DIFC and DFSA Latest Developments

The annual DFSA Supervision Outreach Session was held on 25 June 2018. Over 300 participants attended this year’s event, representing many of the 491 Authorised Firms, 121 DNFBPs and 16 Registered Auditors now operating in the DIFC.

The session was introduced by Bryan Stirewalt (Managing Director, Supervision) who provided updates on the increasing number of regulatory relationships the DFSA manages and the growth and development of the DFSA’s Emirati regulatory staff (through its Tomorrow’s Regulatory Leaders (TRL) initiative).  He also reported on international market situations, changes in the sanctions space, how the DFSA intends to promote a risk-based regime around disruptive technology and reiterated the DFSA’s participation with international standard setting bodies.

Mr Stirewalt delivered the DFSA’s key regulatory messages reiterating that the actions of global standard setters provide a waterfall effect on the DFSA’s focus. There has also been a shift by the Basel Committee from policy to focusing on emerging risks, highlighting cyber risk and proportionality. He summarised the priorities of the IAIS, IOSCO, IFIAR and FATF, and how these bodies have informed the DFSA’s focus on the FATF Mutual Evaluation of the UAE in 2019, suitability of investment advice, governance arrangements and the promotion of innovation, while at the same time protecting the interests of Retail Clients.

Adrianna Beer (HSBC) addressed the attendees on behalf of the Compliance Officer’s Networking Group, thanking its supporters over the years. She took the opportunity to invite the compliance community to reflect on their role as trusted advisors, including steering their firms through challenges, challenging inappropriate behaviour or poor policy, and acting as a bridge in respect of the ongoing regulatory relationship between their firms and the DFSA.

David Shepherd, Head of Market Development Risk at Thomson Reuters (TR), presented the key global FCR trends, highlighting the results of two recent papers published by TR on the true cost of financial crime and the costs of compliance report for 2018. Mr Shepherd also discussed a growing trend toward public-private partnerships designed to provide a globally coordinated approach intended to disrupt criminal networks. He highlighted the emerging trend in KYC utilities in the FinTech space and discussed how technologies that are being tested now will give users a competitive edge and allow cost savings once implemented.

Patrick Meaney, Head of Enforcement, identified the DFSA’s most recent investigation and enforcement actions relating to AML/CTF, market abuse and cases of firms misleading the DFSA. He spoke of the DFSA’s view on settlement: the benefits in terms of saving time and resources must be weighed against the effect of a settlement on the credible deterrence of the wrongdoing. Enforcement's focus is on serious breaches that are not responded to via remediation plans set by the Supervision team. Enforcement is also keenly aware of the need to ensure individual accountability by senior business personnel, although it takes longer to get results in individual cases.

Peter Smith, Managing Director, Head of Policy and Strategy, recapped recent consultation papers issued in respect of changes to the AML and Funds regimes. AML changes are expected to come into force late in the summer, but it was flagged that more changes may be implemented before the FATF Mutual Evaluation in 2019. Implementation of changes to the Funds regime is dependent on changes to the DIFC Companies Law and is anticipated later in 2018.

The DFSA community can expect a number of new initiatives from the DFSA policy team in the coming year, including:

  • consultation on a property crowdfunding regime
  • the introduction of fund platforms
  • more clarity on the resolution of banks and treatment of client assets on resolution
  • changes to the prohibition on the provision of Money Services
  • more changes relating to the suitability of investment advice on the back of the recent thematic review.

The morning session ended with an informative panel discussion on the evolving role of RegTech and FinTech.  Key FinTech themes in place or under consideration relate to mobile payment services, robo-advisors, digital asset exchanges and crowdfunding. In turn, RegTech is proving useful in AML and Risk management, with blockchain for KYCs, artificial intelligence and use of biometrics for client authentication offering time and human resource savings. However, the investment in RegTech lags behind FinTech applications. The panel broadly discussed the benefits and objectives of the DIFC FinTech Hive and circumstances in which a participant would need to consider a regulatory Innovative Testing Licence (ITL). 

The panellists considered the role of RegTech in helping firms evidence compliance with regulatory obligations, and that compliance officers should, prior to implementation, take into account the scalability of the solution, information security and data confidentiality, as well as training, awareness and understanding of the product. 

With the increased focus on cyber security risk, the DFSA’s Ken Coghill indicated that a thematic review would be carried out in 2019 to assess which cyber risk management frameworks firms are employing. The regulator will be gathering information on whether:

  • frameworks are compliant with ISO or other certifications
  • a firm is compliant with local regulatory requirements
  • vulnerability assessments are performed
  • the risk is captured in a firm’s risk register
  • the board is taking responsibility for cyber risk and where necessary mitigating the risk
  • firms have developed an incident response plan
  • the firm is aware of cyber risk - this will be measured.

Following the introductions and high-level regulatory overviews, the DFSA held various break-out sessions as follows:


The Authorisations session gave an update on the internal structure and responsibilities of the Authorisations team, and provided information aimed at improving the quality of applications and preparedness of candidates for AI roles. 

Of key importance to any applicant, and to avoid any unintended expectations, the DFSA will no longer accept business plans or applications if there is no regulatory regime in place regarding a potential business activity, e.g. property crowdfunding, digital coins/tokens or the provision of money services.

Qualified Investment Manager applications will be handled by the Conduct of Business team, and Representative Office and Principal Representative application forms are now online. Simple Cat 4, QIF Manager and AI applications are expected to go live soon.

The Authorisations team noted that the number of applications for 2018 is consistent with 2017 numbers. They also highlighted the sectors of prominence and improvements in the turnaround times to granting an Approval in Principle and noted that firms are still experiencing delays in satisfying in principle conditions affecting the granting of their full licence. The DFSA issued a reminder of its complex application rule and invited applicants to address this in the body of their Regulatory Business Plans (RBPs).

