On the 25th March 2019 the Dubai Financial Services Authority (DFSA) held a Financial Crime Conference for all Authorised Firms in the Dubai International Financial Centre (DIFC) as part of its efforts to increase financial crime awareness amongst its regulated firms. The following agenda items were discussed:
UAE National Risk Assessment
The UAE National Risk Assessment (NRA) recently concluded. The NRA assesses Money Laundering (ML) threats, Terrorist Financing (TF) threats, sectoral vulnerabilities, national vulnerabilities and consequences by the Financial Action Task Force (FATF). This risk assessment is different for “on-shore” entities compared to those in the financial free zones.
Some Key Changes Under the New Federal Law and Cabinet Resolution
Key changes identified include:
- The inclusion and declaration of virtual and digital currencies.
- The introduction of Designated Non-Financial Business & Professions (DNFBPs) in addition to financial institutions.
- The preparation and submission of Suspicious Transaction Reports (STR) to the Financial Intelligence Unit (FIU) through the new on-line system (goAML).
- The definition of a perpetrator of a money laundering offence, which is a first in UAE legislation.
- The requirement to identify and verify natural persons who have a 25% or more Beneficial Ownership.
The DFSA acknowledged that there were some conflicts/clarifications in the DFSA AML Rulebook in relation to the requirements set out in the new AML Law, and so further amendments to the DFSA Rulebook may be made in due course.
Financial Intelligence Unit – UAE
Under the new AML Law, the FIU has been established at the UAE Central Bank. Its main function is STR analysis. Other functions are: international cooperation, domestic cooperation, outreach research and systems, and AML/Counter Terrorist Financing (CTF) oversight.
A representative of the UAE Central Bank (CB) confirmed that currently the FIU does not acknowledge receipt of STRs and many are “autoclosed” when the risk level is considered low. It was also noted that the statistics were drawn from the CB AML reporting system and therefore did not include manual submissions. Going forward the new goAML system will replace the current system and capture all STRs. It was also confirmed that Central Bank permission was not required should a firm wish to exit a relationship, subject to any limitations set out in the new AML Law.
During the presentation a few changes in relation to the DFSA rules were discussed, some of which have already been incorporated, while others are yet to be adopted. As such, firms should expect further changes to the DFSA AML rules; however, most of the significant changes introduced under the new AML Law are already incorporated in the DFSA rulebook.
Some of the key points noted were:
- Certified Articles of Association required.
- Greater emphasis on the intended purpose and nature of the relationship with the client.
- Timing of Customer Due Diligence (CDD) slightly different under the new AML Law.
- Bi-annual reporting requirements to be determined between the DFSA and UAE CB.
- Confirmation that STRs are reported directly to the FIU and that only confirmation that such a submission has happened is required to be sent to the DFSA (the DFSA will want to review the substance of any STRs during visits).
- The Business and Client Risk Assessments were a central focus for both UAE CB and DFSA (see Business Risk Assessment below). Any firm lacking a detailed BRA risks regulatory action.
In June 2019, the UAE Central Bank’s FIU will adopt a programme called goAML. goAML is software developed by the United Nations Office on Drugs and Crime (UNODC) for use by FIUs to counter Terrorist Financing and Money Laundering. The software is being used by approximately 50 FIUs globally and many more are adopting the programme. The goAML web application is a secure web-based interface between FIUs and their reporting entities. The benefits that this programme will bring to the FIU are extensive, the most important being the enhancement of the quality of intelligence produced and disseminated by:
- Helping to create statistics and charting
- Providing a task assignment and tracking tool
- Being a good data collection software
Entities will have two options when it comes to submitting an STR:
- Filling out the online report form
- Uploading an XML file
Filling out the online report form is beneficial and less costly for small entities that do not normally have a lot of STRs to report (around 1 to 50 a year).
For larger entities completing the online form could be very time consuming, so these firms should instead develop a tool to extract information from their core systems such as transactions, KYC details, etc. and export them to the XML Schema to then be submitted to the FIU.
Once an STR is submitted, the UAE CB will send the reporting entity feedback or request additional information.
