DIFC and DFSA Latest Developments

Client Classification

The Dubai Financial Services Authority (DFSA) has conducted a four phase thematic review into how firms comply with the Client Classification rules: first, a survey to 217 firms who had been chosen due to having reported Professional Clients in their EPRS returns, the second phase was a desk based review, third, an onsite visit with 22 firms and, finally, an in-depth analysis of the findings and observations from the site visits.

The DFSA highlighted weaknesses in certain areas within firms’ Client Classification systems, such as the majority of firms passing responsibility for determining the correct Client Classification onto their Compliance Officer.

Correctly documenting Client Classification was another weak spot: too few firms were, according to survey responses and site visits, not recording the specific sub-category classification for Professional Clients i.e. assessed, deemed or service based.

Other Client Classification weaknesses involved reliance on classifications made by head offices or other members of their Group, which were found to be unsatisfactory assessments with insufficient information on file from clients about their financial knowledge and experience.

The DFSA has recommended that the following best practices be followed: 

  • Client Classification should involve qualitative assessments, with emphasis on knowledge and experience. These should be carried out by employees closest to the client or whoever completed the relevant KYC (Know Your Customer) and CDD (Customer Due Diligence).
  • Firms should keep relevant file notes which contribute to the decision-making processes.
  • Not relying solely on clients’ self-declaration of net assets
  • Obtaining account statements and tax returns to provide good insights into net assets
  • The development of appropriate policies and procedures, including operational procedures, to establish a framework that:
    • clearly delegates relevant maker/checker responsibilities
    • provides sufficient guidance on the steps required to carry out the assessments underlying Client Classification
    • adequately documents client assessments, including the final Client Classification
    • ensures all clients are notified of their right to be classified as a Retail Client.
  • Where Client Classification is performed by a group member, due diligence should be performed on the Client Classification procedures of each group member and should address any gaps between that group member’s practices and the requirements set out in the DFSA’s Client Classification Rules.
  • Where third party documentation is not available to support certain aspects of the client assessment, make detailed file notes on decision making and client specific details.
  • Avoid tick-box approaches and self-certification by clients.
  • Provide training to staff on what Client Classification entails, including practical elements and examples of how to carry out assessments for Client Classification and record keeping.


Whilst the DFSA agreed that there was a slight improvement in the quality of firms’ Suitability assessments in terms of provision of advice, execution of discretionary transactions and other related documentation, there are still weaknesses in this area. Firms which do not comply with Suitability assessments as laid out in COB 3.4 are putting themselves at severe legal and compliance risk.

The DFSA also noted firms recommending risk rated products to clients with a compatible risk rating, giving no consideration to any other client-specific factors. This problem is of great concern to the DFSA and it stresses that this practice should be changed within firms otherwise it may lead to the risk of a large compliance failure.

Suitability risks also included Client Agreements which contain language that limits the extent to which Suitability is considered, and agreements in which Clients can agree to waive Suitability altogether.

The DFSA has recommended that the following best practices be followed:

  • If an Authorised Firm or its client seeks to limit the extent of any Suitability assessments, the DFSA encourages firms to clearly stipulate the agreed limitations in a separate document ensuring clarity of the agreed Suitability approach. This will enable the firm to capture the client’s express consent only to those terms.
  • Suitability obligations and responsibilities cannot be waived by a firm’s client – there must be no attempt to include such waivers in client documentation.

Consider and document fully the merits of any recommendation or discretionary transactions in the interests of the particular client (being provided to, or performed on behalf of) The thematic review provides firms with key practices to use and. the DFSA continues to put Client Classification and Suitability at a high priority. Firms risk large legal and compliance repercussions if they are found to be conducting business that is contrary to these practices.

The DFSA has signed a Memorandum of Understanding (MoU) with the financial regulator of Bahrain, The Central Bank of Bahrain (CBB). This MoU signified the DFSA recognising the CBB as an equivalent regulatory body and spells the beginning of a full cooperation between both regulators sharing information and joint promotion of both financial sectors in the GCC region.

ADGM and FSRA Latest Developments

The Abu Dhabi Global Market (ADGM) has enhanced its Prudential Regime for Investment Firms, Insurance Intermediaries and Banks.

