Please go through all the slides about training in compliance, AML, fraud prevention, sanctions, KYC, CDD, corporate governance, and cyber security.
1.
EXOTIX ADVISORY LTD -
ANNUAL TRAINING 2022
Compliance, AML and
MAY 2022
2.
01 Exotix Advisory in the DIFC
02 DFSA GEN and COB rules
03 DFSA AML rules
04 Cybersecurity
3.
Exotix Advisory in the DIFC
4.
Three Key Bodies in the DIFC
1. DIFC Authority
• Oversees strategic development, operational management and planning of the DIFC.
• Oversees development and administration of laws and regulations which apply in the
DIFC (other than those related to the provision of financial services).
2. Dubai Financial Services Authority (DFSA)
• Independent regulator of all financial services conducted in or from the DIFC.
• Authorises, supervises and monitors all financial services firms in the DIFC to ensure
they comply with applicable laws and rules.
• Enforces sanctions in the event of non-compliance.
3. DIFC Courts
• An independent legal system which follows an English common law framework to
deliver international standards of legal procedure and dispute resolution.
• A forum for all civil and commercial DIFC disputes.
5.
Dubai Financial Services Authority
• Administers the Regulatory Law, the legislative framework of the regulatory regime. This
Law:
o established the constitution of the DFSA and enabled the creation of the regulatory
framework in which all regulated firms operate; and
o gives the DFSA the power to enforce the Law and the Rules that apply to all regulated
participants within the DIFC.
• Strives to detect and prevent money laundering activities within the DIFC, and also works
closely with the UAE Central Bank in this vital area.
• Follows a principles-based approach to regulation.
• Using these principles as a guide, the DFSA expects all firms to implement their own risk-
based approach to operating within the regulatory regime.
6.
DIFC Public Register Extract
7.
DFSA Public Register Extract
8.
DFSA Public Register Extract -
Authorised Individuals
9.
EAL DIFC: Licensed Activities
The firm holds a Category 4 (lowest risk) license comprising the following permissions:
Arranging Deals in Investments (in respect of Certificates, Debentures, Options, Shares, Structured Products, Warrants, Units)
• Making arrangements with a view to a client buying an investment product
• Facilitating a transaction between parties such as insurers writing Long-Term Insurance and policyholders who wish to obtain such a product
• Assisting your client through this process e.g. completing the application form or any other processes in relation to closing out the transaction
• Negotiating and settling the terms of the contract between insurer/policyholder
• Collecting premiums, fees, commissions or any other payment in relation to the transaction
Advising on Financial Products (in respect of Certificates, Debentures, Options, Shares, Structured Products, Warrants, Units)
• Giving advice to a client or a potential client on the merits of a particular financial product
• Advice includes a statement, opinion or report where the intention is to influence a client in their selection of a particular product or products
Arranging Credit and Advising on Credit
• Making arrangements for another Person, whether as principal or agent, to borrow money by way of a Credit Facility; or
• Giving advice to a Person in his capacity as a borrower or potential borrower or as agent for a borrower or potential borrower on the merits of his entering into a particular Credit Facility.
10.
Compliance Officer/MLRO
Exotix Advisory Ltd (“EAL DIFC”) outsources its Compliance, AML and risk functions to Clarity
Consulting Solutions Ltd.
Vaishnavi Srinivasan is the Firm’s Compliance Officer/Money Laundering Reporting Officer
(“MLRO”) as well as Risk Officer.
Shamshad Khan is the Deputy MLRO.
Contact details:
+971 52 123 9486 - vaishnavi@claritysolutions.ae
+971 55 100 9758 - Shamshad@claritysolutions.ae
11.
DFSA Principles
• 12 principles for Authorised Firms
o Applicable to activities carried on by the firm from an establishment maintained in the
DIFC
• 6 principles for Authorised Individuals
o Apply in respect of every Licensed Function (like Licensed Director, Senior Manager,
etc.) held by the individual
• Principles have the status of Rules
o Statement of fundamental regulatory requirements
o Rules are built on these fundamental principles
o Apply along with other DFSA Rules
o Also apply in situations that may not be covered by a specific Rule
• Breaching a Principle for Authorised Firms makes the firm liable to disciplinary action, and
may indicate that it is no longer fit and proper to carry on a Financial Service or to hold a
Licence
• Breaching a Principle for Authorised Individuals makes the individual liable to disciplinary
action and may indicate that he is no longer fit and proper to perform a Licensed Function
12.
