Dear SEO Letters
The DFSA has sent several Dear SEO letters to authorised firms regarding operational and financial resilience during the COVID-19 pandemic.
On 8th March 2020, the DFSA sent out a Dear SEO letter in relation to “Operational Resilience Measures” which included matters that firms should be considering as part of their Business Continuity Plans (“BCP”). The letter also stipulated that the DFSA would expect a notification if an authorised firm invoked its BCP.
The BCP notification to the DFSA should include:
- when and why the BCP was invoked
- whether any offices have been closed
- the number of ill or absent staff
- the impact on critical functions, if any
- the location(s) from where operations will continue to be conducted
- how long the firm expects to operate under the BCP and/or the factors that impact on the duration of the BCP
- the financial impact, if any
- whether operating under the BCP results, or may result, in the firm breaching regulatory rules and/or laws imposed by the DIFC, DFSA, UAE local and federal authorities, or any other relevant regulator or government body.
Firms who did not invoke their BCP were requested to complete a survey through the DFSA E-portal of six questions regarding the same matter. If at any time there is a material change to the information previously submitted, firms are requested to update the survey through the DFSA E-Portal and resubmit. The form will remain available after 1st April to submit updated information.
On 23rd March 2020, the DFSA then sent authorised firms a Dear SEO letter regarding “Cyber Risk Monitoring and Reporting”. This letter explained the increase in cybercrime during the pandemic and reminded firms to remain vigilant and review and strengthen cybersecurity systems and controls, where necessary.
The DFSA also included a summary of matters that authorised firms should be thinking about:
- Continuing staff cybersecurity awareness programmes to ensure staff are equipped to identify security threats and know how to avoid, report, and/or remove them
- Maintaining appropriate controls to limit the risk of unauthorised access and maintain ongoing and effective network and perimeter monitoring
- Keeping up to date with hardware and software patches to prevent cybercriminals from leveraging vulnerabilities in VPN gateways
- Reviewing remote access controls and implementing enhancements were necessary. For example, where a firm has not already done so, it should implement two-factor authentication.
On 24th March 2020, the DFSA sent all authorised firms a Dear SEO letter regarding “The DFSA response to COVID-19”. This letter outlined measures implemented by the DFSA in response to the pandemic and actions the regulator is taking to adhere to the UAE government advice and guidance. The DFSA recommended that authorised firms should also be taking proactive steps to monitor their businesses and provided a non-exhaustive list of indicators to monitor for signs of deterioration.
Firms should make sure that any significant changes or deterioration must be reported to the DFSA, even if an event does not constitute a breach of a regulatory requirement as per the DFSA Rulebook. If firms anticipate any challenges in maintaining compliance or meeting obligations as they fall due, this must also be reported immediately to the DFSA. Firms are encouraged to provide as much available information as possible in such notifications.
On 9th April 2020, the DFSA issued a further Dear SEO letter to all authorised firms regarding reporting requirements for 2020, acknowledging that firms may face challenges in preparing and submitting reports within the specified deadlines. Firms anticipating a delay or issue in meeting the reporting deadline must send a request to the DFSA for an extension and the DFSA will consider requests on a case-by-case basis. Firms should submit requests via the DFSA e-Portal.
DFSA and DIFC Authority Economic Stimulus Initiatives
The DFSA has announced a number of support measures that are available to financial institutions in the DIFC.
New firms applying for a licence in the DIFC will:
- Be given more time to complete the application and authorisation processes and meet the set-up requirements to commence business
- Receive a 50% reduction in application fees for the remainder of 2020 and flexibility in requirements for permanent premises
- In the case of domestic funds, receive a waiver of registration fees for the remainder of 2020
Measures available to existing authorised firms include:
- An extension of time for filing a number of returns and reports, including both IRAP and ICAAP returns, the controllers report and the annual report of the Shari’a Supervisory Board, where applicable
- Additional time, where reasonable, for submitting annual accounts and financial statement auditor’s report, with the exception of reporting entities
- Flexibility in meeting authorised individual obligations, including extending the temporary cover period
- A waiver of fees for applications relating to authorised individuals and flexibility in considering the workload that may be carried by those offering outsourced compliance services
- Temporary relief from capital requirements for those firms which do not hold or control client assets or hold insurance monies
- A waiver of fees for waiver and modification applications for the remainder of 2020 and all automated late return fees will be waived for the remainder of 2020
- A waiver of the listing fees for new SME issuers in the DIFC for the remainder of 2020
The following measures have been announced by the DIFC Authority:
- Deferred payment on all leases for up to 6 months
- Full waiver of annual licensing fees for new entities
- 10% discount on renewal of licence applicable on existing entities with licences due for renewal between 1st April 2020 to 30th June 2020
- Reduction on fees for property registration from 5% to 4% for three months
- Free Movement of labour
For a full breakdown of the DFSA and DIFC initiatives and how your firm can benefit please read the CCL Regulatory Insight: DIFC Business Stimulus Initiative and DFSA Financial Community Support Initiative.
