Here’s what the Dubai Financial Services Authority is thinking of doing to its AML regime – most notably, to Designated Non-Financial Businesses and Professions (DNFBP):
Regulation and supervision of Designated Non-Financial Businesses and Professions (DNFBPs)
13. As the international community strengthens DNFBP regulations in accordance with the FATF Recommendations, the DFSA also strives to put in place a suitable regime to provide appropriate AML/CTF oversight of DNFBPs. On this basis, we are proposing to amend the current definition of, and registration, supervision and withdrawal processes for, DNFBPs in the DIFC. In doing so, we are aware that we need to take a risk-based approach to ensure we have effective measures in place to tackle AML/CTF concerns in the DNFBP sector, which are commensurate to the risks presented.
A. Definition of a DNFBP
14. In 2013, following a strategic review by the DIFC Authority (DIFCA), the responsibility for AML/CTF supervision of Single Family Offices (SFOs) and DNFBPs was transferred to the DFSA by DIFCA. This was on the basis that the DFSA was to be the single authority responsible for AML/CTF supervision in the DIFC for Financial Institutions and DNFBPs.
15. As the single authority responsible for AML/CTF supervision of these entities, the DFSA consolidated its AML rules into one module.
16. However, during recent discussions with relevant stakeholders in the lead up to the UAE’s ME, it has been pointed out that DFSA’s definition of a DNFBP (in AML Rule 3.2.1) goes further than the definition set down in the 2012 Recommendations. This is because the DFSA’s definition also includes SFOs and dealers in any saleable item of a price equal to or greater than $15,000 (dealers in high value goods).
17. We have reflected on this matter and – to bring our regime more into alignment with the 2012 Recommendations – we are proposing to remove dealers in high value goods from the DFSA’s definition of a DNFBP. This proposed change means that these entities would no longer have to register with the DFSA, nor would they be categorised as a Relevant Person and come under the DFSA’s AML supervisory remit. Instead, such an entity would need to be incorporated or recognised by the DIFC Registrar of Companies (RoC), obtain a commercial licence from the RoC, and then comply on an ongoing basis with the Federal AML Legislation requirements, and appropriate DIFC laws and regulations.
18. In respect of SFOs, we are minded also to remove them from the DFSA’s DNFBP regime, in order to bring our regime more into alignment with the 2012 Recommendations. Looking at other jurisdictions, the prevalent model appears to be not to supervise SFOs directly, for AML purposes, but to ensure that those who provide services to SFOs are appropriately regulated.
19. We intend to look at the activities of such service providers, in particular trust service providers (TSP) and company service providers (CSP). Both TSPs and CSPs are included in the FATF definition of a DNFBP, and CSPs are included within the DFSA’s DNFBP definition. Some TSPs are required to be an Authorised Firm. We will consider whether classifying CSPs as a DNFBP provides a sufficient regulatory framework, given the wide range of services they provide to entities in the DIFC. We will also consider whether to maintain the exclusions in our General (GEN) Module applicable to some providing trust services, or whether all TSPs should be Authorised Firms.
B. FATF Recommendation 28
20. In the 2012 Recommendations, Recommendation 28 states that all DNFBPs should be subject to regulatory and supervisory measures, which include having an effective system for monitoring and ensuring their compliance with AML/CFT requirements.
21. Following discussions with external stakeholders involved in the UAE’s ME (and following our own internal assessment), we do not think that the DFSA’s current approach to the registration and supervision of DNFBPs is sufficiently aligned with Recommendation 28. We believe that we need to have more detailed powers to perform our AML/CTF supervisory function for DNFBPs and that we have the necessary powers, for example, to be able to exclude a person from being a DNFBP if they are not fit and proper to perform this function (such as if there are concerns about the person’s integrity).
C. Registration of DNFBPs
22. We are proposing to amend the current registration process for DNFBPs, so that DNFBPs would not be able to conduct any activities in or from the DIFC unless they are registered by the DFSA as a DNFBP.
23. To register as a DNFBP, an applicant would need to satisfy the DFSA that:
(a) it is fit and proper to perform anti-money laundering functions. In assessing this, the DFSA may consider matters relating to the integrity and suitability of the applicant, including its background and history, its management, beneficial ownership and group structure, as well as any other matters considered relevant by the DFSA;
(b) it has adequate resources and systems and controls, including policies and procedures, to comply with the applicable anti-money laundering requirements under the Federal AML Legislation, the Regulatory Law and the AML Module; and
(c) it satisfies any other requirements prescribed by the DFSA.
