Author: afridi-angell

SCA issues guidelines for financial institutions on anti-money laundering

The past year has been a busy one for AML compliance in the UAE.

 

In October 2018, Federal Decree-Law 20 of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations (AML Law) came into force. It contained features recommended by the Financial Action Task Force (FATF), and brought UAE laws in line with international AML standards.

 

The AML Law was followed by the implementing regulations in January 2019, which have helped bring further clarity to the intended operation of the AML Law. The Implementing Regulations were issued on 28 January 2019 pursuant to Cabinet Resolution 10 of 2019 (AML Regulations).

 

In May 2019, the UAE Securities and Commodities Authority (the SCA) promulgated guidelines for financial institutions on Anti- Money Laundering and Combating the Financing of Terrorism and Illegal Organisations (the AML Guidelines).

 

The AML Guidelines, resulting from a joint effort among the supervisory authorities of the UAE, set out the minimum expectations of the supervisory authorities regarding the factors that should be taken into consideration by financial institutions when identifying, assessing, and mitigating the risks of money-laundering, financing of terrorism, and financing of illegal organisations.

 

Do the AML Guidelines form part of the law?

 

The AML Guidelines do not constitute regulations or legislation. They are intended to be read together with the AML Law and Regulations as well as all other relevant Cabinet Resolutions and regulatory rulings currently in force in the UAE and the free zones. The AML Guidelines are not a replacement or substitution for any existing legal requirements or statutory obligations. The SCA has made it clear that, in the event of an inconsistency between the AML Guidelines and any legal or regulatory framework in place in the UAE, it is the latter that will prevail.

 

Who do the guidelines apply to?

 

As a starting point (with exceptions noted throughout the guidelines), the AML Guidelines apply to all financial institutions, and their directors, managers and employees, established or operating in the UAE or the UAE’s free zones, that establish or maintain business relationships with customers or engage in any of the financial activities or transactions or trade or business activities outlined in the AML Regulations.

 

Specifically, they are applicable to all such natural and legal persons in the following categories:

 

• banks, finance institutions, exchange houses, money service businesses (including monetary value transfer services);

• insurance companies, agencies, and brokers;

• securities and commodities brokers, dealers, advisors, investment managers; and

• other financial institutions not mentioned above.

 

The AML Guidelines define a financial institution as any person who conducts one or more financial activities or operations for or on behalf of a customer. The term business relationship is defined as any ongoing commercial or financial relationship established between financial institutions or designated non-financial businesses and professions (DNFBPs) and their customers in relation to activities or services provided by them.

 

What is contained in the AML Guidelines?

 

The AML Guidelines are organised into five parts, which consist of the following:

 

1. Part 1 – Overview: This includes background information of the UAE’s AML legislative and strategy framework including key provisions of the law and regulations affecting financial institutions;

 

2. Part 2 – Identification and assessment of money laundering and financing of terrorism risks;

 

3. Part 3 – Mitigation of money laundering and financing of terrorism risks;

 

4. Part 4 – AML and anti-terrorism financing (ATF) compliance administration and reporting requirements, including guidance on governance, suspicious transaction reporting and record keeping; and

 

5. Part 5 – Appendices including a glossary of terms and links to relevant portals.

 

The AML Guidelines have been prepared such that, where sufficiently clear guidance is provided in the AML Law and AML Regulations, no additional guidance is provided in the AML Guidelines. However, where the AML Law or AML Regulations do not specifically cover a topic but such topic is addressed implicitly or by reference to international practices, the AML Guidelines seek to provide guidance to bring some clarity to their intended application in the UAE.

 

How do the AML Guidelines interact with guidance from other supervisory authorities?

 

The AML Guidelines address some inconsistencies that may arise from the legal and regulatory framework currently in place, from previous laws or regulations, or from differences in regulatory requirements between the various supervisory authorities in the UAE. The AML Guidelines recommend, however, that for any unaddressed inconsistences between supervisory authorities, financial institutions should contact their relevant supervisory authority.

 

It appears that with the introduction of the AML Guidelines, other supervisory authorities may begin publishing guidelines of their own relating to AML and ATF compliance.

 

For example, on 30 June 2019, the Dubai Multi Commodities Centre (the DMCC) published its AML and ATF guidelines for financial institutions and DNFBPs. The DMCC’s guidelines are presented as the DMCC’s own interpretation of the AML Law and thus are not mandatory rules or regulations for entities operating in the DMCC. Rather, the DMCC makes it clear that it is the responsibility of all entities to review the AML Law and AML Regulations and determine the impact on their own business.

