United Arab Emirates

• Investigations trends/developments
• Significant law reforms impacting corporate criminal liability
• Cross-border cooperation on enforcement
• Predictions for 2023

Investigations trends/developments

AML a prominent area of focus

AML is a prominent area of focus for law reform and the authorities in the UAE, in part due to pressure from the Financial Action Task Force (FATF), an intergovernmental organisation aimed at tackling money laundering.

In early 2022, the FATF placed the UAE on its ‘grey list’ of jurisdictions and under enhanced monitoring due to “strategic deficiencies” in its efforts to counter money laundering and terrorist financing. Removal from the grey list requires the UAE to fully implement the recommendations set out in the FATF’s action plan that was issued following the FATF’s 2020 Mutual Evaluation of the UAE.

The FATF has acknowledged that the UAE has made significant progress, addressing more than half of the key actions recommended by the FATF in 2020. The remaining actions which the UAE is focused on progressing to fully implement the plan include:

• demonstrating through case studies and statistics a sustained increase in outbound Mutual Legal Assistance requests to help facilitate investigation of terrorist financing (TF), money laundering (ML), and high-risk predicates
• identifying and maintaining a shared understanding of the ML/TF risks between the different Designated Non-Financial Businesses and Professions (DNFBPs) sectors and institutions
• c) showing an increase in the number and quality of Suspicious Transaction Reports filed by financial institutions and DNFBPs
• achieving a more granular understanding of the risk of abuse of legal persons and, where applicable, legal arrangements, for money laundering/terrorist financing
• providing additional resources to the Financial Intelligence Unit to strengthen its analysis function and enhance the use of financial intelligence to pursue high-risk money laundering threats, such as proceeds of foreign predicate offences, trade-based money laundering, and third party laundering
• demonstrating a sustained increase in effective investigations and prosecutions of different types of money laundering cases consistent with the UAE’s risk profile
• proactively identifying and combating sanctions evasion, including by using detailed targeted financial sanctions guidance in sustained awareness-raising with the private sector and demonstrating a better understanding of sanctions evasion among the private sector.

These will all be familiar features of AML regimes under which many companies already operate.

Politically Exposed Persons (PEPs) under scrutiny from the Central Bank

The Central Bank of the UAE issued new guidance on AML and CTF, specifically in relation to PEPs. The guidance makes clear that licensed financial institutions must:

• develop risk-based policies to ensure they appropriately identify PEPs or related customers prior to on‑boarding
• obtain senior approval before establishing a business relationship with a foreign PEP
• take reasonable measures to establish the source of funds and source of wealth for foreign PEPs
• apply a risk rating to the PEP which takes into account factors such as the nature of the PEP’s position, and the controls in place in the PEP’s jurisdiction to prevent corruption
• conduct ongoing monitoring of the business relationship
• maintain transaction monitoring systems equipped to identify patterns of unusual or suspicious activity
• file a suspicious transaction/activity report with the Financial Intelligence Unit where there are reasonable grounds to suspect a transaction, attempted transaction, or funds constitute the proceeds of crime, are related to a crime, or are intended to be used in a crime.

New whistleblowing regimes aim to encourage more disclosures

A number of enhancements have been made to improve whistleblower protections in the UAE. We expect these enhancements to lead to an increase in reporting both internally and externally, and to a corresponding increase in investigations, as they become embedded and awareness about them is raised in the market:

The Dubai Financial Services Authority (DFSA) introduced its new whistleblowing regime in April 2022, which strengthens protections available to whistleblowers making disclosures in respect of DFSA‑regulated entities.

The Abu Dhabi Accountability Authority (ADAA), the independent Abu Dhabi government authority with oversight of all Abu Dhabi government departments and agencies and corporate entities which are wholly or partially owned by the Abu Dhabi State, launched the “Wajib” platform, which allows confidential reports of financial and administrative corruption to be made in respect of entities under the supervision of the ADAA. ADAA expects reports of abuse of power, misappropriation of funds, manipulation of financial statements and any other financial or administrative corruption.

More data protection investigations likely

While the new UAE Data Office (which has been established to oversee a new Federal Data Protection Law ) is not yet fully operational, it will have the power to conduct investigations to ensure compliance with new data privacy legislation (see below). The regulator will have the power to fine organisations for non-compliance.

Significant law reforms impacting corporate criminal liability

New data protection laws

A new Federal Data Protection Law, which came into force on 2 January 2022, applies to: an individual who resides or has a place of business in the UAE; an organisation that is established in the UAE that processes the Personal Data of individuals, whether those individuals are located inside or outside the UAE; and an organisation that is not established in the UAE but that processes the Personal Data of individuals that are located inside the UAE.

The Data Protection Law does not apply to public entities or entities based in the UAE’s free zones, a number of which (including the DIFC and the ADGM) have their own data protection laws in place. The Data Protection Law also does not apply to health or credit data that is governed by existing sectoral legislation.

