The Dubai Financial Services Authority (DFSA) has released Consultation Paper 120 with proposed changes to the its Anti Money Laundering Counter-Terrorist Financing and Sanctions (AML) Regime. This Consultation Paper is Phase 2 following No.118, released in February 2018. The proposed changes are designed to ensure that the DFSA’s AML regime is compliant with the 2012 Financial Action Task Force (FATF) Recommendations and the UAE Federal AML Legislation. The proposed changes come ahead of an FATF Mutual Evaluation of the UAE which has been scheduled for July 2019.
There have been extensive proposed changes to the AML rulebook and a small amendment to the Conduct of Business (COB) rulebook. Changes will impact AML systems and controls and, more specifically, onboarding processes, onboarding Customer Due Diligence (CDD), ongoing CDD, Suspicious Activity Report (SAR)s, and record keeping requests.
Senior management should be aware of all the changes and determine what systems and controls may need to be altered if the rules are enacted.
All Authorised Firms, Authorised Market Institutions, Designated Non-Financial Businesses or Professions (DNFBPs) and their advisors should read the Consultation Paper and provide feedback. The deadline for providing comments is 20th May 2018.
An overview of the proposed changes is as follows:
- Customer Due Diligence
- Anonymous or fictitious names
- The DFSA has proposed that financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names.
- There is a proposed new rule requiring persons who have responsibility and/or monitor transactions for suspicious activities, to have full information about these account holders.
- CDD measures for customers
- A proposed amendment and introduction of new rules which clarify the obligations relating to identifying and verifying a beneficial owner. This relates in particular to what steps should be taken to identify a beneficial owner of a legal person, such as a body corporate or foundation, and legal arrangements for a trust or similar.
- Requirement for financial institutions to verify that any person purporting to act on behalf of the customer is authorised to do so, and to identify and verify the identity of that person – this will be addressed explicitly within the AML rulebook.
- Specific CDD measures for legal persons and legal arrangements
- When undertaking customer due diligence, if the customer is a legal person or legal arrangement, an Authorised Firm is to understand the nature of its business, ownership, and control structure.
- There is a proposed addition to what CDD measures need to be taken into consideration when undertaking a risk based assessment. While it is expected that a firm should consider the nature of its customer, there will also be an extra rule that takes into consideration the nature of the customer’s business as well.
- Previously guidance in the AML rulebook set out what information is expected in respect to legal persons. The DFSA now proposes to add a rule which explicitly lays out what information needs to be obtained and verified in relation to the identity of the customer. There will be additional rules which set out the information required for natural persons, body corporates, trusts and foundations.
- The DFSA will be introducing AML 7.3.3 which explicitly explains the measures required to verify the identity of the beneficial owners for customers who are legal persons. This will be in line with the FATF Recommendation on beneficial owners.
- Guidance requiring a Relevant Person to carry out identification and verification in respect of actual and potential beneficial owners of a trust, will now become a rule. Taking into account the DIFC Foundations Law 2018 there is also a proposed rule setting out the information about beneficial owners that is required in the case of a foundation.
- CDD for beneficiaries of life insurance policies
- Regarding the beneficiaries of life insurance policies, the DFSA has proposed several amendments to the AML rulebook. These relate to financial institutions being required to carry out further CDD on the beneficiaries of life insurance and other investment related insurance policies. In both cases the verification of the identity of the beneficiary should occur at the time of the payout.
- It is proposed that financial institutions will be required to include the beneficiary of a life insurance policy as a relevant risk factor in determining whether enhanced CDD measures are applicable. If a beneficiary is a legal person, or if a legal arrangement presents a higher risk, firms will be required to take enhanced measures, which should include reasonable measures to identify and verify the identity of the beneficial owner at the time of payout.
- The AML rulebook will be updated to include a direct requirement for a firm to determine if a life insurance beneficiary, or a beneficial owner of the beneficiary is a PEP (Politically Exposed Person). Firms will have to further explain what is required when a customer, or a beneficial owner of a customer, is identified as a PEP.
- Timing of verification
- It has been proposed that firms will be required to put in place specific risk management procedures, relating to the conditions under which a customer may enter the business relationship prior to verification.
