DIFC and DFSA Latest Developments

On 21st January 2020, the DFSA held an outreach session on the launch of its cyber threat intelligence platform.

Highlights

  • The DFSA has launched a cyber threat intelligence platform which will be available, free of charge and with voluntary participation, to all authorised firms within the DIFC.
  • Authorised firms can register on the platform now by logging into the DFSA ePortal and will need to sign up to a set of T&Cs and nominate an authorised user. Other DIFC registered companies may sign up from 1st March via the DIFC client portal.
  • Firms are encouraged to take a proactive approach to cyber security, including implementing monitoring systems, ensuring important updates and patches are implemented and making use of threat intelligence.
  • A guide on how to use threat intelligence is available on the platform.
  • Firms should be thinking ‘when’ and not ‘if’ a cyber threat materialises

Platform Summary

  • The DFSA has undertaken many recent measures concerning cyber security, including a thematic review, introducing a cyber incident notification form in the ePortal and hosting a roundtable discussion with a number of authorised firms.
  • The DFSA intends to commence phase two of the cyber security thematic review and host additional workshops in due course.
  • The DFSA has worked with aeCERT, DESC and partnered with HELP AG to introduce the new cyber threat intelligence platform.
  • Cyber risk affects everyone, making it a matter that should be addressed by everyone.
  • The DFSA emphasised the need to avoid the spreading of ‘cyber diseases’ in the region by encouraging firms to report information, incidents and attempted incidences via the platform.
  • Operators of the platform, HELP AG, will analyse and feed the portal with produced valuable threat intelligence which can be shared for the benefit of all members.
  • Firms can anonymise the information on the platform and can select with which members they wish to share information– for example within the organisation, within the DIFC community, or for all participants.
  • When cyber incidents occur, the DFSA expects the affected firm to prepare a detailed cyber incident notification form in the ePortal.
  • Guidance on how to use threat intelligence will be available in the platform, and this can be used for training purposes.
  • Sharing Indicators of Compromise (IOCs) can help firms to identify potentially malicious activity.
  • Having access to cyber threat intelligence enables firms to identify attacks quicker and make a more informed decision when responding. Threat intelligence may also enable firms to determine whether an attack is targeted or random.
  • Malware Information Sharing Platform (MISP) is another public threat intelligence platform to which firms can refer.
  • Firms who wish to sign up should have their senior management approve the T&C’s as these are binding.


Firms are urged to:

  • Take a proactive approach to cyber-attacks by checking for breaches, monitoring servers and apps for anomalies, running security alert reports and checking against known IOCs.
  • Make use of threat intelligence to prioritise its resource and efforts. Threat intelligence can help firms to identify potential cyber-attacks and predict why an attacker would target them, identify who could be targeted and which vulnerabilities could expose the firm to an attack. With more knowledge and understanding of the risks, firms will be better equipped to identify a cyber incident and respond more quickly.
  • Implement patches when they are released. Patches are designed to fix vulnerabilities and firms which do not implement patches or update systems regularly are more vulnerable to cyber incidents, as attackers are likely to target known vulnerabilities.
  • Discuss and consider how they will use and escalate threat intelligence as part of their Cyber Security Framework.
  • Consider the need for a process that governs information sharing with the platform and reporting cyber events, where necessary.

The DFSA has released a survey for all authorised firms to complete, in order to establish the DIFC’s link to the ‘Luanda Leaks’ investigative report released by the International Consortium of Investigative Journalists (ICIJ). The report was compiled by prosecutors in Angola following accusations that Isabel dos Santos, an Angolan businesswoman and Africa’s richest woman, was involved in embezzlement and money laundering.  Isabel dos Santos is the daughter of Angola’s former President José Eduardo dos Santos.

The report lists 440 companies in which Isabel dos Santos and her husband Sindika Dokolo hold or have held a stake as shareholders, either directly or through another company. The DFSA has requested all authorised firms to establish whether they have, or have had in the past, any business relationship directly or indirectly with any of the persons or companies listed in the report, specifically:

  • any persons identified in the report as a customer
  • any family members or close associates of any person identified in the report as a customer
  • through a transaction or other service involving any of the persons identified in the report

The survey can be accessed through the DFSA ePortal and should have been completed by all authorised firms by 9th February 2020.