As part of the DIFC community CCL will continue to provide support and expertise to new applicants and existing firms to help them understand the evolving economic and regulatory landscape. We will continue to provide updates on any additional initiatives announced by the DIFC Authority and DFSA on our website
Consultation Paper 125 – Proposals for Money Services (“PMS”)
Following the consultation period for Consultation Paper No. 125, the DFSA has made final amendments to the DFSA Rulebook.
The proposed changes to the rules expand on the current definition of PMS to include:
- Providing a payment account
- Performing transactions on a payment account held by another person
PMS activities will be allowed in respect to electronic currency only, i.e. no cash.
A new financial service has also been introduced “Arranging or Advising on Money Services” (“AAMS”) and will fall under prudential category 4. The prudential category for a firm “Providing Money Services” will depend on the specific services being offered and could fall under Category 4, 3C or new prudential Category 3D.
The proposed changes will require amendments to the GLO, GEN, COB, AML, FER, PIB and AUD Modules and include:
- In addition to the client money auditor’s report, firms providing and arranging money services will be subject to an independent annual money services auditor’s report. This can be combined into one report.
- Firms providing and arranging money services will have tighter timeframes in which to resolve disputes. Additionally, if a complaint is not resolved to the satisfaction of the complainant, access should be made available to an independent third-party complaints’ resolution service (such as the DIFC Court’s ‘small claims’ section), free of cost to the complainant (unless unsuccessful).
- Money services are by nature retail services, so firms providing and arranging money services will generally need a Retail Client Endorsement to provide services to Retail Clients.
- Firms providing money services will also require a Client Asset Endorsement to hold client money. This is not applicable to firms arranging money services.
- Sections 4 - 14 of the AML Module will be apply to firms providing money services.
 GLO: Glossary Module, GEN: General Module, COB: Conduct of Business Module, AML: Anti-Money Laundering Module, FER: Fees Module, PIB: Prudential Investment Business Module, AUD: Auditor Module
Consultation Paper 129 – SME Listing Regime
The DFSA has made final amendments to the DFSA Rulebook introducing the regulatory regime that will permit Small or Medium Sized Enterprises (“SMEs”) to list their shares on an Authorised Market Institution (“AMI”) in the DIFC.
Minor changes have been made to the DFSA Rulebook as many of the current modules contain provisions for SMEs and include:
- introducing a definition of an SME
- minimum market capitalisation requirements for regular listing
- trading record
- lock-in arrangements
- prohibition on share repurchases
- website disclosures
- allowing the appointment of a compliance adviser
- a new fee structure
Consultation Paper 130 – Miscellaneous
The following miscellaneous changes have been made to the DFSA Rulebook:
- Amendments to the classification of “assessed” professional clients to recognise industry and professional associations. Previously, industry associations who may represent the financial services industry in the DIFC, have had difficulty meeting the criteria of holding a certain quantity of assets in order to be classified as an assessed professional client. Therefore, the DFSA has amended COB 2.3.8 to allow industry associations and other professional associations established in the DIFC which have sufficient knowledge and experience to be classified as an assessed professional client, but without having to meet the additional minimum assets requirement.
- Amendments to the Collective Investment Rules and Islamic Finance Rules Modules regarding an increase in borrowing limited from 50% Gross Asset Value to 65% for a Fund Manager of a Property Fund and Islamic Real Estate Investment Trust.
- Clarification that Employee Share Schemes fall outside the scope of the definition of a financial promotion.
Firms should ensure they implement the amendments in their documentation, where necessary.
The DFSA has signed a Memorandum of Understanding (“MoU”) with the Isle of Man Financial Services Authority (“IOMFSA”). The MoU replaces two previous agreements signed in 2005.
As with previous MoUs, the understanding provides a formal agreement and symbolic strengthening of relationships between the two entities and are a traditional method of formalising cooperation between authorities.
The DIFC Authority issued a public consultation on its proposed new Data Protection Law (the "Proposed Law") in August 2019. The Proposed Law will replace the 2007 DIFC data protection law (as amended) (the "2007 Law") and aligns the DIFC's regulatory framework more closely with international data protection developments including the GDPR. The new law is nearing final enactment and is intended to be in force from 1st July 2020.
Key updates include:
- Enhanced Accountability
Introduction of Data Protection Officer (“DPO”) and other controls such as prior consultation and processor provisions.
- Data Subjects Rights
Data subject rights shall remain in line with the 2007 Law but aligned to absorb impact of emerging technology.
- Enhanced Security breach reporting
The processor must now play a larger role in accountability overall and for breach reporting, and the data subject must be informed in certain cases.