- Existing customers
- Currently, firms are expected to review their pre-existing customer base, and take a risk based view on the extent to which they need to undertake ongoing CDD on certain customers. A new rule will be added to explain that a firm must ensure information is up to date, requiring firms to review its customers and their businesses and transactions against United Nations sanctions lists as well as against other relevant sanction lists when reviewing the adequacy of the CDD information it holds on customers and beneficial owners.
- Risk-based approach
- While the current AML rules permit a firm to undertake simplified CDD where a customer has been assigned as low risk, the proposed amendment removes previous guidance that a firm is not required to verify an identified beneficial owner and does not need to enquire into a low risk customer’s source of funds or source of wealth.
- Source of wealth (SoW) and Source of funds (SoF)
- The current rules requiring a firm to understand the nature of a customer’s SoF and SoW, sets an international standard. The new rules propose to remove the rule that a firm is required to understand a customer’s SoW and SoF when carrying out CDD. Only when carrying out enhanced CDD will firms be required to identify and verify a customer’s SoW and SoF. The definitions of SoW and SoF have been added to the AML glossary to reference a customer or beneficial owner.
- Record Keeping
- While the current AML rules refer to documents and information obtained during CDD, it does not reference records in relation to transactions. Therefore, the proposal seeks to include that all transaction records be recorded and kept. The DFSA will also include examples of what types of records they expect to be retained under the requirement.
- Currently, the AML rules do not require firms to hold either business correspondence or an analysis of the transactions/business relationships that did not result in a SAR being filed with the Financial Intelligence Department (FID). The DFSA has proposed that this is added to the list of records that should be retained.
- It is proposed that firms will be required to retain sufficient records in respect of a transaction, which is the subject of CDD or ongoing monitoring, in order to enable the transaction to be reconstructed should this be necessary in criminal matters.
- Currently should records be requested by the DFSA, it is expected that they be retrieved within a reasonable period of time. It has now been proposed that these records be retrieved and provided immediately following a request for records by the DFSA.
- New Technologies
- A new rule has been proposed regarding the development of new products and new business practices, including new delivery mechanisms, channels, partners, and the use of new or developing technologies. The rule will state that a firm must take reasonable steps to ensure that it has assessed and identified the money laundering risks relating to the product, business practice or technology and taken appropriate steps to manage and mitigate the risks identified. This needs to be completed before the firm launches or uses the new product, practice or technology.
- Wire Transfers
The AML rules regarding wire transfers are to be substantially amended. This part of the rulebook will now explain the application of this section, have definitions set out, and terminology updated. There will also be new headings to make the rulebook clear as to what the DFSA expects of different institutions facilitating or participating in wire transfers.
- Ordering financial institutions
- It is proposed that for a cross-border fund transfer where the amount to be transferred is $1,000 or less, the firm must include in the message or payment instruction that relates to the funds transfer:
- the name of the payer
- the account number (or unique transaction number)
- the name of the payee and the payee’s account number (or unique transaction number).
- For transactions over $1,000, the firm must also include: either the payer’s residential, registered, or business address where appropriate: the payer’s unique identification number
- the date and place of birth, incorporate or registration of the payer.
- It is also suggested that a firm should not be allowed to execute the wire transfer if it does not have the requisite information accompanying it.
- Beneficiary and intermediary financial institutions
- The AML rules do not currently mention the requirement to have risk based policies and procedures in place, such as risk-based procedures for determining when to execute, reject, or suspend a wire transfer which lacks both the required originator or required beneficiary, as well as the appropriate follow up action. It is proposed to add these additional risk-based procedures.
- Beneficiary financial institutions
- It is proposed that when dealing with wire transfers, a beneficiary financial institution should be required to verify the identity of beneficiary, if this is not already being done. This was previously not an explicitly required rule.
- Reliance on third parties
- Currently, provided the ultimate responsibility for the CDD measures remains with the financial institution, there is an allowance for relying on third parties to perform certain elements of CDD. It is being proposed that rules will be introduced setting out criteria on equivalent jurisdictions.