DFSA Principles for Authorised Firms
1. Integrity
• Must observe high standards of integrity and fair dealing
2. Due skill, care and diligence
• In conducting its business activities the Firm must act with due skill, care and diligence
3. Management, systems and controls
• Must ensure that its affairs are managed effectively and responsibly by its senior management
• Must have adequate systems and controls to ensure, as far as is reasonably practical, that it complies with legislation applicable in the DIFC.
4. Resources
• Must maintain and be able to demonstrate the existence of adequate resources to conduct and manage its affairs
5. Market Conduct
• Must observe proper standards of conduct in financial markets.
6. Information and interests
• Must pay due regard to the interests of its customers and communicate information to them in a way which is clear, fair and not misleading.
7. Conflicts of interest
• Must take all reasonable steps to ensure that conflicts of interest between itself and its customers, between its Employees and customers and between one customer and another are identified and then prevented or managed, or disclosed, in such a way that the interests of a customer are not adversely affected
8. Suitability
• Must take reasonable care to ensure the suitability of its advice and discretionary decisions for customers who are entitled to rely upon its judgement.
9. Customer assets and money
• Must arrange proper protection for assets or money belonging to a customer which it is required to safeguard in accordance with the responsibility it has accepted
10. Relations with regulators
• Must deal with Regulators in an open and co-operative manner and keep the DFSA promptly informed of significant events or anything else relating to the Authorised Firm of which the DFSA would reasonably expect to be notified
11. Compliance with high standards of corporate governance
• Must have a corporate governance framework as appropriate to the nature, scale and complexity of its business and structure, which is adequate to promote the sound and prudent management and oversight of the Authorised Firm’s business and to protect the interests of its customers and stakeholders
12. Remuneration practices
• Must have a remuneration structure and strategies which are well aligned with the long term interests of the firm, and are appropriate to the nature, scale and complexity of its business
13.
DFSA Principles for Authorised
1. Integrity
• Must observe high standards of integrity and fair dealing in carrying out every Licensed Function
2. Due skill, care and diligence
• Must act with due skill, care and diligence in carrying out every Licensed Function
3. Market conduct
• Must observe proper standards of conduct in financial markets in carrying out every Licensed Function
4. Relations with the DFSA
• Must deal with the DFSA in an open and cooperative manner
• Must disclose appropriately any information of which the DFSA would reasonably be expected to be notified
5. Management, systems and controls
• Must take reasonable care to ensure that the business of the Authorised Firm for which he is responsible is organised so that it can be managed and controlled effectively
6. Compliance
• Must take reasonable care to ensure that the business of the Authorised Firm for which he is responsible complies with any legislation applicable in the DIFC.
14.
DFSA GEN and COB rules
15.
Key DFSA Rulebook
• GEN: General Module (Financial Services, Principles, Systems and Controls, etc.)
• AML: Anti-Money Laundering, Counter-Terrorist Financing and Sanctions Module (Customer and Business Risk Assessments, Due Diligence, MLRO Duties, SARs, etc.)
• COB: Conduct of Business Module (Client Classification, Core Rules, Client Money Provisions, etc.)
• PIB: Prudential — Investment, Insurance Intermediation and Banking Module (Capital and liquidity requirements, EBCM rules, prudential reporting requirements, etc.)
16.
Client classification
• The DFSA Conduct of Business (COB) Module of the Rulebook
requires the firm to go through a process called Client
Classification before it can provide financial services to that
client
• There are 3 types of client recognised by the DFSA:
o Retail Clients, those deemed most in need of regulatory protection and for
whom firms need special permission to act (the Firm does not have
permission to service Retail Clients)
o Professional Clients
• ‘assessed’
• ‘deemed’
• ‘service-based’
o Market Counterparty – these would constitute government agencies,
regulated financial institutions, listed companies etc.
17.
Client classification (contd..)