24. We would emphasise that the registration process for DNFBPs will be different to that for Authorised Firms and focus on the issue of the integrity and suitability of the applicant to control a DNFBP, rather than on qualifications and experience. This would include, among other things, reviewing the fitness and propriety of relevant persons, and ascertaining the identity of the ultimate beneficial owners.
25. If, at any time between the filing of an application and the grant of a DNFBP registration, the applicant becomes aware of a material change reasonably likely to be relevant to the application under consideration, they must immediately inform the DFSA in writing of such a change.
26. If the DFSA is satisfied that the applicant meets the above criteria, in-principle registration would be granted (as is the case for applicants to be Authorised Firms today) and the applicant would be notified in writing of that decision. They would then be able to sort out the other issues, such as obtaining a commercial licence, and premises, that need to be resolved before registration can be completed.
27. If the DFSA is not satisfied that the applicant meets the above criteria, registration would not be granted, in which case both the applicant and the RoC would be notified. The procedures in Schedule 3 of the Regulatory Law 2004 would apply to a proposed refusal of registration and the applicant would have the option of referring the matter to the Financial Markets Tribunal (FMT) for review.
D. Supervision of DNFBPs
28. AML Rule 15.1.2 requires DNFBPs to notify the DFSA promptly of any change in name, legal status, address, MLRO, or beneficial owners. We are proposing to add a further notification requirement to this list, which would require a DNFBP to notify the DFSA if there have been any changes to its senior management. Given responsibility for compliance with the AML Module lies with members of senior management (AML 1.2), it is only right that a DNFBP notifies the DFSA of a senior management change.
29. We are also proposing to add a requirement for DNFBPs to submit an Annual Information Return. This would require DNFBPs to report on information relating to a change in its name, legal status, address, MLRO, senior management or beneficial owners as well as information relating to the business the DNFBP is engaged in and the volumes of that business. This report would contain information relating to each calendar year, and would be submitted online to the DFSA by 31 January in the year after the year to which the return applies.
30. This return will provide the DFSA with the appropriate information to be able to continue with a risk-based approach to supervising DNFBPs. To note, this report does not replace the requirement for DNFBPs to report certain changes, as required in AML Rule 15.1.2, or the requirement for a DNFBP to submit an annual AML Return, as required in AML Rule 14.5.1.
E. Suspension or withdrawal of DNFBPs
31. The DFSA is also proposing to amend the Regulatory Law to provide the DFSA with additional powers to suspend or withdraw the registration of a DNFBP if we consider that:
(a) the DNFBP is in breach of the law or the rules or other AML legislation;
(b) the DNFBP no longer meets the criteria for registration (i.e., it is no longer fit and proper to perform AML functions);
(c) the DNFBP is insolvent or has entered into administration;
(d) the DNFBP has ceased to carry on business in the DIFC, or
(e) the exercise of this power is necessary or desirable in the pursuit of the DFSA’s anti-money laundering objective.
32. The procedures in Schedule 3 of the Regulatory Law would apply to such a suspension or withdrawal of registration and the DNFBP would have the right to refer the matter to the FMT for review.
33. Alternatively, if a DNFBP wishes to withdraw its registration with the DFSA, it would need to notify the DFSA in writing when it proposes to cease carrying on their activities in or from the DIFC.
34. In either case, the DFSA would notify the RoC as soon as possible if it suspends or withdraws the registration of a DNFBP. The RoC will, as soon as practicable after receiving notification from the DFSA, suspend or withdraw the commercial licence
F. DNFBPs already in the DIFC
35. We are proposing that Persons currently registered as DNFBPs would be transitioned into the new arrangements, without the need to apply for registration. However, these DNFBPs would be required to self-certify certain matters to the DFSA. These matters would include, for example, confirming the identity of the MLRO, senior management and beneficial ownership information, and the suitability of procedures relating to AML/CTF controls.
36. We would expect DNFBPs to provide this self-certification within three months of the date of commencement of the Regulatory Law Amendment Law 2018. The form is not onerous to complete, as every DNFBP should already have an appointed MLRO and have appropriate AML/CTF controls in place. The self-certification would merely require confirmation that this is indeed the situation.
37. If this self-certification were not completed and submitted to the DFSA by the end of this transitional period, the DFSA could take action, in accordance with Article 71F of the Regulatory Law 2004, to suspend or withdraw the registration of that DNFBP.