This survey highlights the importance of record keeping controls and the ability to retrieve customer records without delay.  Firms should ensure they are maintaining adequate records for 6 years after the customer relationships have ended, in compliance with the DFSA record keeping requirements.   

The DFSA has amended the AUD7 Annual Information Return, accessible on the DFSA ePortal. This return must be completed within four months of financial year end.

Previously firms needed to include detailed information and percentages about each controller, however as this information is now on record, the DFSA has amended the form so that firms need only confirm that the controller information is the same as the previous return.

If the controllers have changed during the reporting period, firms will be expected to populate the form with the detailed information and percentages.

The DFSA has released Consultation Paper No. 131Early Intervention, Recovery and Resolution in the DIFC’. This follows Discussion Paper 3 – Recovery and Resolution Framework for Financial Institutions in the DIFC released in December 2017 and seeks to enhance the DFSA’s early intervention powers by introducing a new framework for recovery and resolution in the DIFC.

The framework is based on international standards, including the Basel Committee on Banking Supervision (BCBS) and the Financial Stability Board’s (FSB) Key Attributes (KAs).  

The changes will be of specific interest to firms providing the following financial services:

  • Accepting deposits
  • Providing credit or dealing in investments as principal
  • Managing a profit-sharing investment account, where that account is received on an unrestricted basis

The proposed framework will be established in a new rulebook for Recovery and Resolution (RAR), with focus on four key stages:

  1. Business as Usual (BAU)

During the BAU phase firms will be required to undertake crisis preparations, including recovery planning. Firms will be expected to co-operate with the DFSA in resolution planning and resolvability assessments.

  1. Early Intervention

Early warning indicators will be introduced for the purpose of highlighting to the DFSA any firms experiencing weakness. Early intervention indicators may include for example, where a firm’s liquidity or solvency is impaired or may soon be impaired. The DFSA proposes to introduce a mix of supervisory early intervention indicators instead of ‘hard triggers’ used in other jurisdictions.

With early intervention indicators, the DFSA also proposes additional powers to direct firms to carry out a set of actions including for example:

  • Submit a corrective action plan to the DFSA
  • Call a general meeting of shareholders to set and propose possible resolutions
  • Search for and communicate with potential purchasers of the firm’s business or part of the business
  • Remove directors or senior management who have failed to meet their obligations
  • Limit or claw back compensation of directors or senior managements
  • Obtain the DFSA’s approval prior to any major capital expenditure or material commitment
  1. Recovery

In more severe circumstances the DFSA may instruct the activation of a recovery plan.

  1. Resolution

If the recovery phase does not resolve the firm’s liquidity or solvency issues and the firm is facing failure, the DFSA will be able to decide, in co-operation with other relevant authorities, that the firm may need be put into resolution.

The DFSA has proposed detailed recovery plan requirements and firms deemed to be of importance to the financial stability of the DIFC will need to:

  • Prepare and update a recovery plan at least annually or when there are material changes to the business or structure.
  • Submit a copy of the recovery plan to the DFSA annually. If the DFSA is not satisfied with the recovery plan they may request firms to rectify deficiencies.
  • Designate a member of senior management based in the DIFC to be responsible for the recovery planning process.
  • Ensure management information systems can provide timely, up to date, accurate accounting, financial and prudential information.

In some cases, the DFSA may prepare resolution plans, including their operational implementation plans.

The DFSA’s deadline for providing comments on the consultation paper is 13th April 2020.

The DFSA has fined Morgan Gatsby Limited (MGL) $246,000 for multiple breaches of DFSA legislation.