Business AML Risk Assessment (BARA)
The purpose of the BARA is to identify, evaluate and prioritise risks. All entities have an obligation to assess their AML risks and to take appropriate action to mitigate those risks.
Regulatory obligations are as follows:
- Article 16 of Federal Decree No. 20 of 2018 requires “…Financial Institutions and DNFBPs to identify the Crime risks within its scope of work as well as continuously assess, document and update such assessment based on the various risk factors established in the Executive Regulation…”
- Article 4 of Cabinet Resolution No. (10) of 2019 requires “…Financial Institutions and DNFBPs to identify, assess and understand their crime risks in concert with their business nature and size… and consider all relevant risk factors such as customers, countries or geographic areas; and products, services, transactions and delivery channels, before determining the level of overall risk and the appropriate level of mitigation to be applied…”
- FATF Recommendations 2012 requires “… financial institutions and DNFBPs to identify, assess and take effective action to mitigate their money laundering and terrorist financing risks.”
- Regulatory obligations in the DFSA Rulebook require all firms to assess and address the risks to which they are exposed and then adopt a proportionate approach to mitigate those risks.
The DFSA mentioned that it is its intention to be fully aware of the risks within all regulated entities, which will help it identify which firms should be subject to more regular monitoring.
It is senior management’s responsibility to undertake an AML risk assessment using a Risk Based Approach (RBA). The RBA has been promoted since 2000 and is essential to ensure effective implementation of the revised FATF standards adopted in 2012. An RBA means implementing proportionate AML/CTF measures in response to identified inherent risks. An effective RBA allows firms to exercise informed judgment when meeting their AML/CTF obligations.
Completing a BARA is carried out by:
- Identifying inherent risks: this is the intrinsic risk of an event or circumstance that exists before the application of controls or mitigating procedures. (E.g. customers and activities, products and services, countries or geographic areas, distribution channels, new or developing technologies, transactions, etc.)
- Implementing internal controls: MLRO function, Customer Risk Assessment, CDD, record keeping, AML policies and procedures, Management Information, monitoring, training, audit, STR filing, governance, etc.
- Calculating your residual risk: the level of risk that remains after the implementation of mitigating measures and controls.
Some crucial points that the DFSA mentioned concerning the BARA are as follows:
- Firms need to take into consideration the findings of the UAE NRA. The DFSA will test for this when conducting risk assessments.
- The BARA is a live document; it should keep changing in line with rules or guidelines.
- Firms should revisit their AML risks annually.
- Senior management engagement in the BARA process is crucial.
BARA is not a high-level document. It has to be very specific to each firm.
Through the 2018 Annual AML Returns, 99% of firms stated that they were satisfied that they had adequately assessed their business AML risks in accordance with DFSA requirements. As a result of risk assessments carried out by the DFSA, the following was determined:
- 66% of the firms had deficiencies in their BARA
- 18% had observations
- 16% had adequate BARAs
In summary, what the DFSA expects from firms is that they demonstrate that:
- You know the business
- You know the risks
- You know your controls
- You know your residual risks
The DFSA hosted its Spring Authorisations Outreach on 26th March 2019. Martin Wilding, Director of Authorisation and Supervision, introduced new members of, and changes to, the Authorisations team. As a follow up to the Autumn Outreach in 2018, the Authorisations team has introduced a number of initiatives designed to improve and assess service delivery.
The initiatives consist of the following:
- Improvements have been made to the Customer Satisfaction Survey which is issued to firms to assess their overall experience upon licensing. Currently, the DFSA has a 50% response rate to its surveys, of which 70% indicate that applicants are satisfied with the process overall. Separately, 50% feel that improvements can be made in turnaround times for licensing
- Issuing of e-licences upon authorisation
- A number of application forms, the premises checklist and various notices are now available on the DFSA’s e-portal for online submission
- Pilot projects designed to reduce the time taken to grant Approval in Principle, so that it is granted as early as possible
The Outreach included a short update by Linda Davies, DFSA Senior Manager, on the UAE’s preparations for the FATF Mutual Evaluation in July 2019, and a presentation on the application of a risk-based approach, with particular focus on preparing a firm’s BARA as explained above. The Outreach was attended by industry practitioners and consultants who participated in a round table dialogue to identify improvements to the delivery of information on the use of technology in the application process, thereby allowing a quicker turnaround and licensing of Authorised Firms.