The newly implemented changes include:

  • the introduction of revised capital requirements through implementation of the Countercyclical Capital Buffer, Credit Valuation Adjustment and Central Counterparties frameworks
  • the requirement for certain capital instruments to absorb losses at the Point of Non-Viability
  • full implementation of the Leverage Ratio floor
  • the disclosure of the Leverage Ratio and the Liquidity Coverage Ratio
  • the introduction of new reporting requirements, and further miscellaneous amendments that will provide greater clarity to institutions operating in the ADGM.

These changes are improvements based on the best practices and standards set by the Basel Committee on Banking Supervision and are part of the FSRA’s ongoing commitment to create a platform that is dynamic and well-regulated attracting firms looking for a positive and well-rounded environment in which to do business.

The first Middle East North Africa (MENA) FinTech agreement has been signed between the ADGM and the Bahrain Economic Development Board (EDB). With FinTech an increasingly growing area of financial services’ business, the ADGM and the EDB are keen to use this agreement to share information and facilitate the movement of start-ups, as well as to promote the knowledge and talent between the two jurisdictions. Predictions are that agreements such as these will be able to grow the current 1% that the MENA region currently receives in global FinTech investment.

The agreement symbolises the first platform in the region to exchange information on trends, services and products regarding FinTech, and to increase the development of Islamic Finance and FinTech initiatives. Certain growing areas within the FinTech arena are digital payments, blockchains, and start-ups which facilitate this technological innovation and which will now be able to access information between the two jurisdictions through one common point of contact.

In Bahrain, recent supportive measures include the establishment of a new Amazon Web Services (AWS) Region based in Bahrain. Key activities include the establishment of a new regulatory sandbox, the launch of a national e-wallet and the development of the MENA region’s “largest FinTech hub” which is set to open in the first quarter of 2018.

Following the establishment of the ADGM Office of Data Protection in December 2017 the Annual Data Protection Forum has been launched. The ADGM amended its Data Protection Regulations 2015 to enhance the regime and enhancements include:

  • Defined Terms
  • Data breach notification timeframes
  • Deadlines for notification to the Registrar
  • Expanded Enforcement Provisions

Enhancements also include an expansion of the list of jurisdictions designated in the Regulations which provide an adequate level of protection of personal data and include:

  • Andorra
  • Dubai International Financial Centre (DIFC)
  • The Faroe Islands

This designation facilitates the free flow of personal data from the ADGM to those jurisdictions and improves ease of doing business for ADGM firms.

These amendments take effect from the 1st February 2018.

The ADGM has asked the public for its feedback and comments to codify existing corporate beneficial ownership and control practices, in line with international standards and initiatives. Following a benchmarking analysis of the regimes in the UK, Germany and Jersey - jurisdictions which are often selected by others as having illustrative benchmarks that match the purposes of the ADGM - recommendations have been developed.

The regulations seek to implement new transparency measures on prevention of the use of the legal persons for the purpose of money laundering and terrorism financing. The regulations will create a register of beneficial owners and provide for specific safeguarding on accessibility to this register.

These regulations will help the ADGM to improve its legal persons regulations and implement measures that are often seen in other jurisdictions, further balancing risk based regulations with the needs of market participants.

The public is invited to submit their comments to the ADGM by 28th February 2018.

Middle East Regulatory Updates

United Arab Emirates has been removed from the EU’s list of non-cooperative jurisdictions for tax purposes, following UAE’s commitment to remedy EU concerns. On 23rd January 2018 the Council agreed that a delisting was justified in light of an expert assessment of the commitments made by UAE in addressing deficiencies identified by the EU.

In addition to UAE, the EU has also removed Barbados, Grenada, the Republic of Korea, Macao SAR, Mongolia, Panama and Tunisia. The decision leaves 9 jurisdictions on the list of non-cooperative jurisdictions out of 17 announced initially on 5 December 2017. These are: American Samoa, Bahrain, Guam, Marshall Islands, Namibia, Palau, Saint Lucia, Samoa and Trinidad and Tobago.