 

On 7 July 2019, the UAE Minister of Justice promulgated a number of resolutions introducing AML and ATF initiatives. The initiatives include:

 

• establishing a section for AML and ATF;

• issuing AML and ATF procedures for lawyers, notaries and independent legal professionals;

• establishing a Committee for managing frozen, seized and confiscated funds;

• issuing procedures dealing with situations where persons listed on the local terrorism lists use frozen funds;

• issuing guidance on the grievance mechanism for persons disputing listing on the local terrorism lists; and

• issuing procedures and conditions for requesting international judicial cooperation on the sharing of the proceeds of crime.

 

Conclusion

 

While not legally binding, the advent of AML and ATF guidance from the various supervisory authorities of the UAE is a welcome step for businesses in the UAE. It will allow entities subject to the AML Law and AML Regulations to understand how supervisory authorities may construe their obligations and to take the recommended practical steps to ensure they are in compliance with their obligations pursuant to the AML Law. ■

 

Proposed new DIFC data protection law

The DIFC Authority has proposed the enactment of legislation (the Proposed Law) to replace its current Data Protection Law, DIFC Law 1 of 2007 (as amended) (the Current Law).

 

The Proposed Law is the subject of Consultation Paper 6 of 2019, which is presently posted on the DIFC website for public comments to be provided by 18 August 2019.

 

The intention behind the Proposed Law is to align the Current Law with the General Data Protection Regulation (GDPR), to reflect the latest technology, privacy and security law developments, and adapt the same to the unique requirements of the DIFC. As GDPR has international application and has become the de facto global standard for data privacy, the Proposed Law is expected to provide consistency and familiarity for businesses in the DIFC that operate on an international scale.

 

Some noteworthy aspects of the Proposed Law are as follows:

 

1. Data Subject Rights. In addition to the right to access, rectify and erase personal data and the right to object to Processing which exist under the Current Law, there are new rights introduced in the Proposed Law that are as follows:

 

– right to withdraw consent to processing of personal data (Processing);

– right to the restriction of Processing;

– right to know the recipients of the personal data;

– right to data portability (i.e., right of a Data Subject to receive its personal data from a Controller in a structured, commonly used and machine-readable format);

– right to not be subject to automated decision making (including profiling) which produces legal effects concerning, or significantly affects, the Data Subject. Examples of automated decision making include online credit applications and online recruitment tools; and

– right to non-discrimination against a Data Subject for exercising any of the Data Subject rights.

 

Controllers must make available a minimum of two methods (e.g., by phone, email or online form) by which the Data Subject can contact the Controller to exercise any of the Data Subject rights. Such methods should not be onerous.

 

2. Apportionment of liability between Controllers and Processors. The Proposed Law (like the Current Law) stipulates that if a Data Subject suffers material or non-material damage by reason of any contravention of the Proposed Law, it will be entitled to compensation.

 

Unlike the Current Law, the Proposed Law stipulates when the Controller and the Processor are held liable for the damages caused.

 

– A Controller involved in Processing which infringes the Proposed Law shall be liable for damages caused.

– Processors will be liable where it has not complied with the obligations specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.

– Where multiple Controller(s) or Processor(s) are involved in the Processing and where each is responsible for any damage caused by the Processing, each shall be held jointly and severally liable for the entire damage.

 

3. Information to be provided to Data Subjects. The Proposed Law has increased the number of items of information to be submitted to the Data Subjects when personal data is collected. The information that must also be provided to the Data Subjects includes (among others):

 

– contact details of the Data Protection Officer (if applicable);

– reference to the appropriate safeguards in the event personal data is transferred to a third country or international organisation;

– the existence of the Data Subject’s right to withdraw consent to the Processing;

– clarification of the legitimate interest or compliance obligations (for which the personal data is being collected);

– recipients of the personal data; and

– any other information to guarantee fair and transparent Processing vis-à-vis the Data Subject, which include (among others):

 the period of which the personal data will be stored;

 existence of the other Data Subject rights (set out in point 1 above) as well as the right to lodge a complaint with the Commissioner of Data Protection (the Commissioner); and

 whether Processing will restrict or prevent the Data Subject from exercising any of the Data Subject rights.

 

The Proposed Law also specifies that the information must be provided to the Data Subject in writing, including where appropriate by electronic means.