Following the ADGM, DFSA and Emirates Securities and Commodities Authority’s (ESCA) agreement to facilitate and promote the licensing of domestic funds across the UAE as proposed in the DFSA’s Consultation Paper No. 123 - Fund Protocol Rules and discussed in the November 2018 Middle East Regulatory Update, the three authorities have announced that the new fund passporting facility is now available.
The new facility changes the way registration occurs for domestic funds, amends the types of custodians which can be chosen for funds opted into the regime, standardises text for prospectus of funds and changes how firms must notify the DFSA of their domestic funds. The aim is to assist firms who promote and market domestic funds across the whole of the UAE.
Following the legislation, the DFSA has also added the “Fund Passporting Form” to its forms.
The DFSA has signed a Memorandum of Understanding (MoU) with the Moroccan Central Bank, Bank Al Maghrib.
Both the DFSA and Bank Al Maghrib are members of the Islamic Financial Services Board and have been working closely together. The MoU is the sixth to be signed between the DFSA and a Middle East and North Africa (MENA) Central Bank.
The understanding provides a formal agreement and symbolic strengthening of relationships between the two entities and is a traditional method of formalising cooperation between authorities.
A former relationship manager at a DFSA Authorised Firm has been restricted from performing any functions in relation to Financial Services in or from the Dubai International Financial Centre (DIFC).
Arnab Mukherjee was found to have lacked integrity by producing inaccurate information regarding the amount of a client’s total net assets and for making unauthorised investments for another client which he then tried to conceal.
Previously unaware of Mr Mukherjee’s misconduct, the firm he worked for took appropriate action when discovering it and informed the DFSA.
The DFSA has published its Business Plan 2019/2020 which outlines the areas it will be focusing on to continue the growth and development of the DFSA.
The DFSA will focus its themes of Delivery, Sustainability, Engagement and Innovation on:
The DFSA continues to ensure its regulatory regime is in line with international standards. It is developing a resolution regime for DIFC banks and continues to adopt a supervisory approach promoting adequate implementation and effective supervision. The DFSA’s priorities for the banking sector include ensuring adequate implementation of liquidity requirements and paying closer attention to entities considered systemically important to the local and regional area. The DFSA also seeks to complete the implementation of IFRS 9, an International Financial Reporting Standard which addresses the accounting for financial instruments, and will continue to monitor asset quality and concentration risk. One of the key aims of the DFSA is focusing its assessments on emergent risks such as new technologies in the banking sector and providing a balance between innovation and proper regulation.
The DFSA’s priorities for the insurance industry in the DIFC include the development and implementation of IFRS 17, the financial reporting international standard for insurance contracts which has been deferred for one year but is still set to be introduced. The DFSA plans on conducting a thematic review of the professional indemnity insurance required of some regulated entities, which will assess whether such cover mitigates risks in the way the DFSA anticipates when requiring firms to hold it.
3. Wealth Management
The DFSA continues to facilitate the development of the wealth management sector by improving the licensing and registration process of fund managers and funds. It aims to introduce online forms for all fund managers and funds in order to create a “seamless application process”. The DFSA will also undertake a thematic review on asset management firms, with the focus being on firms acting as an asset manager, or advisor providing asset management services to foreign funds.
The DFSA plans to prioritise investigations and enforcement activity where there is credible suspicion of market abuse. The regulator will also be monitoring and scrutinising equity futures markets in the DIFC, in respect of futures where the underlying securities are traded on another market outside the DIFC.