Key breaches identified are listed below:

  • Illegal promotion of an unregulated foreign fund
  • Making unauthorised transactions on behalf of clients and engaging in misleading and deceptive conduct in relation to those transactions
  • Failing to ensure that the Board of Directors was provided with accurate information
  • Failing to comply with certain restrictions on business imposed by the DFSA
  • Failing to properly classify a client and failure to conduct adequate inquiries into a client’s source of funds and rationale for entering into transactions
  • Failing to comply with DFSA Rules relating to the safe custody of client assets

Firms are encouraged to review and enhance their internal controls to prevent the same breaches from occurring in their own business by:

  • Developing procedures for reviewing fund prospectuses against the Foreign Fund Criteria and obtaining compliance approval before distribution of promotional information
  • Implementing robust controls for safeguarding client assets and ensuring procedures surrounding this area are properly documented
  • Undertaking regular compliance monitoring programmes to test controls, identify breaches and remediate control weaknesses
  • Conducting regular training so that employees understand the firm’s financial service permissions, restrictions on business and the customer onboarding process
  • Improving onboarding procedures to ensure net asset, source of wealth and source of funds assessments are supported by documentary evidence, where necessary
  • Reviewing the management information framework to ensure adequate information is being reported to the board by control functions such as compliance and risk

Firms are reminded that the DIFC Employee Workplace Savings (DEWS) scheme, the new end-of-service benefits plan introduced within the DIFC, came into force on 1st February 2020. All firms should have now appointed an authorised signatory via the DIFC Portal and the first contribution by employers must be paid by 21st March 2020.

Any questions regarding the scheme should be directed to the DIFC through the assigned DEWS email and firms and employees should read the FAQ to further understand the scheme.

Firms enrolling in the DEWS scheme must ensure they:

  • Identify an individual within the organisation who will complete the online submission process. This person can be from HR, Finance or any other relevant department and should be authorised to submit the DEWS application on behalf of the company.
  • Identify one of the firm’s authorised signatories as the individual who will electronically sign the ‘Deed of Participation’ for the DEWS Master Trust. You will need to notify the DIFC as to which of your registered authorised signatories would be responsible for signing the DEWS Deed of Participation in advance of enrolment.
  • Provide information regarding all the Ultimate Beneficial Owners (UBO) of the DIFC entity you are enrolling, including details such as title, first and last name, date of birth, gender, nationality and UBO type.
  • Provide details of the bank account from which you will be making the contributions as well as the name of your bank, location, the account name and the account number (IBAN).

Three federal legislations (collectively referred to as the ‘Economic Substance Regulations’) have been passed to implement the ‘Multilateral Convention to Implement Tax Treaty Related Measures to Prevent Base Erosion and Profit Shifting’ convention.

Please refer to article 3.1 below for the full synopsis and action required by DFSA Firms.

ADGM and FSRA Latest Developments

Following the ADGM Financial Services Regulatory Authority’s (FSRA) release of Consultation Paper No. 5 of 2019Updates to the Prudential – Investment, Insurance Intermediation and Banking Rulebook’ proposed changes and recommended actions – currently still in the public consultation phase - are detailed below:

Net Stable Funding Ratio

  • The FSRA is proposing to introduce the Net Stable Funding Ration (NSFR) in the ADGM. Currently NSFR is calculated by dividing the available stable funding (ASF) of a bank by its required stable funding (RSF). The items falling under the ASF and RSF are weighted to reflect the degree of stability of liabilities and assets respectively, with the resulting ratio always needing to have a minimum value of 100%.
  • The introduction of NSFR means firms will not be required to use the Maturity Mismatch approach in the Prudential rulebook (PRU).

Large Exposure

  • In the PRU rulebook, the term ‘Concentration Risk’ will be replaced throughout with ‘Large Exposures’ (LE).
  • The FSRA will make the terminology more consistent with that used in the Basel Framework’s Reporting requirements for Large Exposures.
  • Reporting requirements will be updated to incorporate the LE changes to PRU.

Disclosure Requirements

The FSRA is proposing to revise the set of disclosure requirements for those authorised persons within its scope.

The proposed disclosure requirements would cover:

  • Scope of application
  • Capital Resources
  • Capital Adequacy
  • Liquidity Risk

Miscellaneous Amendments and Clarifications

There are also a number of areas where the FSRA is proposing miscellaneous amendments to provide greater clarity to authorised persons of the requirements that PRU places on them, alongside corrections where the existing text contains inconsistencies, errors or omissions.