• ‘Service-based’ Professional Client
o Only applicable for corporate clients; not for an individual
o Financial service provided is for the purposes of ‘corporate structuring and financing’
o Meaning providing advice (and arranging services) relating to an acquisition, disposal,
structuring, restructuring, financing or refinancing of a corporation or other legal entity;
• ‘Assessed’ Professional Client:
o Individual or Undertaking
o Net assets/own funds of at least USD 1 mil + relevant knowledge and experience
o Professional Client Analysis Form (template in the Compliance Manual) to be completed,
evidencing assessment
• ‘Deemed’ Professional Client/Market Counterparty
o Falls within the list prescribed by the DFSA which includes: a Regulated Financial Institution
or the management company of a regulated pension fund or a Collective Investment Fund
or a regulated pension fund or a Large Undertaking, etc.
o Separate notification of classification as Market Counterparty is to be provided to the client
18.
Client classification (contd..)
• Once a client has satisfied the Professional Client /Market Counterparty
test, the firm has a duty to inform the client of this classification
• This duty is discharged by sending a Client Classification Letter to the
client which:
o Informs them that they have been classified as a Professional Client/Market Counterparty
according to the DFSA’s client classification rules;
o Explains that the client does have a right to be classified as a Retail Client or a Professional
Client (if classified as a Market Counterparty) and avail greater regulatory protection;
o Gives them a time limit to request a change in classification e.g. 10 days; and
o Makes it clear that if they do not request a change in classification within the time limit,
they will be classified as a Professional Client/Market Counterparty
• If the client does request classification as a Retail Client, the firm can no
longer act, as it does not possess the relevant Retail Endorsement to
its DFSA licence
19.
• DFSA COB Rule + Principle: requires the firm to undertake a Suitability Assessment every time advice is
given to a client
• The suitability of investment advice given to clients is a key focus for the DFSA, particularly given the effect
of the Coronavirus pandemic on people’s financial circumstances, their attitudes to risk and their plans for
the future
• This differs from the Client Classification assessment as while a Suitability Assessment does examine a
customer’s understanding of products and their investment history, its key focus for you as a Relationship
Manager is to document WHY you assessed a product/service you are selling to them as being suitable for
their needs
• Considerations to document are:
o Needs and objectives of the client (including their age)
o Their financial situation e.g. assets, liabilities, income, expenses
o Knowledge and experience of their investment history and their familiarity with relevant financial
products and financial services
o Their occupation, former professional experience, and level of financial education
o An assessment of how the product will impact the client’s investment portfolio and how it is likely to
meet the client’s investment objectives and financial circumstances
• Suitability Assessment note template available that is completed for all clients of EAL
20.
Marketing Material/Disclosure of Regulatory
• The Firm must ensure that marketing material:
o Is clear, fair and not misleading;
o does not contain information about a specific proposal (generic information about the platform is fine);
o Includes the Firm’s name and regulatory status
• If directed only at Professional Clients/Market Counterparties, is not sent or directed to any person who appears on
reasonable grounds not to be a Professional Client/Market Counterparty and contains a clear statement that only a
person meeting the criteria for Professional Client/Market Counterparty should act upon it.
• All new materials must be approved by Compliance prior to use.
• Every key business document which is in connection with the Firm carrying on a financial service in or from the
DIFC must include one of the following disclosures:
o ‘Regulated by the Dubai Financial Services Authority’
o ‘Regulated by the DFSA’
• Key business documents include:
o Email signatures
o Letterheads
o Terms of business
o Written promotional materials
o Business Cards
o Websites
21.
Conflicts of Interest
• Could arise between firm and clients, employees and clients, or between clients
• The firm must have systems and controls in place to identify and prevent/manage conflicts
(DFSA rule and principle)
• These typically consist of implementing Chinese Walls where relevant; disclosing conflicts to
the client in writing, requiring employees to disregard any conflict of interest when advising a
client, etc.
• Where a conflict cannot be prevented/managed, the firm must decline to act for that Client
• Systems and procedures include the following measures for preventing and managing
conflicts:
o Conflicts of Interests Policy in the Compliance Manual
o Policy to disclose personal account transactions
o Policy to disclose gifts and entertainments
o Policy to disclose external business interests
o Maintaining Insider List
22.
Conflicts of Interest (contd..)
• Gifts and hospitality
o Employees are not allowed to accept gifts, entertainment or any other inducement from any person
which might benefit one customer at the expense of another
o Compliance Officer to be consulted before providing or receiving any sort of inducement to or from
another
o Gifts may be received/given only when they are consistent with business practice, are of reasonable
value and do not violate any law/ethical standards
o Cash/cash equivalent gifts are prohibited at all times
• Outside business activities
o Could be other employment/directorships/political activity/shareholding, etc.
o Employees are required to disclose external business interests upon joining the firm
o For any new activities contemplated during employment with the firm, prior approval needs to be
sought using form in the Compliance Manual
• Insider list
o Firm maintains insider lists for projects where customers or companies involved have publicly listed
financial instruments to ensure the people with knowledge of the situations are clearly identified
23.