International Developments

Pressure of international compliance with the MiFID II and MiFIR regulations will be pressing matters for most financial services providers in the EU and the UK as well as the wider region. In January 2018, MiFID II and MiFIR went live and this will be followed by overhauls to the EU payments regulation as well as both the IOSCO regulation on the distribution of the retail products, and compliance with the General Data Protection Regulation (GDPR).

Several thematic issues can be picked up across all sectors in the financial services industry including:

  • Brexit and its implications on the financial services stability
  • the sound relationship between the required information exchange and GDPR
  • customer classification regimes
  • treatment of certain types of customers
  • cyber security risks

A wide number of firms may find themselves under significant resource pressures in ensuring the deadlines are met for multiple new regulations which commence in 2018 and a number of regulators around Europe- the UK’s Financial Conduct Authority (FCA) included - have recognised the pressures and challenges firms will be facing throughout 2018. Firms are reminded to take steps in identifying the areas of risks of non-compliance and to plan accordingly. Firms are also advised to implement and maintain a comprehensive compliance strategy in order to meet the tight deadlines associated with MiFIR, MiFID and GDPR.

The FCA and the Prudential Regulation Authority (PRA) are expected to clarify their stances on the treatment of branches of European Economic Area (EEA) firms in the UK post-Brexit. The regulators can be expected to continue to concentrate on firms’ management of cyber security resilience, FinTech and Robo-advisory initiatives, data privacy, activity of cryptocurrencies, and AML/CTF issues, as well as routine matters regarding disclosure of beneficial ownership, policies and procedures to manage third-party risk, and bribery and corruption. Prudential regulation will still remain at the core of PRA’s supervision, with the authorities looking into complaints handling and remediation of consumers’ issues.

Improvement in communication and information-sharing between the cross-jurisdictional financial services providers and their respective regulators and other government agencies, will become critical in combating money laundering, terrorist financing, cyber and data attacks and other complex international commercial fraud and corruption.

The European General Data Protection Regulation (GDPR) will come into effect on 25th May 2018, requiring many companies to appoint a Data Protection Officer (DPO), be it a company employee appointed as an internal DPO or an external Data Privacy Advisor appointment. Violating the requirements relating to the appointment of a DPO can be sanctioned with fines of up to EUR 10 million or up to 2 percent of the total worldwide annual turnover, whichever is higher.

The appointed DPO must have the necessary knowledge and expertise in data protection law and must be reliable as well as independent. The DPO is expected not to have any duties which would conflict with their monitoring obligation and if a legal representative or member of a legal team is appointed as a DPO, a company must ensure that the internal legal representative is excluded from representing the company in any legal proceedings which may cause a potential conflict of interest.

Despite GDPR compliance already being underway, currently there is no regulatory requirement under the Data Protection Law (DPL) for organisations to appoint a DPO. Firms should note, however, the general obligation of a Data Controller to implement appropriate technical and organisational measures to protect personal data, as further detailed below. Whilst a handful of countries will provide sector specific DPO requirements, most national data protection laws across the EU do not mandate the appointment of a DPO. For example, EU countries like the Netherlands, Luxembourg, Poland and Sweden, provide for voluntary DPO appointment.

Data Controllers in DIFC firms must implement appropriate technical and organisational measures to protect personal data against accidental loss, wilful, negligent, accidental or unlawful destruction, alteration, unauthorised disclosure, or access to sensitive personal data. This includes all other unlawful forms of processing Sensitive Personal Data, in particular where it is being transferred out of the DIFC (DPL, Article 16(1)). When applying for a permit to Process Sensitive Personal Data, or Transfer Personal Data out of the DIFC, Data Controllers must include detail regarding the safeguards employed to ensure the security of such Sensitive Personal Data (respectively, Articles 12.1 (a) of the DPL).

The measures implemented ought to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected (DPL, Article 16(2)).

Since 3rd January 2018, the European Union requires entities trading in, through or from, the EU and the UK and which are engaged in securities trading activities to obtain a Legal Entity Identifier (LEI Entities which did not obtain an LEI will not be able to trade with the EU and UK market. In order to support the smooth transition, the European Securities and Markets Authority (ESMA) has offered a temporary period of 6 months for firms to get their LEIs, provided that certain conditions are met by the firms seeking an extension.