5. Anti-Money Laundering/ Financial Crime
The DFSA will continue to carry out and focus its AML and CTF oversight through desk-based reviews, on site risk assessments, thematic reviews and reporting obligations such as the annual AML Return. The DFSA will also be prioritising its preparation for its FATF Mutual Evaluation in 2019 which will include:
- Checking that the regulated community has implemented changes the DFSA has made to its AML regime
- Developing its risk-based approach to supervision of AML/CTF risks and further engaging with regulated firms in relation to such risks
6. Financial Technology and Cyber Resilience
The DFSA plans to continue the development of its relationship with the FinTech Hive at DIFC while supporting and meeting with firms in the accelerator programme and startup firms who wish to obtain financial service licences. The DFSA will also be developing its knowledge and support of both FinTech and RegTech firms.
Regarding cyber security, the DFSA strongly expects all regulated firms to have sufficient safeguards in place to shield against the risk of a cyber-attack, as well as be sufficiently prepared to respond to a cyber-attack. The DFSA’s focus will include the development of industry level guidance on cyber risk and a cyber-security thematic review.
Following concerns in other jurisdictions on the standards of work carried out by audit firms, the DFSA will consider the risks that exist to markets. The DFSA will continue monitoring the quality of audits of listed entities, with focus on annual reporting and corporate governance arrangements.
8. Rulebook Reviews
The DFSA plans to:
- build on its crowdfunding regime, including extending the crowdfunding regime to allow for different assets to be crowdfunded
- develop a regulatory regime for digital assets
- review its Client Assets regime, which will include identifying gaps and loopholes in the current regime and amending the Rulebook accordingly
- inform firms and auditors on their expectations regarding the treatment of Client Assets through its Outreach sessions to promote better compliance
- introduce new rules on highly leveraged products for Retail clients, which will aim to require that the risks of such products are suitably disclosed and better communicated, that the products meet the needs of the Retail clients and that firms offering such products have all appropriate systems and controls in place
The DFSA will be prioritising its enforcement actions towards certain activities including:
- financial crime, such as money laundering, terrorism financing, deliberate breaches of United Nations sanctions or any breaches of Federal Law
- any instance of market abuse in trading, such as market manipulation and insider trading
- misappropriation and mismanagement of client assets
- misleading or deceiving the DFSA or obstructing a DFSA-wide investigation
The DFSA will further align itself with the Smart Dubai initiative which will include the Paperless Initiative, improving and automating processes and placing more emphasis on further digitalisation of online authorisation firms and the licensing process.
Following a change in the Prudential regulated firms, the Prudential Returns Module has been updated with guidance and includes the amended tables that firms will be required to fill in.
Although the impact on category 4 firms is less than on others, wholesale changes to the forms include changes to the numbering of the forms and to some of the row labels, for example some have been added, others have been modified and some have been removed.
The regulatory returns audit report for 2018 will be based on the new formats and it may not be possible to reconcile all the numbers from each of the quarterlies to the annual total, since the quarterly returns were in a different format.
The Finance Officer completes the returns through the EPRS system and this has been updated with the new forms.
The DFSA has partnered with Standard Chartered Bank to discuss how financial institutions and the regulator can work together to curb illegal wildlife trade and disrupt the flow of illegal funds which arise from such trades. Both the DFSA and Standard Chartered hope to campaign and identify methods of helping authorities investigate and prosecute criminals who are involved in the illegal trade.
The ADGM has opened its 4th Cohort for its Regulatory Laboratory (RegLab) with a focus on themes “API Economy” and “Sustainable Finance”.
Application Programming Interfaces (APIs) allow software programs to interact with other software. The ADGM is encouraging firms who would be able to use APIs within the financial services sector to explore their solutions within the controlled regulatory environment of the RegLab.
Similarly, firms with innovative ideas which also provide sustainable solutions within the financial services sector are also encouraged to apply. Applicants accepted into the cohort will be able to test their product according to regulatory requirements, which are specifically tailored to the risk and impact of their tests.
The ADGM’s Office of Data Protection took part in an intelligence data gathering operation known as a “Sweep” with the Global Privacy Enforcement Network (GPEN). The ADGM is one of its 18 members. The operation is designed to evaluate how well organisations have abided by data protection laws. The findings indicated that although organisations had good monitoring programmes in place and offered good initial training to staff regarding data protection, most failed to offer refresher training. 90% of organisations within the sample in the ADGM were marked good or satisfactory with regard to maintaining a data protection framework. Improvements identified included needing to make privacy policies accessible to the public and to offer ongoing training.