The most substantive of the proposed miscellaneous amendments are as follows:

  • Clarification that authorised persons should calculate their minimum capital requirements for operations risk in the 3-year period after receiving their Financial Services Permission
  • Maturity Mismatch approach shall be known as the ‘Liquidity Mismatch Approach’
  • ‘Concentration Risk’ shall be replaced throughout the PRU with LE ‘Large Exposures’
  • Changes to risk-weighting and qualifying holdings requirements (PRU 3.14.1)
  • Business estimates must be used for the calculation of the minimum capital requirements where historical data is not available (e.g. for start-ups)
  • Introduction of a threshold of US $100 billion for the aggregate notional amount of OTC Derivatives before the minimum capital requirements applies.

 

Three federal legislations (collectively referred to as the ‘Economic Substance Regulations’) have been passed to implement the ‘Multilateral Convention to Implement Tax Treaty Related Measures to Prevent Base Erosion and Profit Shifting’ convention.

Please refer to article 3.1 below for the full synopsis and action required by ADGM Firms.

Middle East Regulatory Updates

In its commitment to comply with the Organisation for Economic Co-operation and Development (OECD) framework, on 27 June 2018 the UAE signed the ‘Multilateral Convention to Implement Tax Treaty Related Measures to Prevent Base Erosion and Profit Shifting’, which came into force on 1 September 2019. Three federal legislations (collectively referred to as the ‘Economic Substance Regulations’) were subsequently passed to implement the convention that applies across the UAE and includes financial free zones:

  • UAE Cabinet of Ministers’ Resolution No.31 of 2019 ‘Concerning Economic Substance Regulations’, issued on 30 April 2019
  • Ministerial Decision No. 215 for the year 2019 ‘Providing guidance on Cabinet of Ministers' Resolution of 2019’, issued on 11 September 2019
  • UAE Cabinet of Ministers’ Resolution No. 58 of 2019 ‘Identifying the relevant Regulatory Authorities responsible for supervision and enforcement of the Regulations, issued on 4th September 2019.

Economic Substance Regulations apply to any legal person licensed by the DFSA or FSRA and if they are carrying out a “Relevant Activity” in the UAE. The regulations also apply if a firm is earning income from two of more Relevant Activities.

Relevant Activities include:

  • Banking Business
  • Insurance Business
  • Investment Fund management Business
  • Lease - Finance Business
  • Headquarters Business
  • Shipping Business
  • Holding Company Business 
  • Intellectual property Business (IP)
  • Distribution and Service Centre Business​

There are certain exemptions specified in the regulations, such as:

  • firms which are directly or indirectly at least 51% owned by the Federal or an Emirate Government, or a UAE Government body or authority
  • firms which carry out Relevant Activity but do not earn income from it

All UAE Firms may be affected by the Economic Substance Rules:

For all UAE Firms:

  • The Relevant Activities can be found on the UAE Ministry of Finance’s website here. All UAE Firms are encouraged to compare their activities against the published list. The Ministry of Finance also released a flowchart for firms to identify if they meet the regulations.
  • Firms within scope of the regulation shall be required to demonstrate Economic Substance in UAE.
  • Firms are recommended to seek guidance from their tax advisors for definitive guidance.

For DIFC Firms:

  • All firms, regardless of whether they conduct a Relevant Activity, must notify the DIFC Registrar of Companies (RoC) by 31st March 2020 through the DIFC Client Portal.

For ADGM Firms:

  • Firms who have assessed that they are carrying out a Relevant Activity, must notify the ADGM Registration Authority by 31st March 2020 through the ACCESSADGM Client Services Portal. ADGM Firms who carry out Category 1,2,3A and 3C Fund Managers should assess their own activities against the Relevant Activities before the 31st March 2020.

The Saudi Arabian Monetary Authority (SAMA) has launched two new financial licences: Electronic Wallet Licence and Payment Service Company Licence. The regulator has issued the financial licences to two companies who completed a successful period in SAMA’s regulatory sandbox.

Saudi Digital Payments Company (STCPay) was granted an electronic wallet company licence and GEIDEA Technology Company were licensed as a payment services company. The new licences are examples of the Kingdom’s desire to grow its financial services outside of banking and support the national economy. 