  • Investment firms may provide a service triggering the obligation to submit a transaction report to the client, from which it did not previously obtain an LEI code, under the condition that before providing such service the investment firm obtains the necessary documentation from this client to apply for an LEI code on its behalf
  • Trading venues report their own LEI codes instead of LEI codes of the non-EU issuers while reaching out to the non-EU issuers”.

Entities trading in, through or from the UK and EU that are legally and/ or financially responsible for financial transactions, regardless of their for-profit or non-profit status, are eligible to obtain a LEI. Particularly under MiFIR, the entities which are required to obtain a LEI include investment firms executing transactions in financial instruments, as well as clients on whose behalf an investment firm executes the transaction. Furthermore, a LEI will be required for investment managers acting under a discretionary mandate on behalf of their underlying clients.

The new regulations aim to make the EU financial markets more transparent and integrated, with continuous focus on strengthening the protection of investors and will have significant implications for the technologies deployed in electronic order executions, real time monitoring of orders and trades, intervention, reporting, and recordkeeping.

The double impact of MiFID II and Market Abuse Regulation (MAR) will inevitably result in increased pressure on both firms and regulators to meet the increased demands of monitoring and reporting of suspicious transaction obligations. Notably, MiFID II introduces greater demands in terms of both the richness and accuracy of data that must be reported. ESMA stated that it will “closely monitor the accuracy and completeness of the submitted reference data and pay particular attention to the frequency and the number of trading venues’ own LEIs used instead of non-EU issuers’ LEIs”.

In addition, the concept of including the instruments traded on an organised trading facility (OTF) is found in MiFID II and consequently, unregulated commodities firms will more likely be coming within the scope of MAR than they previously did under MAD (Market Abuse Directive).

Europe's financial markets watchdog, the European Securities and Markets Authority (ESMA), accused top credit rating agencies like S&P Global, Moody's, and Fitch of not providing enough clarity or consistency on the fees they charge. The Paris-based watchdog required clearer explanations and transparency on the fee-setting process as well as how sister companies that provide supplementary ratings-related services, such as bulk provision of ratings data, set their prices.

ESMA was concerned with whether there had been an apparent link between the fees that were charged and the costs which were involved in calculating and providing the rating, adding that it aims to provide agencies with “further supervisory guidance to ensure compliance with the relevant requirements”.

On January 5th, the Finance Ministry announced that Charles Randell, an ex-lawyer who advised the British government during the financial crisis, had been appointed chair of Britain's Financial Conduct Authority.

Formerly a partner at international law firm Slaughter & May, Randell will face the tricky task of helping Britain's financial services sector to navigate the country's departure from the European Union, which could potentially put UK finance jobs at risk.

Randell will be responsible for authorising exchanges, asset managers and consumer credit companies.

ESMA has proposed to ban the retail distribution of binary options and to regulate the retail sale of Contracts For Difference (CFD) following its assessment of the potential product intervention measures. The proposal followed earlier comments made by ESMA which addressed achieving adequate investor protection by applying restrictions on the provisions of CFDs to retail clients, rather than simply prohibiting a product, a move which had previously been considered by the FCA.

Prior to voting in favour of the ban to sell the products to UK investors, the FCA indicated that it will first assess the impact of ESMA’s measures. A “Dear CEO" letter from the FCA highlighted regulatory concerns and noted that the majority (76 percent) of retail customers who bought CFDs products lost money over the 12-month period under review.

ESMA considers CFDs as complex products which lack transparent information at point of sale thus exposing retail investors to significant risk of loss from trading and transaction fees which are also further magnified by leverage. However, it believes that adequate investor protection can be achieved by imposing restrictions around the provision of CFSs to Retail Clients.

ESMA is proposing a prohibition on the marketing, distribution, or sale of binary options to retail clients as these high risk products expose investors to losses through the short duration of trades which, when combined with the extreme pay off distribution, raises the risk of addictive behaviour.  Aggressive, highly incentivised marketing techniques designed to encourage trading make retail customers more likely to lose money. The ban would not include professional clients since ESMA has insufficient evidence of harm to them.

Nordea, the financial services group operating in Northern Europe, has forbidden all of its 31,000 employees from trading in cryptocurrencies such as Bitcoin due to high risks and the ban will be imposed from February 28th onwards.