 

4. Consent to Processing. Controllers must be mindful of the requirements in the Proposed Law to ensure that consent to Processing has been obtained from the Data Subject. Consent under the Proposed Law means clear and unambiguous consent after clear disclosure of every purpose for which the personal data will be collected, processed and used.

 

5. Requirements for Legitimate and Lawful Processing. The Proposed Law continues the Current Law’s requirement for Legitimate Processing (now re-phrased as “Legitimate and Lawful” Processing under the Proposed Law). Personal data must still be processed fairly and transparently vis-à-vis the Data Subject, be limited to the purpose for which it is collected, and must also be accurate (requiring that it be updated via erasure or rectification without undue delay, where necessary).

 

The Proposed Law additionally requires that:

 

– it would not suffice that Controllers are processing personal data in accordance with the Proposed Law; Controllers would also need to demonstrate such compliance (including to the Commissioner); and

– personal data must now be kept secure and protected against unauthorised or unlawful Processing and against loss, destruction or damage using appropriate technical or organisational measures.

 

6. Legitimate Interests. “Legitimate interest” remains one of the grounds under which personal data can be collected. “Legitimate Interests” continue to remain undefined;  however, the Proposed Law does introduce two situations which are considered as a “legitimate interest”:

 

– transferring personal data within a group of undertakings for internal administrative purposes; and

– processing personal data as strictly necessary and proportionate to ensure network and information security, and to prevent fraud.

 

The Proposed Law also introduces restrictions on the use of “legitimate interests” as grounds for Processing. Public authorities cannot rely on such grounds to collect personal data. Furthermore, Controllers who wish to rely on this basis must conduct a careful assessment as to whether a Data Subject can reasonably expect at the time and context to the collection of personal data.

 

7. Organisational measures to be put in place for DIFC entities. Certain documents and measures would need to be put in place by DIFC entities:

 

– technical and organisational measures that ensure personal data is processed in accordance with the Proposed Law and protect the Data Subject’s personal data;

– a written data protection policy proportionate to the processing activities;

– a policy and process for securely and  permanently deleting personal data;

– a written record in electronic format of the Processing activities; and

– a written contract in compliance with the Proposed Law (i) between a Controller and a Processor, (ii) between Controllers, and (iii) between a Processor and a sub-Processor. If Processing activity is commenced without such agreement, they would be in breach under the Proposed Law.

 

In addition, a DIFC entity transferring personal data to a jurisdiction that lacks an adequate level of protection must take appropriate safeguards. For a discussion of these appropriate safeguards, see point 10, below.

 

8. High Risk Processing Activities. The Proposed Law introduces the concept of “High Risk Processing Activities,” which is Processing where one or more of the following applies:

 

– new technologies are being deployed which may increase the risk to Data Subjects or render it more difficult for Data Subjects to exercise their rights; or

– a considerable amount of personal data will be Processed where such Processing is likely to result in a high risk to the Data Subject (on account of the sensitivity of the Personal Data); or

– the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons (such as profiling), on which decisions are based to produce legal effects on, or significantly affect, the natural person; or

– a non-trivial amount of Special Categories of Personal Data (currently called “Sensitive Personal Data” under the Current Law) is to be Processed.

 

There are additional obligations that arise for DIFC entities carrying on such activities. These include (among others):

 

– the appointment of a Data Protection Officer (to assist the Controller and Processor  in monitoring the compliance with the Proposed Law); and

– submission of assessments to the Commissioner (namely the Annual Assessment and Data Protection Impact Assessments).

 

9. Cessation of Processing. The Proposed Law introduces rules on when the Controller must cease the Processing and how personal data must be handled thenceforth.

 

Where the basis for Processing ceases to exist or the Controller is required to cease Processing via the exercise of Data Subject rights, the Controller is required to ensure that personal data is securely and permanently deleted, or where this is not possible, archived in a manner such that the data is “put beyond further use.” The exception to this rule is where such personal data is necessary for the establishment or defense of legal claims, or to be retained in accordance with applicable laws.

 

“Put beyond further use” means that:

 

– the Controller must not use the personal data to inform any decision in relation to the Data Subject or in a manner that affects the Data Subject in any way;

– no party (other than the Controller) has access to the personal data;

– personal data is protected by appropriate technical and organisational security; and

– the Controller has in place a strategy for the permanent deletion of personal data, if or when this becomes possible.

