- Dubai International Financial Centre/Dubai Financial Services Authority
- Abu Dhabi Global Market (“ADGM”)
- The UAE Securities and Commodities Authority (“SCA”)
- The GCC
Dubai International Financial Centre/Dubai Financial Services Authority
The DIFC continues to grow with the number of DFSA regulated firms in the Centre increasing from 405 to 440 this year. The growth is impressive especially since it is set against weak economic fundamentals in the broader UAE, struggling with the effects of the strong dollar and weak oil prices.
Several events impacted on DIFC firms during the year. These included:
- A new requirement introduced by the DFSA for firms to seek an endorsement for holding or controlling client assets, and for disclosure of firms with the endorsement to be available, for the first time, on the DFSA public register. The new client assets endorsements regime has resulted in the spotlight focussing on the current client money and client assets rules in the COB section of the DFSA Rulebook, and several anomalies therein have been brought by CCL to the attention of the DFSA.
- The DFSA issued a consultative paper outlining proposed changes to its AML rulebook. Many of the changes are a consequence of the new Federal Law on AML, which is more prescriptive in its requirements than the risk based approach hitherto adopted by the DFSA following its own AML rulebook revision in 2013. This includes a mandatory requirement to identify all beneficial owners holding in excess of 5% ownership interest, irrespective of the risk of the customer. This would require firms to identify UBOs even where the counterparty had been classified as a “prescribed low-risk customer”, such as a regulated firm. The Prescribed Low-Risk Customer (PLRC) classification is to be removed.
- The DIFC Court of Appeal upheld the original 2014 ruling by the DIFC Court of First Instance against Sarasin-Alpen ME Limited, a DIFC company regulated by the DFSA, and Bank Sarasin, a Swiss bank and 60% parent of the DIFC company. The Court of First Instance had ruled that Sarasin-Alpen ME Limited had exceeded the scope of its DFSA authorisation by providing services to the Claimants who it contended were retail customers (Sarasin-Alpen had a non-retail licence), and had not considered ‘suitability’ in selling a leveraged structured product to the Claimants in 2007/8. It had also ruled that Bank Sarasin had provided financial services to the Claimants when it had no licence to do so. The Court had awarded compensatory damages to the Claimants of approx. $35 million. Sarasin-Alpen ME Limited was subject to a compulsory winding up order after failing to pay the damages by the due date. The ruling has lessons for the importance of diligent client classification, and for delineating and clearly documenting the roles and responsibilities of intermediaries introducing clients to overseas affiliates.
- Reduced base capital requirements were proposed for firms whose activities are limited solely to acting as the manager for collective investment funds domiciled in the DIFC. The proposed new base capital thresholds are $70,000 for managers of non-public funds and $140,000 for managers of public funds (previously $500,000 in both cases). The reductions bring the DIFC into line with equivalent international markets.
Abu Dhabi Global Market (“ADGM”)
The UAE’s second financial free zone authorised its first firm at the start of the year. It is an alternative to the DIFC/DFSA route with a similar structure and rulebook. At the date of writing, there are now 10 firms authorised by the ADGM regulator, the Financial Services Regulatory Authority (“FSRA”).
The UAE Securities and Commodities Authority (“SCA”)
In 2016, the SCA issued a consultative paper outlining proposed new regulations prohibiting the arranging and promoting of financial services in the UAE outside of the financial free zones (DIFC and ADGM). The new regulations would require firms that arrange services and/or promote financial products in the UAE to (i) be appropriately licensed by SCA and (ii) obtain pre-approval from SCA for any financial products to be marketed. While some exemptions were noted in the original consultation, principally in terms of promoting to government entities and wholly owned government related entities, and in terms of ‘reverse solicitation’, the proposed regulations would impact not only on foreign firms relying on ‘tolerated practice’ to conduct fly-in business but also on firms authorised in the DIFC and ADGM. An updated consultation document is promised shortly and the new regulations may well come into force early in 2017.
The GCC
The fall in the oil price has placed a strain on government budgets over the last two years. This has led the GCC nations to consider alternative sources of funding to reduce dependence on oil and gas revenues. The UAE has announced that it will be introducing a Value Added Tax on goods and services from 2018. In the Kingdom of Saudi Arabia (KSA), 2016 saw the largest ever emerging market bond issue, for $17.5 billion, which was 4 times oversubscribed.
Similarly, KSA announced further measures in 2016 to ease access to foreign investors wishing to participate in its stock market, Tadawul, in a move which may help in earning Tadawul emerging market status by index company MSCI.
The Joint Comprehensive Plan of Action (“JCPOA”), or the Iran Nuclear deal as it is more commonly known, resulted in a reduction in the number of counter-measures put in place by certain FATF Member States against the country. However, the position is still unclear and indeed the US Senate has recently voted to extend sanctions against Iran notwithstanding the JCPOA. As a result, many banks, particularly those with US interests, are reluctant to relax their stance in terms of doing business in Iran or with Iranian institutions and companies.
The so-called Panama Papers leak has led governments to focus on the issue of transparency in tax haven and secrecy regimes. Consequently, regulators have been placing more emphasis on identifying ultimate beneficial owners and identifying the underlying business rationale for complex structures, including establishing whether the structure is set up to hide the proceeds of crime, including tax evasion or corruption.
The need for regulations to cater adequately for digital currencies is increasingly evident. There is concern that such virtual currencies, operating outside of the traditional banking framework, provide scope for use in financial crime and terrorist activities. The Brussels and Paris attacks have sparked renewed calls for stronger, more effective controls to prevent terrorist activity.
- Embedding Compliance into the Corporate Culture of Regulated Firms
- Product Governance
- Anti-Money Laundering, Counter Terrorist Financing and Sanctions Compliance
- Client Classification and Suitability
- Data Protection
- Costs of Compliance
Embedding Compliance into the Corporate Culture of Regulated Firms
Regulators are increasingly looking to see evidence that the Board and Senior Management of regulated firms are taking active steps to foster a culture within the organisation that has compliance and risk management fully embedded within it. Globally, numerous well-publicised cases of misconduct show that financial institutions continue to be involved in product mis-selling, market-rigging, facilitating tax evasion, sanctions violations and money laundering (sometimes on a massive scale) and this has prompted regulators to demand change in the ‘tone from the top’.
What are the regulators’ expectations in this regard? They would regard an organisation which adopts a culture of compliance as one which places legal, regulatory and ethical outcomes at the heart of its considerations and incorporates that goal in its corporate governance arrangements, strategic planning and decision-making processes. A culture of compliance requires at least the following essential components:
- Effective corporate governance and ‘tone from the top’
- Rigorous recruitment, training and supervision processes
- Appropriate remuneration strategies and effective disciplinary policies
- Management accountability for effective supervision (First Line of Defence controls)
- Effective Second Line of Defence control structures
- Effective Audit function as the Third Line of Defence
- Whistleblowing, monitoring and feedback systems.
Product Governance
Product Governance is essentially a marriage between strong corporate governance and product lifecycle management and applies in particular to structured products and funds aimed directly or indirectly at the retail market. The concept applies both to the product ‘manufacturer’ and to the product ‘distributor’, noting that both roles could be performed by the same entity but need not be. MiFID II will introduce specific requirements regarding product governance and it is likely that regulators globally will follow suit.
At its heart is the requirement for product manufacturers and distributors to consider responsibilities at all stages of the product lifecycle: pre-sale (including policies and product design for the target market); at sale (determining the appropriate distribution strategy for the target market, marketing material, and fees and incentives paid to the distributor); and post-sale (delivery of consumer value, exit costs, complaints monitoring). Firms should be prepared to demonstrate that they have clear, effective policies and controls to evidence the manner in which products are brought to the market, and that these are compatible with the identification of consumer needs.
Anti-Money Laundering, Counter Terrorist Financing and Sanctions Compliance
We continue to see regulators demanding ever stronger controls in the AML, CTF and Sanctions arena, particularly given the terrorist atrocities that have beset the globe in the last year. Firms that do not invest in robust control frameworks will face increased regulatory risk and consequences, whether in the form of disciplinary action and fines or in damage to reputation. Costs of compliance will doubtless increase, but failure to invest adequately in these areas is a false economy. In some cases, fines for non-compliance are now running into the billions of dollars.
Cybercrime is an increasing threat to financial services firms and their customers. In fact, the National Crime Agency of the UK estimates that cybercrime has now surpassed all other forms of crime experienced in that country. The Office of National Statistics reported that there were 2.46 million cybercrime incidents and 2.11 million victims of cybercrime in the UK in 2015. TalkTalk, a telecoms provider in the UK, was subject to a hacking attack in October 2015 in which the personal details of more than 150,000 customers were accessed illegally. The fallout from the incident was reportedly a loss of more than 100,000 customers and exceptional costs estimated in the region of £60 million, including a £400,000 fine from the Information Commissioner’s Office for failing to safeguard customer information.
More recently, Tesco Bank halted online transactions from all of its customers’ current accounts in November after money was stolen from 20,000 accounts.
Cyber risk can be broken down into three types: fraud and theft; system destruction or corruption; and loss or misuse of sensitive data.
Managing cyber risk should not be regarded solely as an “IT” matter. An enterprise-wide response is required, which must be driven by the governing body of the institution. It should, therefore, be a key part of the firm’s Enterprise Risk Framework, with the firm applying the same principles to cyber risk as it does to, say, credit risk or market risk, including:
- A documented statement of policy
- Identification of material risks
- Assessment of inherent risk being the product of the impact should the risk occur multiplied by the probability of occurrence
- Identification of key controls to mitigate the impact and probability of the risk
- Calculation of residual risk
- Assessment of residual risk compared with risk appetite set by the Board
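The risk-assessment steps listed above can be worked through as a small cyber risk register. The example below is added here for illustration and is not part of the original article or of CCL’s own methodology: the 1 to 5 scales for impact and probability, the three risks (taken from the three cyber risk types named above), the controls and their reduction factors, and the Board’s risk appetite are all constructed assumptions. Each risk’s inherent score is impact multiplied by probability, each key control scales down impact and/or probability, the residual score is recomputed from the reduced values, and the register is then compared with the appetite to show which risks still need further treatment.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example: scales, controls and factors are assumptions for
# illustration, not figures from the article or from any regulator.


@dataclass
class Control:
    """A key control; factors are multipliers applied to impact/probability
    (1.0 = no effect, 0.5 = halves the value)."""
    name: str
    impact_factor: float = 1.0
    probability_factor: float = 1.0


@dataclass
class CyberRisk:
    name: str
    impact: int        # 1 (negligible) .. 5 (severe)
    probability: int   # 1 (rare) .. 5 (almost certain)
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> float:
        # Inherent risk = impact x probability, before any controls
        return float(self.impact * self.probability)

    def residual(self) -> float:
        # Apply each key control to the impact and/or probability it mitigates,
        # then recompute the score from the reduced values
        impact, prob = float(self.impact), float(self.probability)
        for c in self.controls:
            impact *= c.impact_factor
            prob *= c.probability_factor
        return round(impact * prob, 2)


# Board-set appetite on the same 1..25 scale (assumption)
BOARD_APPETITE = 6.0

# The three cyber risk types from the article, with constructed scores/controls
REGISTER = [
    CyberRisk("Fraud and theft", impact=4, probability=4, controls=[
        Control("Transaction monitoring and alerting", probability_factor=0.5),
        Control("Multi-factor approval for payments", probability_factor=0.5),
    ]),
    CyberRisk("System destruction or corruption", impact=5, probability=3, controls=[
        Control("Offline, tested backups", impact_factor=0.4),
        Control("Timely patching of exposed systems", probability_factor=0.5),
    ]),
    CyberRisk("Loss or misuse of sensitive data", impact=5, probability=4, controls=[
        Control("Encryption of data at rest", impact_factor=0.6),
        Control("Least-privilege access to customer data", probability_factor=0.75),
    ]),
]


def assess(register: List[CyberRisk], appetite: float) -> List[Tuple[str, float, float, bool]]:
    """Return (name, inherent, residual, within_appetite) for each risk."""
    return [(r.name, r.inherent(), r.residual(), r.residual() <= appetite) for r in register]


def breaches(register: List[CyberRisk], appetite: float) -> List[str]:
    """Names of risks whose residual score still exceeds the Board's appetite."""
    return [r.name for r in register if r.residual() > appetite]


if __name__ == "__main__":
    for name, inh, res, ok in assess(REGISTER, BOARD_APPETITE):
        print(f"{name:36} inherent={inh:5.1f} residual={res:5.1f} "
              f"{'within appetite' if ok else 'EXCEEDS appetite'}")
    print("Needs further treatment:", breaches(REGISTER, BOARD_APPETITE))
```

The point of separating impact factors from probability factors is that it makes visible which kind of control a risk is missing: in the constructed data, the data-loss risk keeps a high residual score because its controls lower the probability only modestly, so the register directs attention to that gap rather than to an aggregate number.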
The Financial Crimes Enforcement Network (“FinCEN”) issued an advisory note in 2016 reminding firms of their obligation to treat cyber-enabled crime events as reportable items under Suspicious Activity Reporting legislation.
Client Classification and Suitability
The Bank Sarasin case mentioned previously highlights the importance of firms having robust procedures to correctly classify clients based on their experience, knowledge and understanding, and then recommending products which meet the client’s needs and objectives. The DFSA has indicated concern that firms do not have sufficiently robust procedures in this area, with the consequence that firms may be doing business outside the scope of granted permissions, including, for example, where a firm only has a licence to deal with professional clients, or markets products which are not suitable for the client concerned. The DFSA has also indicated that it does not accept that it is appropriate for firms to carve out their responsibility to provide suitable advice to clients by way of contract.
The Bank Sarasin case also highlighted another potential risk: if a firm conducts business without an appropriate licence, then there is not only a regulatory risk involved but also a real commercial risk, since it is quite likely that the investment contract would be regarded as unenforceable.
Data Protection
Data Protection legislation has been with us in many jurisdictions for many years now, but in recent months it is clear that regulators are taking active steps to monitor compliance and impose disciplinary measures where non-compliance is discovered. TalkTalk was fined approx. £400,000 by the UK's Information Commissioner's Office.
Under the EU General Data Protection Regulation, which comes into force in 2018, the maximum potential fine could be as high as 4% of total group turnover.
In the UAE, the DIFC Data Protection Commissioner has commenced monitoring visits to ensure that firms are handling and safeguarding personal data in accordance with the Data Protection Law.
The issue of data protection is complicated by several factors. Data protection legislation typically restricts the transfer of data across boundaries without permission and/or disclosure. This requires analysis in the context of global firms operating centralised systems. The use of cloud storage also raises issues – where exactly is that server located?
Firms should also consider the data protection issues involved when outsourcing functions to an overseas group affiliate, or to a third party. Although the transfer of data may be to a group company, does that affiliate reside in a jurisdiction with adequate data protection requirements?
In short, all firms should have a documented data protection policy, should carry out a firm-specific risk analysis of all their different business lines and the data used and produced by them as part of their Enterprise Risk Framework programme, and should ensure that they have developed and maintained effective systems and controls in this area.
Costs of Compliance
Financial Institutions will face an increasing compliance burden in 2017 and beyond. Investment will be required to enhance systems and controls to protect firms from the consequences of financial crime such as money laundering and cybercrime. Investment will also be required to refine product governance and sales practices to meet increasing regulatory expectations. This investment will have to be made in the context of weak macroeconomic fundamentals and set against significant elements of political uncertainty such as the impact of Brexit and the results of the recent US Presidential election.
Despite a challenging environment, those firms that take the appropriate measures, in terms of culture, senior management responsibility, effective risk identification and risk management, will be well placed to succeed in 2017.