The banking group believes that the risks are seen as too high and the protection insufficient for both the co-workers and the banks.  Nordea’s spokeswoman told Reuters in an e-mail, confirming that employees who currently own cryptocurrencies will not be forced to sell them, although they are recommended to do so.

Wall Street has taken a cautious approach to digital currencies, which are unregulated and have very volatile trading patterns. Bank of America and Merrill Lynch banned clients from investing in one of Bitcoin mogul Barry Silbert's top funds last month, according to a memo seen by Reuters.

Islamic finance is expanding in both established and new markets, having 75 regulator and supervisory authorities and over 180 members and the Malaysia-based Islamic Financial Services Board (IFSB) plans to develop more detailed guidance on financial safety nets to help harmonise Islamic principles with existing legal systems, as the industry body strengthens ties with financial regulators. The IFSB, one of the main standard-setting bodies in Islamic finance, is seeking to further clarify the issues relating to sharia-compliant transactions in areas such as insolvency and bankruptcy.  Transactions are under heightened scrutiny due to the perceived risk of non-sharia compliance or sharia risk.

Last month, the IFSB admitted eight new members, including Saudi Arabia's Capital Market Authority, the Abu Dhabi Global Market and German financial watchdog Bafin. Half of the IFSB's 2018 implementation workshops will be held in African countries.

The IFSB has issued three working papers exploring safety nets, with the latest paper going over recovery, insolvency and bankruptcy issues in sharia-compliant transactions. Various issues were raised, ranging from the bail-in features embedded in capital-boosting Islamic bonds, to the regulatory treatment of profit-sharing investment accounts offered by Islamic banks.

Islamic contracts have given way to some other issues, as dispute resolution can differ from conventional transactions. This relates to the Islamic principle of insolvency, known as iflas (or “bankruptcy” in Arabic), which states that debt cannot be written off unless there is specific forgiveness by a creditor. Under this principle, insolvency requires a declaration by a competent authority, meaning it cannot be unilateral or voluntary.

In December 2015, the President of the Republic of Kazakhstan, Nursultan Nazarbayev, signed the Constitutional Law on the establishment of the Astana International Financial Centre (AIFC). The purpose of the AIFC is to form a leading centre of financial services of an international level. For the first time in the post-Soviet space, the principles of English law will be introduced: the official language of the financial centre will be English and the AIFC is structured in a similar way to the DIFC which is based on the laws of England and Wales and has an independent regulator whose regulations are principles based, and similar to the DFSA.

AIFC's tasks are to assist in attracting investments in the country's economy by creating an attractive environment for investing in financial services, and developing the securities market of the Republic of Kazakhstan, ensuring its integration with international capital markets.

Last year AIFC announced it had signed a memorandum of cooperation with EXANTE to develop the cryptocurrency market in Kazakhstan and to position the AIFC as an international technology expertise centre.  The AIFC and EXANTE will launch the Stasis platform that will serve as the foundation for a new digital asset secured by fiat currency (legal tender issued by a government) as well as cooperating in developing the AIFC Act on the regulation of the digital assets market, and supporting the evolution of the FinTech-ecosystem of the AIFC. 

AIFC has also announced its intention to create a crypto-valley on the territory of EXPO-2017. In establishing Astana as a crypto-valley a draft of rules and regulations is being prepared, regarding digital assets - something other regulators are also working on, given the popularity of these products and the flexibility as to where these products can be “based”.

The Astana Financial Services Authority (AFSA) is already accepting applications for new financial services firms and given the potential geographical reach of this centre - Central Asia, the Caucasus, EAEU, the Middle East, West China, Mongolia and Europe - this is an interesting proposition which local and international firms are monitoring.  Mr Stephen Glynn, previously at the DFSA, is heading up the AFSA and CCL is maintaining its strong relationship with Mr Glynn and is also working with firms in their initial discussions and, ultimately, with applications for those who may be interested in setting up here.