 

10. Transferring personal data to a jurisdiction lacking an adequate level of protection. Unlike in the Current Law, the Commissioner no longer grants a permit or written authorisation to transfer personal data to such jurisdiction. The Proposed Law provides an updated list of conditions, one of which must be satisfied in order to transfer personal data to such jurisdiction:

 

– appropriate safeguards must be put in place, which must be in one of the following forms (among others):

 

 a code of conduct (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;

 a certification mechanism (approved by the Commissioner) together with binding enforceable commitments of the Controller to apply the appropriate safeguards;

 a legally binding and enforceable instrument;

 data protection procedures and policies applicable to Group entities, (referred to “Binding Corporate Rules” in the Proposed Law), which may be approved by the Commissioner (but is not mandatory).

 

– one of the specific derogations listed in the Proposed Law apply. Such derogations are substantially similar to the transfer conditions set out in the Current Law. This includes (among others) the transfer is necessary for the performance of a contract or public interest, or that the Data Subject consented to the transfer.

– the transfer satisfies the conditions of “limited circumstances,” which is that it is a one-time transfer that concerns only a limited number of Data Subjects, is necessary on the grounds of legitimate interests, and where the Controller has provided suitable safeguards with respect to the protection of personal data. In this situation, the Controller must inform the Commissioner of this transfer.

 

11. Transferring personal data to a governmental authority outside of DIFC. The Proposed Law introduces guidelines that must be followed in order for the Controllers to disclose and transfer personal data, outside the DIFC, to a governmental authority (the Requesting Authority). Controllers must:

 

– exercise reasonable caution and diligence to determine the validity and proportionality of the request for personal data;

– ensure that any disclosure of personal data is made solely for the purpose of meeting the objectives identified;

– assess the impact of the proposed transfer in light of the potential risks to the Data Subject’s rights;

– implement measures to minimize such risks; and

– where possible, obtain appropriate and written assurances from the Requesting Authority that it will respect the rights and freedoms of the Data Subjects.

 

Failing any of the above, the Controller should not disclose or transfer personal data to the Requesting Authority.

 

12. Rectification and erasure notification. Controllers must notify each recipient to whom the personal data is disclosed when personal data is rectified, erased or subject to restricted processing.

 

13. Personal Data Breach. This is a new feature in the Proposed Law. If there is a Personal Data Breach that compromises a Data Subject’s confidentiality, security or privacy, the Controller must notify the breach to the Commissioner. When the Personal Data Breach is likely to result in high risk to the Data Subject’s confidentiality, security or privacy, the Controller must also communicate the Personal Data Breach to the Data Subjects. ■

 

FDI – a “positive” development

On 23 September 2018, enactment of the new federal law on foreign direct investment — Federal Decree-Law 19 of 2018 (the FDI Law) — introduced the possibility of majority foreign ownership in UAE companies. While the FDI Law set out a “negative list” of 13 sectors (including insurance, water and electricity, land and airport services, and retail medicine) where existing foreign ownership restrictions would continue to apply, it also referred to a “positive list” that the UAE Cabinet would promulgate to identify economic sectors and activities where up to 100% foreign ownership would be allowed.

 

Ending speculation, the Cabinet has now acted. The Prime Minister issued a statement on 2 July 2019 announcing the Cabinet’s approval of a positive list of 122 economic activities in sectors such as agriculture, manufacturing, renewable energy, electronic commerce, transportation, arts, construction, and entertainment. The positive list (copy attached) was shortly afterwards published in the local press.

 

The list of 122 economic activities is divided into 51 industrial activities, 52 service activities and 19 agricultural activities. While allowing up to 100% foreign ownership, the positive list does not do this unconditionally. On the contrary, the positive list imposes additional requirements such as minimum capital requirements on some activities, obligations to employ advanced technology on other activities, and requirements to contribute to the Emiratisation of the workforce on others. For many business and service activities, existing restrictions and qualifications are expressly retained.

 

Removal of ownership restrictions is not an end in itself, but is a means to attract FDI that will support the nation’s overall development objectives. It is expected that the licensing authorities in each Emirate will ultimately determine the permitted foreign ownership percentages for specific projects. ■

 

Expanded real estate ownership in Abu Dhabi

In the most significant change in real estate law in over a decade, Abu Dhabi has expanded eligibility for real estate ownership to several new categories of persons. This was introduced by Abu Dhabi Law 13 of 2019, which amended the prior statute, Abu Dhabi Law 19 of 2005. The amendment was enacted on 16 April 2019 and took effect on the same day. This is expected to boost real estate demand.

