BRA approaches, they often lack sufficient evidence of implementation, such as effectiveness testing results for each control
  • not all BRAs address all risks including anti-money laundering (‘AML’), terrorist financing and proliferation financing
  • some firms have not conducted a BRA before launching a new product
• Customer Risk Assessment (‘CRA’)
  • not all firms have established a CRA methodology that is thoroughly documented and transparent, outlining each step of the risk assessment process in detail
  • CRAs should be designed to offer a balanced and comprehensive view of customer risks, capturing the entire range of money laundering risks without being structured to produce predominantly low-risk ratings
  • there were instances where CRA tool-generated ratings were overridden without documented justification, thereby undermining the entire CRA process
• Customer Due Diligence (‘CDD’)
  • firms should have strong controls to ensure Ultimate Beneficial Owners are thoroughly identified
  • documentation for address verification should be standardised to ensure accuracy
  • for firms that have adopted digital onboarding for clients, it is imperative to integrate advanced verification techniques, such as facial recognition or equivalent biometric authentication methods, into their onboarding processes
• Targeted Financial Sanctions (‘TFS’)
  • firms must retain documented evidence of the screened clients against relevant sanctions lists, including the UAE Executive Office of the Committee for Goods and Materials Subject to Import and Export Control lists and UN sanctions
  • firms must conduct transaction screening of all parties involved in a transaction
  • regular assessments of sanctions screening systems should be conducted and documented to ensure effectiveness
• Suspicious Activity Reporting
  • firms are expected to maintain comprehensive documentation and due diligence for third-party transactions to justify their purpose and nature
  • fund managers are expected to establish specific procedures for monitoring suspicious transactions related to fund activities, including subscriptions and redemptions.

On 14 November, the FSRA hosted an outreach session on AML, CFT and TFS.  The FSRA communicated its strategic focus for 2024 – 2027, which includes  fostering a secure, resilient financial environment, collaboration with stakeholders and federal authorities to combat money laundering (‘ML’) and terrorism financing (‘TF’) and strengthening the credibility of the financial system.

The FSRA indicated that it is planning several framework enhancements, including a revision of the National Risk Assessment (‘NRA’) methodology, incorporating input from stakeholders, and the identification and mitigation of risks across various sectors, including Virtual Asset Service Providers (‘VASPs’).

The areas of focus for 2025 are:

• UAE AML/CFT NRA
  • building upon the risks identified in the first NRA in 2018 which led to reducing the overall risk from high to medium, as reflected in the updated legal and regulatory frameworks
  • improvements to transparency and accountability in virtual assets
  • enhancements to supervision mechanisms to address breaches and impose fines
  • issuance of new guidance for law enforcement on predicate offences and TFS
• Updated FATF methodology and key recommendations
  • enhanced focus on effectiveness of risk-based approach (‘RBA”) adopted by firms with the aim to achieve intended outcomes
  • considerations given to unintended consequences of mutual evaluations which may affect financial inclusion and cause privacy concerns
  • alignment of methodology with frameworks such as the United Nations Convention against Corruption to ensure consistency in global efforts against financial crimes
  • prioritisation of several of the FATF recommendations, including non-profit organisations (recommendation 8), risk of new technologies (recommendation 15), and beneficial ownership of legal entities (recommendation 24).

The Outreach Session provided a valuable insight into the key areas of focus for the FSRA, key challenges faced by the financial sector, and useful suggestions for best practice for firms to take away.

On 25 November, the ADGM Registration Authority informed licensees that on the 29 November they plan to implement a late fees regime. This regime will be implemented in a phased approach and will replace the current late filing fines.

The first phase will include the following fees:

• a late commercial licence renewal fee when an application is made more than one month after licence expiry
• late fees for late filings of changes in beneficial ownership information, nominee directors or directors

Late fees will increase for each month that the licence renewal/filing is late. The first fine will be US$ 150 applied after 1 month, which will increase by US$ 150 for every month that it is late.