The DFSA pointed out recent changes to the Prudential (PIB) Rulebook which impact the preparation of financial projections for Cat 3A firms and above.  These are:

  • Credit Risk Capital Requirement (CRCOM) is now calculated at 8% (previously 10%)
  • The Risk Capital Requirement (RCR) is calculated on total risk weighted assets x12.5%, then x10%
  • The Capital Conservation Buffer (CCB) no longer applies to a 3A firm

The net result is that the CCB is now compensated for in the RCR, and that the higher a firm’s revenue, the higher its operational risk value will be, resulting in a higher capital requirement.

The Authorisation team noted improvements in the preparedness of candidates for AI interviews and took the opportunity to emphasise the key deliverables they expect from SEOs, finance officers and compliance resources.

Hamda AlSarkal, Senior Manager of Supervision, described the work of the Authorisations team in helping clients during transition from the DIFC FinTech Hive, to the ITL. Participants in the Hive can develop their technology and use the time to find investors, while an ITL gives participants the opportunity to live test their product in a regulated setting. An applicant to an ITL does not need to be in the DIFC FinTech Hive. 

Going forward, applicants of the ITL will be taken on a cohort basis every 6 months (unless they are coming from the Hive). An ITL applicant must:

  • involve technology
  • offer a financial service
  • be ready to live test and intend to roll out their services, post-testing, in the DIFC.

Applicants will need to prepare a Regulatory Testing Plan, and thereafter submit an ITL application and pay $5,000 in fees. The timeline for approval will vary depending on the quality of the application, the responsiveness of the applicant and if there are any policy issues that need to be addressed. 

Applicants can expect certain DFSA Rulebook requirements to be waived while they are testing, such as prudential reporting and audit obligations, the appointment of Compliance Officers/Money Laundering Reporting Officer (CO/MLRO).  No waivers are available for the AML Rules, client money provisions, maintaining DIFC premises or appointing a UAE resident SEO. 

The DFSA will issue restrictions on the activities a licensee can perform during testing. The DFSA will have a close and continuous reporting relationship with participants as they develop their governance, risk and compliance frameworks and test their controls over time, proving controls are in place before any restrictions on their licence are lifted. A participant must demonstrate that it can meet all the requirements that were waived as part of testing before a full licence will be granted by the Authorisations team.

CCL has assisted firms with ITL applications and helped firms meet the regulatory requirements required when migrating from an ITL license to a full DFSA license. If you would like any assistance with your firm please contact Clare Curtis (CCurtis@cclcompliance.com).

Conduct of Business Risks

The Conduct of Business Risks Session covered an array of Conduct elements as follows:

  1. Client Classification
  • stronger focus on higher areas of risk - the regulator will focus on the most complex firms
  • embedding subject matter experts (SMEs) into the DFSA’s framework
  • general trends and issues with regard to the Client Classification and Suitability thematic review findings which were published on the 31st January 2018. General points were regarding the following matters:
    • if reliance is made on the Group to classify the clients, or classification is made elsewhere, the DFSA expects firms to be able to demonstrate the equivalence of the client classification regime in that particular jurisdiction to the classification and suitability rules in COB (i.e. gap analysis, assessment of the variation between the jurisdictions etc);
    • having a properly documented Client Classification clause in the Client Agreement letter which provides clients with the choice of classification as Retail Clients;
    • if and where firms offer new services and products to existing customers, a reassessment of the client’s classification and suitability is expected by the DFSA, where relevant.

Overall, when assessing clients under classification and suitability, the DFSA expects firms to evaluate the following matters:

  • client specific situation
  • client objectives
  • financial knowledge and experience of clients

These points should be included in CO and MLRO’s notes/reports as well as assessments of classification and suitability.  CO & MLROs are also expected to include file notes and conclusions as to why a particular client was classified as a Retail, Professional or a Market Counterparty, as appropriate.

The DFSA found that there was a direct link between how firms structure their incentives and the failure of systems and controls which ultimately leads to a failure to observe client classification procedures.

Further, the DFSA expects firms to maintain the following information in their client files:

  • properly recorded attitude towards risk
  • updating and recording client information
  • net asset assessment (expected to study, evaluate and analyse rather than merely include bank account statements in client files)
  • procedures to address similar risk profiling for products of different risk nature (in cases when combined packages may not meet client risk appetite)
  • switching (in cases when clients switch to other products and/or services, proper analysis of costs and benefits associated with switching to new investment are expected)

The DFSA also recommends that firms include sample check reviews on the traded investments in their Compliance Monitoring Programme.

  2. Client Assets

The DFSA mentioned the “Dear SEO” Letter which was circulated on March 31st 2016 regarding the requirement for firms holding client assets or insurance monies to seek a Client Assets endorsement. Special attention was drawn to the rules in COB A5.10, A6.8, and A6.5.2 Guidance (Client reporting and holding or arranging custody with third-party agents).

Where and if a reliance on a third-party agent (TPA) was made, the DFSA expects to be able to witness documented evidence in support of this whereby the firms can demonstrate to the regulator how the TPA was assessed to meet the criteria.

The DFSA reminded again that client classification forms and other related documents are subject to record keeping requirements, and that it expects to evidence documents in respect of the assessment of suitability and the analysis behind such assessment (Note: Documents alone are not the analysis of the classification and suitability). The regulator also expects the firm’s CO and MLROs to update this information periodically, including conclusions and dates as these are revised.

  3. Market Abuse

The DFSA noted a rather low number of notifications for market abuse across its regulated firms. Where notifications had been provided, the regulator repeated the importance of providing relevant, sufficient information, such as:

  • the order and the transaction itself
  • information regarding the client as well as their close links
  • client profile
  • their trading history.

Firms are also expected by the DFSA to include the following measures in their policies: -

  • Preventing market abuse
  • Detecting potential market abuse
  • Notification

The DFSA drew attention to the Rule GEN 11.10.12A in the event of a suspected market abuse.