Conflicts of Interest (contd..)
• Personal account dealing
o All trade pre-approval must be sought (in writing) from the SEO (or the Compliance
Officer)
o Once pre-approval is granted, employees have up to 5 business days to execute their
trade
o PA transactions over which you have no discretion should be reported to the Compliance
Officer as soon as possible
o This reporting requirement extends to any trading in bonds, equities, swaps, warrants,
contracts for difference and spread bets (but not non‐financial spread bets such as those
on sports events)
o The restrictions also apply to any transaction undertaken by members of your family
(e.g., your spouse, children under 18 and those with close links to the employee)
o Copies of contract notes (or similar) should be provided to the Compliance Officer post-trade
• Starting July 2022, EAL will be obtaining declarations from employees twice a year in
relation to matters such as personal account transactions, outside business interests,
etc.
24.
Complaints handling
• A customer complaint is any expression of dissatisfaction about
any aspect of the Firm’s business or about the activities of any
employee:
o Verbal or written
o Justified or not
o From a client/prospect/service provider
• All complaints should be investigated and resolved fairly,
consistently and promptly
• Where systemic problems are identified, systems and controls
should be reviewed and enhanced to ensure there is no repetition
• Appropriate records (including Complaints Notification Form)
should be maintained.
25.
Complaints handling (contd..)
1. Employee receives a complaint
2. Notifies CO/line manager using Complaints Notification Form in Compliance Manual
3. CO begins assessing the complaint
4. Acknowledges receipt to complainant within 7 days of receipt + mentions who is responsible for handling + timelines
5. Send update to the complainant every 30 days
6. Firm to endeavour to resolve complaint within 60 days of receipt
7. Upon conclusion, notify complainant in writing + provide terms of redress/alternative options
8. CO updates Complaints Register and keeps SEO updated. DFSA also notified where required.
26.
Other Systems and Controls
• Organisation: clearly define and communicate roles, responsibilities and reporting lines and ensure appropriate segregation of duties (signed job descriptions, maintain org chart)
• Risk management: establish and maintain risk management systems and controls to enable the Firm to identify, assess, mitigate, control and monitor its risks; appoint an individual to report to senior management on risks
• Internal audit: establish and maintain an internal audit function to monitor the appropriateness and effectiveness of its systems and controls
• Management information: establish arrangements to provide senior management with the information necessary to organise, monitor and control the Firm’s activities, to comply with legislation applicable in the DIFC, and to manage risks (Compliance, Finance, Risk and SEO reports)
• Business plan and strategy: produce an annual business plan which enables the Firm to manage the risks to which it and its customers are exposed; take into account the Firm’s current business activities, those forecast for the next 12 months, and potential changes in the business
• Fraud: establish and maintain effective systems and controls to: deter and prevent suspected fraud and report suspected fraud and other financial crimes to the relevant authorities
27.
Other Systems and Controls (contd..)
• Staff and agents: establish systems and controls to enable the Firm to satisfy itself as to the suitability of anyone who acts for it. These include ensuring that its employees are fit and proper, competent and capable of performing their functions and trained in the requirements of the legislation applicable in the DIFC
• Conduct: establish and maintain systems and controls that ensure, as far as reasonably practical, that it and its Employees do not engage, or facilitate others to engage, in conduct which may constitute market abuse, whether in the DIFC or elsewhere or a financial crime under any applicable U.A.E. laws; any suspected instances of market abuse must be reported to the DFSA
• Outsourcing: undertake appropriate due diligence in choosing suitable service providers and inform the DFSA about any material outsourcing arrangements
• Business continuity and disaster recovery: maintain a Business Continuity Plan (‘BCP’) to ensure that the Firm can continue to function and meet its obligations under DIFC legislation in an unforeseen interruption; keep the BCP up-to-date and regularly test its effectiveness
• Records: maintain appropriate records of its matters and dealings; records must be capable of reproduction on paper within a reasonable period not exceeding 3 business days; normally need to be maintained for 6 years from date of last transaction or termination of client relationship
• Compliance: establish appropriate compliance arrangements, processes and procedures (Compliance Manual and related policies/procedures); ensure monitoring and reporting processes and procedures are in place (Compliance Monitoring Programme); ensure Compliance function is independent and has adequate resources and unfettered access to the Firm’s records
28.