Details of the current fees can be found here.

On 4 November, the Abu Dhabi Securities Exchange (‘ADX’) announced that it had signed an agreement with the Armenia Stock Exchange (‘AMX’) and the Central Depository of Armenia (‘CDA’) to integrate AMX into the Tabadul Digital Hub. This integration makes AMX the seventh exchange on the platform, enhancing ADX’s global network and attracting international investments by providing strategic market access.

The partnership facilitates direct cross-border trading between ADX and AMX for investors and brokers, enabling remote access to each market via Tabadul.

You can read the ADX article here.

On 20 November, the Securities and Commodities Authority (‘SCA’) announced that the financial market authorities of the Gulf Cooperation Council (‘GCC’) has approved a regulatory framework for fund passporting, set to take effect in early 2025 in member states that have completed the legislative procedures.

This initiative, adopted during the 29^th meeting of the GCC Committee of Heads of Financial Market Authorities, aims to foster deeper integration among GCC financial markets and facilitate cross-border investments.

This is the first GCC-level regulation of its kind, and the framework will assist in streamlining processes and expediting procedures, which is expected to create a wealth of investment opportunities within the GCC financial markets.

The regulations aim to establish a robust framework for investment funds in the GCC. They mandate transparency, good governance, and fair practices for fund managers and promoters. The regulations also empower regulators to oversee fund operations, protect investor rights, and enforce compliance with regulatory standards.

You can read the SCA article here.

On 15 November, the Central Bank of the UAE (‘CBUAE’) signed a MoU with the National Security Institute (‘NSI’). The agreement focuses on collaboration in security, awareness, and occupational safety and health. The MoU aims to enhance cooperation through training programs, joint activities, and initiatives to improve workplace security and safety standards.

You can read the CBUAE article here.

On 13 November, the Saudi Central Bank (‘SAMA’) has issued the ‘E-Wallets Rules’ to strengthen its regulatory oversight of Electronic Money Institutions (‘EMIs’) and support the financial sector’s development. These rules establish regulatory requirements for licensed EMIs to enhance the safety, stability, and protection of market participants.

The provisions cover key areas such as the criteria for opening electronic wallets, client identity verification, and managing inactive wallets. SAMA incorporated public and expert feedback into the final version of the rules after an earlier consultation process, reflecting its commitment to transparency and stakeholder participation.

You can read the SAMA article here.

On 20 November, SAMA and the Oversight and Anti-Corruption Authority (‘Nazaha’) signed a Memorandum of Cooperation (‘MoC’), to enhance collaboration in addressing corruption crimes involving financial institutions under SAMA’s supervision and within Nazaha’s jurisdiction.

The agreement, signed by SAMA Governor H.E. Ayman Al-Sayari and Nazaha President H.E. Mazin Al-Kahmous, aims to align their efforts in combating financial and administrative corruption. It leverages SAMA’s regulatory authority over financial institutions and Nazaha’s mandate to address corruption, fostering an integrated approach.

You can read the SAMA article here.

On 26 November, the UAE Financial Intelligence Unit issued its fraud report to update on previously identified fraud trends for 2022. This includes a detailed analysis of approximately 10% of fraud-related Suspicious Transaction Reports (‘STRs’) and Suspicious Activity Reports (‘SARs’) submitted by reporting entities between July 2023 and June 2024. The FIU reviewed 879 suspicious reports to identify emerging fraud types, trends, and other risk factors.

Additionally, the FIU analysed fraud-related cases shared with law enforcement authorities through the Integrated Enquiry Management System (‘IEMS’), as well as intelligence reports exchanged with other FIUs concerning fraud-related crimes and issues.