  4. Corporate Governance

The DFSA itemised the following organisations as its benchmark in terms of Corporate Governance and Oversight:

  • the International Organization of Securities Commissions (IOSCO)
  • the Basel Committee on Banking Supervision (BCBS)
  • the International Association of Insurance Supervisors (IAIS)

The DFSA debated the impact of failure of Corporate Governance and stated that firms must:

  • maintain a written charter to define roles, powers and responsibilities of the Governing Body and Committees
  • hold frequent meetings in line with their business needs
  • produce detailed minutes of the meeting where the minutes cover material aspects, issues raised, and discussions conducted by the members and then the resolutions achieved.

The DFSA reminded firms that Board Resolutions by circulation alone do not demonstrate the deliberations and brainstorming.

  5. Conflicts of Interest

The DFSA expects firms to identify conflicts of interest which are specific to their business and operations, and explained that, in assessing the potential for conflicts of interest across Business Lines, it would expect firms to have considered the following matters:

  • discretionary and non-discretionary business
  • funds related party transactions, valuations practices
  • proprietary and client business
  • soft dollar arrangements
  • sales practices

In terms of process on how to manage conflicts of interest, procedures to (1) Identify (2) Prevent and (3) Manage conflicts of interest must be embedded in the firm’s policies and procedures. Amongst other procedures the DFSA would expect firms to adhere to the following measures when structuring their conflict of interest framework:

  • Detection
    • Management, Front Office and Compliance
    • Identification of conflicts specific to the business
  • Prevention
    • Fit for purpose policies and procedures
    • Awareness and training
    • Chinese Walls
  • Management
    • Disclosure to clients
    • Written Policy of Independence
  6. Remuneration

The regulator once again discussed the importance of having a proper remuneration policy with risks weighed against the rewards and drew attention to Principle 12 – Remuneration Practices and GEN App A3.2 regarding best practices related to remuneration.

In the context of incentives and remuneration the DFSA expects firms to have:

  • remuneration committee
  • remuneration policies and procedures
  • incentives connected to quantitative measures such as revenue generation
  • non-financial goals linked to appraisals (behaviour towards risk and compliance) as part of the performance measurement
  • well documented gift policy
  • annual declarations
  • disclosure to compliance, where relevant
  7. Reporting Obligations / Wealth Management

In order to avoid duplication and overlap of information, the DFSA discussed proposals to revise some of its PIB forms (B210/ B220). They anticipate the revision will:

  • provide more guidance
  • promote consistency of information
  • adopt a risk-based approach
  • focus on the financial service activity undertaken by a specific firm
  • identify who undertakes said activity
  • identify where said activity takes place
  • request a further breakdown of the information that is entered in the forms.

The regulator has already completed soft consultation with selected firms and their feedback and recommendations have been taken into account, with formal consultation to commence later this year. New forms are expected to come into effect next year (subject to consultation and final approval).

Prudential Risks

The Prudential Risks session covered an array of prudential matters and chapters within the DFSA PIB Module as well as Ad Hoc supervisory and corporate governance matters as follows:

  1. Insurance supervision update

The DFSA provided an update on the number of insurance firms in the centre:

  • Total number of insurance firms in the centre - 85
  • Firms effecting and carrying out contracts of insurance - 21 (including 7 subsidiaries, 14 foreign insurer branches)
  • PIB Cat 4 (insurance management) - 40
  • PIB Cat 4 - Insurance Intermediation (Broker) - 24
  2. Common risk assessment findings:

The DFSA provided insight into the most common risk assessment findings:

  • Lack of Service Level Agreement with group entities
  • Lack of an updated Business plan
  • Lack of clarity of corporate governance arrangements - lack of reporting lines
  • Lack of a Business Continuity Plan and its testing
  • Risk management framework and risk register not customised for the firm
  • Compliance with waiver conditions/expiry - certain waivers have been granted to the Branches in the centre. Branches have the obligation to submit some Head Office (HO) reports to the DFSA; however, the regulator has noticed that this is an oversight by the Branches in the centre.
  • Maintenance of robust and complete brokerage claim files - lack of documentation

Whilst reminding the audience of the Principles for Authorised Firms, the DFSA highlighted and stressed that robust procedures should be built to ensure that firms have oversight of the following Principles as per GEN 4.2:

  • Management systems and controls
  • Customer Assets and Money
  • High standards of Corporate Governance
  3. Enterprise wide risk management

The DFSA expects the Risk Management Framework of a firm to have a structured approach to manage uncertainty. The Framework should be designed to be proactive and have an iterative approach.

The management framework is expected to document:

  • Risk Identification and assessment
  • How the risk will be managed and mitigated
  • Risk governance
  4. Corporate governance - key DFSA expectations

The DFSA stressed the importance of corporate governance and management oversight. Firms are expected to have the following lines of defence:

  • Operational controls (first line of defence)
  • Risk management functions (second line of defence)
  • Internal Audit (third line of defence)

The Board and Senior management of a firm should have oversight of the aforementioned control functions. Firms are expected to seek an independent opinion from their external auditor.

  5. Prudential Risks

The DFSA considers the following as key focus areas in Prudential Risks:

  • Credit Risk - which includes asset quality, NPL & provisioning and asset concentration
  • Operational risk such as cybersecurity, technology risk
  • Capital and earnings - assessing the quality and composition of capital, ICAAP (including stress testing), profitability drivers
  • Liquidity Risk - systems and controls such as funding strategy monitoring, stress testing, contingency planning, funding maturities and concentrations
  6. Recent updates to the PIB module changes by year

The DFSA provided an update on the changes to the PIB Rules and the rationale of the changes made/to be made as follows:

Year 2017

  • Chapter on Capital Adequacy (PIB 3) was revised to align with BASEL III with the inclusion of Countercyclical Capital Buffer (CCyB) and High Loss Absorbency (HLA) buffer (D-SIB/G-SIB requirements)
  • Liquidity Risk (PIB 9) was revised to capture enhancements to the qualitative requirements, revision in Maturity Mismatch Ratio (MMR) and Net Stable Funding Ratio (NSFR) 

Year 2018/2019

Changes will be made to:

  • Credit Risk - to capture Counterparty Credit Risk and large exposures
  • Interest rate risk in the banking book