- Realigned International Transfers
International transfers enhanced to align with current international adequacy standards, processors more accountable, additional mechanisms (i.e., BCRs) recognised.
- Data Protection Principles
Same principles as 2007 Law, but new law promotes concepts of structure, governance and risk-based approach to compliance for example through privacy impact assessments.
DIFC-based firms should:
- Review documentation in line with before the proposed law which is intended to be enacted on 1st July 2020.
- Ensure procedures include the requirement to report all security breaches to the Office of the Commissioner of Data Protection.
- Firms should ensure a DPO is appointed and identify whether any “High Risk Processing Activities” are being carried out.
- Introduce data protection testing into the Compliance Monitoring Programme.
The Abu Dhabi Global Market (“ADGM”) has launched a set of financial and support measures to mitigate the adverse impact of the COVID-19 pandemic on registered entities operating in the ADGM. This is part of the UAE’s economic stimulus package to support the economic activity and facilitate business across the Emirates.
The ADGM support measures include:
- 100% waiver on commercial licence renewal fees (with exception of Special Purpose Vehicles (“SPVs”) and foundations licences) until 25 March 2021
- 100% waiver on business activity renewal fees until 25 March 2021
- 100% waiver on data protection renewal fees until 25 March 2021
- 100% waiver on new temporary work permits issuance, renewal and late application fees until 25 March 2021
- 100% waiver on annual funds fees until 31 December 2020
- 100% refund of annual funds fees already paid by FSRA regulated entities for 2020
- 50% refund of supervision fees already paid by FSRA regulated entities for 2020
- 50% waiver on any new FSRA supervision fees to be collected until 31 December 2020
- Deferment of rental payments and service charges for office tenants at ADGM Square on Al Maryah Island for 2020
For a full breakdown of the ADGM initiatives and how your firm can benefit please read our Regulatory Insight: ADGM Business Support Initiative. As part of the ADGM community CCL will continue to provide support and expertise to new applicants and existing firms to help them understand the evolving economic and regulatory landscape.
Following the proposed changes in the FSRA’s Consultation Paper No. 5 of 2019, changes have been enacted into the Prudential – Investment, Insurance Intermediation and Banking Rulebook.
The changes include the introduction of a “Net Stable Funding Ratio” for firms in the ADGM as well as amending terminology throughout the rulebook to be more consistent with that used in Basel Framework’s Reporting requirements for Large Exposures. The disclosure requirements for authorised persons within scope of the Net Stable Funding Ratio have also been revised.
Miscellaneous amendments were also published to provide greater clarity and correct inconsistencies, errors or omissions.
A full breakdown of the changes can be read in CCL Regulatory Update: Middle East Edition - January 2020.
The UAE’s Securities and Commodities Authority (“SCA”) has granted listed firms an additional 45 days to report financial statements and earnings for the 2019 financial year and Q12020. This allows firms to “address potential compliance issues stemming from the impact of the coronavirus on investors and capital markets”.
All listed local and foreign companies in the United Arab Emirates as well as licensed investment funds registered
2019 financial year statements must be reported no later than 14th May 2020 and Q12020 earnings reported no later than June 30th, 2020.
Listed companies should amend their regulatory calendars and reminded to report within the revised deadline.
The Saudi Arabian Monetary Authority (“SAMA”) has introduced a Private Sector Financing Support Programme in order to:
- support the growth of the private sector
- support the efforts of the government in combating COVID-19
- mitigate expected financial and economic impacts on the private sector (with an extra focus on small-medium enterprises.
The programme includes several measures to drive the growth of the above areas including:
- An SME package to mitigate the impacts of precautionary COVID-19 measures including reducing the burden of cash flow fluctuations, supporting working capital, enabling the sector to grow during the coming period, contributing to supporting economic growth and maintaining employment. This will be carried out through a three tier programme including deferred payments, funding for lending programme and loan guarantee.
- Secondly, SAMA will be supporting the payment fees of all stores and entities in the private sector for 3 months and will pay fees to payment service providers.
- Thirdly, SAMA is coordinating with banks and finance companies in the cities of Makah and Medina to facilitate their customer’s finance repayments.
The Central Bank of the UAE has issued the Dormant Accounts Regulation, a regulation to control and protect dormant funds in banks in the UAE.
The new regulation will ensure funds in dormant accounts are secure and are available when a customer requests funds from the account. Regardless of the length of dormancy, an account which is classified as dormant and remains so for a period of five years, will have the funds transferred to the Central Bank for safeguarding. Account holders will still have full ownership of the account and the funds will remain available.
Funds transferred to the Central Bank will no longer receive interest and thus customers are encouraged to keep their accounts active. Following the introduction of this regulation, banks are expected to put in place appropriate governance policies and procedures to manage dormant accounts.