The Data Protection Law is closely modelled on the EU’s data protection regime, but notably, the UAE has not included a ‘legitimate interest’ basis for processing Personal Data. As a result, the primary lawful basis on which organisations may process Personal Data remains consent, though there are limited exceptions to the requirement to obtain an individual’s consent, such as processing which is necessary for the performance of a contract to which the individual is a party, or processing required for the defence of a legal claim. The Data Protection Law introduces many concepts into UAE law for the first time that are similar to the equivalent terms used in the GDPR, ADGM and DIFC data protection laws. These include well‑established principles, such as the requirement for the processing of Personal Data to be fair, transparent and lawful.

Virtual assets regulation

Combatting financial crime is a core driver of the continuing reforms in the virtual assets sector due to the heightened AML and CTF risks that these products attract. Listen to our podcast on the developing virtual asset landscape in the UAE and its interaction with AML and CTF considerations here. Developments in this area include:

• A new law on virtual assets (Dubai Law No. 4 of 2022), which came into force in March 2022. It is the first law in Dubai which specifically regulates virtual assets and follows a raft of other developments in the UAE in the area of virtual asset regulation. The new law establishes the Virtual Assets Regulatory Authority (VARA), an independent regulatory body affiliated with the Dubai World Trade Centre which is mandated to authorise activities involving virtual assets in Dubai, including in specialist development zones and free zones (with the exception of the DIFC).
• A new crypto regime overseen by the DFSA, which came into force on 1 November 2022. This builds on the introduction by the DIFC of a regime for the regulation of investment tokens in October 2021. The new regime is intended to address money laundering and terrorist financing risks in respect of trading, clearing, holding or transferring crypto tokens, as well as consumer protection considerations. Certain tokens (including NFTs) fall outside of the scope of the new regime. However, issuers of these tokens are still required to register with the DFSA as a designated non-financial business or profession (DNFBP) and comply with the AML regimes in both the UAE and the DIFC.

The DFSA will likely issue future public consultations on a wide range of crypto‑related issues, such as staking and DeFI (decentralised finance), prudential rules and capital requirements in respect of crypto firms as well as more detailed guidance for the crypto industry on AML issues such as enhanced due diligence and account monitoring requirements.

Cross-border cooperation on enforcement

The UAE is taking further steps to promote cross-border cooperation. In 2022, the UAE signed mutual legal assistance treaties and international judicial cooperation agreements with the United States, Ethiopia, Denmark, Lithuania, and Serbia. These allow for greater collaboration and information sharing on criminal investigations and prosecutions.

In October 2022, the UAE’s Executive Office of Anti-Money Laundering and Counter Terrorism Financing signed a memorandum of understanding with the United Nations Office on Drugs and Crime, in an effort to expand cooperation and tackle the movement of illicit funds.

The DFSA is also continuing to work closely with its global counterparts. In addition to the more than 100 bilateral and multilateral memoranda of understanding that it already has in place, the DFSA recently signed memoranda of understanding with regulators in Bangladesh, India, and Mauritius, with particular emphasis placed on mitigating ML and TF risks among supervised entities. During the past year, the DFSA received 56 regulatory requests for information and assistance from other regulators, while the DFSA made 92 requests to fellow regulators for information.

Predictions for 2023

• Following the decision by FATF to place the UAE on the grey list and under increased monitoring, it is likely that the UAE will focus on demonstrating that its AML/CTF regime operates effectively in practice, including through promoting increased suspicious transaction/activity reporting from businesses and an increase in enforcement activity. Firms should continue to ensure that they place sufficient focus on, and investment in, the development of appropriate AML/CTF controls, including putting in place clear and effective policies and procedures to ensure compliance with AML/CTF regulations.
• Following the introduction of the DFSA Whistleblower Regime and the introduction of the ADAA’s “Wajib” platform, we expect to see the UAE take further steps to embed protections for whistleblowers and to publish guidance on how these protections should be implemented in practice. Businesses should carefully consider the requirements of the whistleblower protection regimes applicable to them and ensure that proper processes are in place to facilitate reporting and adequate protection for whistleblowers.
• Businesses should consider whether their policies, procedures and operations are compliant with the requirements of the Federal Data Protection Law now that it is in force. We expect to see more activity from the UAE Data Office in the coming year as the Data Protection Law becomes embedded and the UAE authorities seek to monitor compliance with the legislation.
• Consistent with global trends, both the onshore and offshore UAE jurisdictions look set to expand their activities and regulation in this area at pace. Virtual Asset Service Providers and other relevant market participants should therefore keep a close eye on regulatory developments in this area, particularly in Dubai and the DIFC, where significant further activity is anticipated.

This article is part of the Allen & Overy Cross-border White collar Crime and Investigations Review. Please visit the review homepage for our overviews and insights in other jurisdictions.