Year 2019/2020

Amendments will be made to:

  • Market risk- review of trading book and capital requirements
  • Leverage ratio 

Upcoming updates to EPRS and PRU

PIB Returns will be enhanced to:

  • Include new prudential requirements e.g.- CCyB, NSFR
  • Align with new international accounting standards IFRS9
  • Align with development in activities conducted in and from the DIFC 

Overview of the updated capital requirements

The DFSA provided the rationale and a brief on the amendments to the PIB module (which came into force on 1st January 2018) in respect of capital requirements. Amendments were made to align DFSA rules with the capital standards developed by the BASEL Committee on Banking Supervision. The amendments were made to capture:

  • The calculation and expression of capital adequacy - previously the PIB module monitored the Risk Capital Requirement in absolute figure terms; it is now aligned with the Basel III framework, which expresses regulatory capital as a percentage of Risk Weighted Assets (RWAs)
  • The calculation of capital requirements - the calculation of capital requirements will be expressed as RWAs.
  • Capital Buffers – the new PIB rules require the Firm’s minimum capital requirement to include capital buffers. Capital buffers include one or more of the following:
    • Capital Conservation Buffer (CCB) - CCB previously applied to CAT 1, 2, 3A and 5. Effective 1st January 2018 it does not apply to CAT 3A
    • Countercyclical Capital Buffer (CCyB) - CCyB applies to CAT 1, 2 and 5 Firms. This was introduced based on jurisdictional reciprocity as it applied to credit exposure of the firm in the jurisdiction which imposes CCyB. Currently 9 jurisdictions impose CCyB
    • Higher Loss Absorbency Capital Buffer (HLA) - HLA applies to CAT 1, 2 and 5 Firms. It is targeted at Global Systemically Important Banks (G-SIBs) and Domestic Systemically Important Banks (D-SIBs)

Finally, the DFSA reiterated that they expect timely submission of EPRS returns by firms. Firms are expected to provide the DFSA with accurate information and are advised to consult the PIB Rulebook and the PRU sourcebook before filing.

Financial crime risks

The Financial crime risks session covered the following:

  1. Financial crime priorities 2018/2019
  • The regulator is preparing for the upcoming FATF Mutual Evaluation. The UAE will be subject to the joint FATF-MENAFATF Mutual Evaluation in June/July 2019.
  • The DFSA is moving further towards the risk-based supervision of authorised firms and DNFBPs, concentrating on:
    • Information provided in the Annual AML return;
    • AML focused risk assessments; and
    • Sectoral reviews

The DFSA reminded firms to make sure that the contact details for MLROs are kept up to date (the regulator noted returned emails when communicating with some firm’s MLROs).

The regulator provided background on the review techniques they expect as part of the FATF Mutual Evaluation, which will be based on the “FATF 40 Recommendations of 2012”.

The DFSA further outlined the 7 themes of the FATF 40 Recommendations of 2012:

  • AML/ CTF policies and coordination;
  • money laundering and confiscation;
  • terrorist financing and financing of proliferation;
  • preventative measures;
  • transparency and beneficial ownership of legal persons and arrangements;
  • powers and responsibilities of competent authorities and other institutional measures;
  • international cooperation.

The DFSA mentioned that in 2017, the UAE’s National Anti-Money Laundering and Combating Financing of Terrorism Committee (NAML CFTC) engaged a team of AML/CTF experts to assist in the preparation process for the FATF Mutual Evaluation in 2019.

  2. Consultation Paper 118 & 120

The DFSA provided a short overview of Consultation Paper 118 and Consultation Paper 120 which were published in February 2018 and April 2018 respectively. The Consultation Papers (CPs) cover the following points:

CP 118: -

  • Clarifications of the DFSA AML remit in the DIFC
  • Changes to deal with the DFSA powers relating to DNFBPs 

CP 120: -

Outline changes designed to align the DFSA’s regime with FATF recommendations, including:

  • Customer Due Diligence (CDD) – FATF recommendation 10
  • record keeping – FATF recommendation 11
  • new technologies – FATF recommendation 15
  • wire transfers – FATF recommendation 16
  • reliance on third parties – FATF recommendation 17
  • internal controls and foreign branches and subsidiaries – FATF recommendation 18
  • higher risk countries – FATF recommendation 19
  • transparency and beneficial ownership of legal arrangements – FATF recommendation 25

The DFSA alerted the attendees of the session that changes to the Regulatory Law and AML Module will come into force in Q3 2018.

  3. Market Abuse

The DFSA drew attention to the Rule GEN 11.10.12A which requires firms to notify the DFSA immediately if they:

  • receive an order from a client, or arrange or execute a transaction with or for a client; and
  • have reasonable grounds to suspect that the order or transaction may constitute market abuse under Part 6 of the Markets Law.

Subject to Rule GEN 11.10.12A, such notifications must specify:

  • sufficient details of the order or transaction;
  • client profile and information concerning their trading history as well as close links; and
  • reasons for suspecting that the order or transaction may constitute market abuse.

The regulator reminded the attendees of the session that authorised firms may be subject to notification requirements in another jurisdiction under the relevant market abuse laws of that jurisdiction (under any corresponding obligations to notify).

The DFSA also pointed out that under Article 67 of the Regulatory Law and GEN Rule 11.10.7 an authorised firm has an obligation to notify the DFSA if it becomes aware that the firm itself or an employee of the firm has engaged in conduct that may constitute market abuse in the DIFC or elsewhere.

  4. Annual AML Return

The DFSA highlighted that the overall responsibility for the governance of AML systems and controls lies with the senior management of the firm and that the “Tone is set at the top”.

The importance of accurate and timely reporting, and of recording correct information in the Annual AML return, was also highlighted because the DFSA will be comparing the results and information provided in this year’s reporting to the data and information provided back in 2018.

  5. AML Business Risk Assessment

The regulator discussed the importance of keeping abreast of all of the emerging risks to the business and mentioned that it would expect to see firms incorporate the use of cryptocurrencies and cybersecurity risks in their business risk assessment. Further, firms are expected to incorporate cryptocurrency exposure when it comes to their clients and include the results in their Know-Your-Customer checklists and Due Diligence documentation.