• DFSA introduced new rules that came into effect on 07 April, 2022
• Compliance Manual will be updated in May 2022 to reflect the same
• Procedure described for reporting instances internally within the firm in the first instance
• Employees can also approach the DFSA or other relevant authority directly instead, or
simultaneously, if deemed necessary
• Reports to the DFSA can be sent at whistle@dfsa.ae
• Regulatory Law provides legal protection to a whistleblower who discloses information about
suspected misconduct in good faith under certain circumstances.
o Protection is from liability, dismissal or detriment for making that disclosure
o Does not prevent the Firm from taking action against an employee for other legitimate reasons, such
as if the employee has engaged in misconduct.
• No employee who in good faith reports a violation shall suffer harassment, retaliation or
adverse employment consequence.
30.
Anti-Money Laundering in the DIFC
UAE Federal AML legislation
• Laws and regulations issued by the country relating to AML and CTF
• No. 20 of 2018
• No. 7 of 2014
UAE cabinet resolutions/decisions
• Supplement the federal laws/regulations
• No. 10 of 2019
• No. 74 of 2020
UAE Federal law
• No. 8 of 2004 (Financial Free Zones)
• UAE Federal AML Legislation apply in the DIFC and the DFSA is obliged to supervise and monitor Relevant Persons for compliance with the same
DIFC Regulatory Law
• DFSA has jurisdiction for the regulation of AML and CTF in the DIFC
• Requires Relevant Persons to comply with the Federal AML Legislation as it applies to them
DFSA Rules
• AML module of the DFSA Rulebook
• Applies to all Relevant Persons (Authorised Firms, DNFBPs, Registered Auditors, etc.)
31.
Definitions of terms
Money Laundering
The process of concealing the origins of funds obtained through some form of illegal activity,
typically through transactions involving foreign banks or legitimate businesses, in order to
make the funds appear legitimate
• Must involve criminal activity which generates proceeds of crime to be laundered
• Must involve some element of transfer or usage of funds with intent either to hide
their criminal origins or to use them for their own ends
• The laundering of money makes it appear legitimate so that those doing the
laundering benefit directly from it by funding their lifestyle e.g. purchasing goods,
making investments etc.
Terrorism Financing
The provision of funds or ongoing financial support to enable individual terrorists or terrorist
groups to carry out unlawful terrorist activity
• Funds used do not have to be proceeds of crime, can have been earned legitimately
• Funds are used to support criminal activity
• The beneficiaries are the terrorists, not those who raise the funds
32.
What constitutes “Criminal Activity”?
• Narcotics and psychotropic substances
• Kidnapping
• Piracy
• Terrorism
• Violation of environmental law
• Illicit dealing in firearms and ammunition
• Bribery and Corruption
• Embezzlement
• Fraud, breach of trust and related offences
• Any other related offences in international agreements to which UAE is party
33.
Money laundering is a Crime all by itself
Offence 1: Initial crime (predicate offence) which generates the proceeds to be laundered
Offence 2: Laundering the proceeds of the predicate offence
Criminals can be punished for both the commission of the predicate offence AND
laundering the proceeds of that crime. Even if not successfully convicted of the
predicate offence, a conviction can still be achieved for laundering the proceeds.
34.
The Three Stages of Money Laundering
35.
Preventative AML Measures
Who is responsible? Everyone!
Each member of Senior Management (SEO, Finance Officer,
CO/MLRO) is responsible for delivering compliance with the
relevant AML requirements by the whole office
• All staff are responsible for complying with policies and procedures,
attending training, and reporting suspicious activities (first line of
defence)
• The MLRO is responsible for the implementation of the AML
framework and day to day oversight of compliance with AML Rules
(second line of defence)
36.