- Internal controls and foreign branches and subsidiaries
- The DFSA proposes that firms ensure that their foreign branches and majority-owned Subsidiaries apply AML/CTF measures consistent with the home country requirements, where the minimum AML/CFT requirements of the host country are less strict than those of the home country.
- Higher risk countries
- The DFSA has proposed to amend its AML rulebook regarding higher risk countries, removing guidance relating to the factors that should be considered in determining if there is a high or low risk of money laundering. Instead, the DFSA wants to create two new rules which will set out these factors, giving firms a wider range of customer risk factors to be considered when assessing money laundering risks. This will also help reinforce the principle that firms need to pay closer attention to customers, for example, located in countries that present higher money laundering risks.
- A further amendment by the DSFA includes the inclusion of firms to apply ‘countermeasures’ when called upon by the FATF or by any authorised body. They also propose to include a list of example countermeasures, such as enhanced due diligence, increased reporting of financial transactions or limiting business relationships with persons in a specified jurisdiction.
- Transparency and beneficial ownership of legal arrangements
- The proposed small amendment to the COB rulebook is regarding Trust Service Providers and the information they must retain in order to allow the recreation of transactions of the business and its clients. The DFSA proposes to amend a rule in COB to address the need to hold the information and sufficient detail about agents and service providers to the trust.
In April, Hawkamah hosted the Overcoming Governance Challenges event. The event focused on the challenges posed by technological innovations such as artificial intelligence, FinTech and cryptocurrencies, data capturing and operation technologies.
The panel discussion focused on many of the technological and regulatory challenges currently facing the UAE.
Speakers from the DFSA focused on the differences between the big technological companies who have a large focus on the consumer, compared to financial institutions such as banks who have lost this focus.
The DFSA believes that FinTech introductions into the DIFC helps bridge the gap between consumers and financial institutions and highlighted the Innovation Testing License. This is the DFSA licence that allows FinTech firms to apply for a class of financial services licence in order to test innovative concepts, without being subject to all of the regulatory requirements normally applicable to regulated firms.
The DFSA also discussed the bespoke framework that has been implemented for crowdfunding platforms, as well as for the FinTech Hive, which is the regulatory sandbox for firms to test out innovative concepts under the strict guidance of the DFSA and its affiliated partners such as CCL Limited.
The biggest risks include data protection, an increasingly discussed topic. Regimes such as the General Data Protection Regulation, implemented by the European Union, are focusing on protection and privacy for all individuals within the EU and addresses the export of personal data outside the EU.
The panel placed a large focus on the speed that technology is advancing and the necessity for financial institutions to keep pace. Whilst cyber security keeps advancing with technology, and technologies such as Blockchains, Smart Contracts, Dividend Distribution and ICOs become more profound within the UAE, regulators must follow this advancement with regulatory frameworks to help develop the market yet still protect investor and consumer rights.
The DFSA hosted a meeting with the International Accounting Standards Board’s (IASB) Islamic Finance Consultative Group (IFCG) in April with a view to improving the communication and involvement of Islamic Finance within Dubai.
The DFSA has been supporting efforts by the Dubai Government in developing Dubai as a hub for Islamic Finance. The Regulator has worked considerably to produce a framework which will support Islamic Finance firms with regulatory rules and boundaries, which will make doing business within the DIFC clear, easy and efficient, including listing of Sukuk on Nasdaq Dubai.
The IFCG was formed in 2013 and includes members from Bahrain, Indonesia, Malaysia, Pakistan, Saudi Arabia, UAE and the United Kingdom, and together these jurisdictions focus on challenges that may arise when applying International Financial Reporting Standards (IFRS) to Islamic Finance.
The IASB has been actively seeking to improve their support for firms who do Islamic Finance and need to implement IFRS. Meetings like the one between the DFSA and the IASB for IFCG are encouraging steps to strengthen regulatory framework surrounding Islamic Finance.
The ADGM has approved new regulations updating the existing corporate Beneficial Ownership and Control (BOC) regulations.
All ADGM firms have a large responsibility to receive information regarding corporate BOC in their systems and controls in order to detect and avert financial crime. The implementation of the new codified corporate BOC regulations aims to enhance transparency and accountability nationally and internationally.