The regulator articulated that Risk Officers and senior management of the firm must also be engaged at the point of approving any new products for the firm.

The DFSA expects the firm to have followed an AML Business Risk Assessment Process that: -

  • identifies their specific, relevant risks;
  • creates the risk library;
  • identifies the risk owners;
  • identifies controls and reduces risks;
  • assesses risk potential and impact; and
  • revisits AML risks annually 

Key Message: Keep AML Business Risk Assessments up to date.

Ultimately, the regulator appreciates that AML risks change over time and firms have an ongoing obligation to review their policies and procedures to ensure they cover emerging risks. The AML Business Risk Assessment is a living document and the DFSA expects firms to adopt a risk-based approach when drafting their AML Business Risk Assessment manuals and exercise constant vigilance.

The DFSA confirmed that firms with any activities between them and/or their customers in connection with the 6 named Qatari banks from the June 2017 Circulars (circulars 156/2017 and 157/2017), by the Central Bank of the UAE, are no longer required to send reports to the Financial Intelligence Department (FID) at the Central Bank.

Firms should keep the reports stored internally and continue to subject the identified banks ((1) QNB, (2) Qatar Islamic Bank, (3) Qatar International Islamic Bank, (4) Barwa Bank, (5) Masraf Al Rayan and (6) Doha Bank) to enhanced due diligence requirements while dealing with them.

  6. SARs/STRs, Audit and AML Training

The DFSA expects firms to conduct regular, more frequent STR/SAR training for their employees and update their policies and procedures relating to SARs and STRs.

AML training must be tailored and specific to the firm’s products, services and types of customers it deals with.

The DFSA noted the importance of regular Internal Audit (3rd line of defence) reviews and stated that the frequency of Internal Audit reviews must be aligned with the regulated activity that the firm undertakes.

The DIFC has released three Consultation Papers in order to amend the current regulatory framework so that there is a clear distinction between Companies Law, Companies Regulations and DIFC Operating Law. The Companies Law and Regulations deal with matters which affect companies generally, while matters affecting all DIFC Registered Entities under the supervision of the Registrar of Companies will be regulated under the proposed DIFC Operating Law and DIFC Operating Regulations, unless there are particular reasons to have a stand-alone regulation, as is the case with the proposed Ultimate Beneficial Ownership Regulations.

1.2.1 Consultation Paper No.5 on Companies Regulation

Consultation Paper No.5 focuses on the main changes to Companies Regulation.

  • Changes to the Regulations to include the new types of companies: Public Company and Private Companies
  • Certain incorporation forms will change requesting more information about Directors (i.e. previous names)
  • Extension of the period to start operations following the Company’s incorporation approval from 30 days to 60
  • When the Articles of Association (AoA) deviate from the standard template version, a statement stating that the Articles comply with the requirements of the Law will be accepted by the Registrar. Legal opinion will no longer be required.
  • Extension of the period to notify of the allotment of shares from 14 days to 30 days
  • Changes to the content of the Register of Directors and Secretary
  • Change of period of notice of change of Directors and Secretary from 14 days to 30
  • New chapter related to Mergers
  • Changes to the content of Public Register
  • The Regulations’ sections on Protected Cell Companies and on Investment Companies have been removed. A new Regulation for Protected Cell Companies and Investment Companies has been issued in conjunction with the DFSA.
  • Every LLC, LTD or Recognised Company will automatically convert into a Private Company, Public Company or Recognised Company, as the case may be, once the New Company Law comes into force
  • Changes to the standard version of the Articles of Association
    • Includes a chapter on Transmission of Shares
    • The Company’s minimum number of Directors has gone from two to one
    • Shareholder reserve power - shareholders may, by special resolution, direct the Directors to take, or refrain from taking, specified action.
    • Notices to Shareholders can be done in electronic form
  • All LTD and LLCs will have 12 months to amend their articles of association in accordance with the new law. Failure to comply may result in a fine. 

1.2.2 Consultation Paper No.6 on DIFC Operating Law

The new DIFC Operating Law and enhanced Operating Regulation is intended to be a legislative framework for matters of a more general nature affecting all DIFC Registered entities.  This new Law covers the following matters:

  • names, trading names and registered offices - The names of all DIFC entities must be approved by the Registrar as part of the application for incorporation/registration. Approval is not required for a change of name; however, the Registrar may object to the use of the changed name.
  • confirmation statements - the annual return is replaced by the requirement to provide an annual confirmation statement to the Registrar, via the Client Portal, confirming the registered details of the entity on the Public Register are current and accurate.
  • There is a new general prohibition to conduct business in or from the DIFC unless the person is incorporated, registered in the DIFC. The Registrar may exempt a person from the requirement to hold a license. Short term licenses can be issued as well as licenses subject to certain conditions or restrictions.
  • Auditors registered in another jurisdiction will be required to have been so registered for 8 years in a Relevant Jurisdiction before an application for registration in the DIFC can be made. 

1.2.3 Consultation Paper No.7 on Ultimate Beneficial Ownership (UBO) Regulations

This new regulation is issued as part of the global trend towards transparency through the application of information disclosure and record keeping obligations and has taken into consideration FATF Recommendations for the identification of beneficial ownership of legal persons, as well as EU new standards as established in AMLD4 and AMLD5. The purpose of this regulation is to harmonise the UBO approach across all DIFC registered entities.

This Regulation applies to:

  • companies incorporated under the Companies Law
  • partnerships incorporated under the Partnership Laws
  • organisations incorporated under the Non-Profit Incorporated Organisation Law
  • foundations incorporated under the Foundations Law; and officers and owners of persons incorporated under the Laws mentioned above.