Enforcement Action

European Union Leaders have collectively agreed to extend economic sanctions against Russia until July 2018. These measures target the financial, energy and defence industries and would have otherwise expired at the end of January 2018. The European Union considers that not enough progress has been made to remove the current sanctions. The EU, along with the United States, initially imposed these sanctions in the summer of 2014 over Moscow’s actions in Ukraine and these have been extended every 6 months since then. The sanctions are due for a further renewal in July 2018.

Interactive Brokers, an authorised online broker, offering retail and institutional clients ability to trade on various worldwide exchanges, was fined £ 1,049,412 by the FCA for not maintaining sufficient controls over its market abuse outsourcing delegate. The FCA identified instances of potential market abuse which were not reported as required to the regulator. Interactive Brokers UK Ltd (IBUK) as an authorised broker was found to have serious deficiencies in post trading surveillance, in particular identifying potentially suspicious transactions by its clients.

The FCA was concerned among other things that the IBUK’s policy covering market abuse “restated the law without consideration of the IBUK’s own market abuse risks” and had “no evidence of consideration or challenge by IBUK's board or senior management as to the extent to which the policy met UK legal and regulatory requirements”. In addition, IBUK was found to not provide sufficient training to the members of its compliance staff on the relevant laws of the UK or how to carry out a review of transactions by UK clients and the FCA suspects that potentially suspicious transactions were missed as a result of inadequate systems and controls in relation to the surveillance system.

The firm was found to have breached Principle 3 (management and control) and SUP 15.10.2R, now delegated and replaced by article 16 of the Market Abuse Regulation, which required a firm which arranges or executes a transaction to notify the FCA without delay where the firm has reasonable grounds to suspect that market abuse may be occurring.

It is evident from this case that FCA has no tolerance for firms that breach the market abuse requirements and do not comply with the new Market Abuse Regulation.

It is advised that firms that are part of an intra-group delegate or have other outsourcing arrangements, review the operational risks, controls and monitoring mechanisms to ensure full compliance with the relevant laws at all times. Firms are reminded that the quality of internal control must not be impeded by outsourcing important operational functions. Delegation does not absolve the delegating entity of its responsibility to ensure compliance with relevant rules and appropriate monitoring of the arrangement on a continuous basis. Firms may also wish to consider whether their own policies and procedures are adequate. In contrast, most firms will have considered their policy and procedures in preparing for the application of the new Market Abuse Regulation.

The UK’s audit watchdog, the Financial Reporting Council (FRC), has opened an investigation into KPMG's audit of collapsed construction listed giant Carillion. The investigation will cover the years ended December 31, 2014, 2015 and 2016, and additional audit work carried out during 2017. It is also looking at the conduct of individual accountants within Carillion.

The FRC’s investigation will "consider whether the auditor has breached any relevant requirements, in particular the ethical and technical standards for auditors". Several areas of KPMG's work will be examined including the audit of the company's use and disclosure of the going concern basis of accounting, estimates and recognition of revenue on significant contracts, and accounting for pensions.

Back in 2012 HSBC was the subject of a huge investigation into its role in the United States' vulnerabilities to money laundering, drugs and terrorist financing. The investigation included the issue of multiple subpoenas and the collection and review of more than 1.4 million documents which included bank records, correspondence, emails and legal pleadings. The investigation resulted in multiple enforcement actions and a deferred prosecution agreement.

Since then HSBC has allocated considerable resources to remediating the issues which appeared in 2011 and earlier. The bank is understood to have spent $3 billion on improved compliance controls in 2016 alone. In December 2017 HSBC announced the successful expiration of the deferred prosecution agreement, noting that it has put in place the reforms which are effective and sustainable over the long term.

The U.S. Department of Justice in December 2012 took action under which HSBC Holdings Plc and HSBC Bank USA N.A. admitted to anti-money laundering and sanctions violations and forfeited $1.256 billion as part of a deferred prosecution agreement. HSBC also agreed to enhanced compliance obligations and oversight since then for five years. Since 2012, further U.S. investigations have also led to multiple enforcement actions during the course of January 2018, November 2017, September 2017 and January 2017 where HSBC had entered into more deferred prosecution agreements to resolve money laundering and other breaches in various jurisdictions between 2006 and 2011.

This demonstrates the regulator’s standpoint in relation to poor compliance practices and controls and once again reminds the firms to commit to stringent risk and compliance practices.

Share this