The codification will help bring the ADGM’s regulation regarding BOC closer in line with the Financial Action Task Force’s (FATF) recommendations. The main feature of the new regulations includes the creation of a new registry that maintains thorough, accurate and up-to-date information and also includes the amendment of the definition of beneficial owner to include any person with 25% or more of shares or voting rights in a company.
Firms registered in the ADGM will be expected to obtain, maintain and report up to date BOC information.
The ADGM has released Consultation Paper No.2 Introduction of Crypto Asset Regulatory Framework. Following the ADGM being the first jurisdiction in the region to publicly support the development of certain digital assets, including ICOs, the FSRA has now proposed a framework for the regulation of crypto asset activities conducted in or from the ADGM. This framework includes exchanges, custodians and other intermediaries engaged in crypto asset activities.
The Paper sets out plans to introduce a new Regulated Activity of Operating a Crypto Asset Business, the guideline of what the fees will be for operating a crypto-asset business, a new set of rules in the Conduct of Business (COB) Rules and the amendments of the Market Infrastructure Rulebook (MIR).
Firms seeking to implement or operate crypto asset businesses in the ADGM will need to read the Consultation Paper and provide feedback by the 28th May 2018. The proposal may also impact individuals, organisations and investors looking to carry on crypto asset activities and their professional advisors.
In April, the ADGM and the Abu Dhabi Judicial Department signed a Memorandum of Understanding (MoU) to strengthen the regime for the enforcement of judgements, decisions and orders ratified or recognised by them.
The ADGM has also signed an MoU with Anaklia Special Economic Zone/City - the financial regulator of Georgia - with the idea of sharing expertise, information on banking, financial services and securities legislation and regulations in both jurisdictions.
Finally, an MoU was signed in April between the ADGM and the Shanghai Stock Exchange (SSE). This MoU seeks to represent the cooperation between the two authorities using the ADGM’s global position along the Silk Road Economic Belt and the SSE’s position as one of the largest and fastest growing exchanges.
As with previous MoUs, the understanding provides a formal agreement and symbolic strengthening of relationships between the two entities and are a traditional method of formalising cooperation between authorities.
The ADGM has been granted membership of the Global Privacy Enforcement Network (GPEN) as of March 29th, 2018. GPEN is an internationally recognised network of data protection authorities, comprised of members from over 50 countries. The purpose is to facilitate cross border enforcement of privacy protection laws and strengthening personal privacy and data protection in a global context.
Membership provides a platform to share best practice and facilitate cooperation on privacy law enforcement. The ADGM’s membership comes at a good time, considering the importance being placed globally on data protection such as the European Union’s General Data Protection Regulation.
The UAE government, through their 2021 Blockchain Initiative, is aiming for 50% of government transactions to be conducted through the blockchain platform over the next 3 years.
The blockchain system is a form of digital cryptography which keeps exchanges and documents secure by providing a decentralised database and is also referred to as a digital ledger. A blockchain keeps a record that all of those with permission to the network can see and all must approve an exchange or movement within this network before it is verified and recorded. The system is considered very secure for a new IT technology and should help reduce fraudulent documents and transactions as all movement is recorded and distributed on a public ledger for anyone to see.
The UAE’s plan in revolutionising its own framework is expected to save Dh11 Billion in transactions and documents processed routinely. It is also expected to save 398 million printed documents and 77 million work hours annually.
The idea of blockchain has been embraced by many sectors including the Finance sector and is aimed at dropping the cost and complexity of transactions between financial institutions and create a more transparent and regulated framework.
Dubai has been pitched as the market to design and implement new initiatives in order to become a leading global hub for Islamic Sukuk. The Dubai Islamic Economy Development Centre (DIEDC) has announced its collaboration with Nasdaq Dubai to outline the plans and increase the issuances and listing of sukuk to boost the economic growth of the UAE.
Part of the reason behind the initiative is due to the 2013 government goal to have Dubai as the number one platform for attracting and listing Islamic Sukuks.
Dubai’s previous success in Sukuk issuance has been due to the confidence other jurisdictions in the region have in the UAE as an advocate for responsible investments.