The obligations under this Regulation are not applicable to DIFC entities which:

  • have their securities listed or traded on a recognised exchange, or are a wholly owned subsidiary of such an entity
  • are regulated by a Recognised Financial Services Regulator
  • are a Recognised Company subject to equivalent international standards which ensure adequate transparency of ownership information in its home jurisdiction
  • are a Non-Profit Incorporated Organisation which does not, as its primary function, engage in raising or disbursing funds for charitable, religious, cultural, educational, or similar purposes;
  • are wholly owned by a government or government agency of any jurisdiction.


  • take at all times reasonable steps to obtain, maintain and hold adequate, accurate and current UBO Particulars in relation to each of its UBO and maintain a Beneficial Ownership Register (BOR).
  • maintain a Register of Nominee Directors (RND)
  • notify the UBO that his name has been included in the BOR if his/her information was not provided by either him/her or with his or her knowledge.
  • changes to the BOR or RND shall be made within 30 days and notified to the RoC.
  • a DIFC entity should not register, recognise or give effect to a transfer of ownership unless it is also provided with a statement by or on behalf of the transferee, which states whether the transfer will result in a change in the UBO.
  • where the DIFC entity has reasonable cause to believe that any person is a UBO or that the UBO details are not correctly recorded, send a notice requesting that the person state whether he is a BO or not, confirm whether the information maintained is correct or not, and provide any missing information.
  • RoC has the power to inspect and request the DIFC entity to produce information or documents related to UBOs.
  • Not to disclose information of the BOR, or RND to any person except: (i) as provided in the Regulations, (ii) as required under any applicable law: or (iii) with the consent of the UBO or Nominee Director.
  • The term “Ultimate Beneficial Owner” is defined as:

“a Relevant Person means a natural person (other than a person acting solely in the capacity of a professional adviser or professional manager) who:

(a) in relation to a Company, holds or controls (directly or indirectly):

(i) Shares or other Ownership Interests in the Relevant Person in excess of the Relevant Percentage

(ii) voting rights in the Relevant Person in excess of the Relevant Percentage;

(iii) the right to appoint or remove the majority of the Directors of the Relevant Person

(b) in relation to a Partnership, has the legal right to exercise, or actually exercises, significant control or influence over the activities of the Partnership

(c) in relation to a Foundation or a Non-Profit Incorporated Organisation, has the legal right to exercise, or actually exercises, significant control or influence over the activities of the Governing Body, person or other arrangement administering the property or carrying out the objects of the Foundation or the Non-Profit Incorporated Organisation.”

  • If no natural person is identified as an Ultimate Beneficial Owner, the UBO shall be any natural persons upon whose instructions or its Governing Body is required to act.
  • If there is no UBO each member of the Governing Body or UBO of a member of the Governing Body shall be deemed as UBO.

The DFSA and the Astana Financial Services Authority (AFSA) have signed a Memorandum of Understanding (MoU) to cooperate in the supervision and authorisation of firms operating in both markets. AFSA was established between the DIFC bodies and Republic of Kazakhstan to establish the AIFC which has been modelled on the DIFC.

In March 2018, the DFSA released Consultation Paper No.117. Following the consultation period, amendments have been made to the Glossary Module, Prudential Rulebook, Fees Rulebook, General Rulebook and Markets Rulebooks.

The DFSA has fined Al Ramz Capital LLC $205,200 for serious failures to provide complete and accurate information pursuant to a DFSA investigation.

Najim Al Attar, Al Ramz's former Head of Information Technology, was fined $32,640. The DFSA also imposed costs of $100,000 on Al Ramz, to contribute towards the costs of its investigation.

In February 2014, the DFSA began an investigation under Article 78 of the Regulatory Law 2004 as it suspected that Al Ramz and others may have engaged in trading on NASDAQ Dubai on September 30, 2013, which contravened Part 6 of the Markets Law 2012.

While there was no wrongdoing found as part of the initial investigation, the DFSA found that during the investigation Al Ramz had failed to comply fully with requirements to provide the DFSA with information relevant to the investigation and deal with the DFSA in an open and cooperative manner.

ADGM and FSRA Latest Developments

Following the successful completion of the public consultation on the introduction of a robust crypto asset regulatory framework in May 2018, the Abu Dhabi Global Market (ADGM) has launched its framework to regulate spot crypto asset activities. This framework includes exchanges, custodians and other intermediaries engaged in crypto asset activities.

After public consultation, the ADGM made several refinements: a key change to the proposed framework is the implementation of the Daily Value Trading Levy imposed on Crypto Asset Exchanges on a sliding scale basis.

The framework addresses all risks associated with running a crypto asset business including compliance and AML risks such as money laundering, financial crime, consumer protection, technology governance, custody and exchange operations.

Full guidance, the application form and FSRA rules and regulations have been released by the ADGM.

The ADGM has accepted 36 local and global FinTech applications for review in the 3rd cohort of its Regulatory Laboratory programme - the most active FinTech regulatory sandbox in the region and second most active regulatory sandbox globally. The sandbox allows firms to live-test their FinTech solutions with real clients.

The 3rd cohort was promoted with a theme to promote inclusion and access to quality financial services for the Small-Medium Enterprise (SME) sector. The areas that have been promoted in this cohort include:

  • payment solutions
  • supply chain financing
  • Islamic finance solutions
  • advanced analytics and machine learning to provide new insights and deeper risk evaluation to cash flow and risk management solutions.

The focus on SMEs by the ADGM aims to enhance the digital capabilities of these smaller firms and enable financial institutions to “extend quality financial services to SMEs through better access to data and analytics solutions, deepen financial inclusion and accelerate economic growth”.

The ADGM and the Hong Kong Securities and Futures Commission (SFC) have entered into a cooperation agreement to jointly promote and support financial services innovation in Hong Kong and the UAE.

This agreement reflects the HK-SFC’s continued efforts to collaborate with international regulatory counterparts to promote innovation in financial services. The new collaboration includes the sharing of relevant information on innovation, providing support in the authorisation processes where appropriate, and referring cross-border activities that will accelerate the growth of the financial and FinTech industries in both jurisdictions.