DFSA – Risk-Based Approach
[Diagram: AML Business Risk Assessment, Customer Risk Assessment, Customer Due Diligence]
• The DFSA promotes a risk-based approach to AML compliance in the DIFC
o Dynamic process involving regular reviews
o Look at each customer on their individual merits
o Arrive at a risk rating proportionate to the risks involved with each customer
o Document this assessment of customer risk properly
o Never follow a ‘tick box’ approach to AML
• Your exposure to this approach will be
during the customer on boarding
stage
o Where is the customer based?
o How long have you known the
customer?
o What do you know about their
business and operations?
o Is there any sanctions, AML or terrorist
financing risk?
o Documentation of all these things is
37.
Three Pillars
AML Business Risk Assessment
• Low risk
• Medium risk
• High risk
Customer Risk Assessment
• Low risk
• Medium risk
• High risk
Customer Due Diligence
• Simplified
• Standard
• Enhanced
38.
AML Business Risk Assessment
• Annual mandatory assessment of AML risks to your business
• Clearly documented and approved by Senior Management
• The MLRO assesses the AML risks across 7 key areas:
o your clients and their activities;
o the countries in which you do business;
o your products, services and activity profiles;
o your distribution channels and business partners;
o the complexity and volume of business transactions;
o the development of any new products, business practices,
channels and partners; and
o the use of new or developing technologies for both new
and existing products.
• The information gathered then helps the business:
o develop, implement and sustain effective AML policies,
procedures, systems and controls in order to mitigate the
risks identified;
o review the effectiveness of these controls at least annually;
o prioritise the allocation of AML resources; and
o assist in the carrying out of the Customer Risk Assessment.
39.
Customer Onboarding
Identification (information gathering)
• Who is the customer?
• Who owns/controls them?
• What do they do?
• Can you describe their activities?
• What will you be doing for them?
• What is their legal structure?
Risk assessment
• Customer risk
• Jurisdiction risk
• Service/product risk
• Sector risk
• PEP risk
• Tax crime risk
Verification (gathering evidence)
• What documents or other details do you need to verify and what information have you already gathered?
• What steps do you need to take to mitigate any specific risks that you have identified?
40.
Customer Risk Assessment
Source: DFSA Rulebook
41.
Customer Due Diligence (CDD)
Source: DFSA Rulebook
42.
On-going CDD
TRANSACTIONS
- Monitor transactions continuously
- Are they consistent with your knowledge of the customer and expected activities?
- Pay attention to anything that strikes you as unusual or out of the ordinary/complex
PERIODIC CDD REVIEWS
- Ensure that material held on customers and their owners is up-to-date
- Assess whether the original risk rating remains appropriate
- Low risk reviewed every 3 years, medium risk every 2 years and high/PEP risk every year
ONGOING SCREENING
- Screen the customer and related parties against sanctions lists
- Receive updates to relevant sanctions list like the UNSC
- Review customer database against such updated lists
43.
Politically Exposed Persons (PEPs)
Definition (DFSA AML glossary):
“A natural person (and includes, where relevant, a
family member or close associate) who is or has been
entrusted with a prominent public function, whether in
the State or elsewhere, including but not limited to, a
head of state or of government, senior politician, senior
government, judicial or military official, ambassador,
senior person in an International Organisation, senior
executive of a state owned corporation, an important
political party official, or a member of senior
management or an individual who has been entrusted
with similar functions such as a director or a deputy
director. This definition does not include middle ranking
or more junior individuals in the above categories.”
44.
Politically Exposed Persons (contd..)
• Presence of PEPs does not automatically make a customer high risk. But firm
has to assess whether there is a possibility that individuals holding such
positions have misused their power and influence for personal gain or
advantage.
• Factors to be considered include:
o Position of the PEP
o Domestic or foreign PEP
o Associated jurisdiction risk
o Adverse news relating to the PEP
• DFSA rules require additional action to be taken where PEPs are identified:
o Senior management approval to onboard
o Increased monitoring
o Reasonably establishing source of funds and wealth
45.
Sanctions compliance
• The firm must maintain effective systems and controls to make use of relevant
findings, recommendations, guidance, directives, resolutions or sanctions issued
by:
o UN Security Council
o the government of the U.A.E. or any government departments in the U.A.E.;
o the Central Bank of the U.A.E. or the FIU;
o FATF;
o U.A.E. enforcement agencies; and
o the DFSA
• The firm must immediately notify the DFSA when it becomes aware that it is:
o carrying on or about to carry on an activity;
o holding or about to hold money or other assets; or
o undertaking or about to undertake any other business whether or not arising
from or in connection with the above points;
for or on behalf of a person, where such carrying on, holding or undertaking
constitutes or may constitute a contravention of a relevant sanction or resolution
issued by the UN Security Council.