The Iranian Central Bank has banned all of the country’s banks from dealing in cryptocurrency due to money-laundering concerns.
Concerns regarding cryptocurrency and money laundering lie in the fact that the currency is semi-anonymous and decentralised, which many authorities such as the Iranian Central Bank fear will lead to the currency being used for illegal activities by criminals and passed through Iranian banks.
Cryptocurrency has also been used a lot in the past for criminal activity online due to its anonymity. The Dark Web and other illegal websites which deal in criminal trade, accepted Bitcoin in order to ensure anonymity. Subsequently, Iran’s move is not a surprise to many other global authorities who are treading carefully around crypto-currencies.
Following the drive in Artificial Intelligence (AI) by the UK’s Financial Conduct Authority (FCA), the regulator has increased the scope of its AI tests to cover regulatory technology tasks such as automated supervisory tasks and surveillance applications.
As explained in their 2018/19 business plan, the regulator is seeking to use this technology to “automate what would otherwise be manual supervisory tasks”.
Together with advanced analytics they are seeking to be able to automate detection of unauthorised business activity on the internet through automated evaluation and detection of misleading advertising. Other plans are to make the rules less reliant on human interpretation, thus easing the compliance burden and attempting to make current standards more automated.
As part of the FCA’s business plan the regulator is focusing on making sure that the third parties working with financial services can readily withstand cyber-attacks.
Cyber-attacks are becoming one of the biggest risks for financial institutions globally and all firms should be surveying how they can reduce this risk as much as possible.
The UK Regulator is launching a full review of firms’ current outsourcing arrangements along with oversight that firms have over these third parties, in order for a smooth-running system and minimal disruption. Part of the FCA’s investigation includes establishing how firms use third-party providers, the number and size of them, and the likely impact on the financial system of a cyber-attack or other attacks on third party providers.
The European Securities and Markets Authority (ESMA) has released details of the measures it has taken regarding the sale, distribution and marketing of contracts for differences (CFDs) and binary options to retail customers.
ESMA has repeatedly shown concern for retail investors in speculative products and is seeking to protect investors though temporary invention measures on a three-monthly basis.
The product intervention covers two areas: a restriction on CFDs and a ban on binary options. CFDs will have a three month restriction imposed on the marketing, distribution or sale of CFDs to retail investors. The binary option intervention is an outright ban on the marketing, distribution or sale of binary options to retail investors.
Firms who currently deal in binary options and CFDs in the EU are advised to follow the ESMA website for updates regarding the measures, which do not come into immediate effect but will be adopted mid-year during 2018.
Similarly the FCA had intended to publish a policy statement regarding CFD products after issuing a Dear CEO letter in February 2016. The letter identified concerns within UK firms and CFDs including:
- Firms’ approach to completing the appropriateness assessment was not in line with the requirements
- Most risk warnings issued to clients who failed the appropriateness assessments were not adequate
- Anti-money laundering controls in place to manage the increased risks posed by higher risk clients were insufficient
The FCA stated that they would delay any final policy statements until ESMA’s discussions are finalised.
Wells Fargo have agreed to a fine levied against them by two US regulators, the Consumer Financial Protection Bureau and the Office of the Comptroller of Currency.
The fine comes after 20,000 customers may have defaulted on their car loans and had their vehicles repossessed because of unnecessary insurance costs placed on them by the bank.
The bank has been given a roadmap by the regulators to fix its practices, including the creation of a compliance committee to oversee the process as well as showing customers its plans to identify those hurt by the misconduct and explaining plans to compensate them.
This is the largest fine handed out under the Trump administration against a Wall Street bank.
Following a whistleblowing incident in 2016 which raised concerns about the recruitment of Barclays bank’s Head of Financial Institutions Group, the chief executive of Barclays, Jes Staley has been fined an undisclosed amount after his attempts in unmasking the whistleblower.
Using the bank’s internal security unit, Jes Staley, tried to track down on two occasions the author of two letters and admitted getting personally caught up in the situation.
The fine signals the end of the investigation and it is expected it will be the conclusion. Regulators are not alleging that he acted with a lack of integrity or that he lacks fitness and propriety to continue in his role as chief executive.