The ADGM and the Abu Dhabi Monitoring and Control Centre (MCC) have signed a Memorandum of Understanding (MoU) to facilitate the exchange of information and co-operation in relation to monitoring and control compliance within the ADGM.

The MoU between the bodies establishes a strategic platform for the mutual exchange of information in connection with common tasks and duties, compliance reports and confirmation and verification of information in the event of non-compliance.

The ADGM has also signed an MoU with the Companies and Intellectual Property Commission (CIPC) in South Africa.

This MoU seeks to provide the mutual understanding of the legislative, procedural and information technology frameworks in each party’s respective jurisdictions in the area of registering companies and other legal entities.

MoUs are the traditional method of formalising cooperation between global regulators or organisations and provide a formal basis for cooperation between authorities based on existing laws.

The ADGM has been granted “observer status” to the Consultative Committee of Convention 108 during its plenary meeting.

Convention 108, entitled the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, sets out principles regarding the protection of automated personal data files and automatic processing of personal data in the public and private sectors.  The committee exceeds 50 member countries and over 25 observers.

ADGM is the first jurisdiction in the Middle East to become an observer and will be able to participate in dialogue with other members, observers and experts concerning international standards on issues including artificial intelligence, “Big Data Analytics”, processing of genetic data and privacy on the internet.

The status comes as the ADGM focuses on data protection as a key element in its regime and continues to play a role as a key leader among the data protection and privacy figureheads.

Following the Discussion Paper released by the ADGM in March and discussed in the CCL Regulatory Update: Middle East Edition - March 2018 the ADGM has now released a consultation paper setting out its proposed regulatory framework for operators of financing platforms for non-public companies, also known as Private Financing Platforms (PFPs).

The move comes as part of the FSRA’s ongoing initiatives to provide an inclusive regulatory platform that bolsters the growth and development of start-ups and small and medium-sized enterprises (SMEs) in Abu Dhabi and greater MENA region.

Middle East Regulatory Updates

The Central Bank of Oman has issued new guidelines concerning remittance and currency exchange for transactions over OMR400.

Transactions over this amount now need to undergo enhanced due diligence specifically designed to deal with high-risk or high net worth customers and large transactions.

Source of funds will also be analysed and the sender will need to process both legal and financial status in the country via bank account details and/or resident card. The purpose of the transaction will also need to be provided for every transaction, and every exchange must have an internal built-in system that filters transactions and detects whether the sender or receiver is on the blacklist.

The move comes in line with Oman tightening its systems and controls on potential money laundering and terrorist financing risks and making sure that all transactions are for transparent and honest reasons.

The Central Bank of Bahrain (CBB) has issued a Regulatory Sandbox Licence to Palmex under the sandbox regulation framework in the Kingdom of Bahrain.

The CBB launched its FinTech regulatory sandbox in June last year, to allow start-ups in the financial sector the ability to test new banking and financial business models.

Palmex, a professional digital asset exchange powered by ArabianChain Technology, is the first cryptocurrency exchange in the Middle East and North Africa to receive a Regulatory Sandbox Licence.

The newly permitted license which came into effect on 15th July, allows the Palmex Exchange to test its platform and services in a controlled environment with a live user base. Palmex and the CBB will have time to revise the regulatory framework surrounding the operation of a digital asset exchange, as well as make any necessary changes to the exchange to ensure the platform is secure for commercial use.

Inside the sandbox, Palmex will be governed by CBB regulations which include typical security requirements such as KYC and AML user checks and additional Counter Terrorist Financing measures.

The Central Bank of Jordan (CBJ) has released an amended set of anti-money laundering and counter terrorism financing (AML/CTF) regulations applicable to licensed banks, after they were endorsed by the National Committee for Anti-Money Laundering and Terrorism Funding.

The CBJ said the new regulations were in response to the amendments recommended by the Financial Action Task Force in 2012, and to the developments in domestic and international markets and to support and strengthen the AML/CTF framework in the Kingdom.

One of the most important amendments introduced by the new regulations is to frame and enhance the risk-based approach. The CBJ noted that this move will make the scope and strength of the risk management function commensurate with the nature, size and complexity of any bank's operations and activities and with money laundering and terrorist financing risks.

The new regulations demand the development of policies, controls and procedures to manage and reduce the risks of money laundering and terrorist financing and to take due diligence measures consistent with the degree of the risk identified.

They also detail the procedures required to verify and identify the customers whether they are natural or legal persons and the timing of such verification. The regulations require banks to identify the real beneficiary and take reasonable procedures to verify this identity according to the nature of the customer's risks.

The regulations also demand banks to establish a risk system to determine which of its customers or real beneficiaries fall within the category of high-risk political persons, be they foreign or nationals.

The regulations came into force on 26th June 2018.

Saudi Arabia’s securities regulator, the Capital Market Authority, has approved its first two trial financial technology licenses for start-ups. Licenses were granted to Manafa Capital and Scopeer, which will now allow them to offer crowdfunding investment services on a trial basis.

Financial Technology Laboratory Licenses are aimed at firms who want to provide opportunities to invest in small to medium size companies and finance their activities by bringing them together with interested investors through electronic platforms.

The Kingdom is driving development in the financial services sector as part of its plan to diversify the economy away from oil and meet the targets outlined in the Vision 2030 reform plans. The ventures serve two aspects of Saudi Arabia’s reform program: broaden its capital markets and create jobs by helping entrepreneurs obtain funding for new ventures.

The CMA said it would receive applications for more FinTech licenses later this year.

International Developments

The Financial Action Task Force (FATF) held a Plenary meeting on 29th June 2018. The meeting covered a vast array of issues pertaining to money laundering and terrorist financing.

In the fixed agenda item of “Identifying jurisdictions with strategic AML/CFT deficiencies”, FATF maintained its February 2018 public documents which identify jurisdictions that may pose a risk to the international financial system, with the following amendments:

  • Jurisdictions no longer subject to monitoring

The FATF congratulated Iraq and Vanuatu for the significant progress made in addressing the strategic AML/CFT deficiencies identified earlier by the FATF and included in their respective action plans.