46.
Targeted Financial Sanctions (TFS)
• The term ‘targeted sanctions’ means that sanctions are imposed against specific
individuals or groups, or undertakings.
• The term ‘targeted financial sanctions’ (TFS) includes both asset freezing and
prohibitions to prevent funds or other assets from being made available, directly
or indirectly, for the benefit of individuals, entities, groups, or organization who
are sanctioned.
• The freezing measures, including the prohibition of making funds available, apply
to:
o Any individual, group, or entity listed in the Local (UAE) Terrorist List or listed
by the UNSC.
o Any entity, directly or indirectly owned or controlled by an individual or entity
listed under A.
o Any individual or entity acting on behalf of or at the direction of any individual
or Entity listed above.
47.
Targeted Financial Sanctions (contd..)
All UAE Financial Institutions including the Firm must:
• Register at the Executive Office website to receive automated email notifications:
https://www.uaeiec.gov.ae
• Undertake ongoing, daily checks of the following databases to identify
possible matches with names listed in the Sanctions Lists: the UN List or
the UAE Local Terrorist List
• Apply TFS (i.e. freezing measures) immediately and without delay (within 24
hours) if a match with the UN List or the Local Terrorist List is identified
• Immediately notify the DFSA as Supervisory Authority about having applied TFS
• Submit a Funds Freeze Report (FFR) or Partial Name Match Report (PNMR), as
applicable, via the goAML portal within 5 business days from taking any freezing
measure and/or attempted transactions. Submissions via the goAML portal are
received by the Executive Office as well as the DFSA.
• Cooperate with the Executive Office and the DFSA in verifying the accuracy of the
submitted information
• Implement the freezing cancellation or lifting decision, when appropriate, without
delay.
48.
Suspicious Activity Reports (SARs)
• Whenever any employee, acting in the ordinary course of his employment, either:
o knows;
o suspects; or
o has reasonable grounds for knowing or suspecting;
that a person is engaged in or attempting money laundering or terrorist financing, the employee must promptly
notify the MLRO and provide the MLRO with all relevant details (Internal Suspicious Activity Report).
This is a legal obligation.
• On receipt of an internal SAR, the MLRO will undertake the requisite reviews, investigate the matter further and
decide whether or not a SAR needs to be filed with the UAE’s Financial Intelligence Unit (External Suspicious
Activity Report).
• Filing SARs upon noticing any suspicious activity is a requirement under UAE federal laws as well as DFSA AML
rules.
• In the absence of the MLRO, the firm’s Deputy MLRO will assume the above-mentioned responsibilities.
49.
Suspicious Activity Reports (Contd..)
• Suspicious activity noted by employee
• Employee completes internal SAR and sends to MLRO, with supporting evidence
• No tipping-off person(s) involved; this is an offence
• MLRO investigates further and decides if external SAR is required
o If required, MLRO files through the goAML system
o If not required, reasons are documented
50.
Red Flags
• Customer uses unusual or suspicious
identification documents that cannot be
readily verified;
• Customer is reluctant, when establishing
a new relationship, to provide complete
information;
• Customer’s background differs from that
which would be expected on the basis of
his or her business activities;
• Customer is reluctant to provide
information on controlling parties and
underlying beneficiaries;
• Any other unusual requests outside the
normal pattern expected.
51.
DFSA Thematic Review – AML in the
Brokerage sector
• In Nov 2021, the DFSA released findings and observations stemming from its thematic review of
the AML processes applied by brokerage firms specifically.
• The review contained findings and observations for firms undertaking AML Business Risk Assessments and
customer risk assessments/due diligence.
• Though the thematic review was in relation to a specific category of firms (i.e. the brokerage
sector), the findings/observations can be implemented by other regulated entities as well.
• EAL DIFC’s latest AML Business Risk Assessment (Apr 2022 version) has considered the DFSA’s
recommendations contained in the above report.
52.
Regulatory Actions – some recent DFSA
Mar 2022: Adenium Energy Capital – Cayman Islands & Adenium Energy Capital Advisors – DIFC & Former CEO, SEO and Directors
ISSUES IDENTIFIED
• Adenium Cayman engaged in unauthorised financial services activities, including illegally marketing
unregulated Collective Investment Funds;
• AECAL was knowingly involved in Adenium Cayman’s breaches and itself breached a number of DFSA Rules
relating to customer on-boarding, client classification, capital requirements and systems and controls.