As with many other international bodies, the Financial Action Task Force (“FATF”) are applying resources to help combat the COVID-19 pandemic. The FATF encourages governments to work with financial institutions and other businesses to “use flexibility built into the FATF’s risk-based approach to address the challenges posed by COVID-19, whilst remaining alert to new and emerging illicit finance risks.”
The FATF has released the following guidance for financial institutions on how to continue business in the current situation:
- The FATF encourages the use of responsible digital onboarding and delivery of digital financial services in light of social distancing measures as well as other Financial Technology (“FinTech”), Regulatory Technology (“RegTech”) and Supervisory Technology (“SupTech”).
- Governments and citizens should remain vigilant to criminals taking advantage of the COVID-19 pandemic to carry out fraud and exploitation scams, including advertising and trafficking in counterfeit medicines, offering fraudulent investment opportunities, and engaging in phishing schemes that prey on virus-related fears. All individuals and businesses should stay cautious of any potential scams and raise concerns to their regulatory authority or raise a Suspicious Activity Report (“SAR”) where needed.
- Supervisors, financial intelligence units and law enforcement agencies should continue to share information with the private sector and Money Laundering (“ML”) risks, particularly those related to fraud, and terrorist financing (“TF”) risks linked to COVID-19 should be prioritised.
- Financial institutions and other businesses should remain vigilant to emerging ML and TF risks and ensure that they continue to effectively mitigate these risks and are able to detect and report suspicious activity.
- The FATF calls on countries to explore the use of digital identity, as appropriate, to facilitate financial transactions while managing ML/TF risks during this crisis.
- Where lower ML/TF risks are identified, the FATF encourages countries and financial service providers to explore the appropriate use of simplified measures to help adapt to the current situation.
The FATF has released a full guidance document on the use and expectations for firms using Digital ID as part of their AML and Customer Due Diligence (“CDD”) processes. The use of digital payments is growing and it is estimated that by 2022, 60% of the world Gross Domestic Product (“GDP”) will be digitised, therefore there is a growing need to understand how individuals are identified and verified in digital transactions.
The guidance will assist governments, regulated entities and other stakeholders in their understanding and analysis of how digital ID can be used to conduct CDD.
The guidance includes:
- Digital ID terminology and key features
- Benefits and risks of digital ID systems for AML/CTF compliance tasks
- Assessing whether digital ID systems are sufficiently reliable and independent
- Using Digital ID as part of a risk-based approach to CDD
The guidance will assist firms who use digital ID as part of their CDD process. Firms should also consider the benefits of incorporating trustworthy digital ID into their CDD process to improve the security, privacy and convenience of identifying people and for use in transaction monitoring and minimising human control weaknesses.
The UK’s Financial Conduct Authority (“FCA”) and Prudential Regulation Authority (“PRA”) have released guidance for dual-regulated firms and introduced provisions regarding the following matters:
- Notifications about changes to Senior Manager responsibilities
- Flexibility around temporary arrangements for Senior Management Functions (“SMFs”)
- Notifications about temporary arrangements (including allocating Prescribed Responsibilities to unapproved individuals acting as SMFs under the 12-week rule)
- Furloughing Senior Management Functions
- Certification requirements for dual-regulated firms
Firms regulated by both authorities are encouraged to read the complete measures and expectations provided by the authorities and incorporate the necessary decisions and actions in order to meet governance expectations.
Swedbank has been fined $39 million by the Swedish financial regulator, Finansinspektionen, after an investigation concluded that the bank’s branches in Estonia, Latvia and Lithuania had serious deficiencies in its AML measures.
The investigation, which started in 2019, found that the bank’s awareness of the processes, routines and control systems necessary for a resilient AML framework were lacking and insufficient. The regulator also found that the branches were also lacking adequate resource to combat money laundering.
While the bank invested in money laundering controls Swedbank acknowledged that there is further work to be carried out to strengthen the systems in place.
The investigation found that:
- The bank was aware of suspected money laundering activities in these branches and failed to act.
- Several internal and external reports were made but sufficient action was not taken.
- The bank withheld documentation and information from the regulator that revealed the seriousness of the situation.
The bank has been fined and requested to take comprehensive measures to properly understand and mitigate the risks it faced in the past and those it faces now.
HSBC has reported to the Australian financial crime agency, Austrac, that its Australian subsidiary may have broken AML and CTF laws by failing to report transactions it facilitated with foreign banks and institutions.
HSBC’s 2019 annual report raised the potential breach but did not specify the number of breaches. However similarly to the highly publicised Commonwealth Bank of Australia case, which led to its bank’s chief executives resigning, there may have been a large amount of financial transactions that were not reported to regulators.
Firms are reminded that:
- All transactions should be reported in their annual regulatory reporting where necessary.
- Firms should be conducting periodical transaction monitoring and raising concerns or observations with senior management.
- Senior management should act swiftly on concerns and report any issues to their relevant financial services regulator.