As a result of the review, the FIU identified 15 common fraud types and their associated patterns, with phishing and vishing being the predominant methods used in reported fraud cases, based on the analysis of STRs/SARs, questionnaire responses, and international intelligence. Other fraud types included impersonation, business email compromise, account takeover, investment fraud, advance fee scams, employment/task fraud, online scams, and occupational fraud, although their prevalence varied. Furthermore, the FIU developed 60 risk indicators to help reporting entities monitor, detect, and report suspicious transactions and activities related to fraud. These indicators are categorised into four groups: transactional patterns, behavioural patterns, unusual or inconsistent information, and crypto-related activities.

You can access the full report here.

On 19-20 November, the Executive Office for Control and Non-Proliferation (‘EOCN’) held its second summit on ‘Countering Proliferation Financing’, convening a distinguished group of experts and specialists from the public and private sectors to address critical issues in combating proliferation financing crimes. This two-day event focused on the latest updates from the FATF concerning international standards for counter finance proliferation.

Discussions emphasised the importance of adhering to evolving FATF requirements in order to prepare effectively for the next round of mutual evaluations. The summit highlighted strategies and collaborative measures to ensure compliance with these standards and improve global efforts to prevent the misuse of financial systems in support of proliferation activities.

You can read the EOCN article here.

The United Nations Security Committee (‘UNSC’) updated an entry on its sanction list in light of the global political landscape. As a member of the UN, the UAE is committed to implementing the UNSC resolutions, and all firms must report on their involvement with sanctioned entities.

On 8 November, the Security Council Committee added two entries to its sanctions list.

Further details can be found here.

On 7 November, the FATF published an updated consolidated ratings table. The table summarises jurisdictions’ progress against the 40 FATF recommendations. The recommendations assess the jurisdiction’s maturity against AML, CTF and PF measures.

You can read the consolidated rating table here.

On 7 November, FATF published ‘Money Laundering National Risk Assessment Guidance’. The purpose of the guidance is to assist countries to assess money laundering risks through a NRA. Good practices that may be adopted by countries into their own national context can be found within the guidance.

Key sections of the guidance include:

• NRA preparation and setup
  • this identifies the prerequisites for a successful NRA
• assessment of money laundering risks
  • having a structured yet flexible methodology is key
• post-NRA actions
  • follow-up actions are an important step, including aligning mitigation measures with identified risks and communicating findings.

You can read the FATF article here and the guidance here.

On 5 November, the DFSA issued a Decision Notice against Vedas International Marketing Management (‘Vedas Marketing’), imposing a US$100,000 penalty for unauthorised financial promotions and deceptive practices related to the Multibank Group. Vedas Marketing misled individuals in the DIFC by falsely claiming that certain Multibank Group entities were regulated by the DFSA, though no wrongdoing was alleged against Multibank Group itself. Vedas Marketing challenged the decision but failed to proceed after not paying the required filing fee, leading the Financial Markets Tribunal (‘FMT’) to dismiss the referral.

You can read the DFSA article here.

On 22 November, the Registration Authority (‘RA’) of the ADGM announced that it issued a fine of US$16,000 against Avante Limited and its director Khaldoon Bushnaq respectively, totalling US$32,000. Avante Limited is also required to pay an additional US$10,000 towards the RA’s investigation costs.

A summary of the contraventions are as follows:

• providing false or misleading information
  • Avante Limited submitted a false document to a UAE-based bank which contained a falsified stamp and authentication code purporting to have been issued by the RA
• concealment of documents
  • Mr Bushnaq concealed documents and failed to take adequate precautions to guard against the falsification of company records.

You can read the ADGM article here. You can find the Avante Final Notice here and Mr Bushnaq Final Notice here.

On 22 November, the CBUAE announced that it has suspended Al Razouki Exchange’s currency exchange operations for three years and closed its Deira and Al Murar branches, citing Article 14 of the AML/CFT Law. These measures reflect the CBUAE’s commitment to ensuring exchange houses comply with UAE laws, regulations, and standards to maintain the transparency and integrity of the financial system.

You can read the CBUAE article here.