• Mr El Sawaf and Mr Chaker:
o were knowingly involved in Adenium Cayman’s and AECAL’s breaches; and
o breached a number of the DFSA’s Principles for Authorised Individuals.
PENALTIES IMPOSED
• USD1,256,224 on Adenium Cayman;
• USD96,484 on AECAL.
• USD131,600 on Mr El Sawaf.
• USD73,920 on Mr Chaker.

Mar 2022: Dalma Capital – DIFC & Zachary Cefaratti (its SEO)
ISSUES IDENTIFIED
• Dalma failed to conduct its business activities with due skill, care and diligence.
• Dalma provided false, misleading and deceptive information to the DFSA, and concealed information such
as to mislead or deceive the DFSA, concerning the trading carried out by the individual described above.
• Mr Cefaratti was knowingly involved in Dalma’s failure to conduct its business activities with due skill,
care and diligence. He also provided misleading and deceptive
PENALTIES IMPOSED
• Fine of USD 170,000 on Dalma
• Fine of USD 300,000 on Mr Cefaratti.
• Prohibited Mr Cefaratti from holding office in or being an employee of a regulated DIFC entity, and
restricted him from performing any functions in connection with the provision of Financial Services in
or from DIFC.
• Required Mr Cefaratti to dispose of his
53.
Regulatory Actions – some recent DFSA
Jan 2022: Abraaj founder, Mr Arif Naqvi, & former COO, Mr Waqar Siddique
ISSUES IDENTIFIED
• Mr Naqvi was knowingly involved in misleading investors over the misuse of their funds and was personally
involved in the same. Also knowingly involved in an Abraaj Cayman entity carrying out unauthorised
Financial Service activities in or from the DIFC.
• Mr Siddique was knowingly involved in misleading and deceiving investors over the use of their monies with the
Abraaj Funds. Knowingly involved in the DIFC entity not maintaining Capital Requirements. Failed to act with
integrity in carrying out Licenced Function.
PENALTIES IMPOSED
• Fine of USD 135,566,183 on Mr Naqvi
• Fine of USD 1,150,000 on Mr Siddique
• Both prohibited and restricted from performing any function in or from the DIFC.

Jan 2022: Gilles Rollet, former SEO, La Tresorerie
ISSUES IDENTIFIED
• Knowingly involved in the Unlawful Cash Service (authorised and facilitated Unlawful Cash Services, at
times through the use of his own bank account)
• Involvement in the use of false invoices and the transfer of client money to unregulated companies outside the
DIFC
• Appealed to the FMT where DFSA’s decision was upheld in Jan, 2022.
PENALTIES IMPOSED
• Fine of USD 175,000;
• Prohibited from holding office in or being an employee of a regulated DIFC entity.
• Restricted from performing any function in connection with the provision of Financial Services in or from
the DIFC.
55.
• The DFSA expects all firms to implement an appropriate framework to identify and mitigate
cyber risks and to detect, respond to, and recover from cyber incidents.
• All members of senior management at both the board and executive levels need to be aware
of their firm’s cyber vulnerabilities and, accordingly, provide the necessary resources, control
and oversight to manage the risk.
• DFSA published Cybersecurity Guidelines in order to assist Firms in:
o establishing a sound and robust cyber risk management framework; and
o strengthening system security, reliability, resiliency, and recoverability.
• EAL’s Cybersecurity Policy was finalised in Feb 2022. The objectives of this Policy are:
o To establish a sound and robust cyber risk management framework;
o To strengthen system security, reliability, resiliency, and recoverability; and
o To ensure cybersecurity risks are properly managed within the Firm.
56.
Cybersecurity (contd..)
Key components of the firm’s Cybersecurity Policy:
• Cybersecurity governance: Defining roles and responsibilities of:
o Board
o Senior management
o Risk Officer
o Employees
o Third-party service providers
• Cybersecurity incident response plan and team
• Defining Material Cyber Incidents and describing the process to report the same
• Systems Access
o authorized use
o passwords
o third party access
o internet security
• Cybersecurity controls
o access rights
o change management
o network security
o malware and phishing
o remote access
o lost devices