The Central Bank of Bahrain (CBB) has implemented new rules to allow short selling and securities lending. Under the new regulations the CBB “shall specify the types of securities, which may be traded by loan and short sale, the terms and procedures of such transactions and the rights and obligations of all concerned parties.” The aim of the regulation is to enhance market liquidity within Bahrain and attract international investment interest.
The Bahrain licensed exchange and licensed clearing house are expected to issue their own rules and guidelines soon related to lending and borrowing in securities and short-selling.
A study carried out by Gartner has concluded that, owing to a lack of skilled security professionals in the region, it currently takes an average of 260 days in the Middle East to identify and contain a data breach. While the number of data attacks has fallen, the number of publicly disclosed attacks has increased and organisations are being strongly encouraged by regulators in the Middle East and North Africa to comply with security controls. However, the UAE specifically has been praised for the number of laws and regulations that encourage strong data protection systems and controls. It was also identified as having regulatory authorities that prescribe severe fines and imprisonment for data privacy offences.
The UK Financial Conduct Authority (FCA) has confirmed all firms acting in or from the UK are henceforth prohibited from selling, marketing or distributing binary options to retail customers.
Following concerns that the high risk of binary options and the poor conduct of firms selling them had detrimental consequences for retail customers, the FCA has placed a ban to avoid consumer harm and trading losses.
The ban follows the European Securities and Markets Authority’s (ESMA) existing EU-wide temporary restrictions on binary options. However, the UK regulator has gone further and also banned “securitised binary options” which were excluded from ESMA’s prohibition.
The FCA estimates the ban will save retail customers up to £17m per year as well as reduce fraud.
The new rules came into force on 2nd April 2019.
The Australian Government has included an additional $390 million in its budget to boost its financial regulation sector.
Following an inquiry into greed and malpractice in the financial sector, recommendations were made to Australia’s corporate regulators, one of which was to implement a new oversight body and remuneration structure.
Several Australian firms have been found to lack sufficient controls in Anti-Money Laundering as well as misappropriation of funds, and the Government is hoping that the injection of funds to improve the system will help strengthen regulation and reduce cases of non-compliance.
The German Ministry of Finance has published a paper on the regulation and treatment of blockchain-based securities. The paper discusses the introduction of regulations for electronic securities and the issuance of crypto tokens. The regulation will be separate to existing regulation due to crypto tokens not representing securities, investment or other financial instruments.
Germany’s plans to introduce a blockchain strategy will start in mid-2019 and are part of its aim to position Germany as one of the leading FinTech countries.
The FCA has fined UBS AG (UBS) £27,599,400 for failures in its transaction reporting.
The firm failed to properly:
- identify what transactions had been carried out
- identify in what markets transactions occurred
- detail the price at which transactions took place
- stipulate the quantity of transactions
- document with whom the transactions occurred
UBS failed to take reasonable care to organise and control its affairs responsibly and effectively in respect of its transaction reporting. The failings were also in relation to UBS’s change management process and maintenance of the reference data used in its reporting.
Goldman Sachs International (GSI) has been fined £34,344,700 by the FCA for failing to provide accurate and timely transaction reporting. The firm failed to ensure it provided accurate and timely information in relation to approximately 213.6m transactions. It also reported 6.6m transactions which did not need to be reported.
The Reserve Bank of India (RBI) has fined Yes Bank Rs 1cr ($144,600) for non-compliance with regard to its “Swift” operations. Swift is global messaging software used for transactions by financial entities. While assessing the implementation of Swift-related controls, the regulator observed clear weaknesses in the existing procedures.
The FCA has fined UK company Carphone Warehouse £29,107,600 for the mis-selling of phone insurance. The investigation into how the firm was selling insurance stems from whistleblowing reports that sales consultants were not given the right training to give suitable advice about insurance and were not trained to adequately assess a customer’s needs to determine whether the insurance was necessary.