Both countries will no longer be subject to the FATF’s monitoring under its on-going global AML/CFT compliance process and will work with their FATF-Style Regional Bodies MENAFATF (Iraq) and APG (Vanuatu) as they continue to further strengthen their AML/CFT regime.

  • New Jurisdiction subject to monitoring

FATF has identified Pakistan as a jurisdiction with strategic AML/CFT deficiencies. The country has developed an action plan with the FATF to address the most serious deficiencies. The FATF welcomed the high level political commitment of Pakistan to their action plan.

Therefore, the jurisdictions identified by FATF as having strategic deficiencies are as follows:


| Jurisdiction with strategic deficiencies (Grey List) | Jurisdiction subject to a FATF call on its members and other jurisdictions to apply counter-measures (Black List) | Jurisdiction subject to a FATF call on its members and other jurisdictions to apply enhanced due diligence measures (Black List) |
| --- | --- | --- |
| Ethiopia | Democratic People's Republic of Korea (DPRK) | Iran |
| Sri Lanka | | |
| Trinidad and Tobago | | |

In the Anti-Money Laundering Annual Report 2017/18, the regulator identified the anti-money laundering weaknesses it found in its second round of deep dives of major banks. Over the next year, the regulator will make AML and financial crime a major priority. The second round of the systematic AML programme has labelled client risk assessments, recordkeeping, and weaknesses in anti-bribery and corruption networks as problem areas. The FCA has completed three second-round reviews.

Poor identification and monitoring of customers who were PEPs or high risk was the most common outcome of ineffective application of enhanced due diligence. Weaknesses in the way some firms designed their processes and allocated responsibilities to staff were also found. Furthermore, a number of customer facing staff had no responsibility for assessing customer money laundering risk.

Smaller firms’ failure to identify weaknesses was due to the absence of testing of the effectiveness of AML controls by their compliance and financial crime departments. Seventy-five individuals and firms are under FCA investigation for AML issues, in many cases using both civil and criminal powers.

The FCA has expressed that AML and financial crime will continue to be a main priority over the next year and stated:

"We will continue to review our approach to AML supervision, using the information from our new data return to improve further how we target our work and taking account of the findings of the FATF mutual evaluation."

Enforcement Action

In June, the New York State Department of Financial Services (DFS) fined Deutsche Bank AG $205 million over allegations it sought to manipulate currency prices and mislead clients while failing to protect confidential customer information between 2007 and 2013.

Traders took advantage of Deutsche Bank’s status as the biggest player in the forex market to manipulate currency prices at those periods when the prices would be "fixed". This practice, known as "jamming the fix" was a frequent topic of conversation among some Deutsche Bank traders and their counterparts at other banks.

The bank’s electronic trading platform also had the potential to disadvantage customers over certain periods, the regulator said, bringing an end to the DFS’s look into algorithmic trading that dates back at least four years. Deutsche Bank’s foreign exchange settlement amount is well below the $635 million that Barclays Plc paid to the state to resolve probes into similar matters in 2015.

The US Financial Industry Regulatory Authority (FINRA), has fined Betterment, a robo-advisor platform, $400,000 for alleged violations that took place between 2012 and 2015 including window dressing, failure to segregate client-owned securities in a good control location and improper book-keeping and record-keeping.

The regulator also fined former Betterment president Eli Broverman and the firm’s former financial and operations principal Richard Feldman $10,000 and $5,000 respectively for improprieties of their own. All fines were accepted without admitting or denying the findings.

Appian Asset Management was fined €443,000 by the Central Bank of Ireland (CBI) after the company left a client open to cyber fraud by a third party resulting in the loss of €650,000 of the client’s funds. Although the client was fully reimbursed after the scam was uncovered, the Central Bank said the loss was caused by Appian’s “defective controls to protect client assets against fraud”, as well as “inadequate policies and procedures to monitor transactions, detect and report money laundering and provide its staff with appropriate training”.

This is the first time the Central Bank has imposed a fine on a firm where there has been a loss of client funds from cyber-fraud as a direct result of the firm’s significant regulatory breaches and failures. Europol, the EU-wide police network, has warned that the global impact of cybercrime has risen to €2.5 trillion, making it “more profitable than the global trade in marijuana, cocaine, and heroin combined”.

The CBI’s Director of Enforcement and Anti-Money Laundering said that it was imperative that the people who run firms are vigilant as to their vulnerabilities around cybercrime and should ensure that all appropriate regulatory safeguards are in place to protect their clients’ assets.

The Financial Conduct Authority has fined Canara Bank £896,100 and has imposed a restriction, preventing it from accepting deposits from new customers for 147 days.

The bank failed to maintain adequate AML systems and failed to take sufficient steps to remedy identified weaknesses, despite having been notified of shortcomings in its AML systems and controls.

Specifically, the FCA found that Canara failed to maintain adequate systems and controls to manage the risk of money laundering.

These failures were systemic and affected almost all levels of its business and governance structure including:

  • senior management;
  • governance/oversight;
  • three lines of defence;
  • money laundering reporting function; and
  • AML systems and controls.

Canara breached Principle 3 of the FCA’s Principles for Businesses, which requires taking reasonable steps to organise its affairs responsibly and effectively, with adequate risk management systems.

The FCA acknowledges that senior management at Canara have fully co-operated and engaged with the investigation and that the firm’s substantive AML deficiencies have been rectified.

Financial Crime

The Australian Securities and Investments Commission (ASIC) banned former National Australia Bank (NAB) branch manager Rabih Awad from engaging in credit activities and providing financial services for seven years. This follows the ASIC banning of Danny Merheb and Samar Merjan on June 29, 2018. All three were banned in relation to false documents for home loans. The case was prompted by a whistle-blower who tipped off the bank about fraudulent activities in a network of branches across greater Western Sydney.

These bans come in the wake of the Royal Commission, which has also seen issues such as rogue financial planners who forged the initials of customers on a superannuation document, setting off a chain of events that uncovered a practice of false witnessing of documents by NAB staff.