The guidelines around payment service provider companies and electronic wallets were issued through the Payment Services Provider Regulatory Guidelines and provide a clear regulatory structure which includes minimum requirements payment services and minimum capital requirements.

International Updates

FATF hosted a forum on 9th January 2020 with global financial supervisors to discuss the supervision and regulation of virtual assets and Virtual Asset Service Providers (VASPs).

FATF, who implemented new virtual asset measures in June 2019, brought together supervisors in order to agree new global standards that will prevent virtual assets and VASPs from being misused in transactions linked to crime or terrorism.

The forum facilitated discussions between supervisors about how virtual assets are effectively supervised in their respective jurisdictions. The supervisors discussed lessons learned, common issues and approaches to developing an effective anti-money laundering and counter terrorist financing regime for virtual assets and VASPs. The supervisors also discussed the tools, skills, procedures and technology required to effectively supervise this area. These discussions enable a consistent approach to be adopted globally and help to align international standards for the supervision of VASPs going forward.

The forum identified a number of areas that require further action which will be taken forward to the May 2020 FATF plenary, allowing FATF to begin structuring and producing international guidance and standards for virtual asset and VASPs supervision.  VASPs and other firms dealing in virtual assets should pay close attention to further regulation and guidelines to be released by FATF.

Enforcement Action

An independent study found that in 2019, global AML fines issued by regulators totalled $8.14 billion. These fines were a result of 58 AML cases in jurisdictions across the world. 25 of the penalties were given by US authorities (totalling $2.29 billion) while the UK authorities gave 12 fines totalling $388.4 million. 28 of 58 fines were issued to banks, an increase from 2018, where 20 fines were issued to banks.

The largest monetary fine was given to UBS in France. UBS was fined $5.1 billion for illegally soliciting clients and laundering tax evasion proceeds. 

Regulators are increasing the regularity with which they are giving fines for money laundering breaches and this global trend is expected to increase along with the monetary amounts for the fines.

Regulatory risk resulting from money laundering failures continues to increase and the value of global enforcement action in 2019 should stand to highlight the importance of building and maintaining robust procedures to combat money laundering risk. Firms are reminded to:

  • Conduct detailed Business AML risk assessments and identify the key AML risks faced by the firm
  • Implement adequate AML policies and procedures that are commensurate to AML risks faced by the firm
  • Carry out relevant training to educate employees and senior management about their responsibilities
  • Undertake regular monitoring reviews and test controls to identify weaknesses and breaches
  • Establish effective remediation plans when issues are identified
  • Maintain a transparent relationship with the regulator

The French National Financial Prosecutor's Office (PNF), the French regulator responsible for serious economic and financial crime investigations, has settled a money laundering probe with Bank of China for $4 million. Bank of China failed to notify the authorities about millions of euros its clients had transferred between France and China. The charge alleged the bank had engaged in “aggravated money laundering” for the transfer of €40m across 168 accounts between 2012 and 2014 without paying necessary European taxes. The Chinese bank was accused of failing to request any proof of earning from account holders and not carrying out adequate transaction monitoring.

While the case has been settled between Bank of China and the PNF, the case will continue against 28 business owners and intermediaries involved in transferring the funds to China.

Bank of China said in a statement that “it always strives to comply with anti-money laundering laws and is constantly reinforcing measures to do so”.

 

The Swiss Financial Market Supervisory Authority (FINMA) has concluded its proceedings against the former CEO of Swiss bank. The CEO of an unnamed Swiss Bank was found to be insider trading by executing transactions through deposit accounts held in his wife’s name at other banks. FINMA ordered the confiscation of approximately 730,000 CHF ($755,000 USD) and has imposed a ban of four years on him acting in a management capacity and six years in trading in securities.

FINMA’s Head of Enforcement has reminded firms that employees who have access to privileged information must abide by supervisory law and may not trade in the shares concerned and may not disclose such knowledge. They are reminded that insider trading undermines confidence in the market and regulators will continue to investigate any evidence of violations to these laws.

Firms are reminded to maintain adequate procedures for identifying, mitigating and managing conflicts of interests. Procedures should include personal dealing controls and maintaining insider lists and Chinese walls, where necessary.

Share this