 

The following categories of persons are now eligible to own real estate in the Emirate of Abu Dhabi:

 

• Public shareholding companies in which non-nationals own no more than 49 per cent. Under the 2005 statute, companies with any foreign shareholding were eligible only for long-term leases, Musataha rights, or rights of usufruct in respect of real estate in the special investment areas.

 

• Non-nationals, whether natural or legal persons, may now acquire full ownership rights (often referred to as “freehold”) to real estate within the investment areas, and they may sell, mortgage and otherwise dispose of the same. Under the 2005 statute, freehold ownership in the investment areas was restricted to UAE nationals and nationals of other GCC member states.

 

• Nationals and their equivalents, whether natural or legal persons. The meaning of this reference to “their equivalents” is unclear, but it could possibly mean that national treatment will be extended to nationals of other GCC member states.

 

• Anyone in whose regard a decision is issued by the Crown Prince or the Chairman of the Executive Council.

 

It remains the case that a holder of a right of usufruct or Musataha in excess of 10 years may dispose thereof without the permission of the owner, including granting a mortgage; in contrast, the owner may grant a mortgage only after obtaining the consent of the holder of the usufruct right or Musataha. ■

Dubai Development Authority – UBO requirements

The Dubai Development Authority (DDA) (previously known as the Dubai Technology and Media Free Zone Authority (TECOM) and the Dubai Creative Clusters Authority (DCCA)) is the regulator of entities licensed to conduct business in Dubai Internet City, Dubai Media City, Dubai Knowledge Park, Dubai Outsource City, and other clusters regulated by the DDA.

 

The Federal Cabinet Decision 10 of 2019 on the Implementing Regulation of Federal Decree-Law 20 of 2018 on the Criminalisation of Money Laundering and Combating the Financing of Terrorism and the Financing of Unlawful Organisations (the Cabinet Decision) requires licensing authorities such as the DDA to identify the ultimate beneficial owners (UBOs) of businesses (Free Zone Entities) licensed by them. In response to this requirement, the DDA recently issued its Circular 323 regarding UBOs.

 

The DDA now requires all free zone companies (i.e. FZ-LLCs) and parent companies of branches licensed by the DDA to disclose details of their UBOs. A template of a form in which the details are required to be disclosed has been issued by the DDA (the UBO Declaration Form).

 

Definition of a UBO

 

As per the DDA’s Circular 323, any individual who ultimately owns or controls 25 per cent or more of a Free Zone Entity, whether directly as a shareholder, or indirectly via control of companies, other entities or structures that control the Free Zone Entity, is an UBO. This definition of the UBO is broad enough to cover trust arrangements.

 

UBO information

 

The following information of a UBO is required to be disclosed to the DDA:

 

(i) Full name

(ii) Name of the company

(iii) Date of birth

(iv) Nationality

(v) Passport number

(vi) Detailed residential address

(vii) Percentage (%) shares in the free zone company/parent company of a branch licensed by the DDA

 

Note that the DDA may require submission of a passport copy, proof of residential address and other documents of a UBO.

 

Exception from providing UBO information

 

In case a Free Zone Entity is a subsidiary or a branch of: (i) a company listed on a stock exchange; (ii) a government or government owned entity; or (iii) an entity registered and licensed in the UAE (outside the DDA’s jurisdiction), the UBO information is not required to be submitted to the DDA. In such a case, the UBO Declaration Form is required to be submitted to the DDA stating that the Free Zone Entity satisfies one of the above conditions.

 

Deadlines

 

As per the DDA’s Circular 323, existing Free Zone Entities will be required to submit the UBO Declaration Form as part of their license renewal process at the next renewal date. New entities will be required to submit the UBO Declaration Form as part of the incorporation/licensing process.

 

If there are any changes in the UBOs of a Free Zone Entity, such a Free Zone Entity is required to notify the DDA of the changes.

 

Other licensing authorities in the UAE

 

Apart from the DDA, many other free zones/licensing authorities in the UAE such as Dubai International Financial Centre, Abu Dhabi Global Market and Dubai Multi Commodities Centre already require submission of details of ultimate beneficial owners. It is likely that more and more free zones/licensing authorities will issue similar requirements in due course. ■

New economic substance regulations in the UAE

A previous inBrief dated 30 April 2019 discussed a law recently enacted in the BVI, the Economic Substance (Companies and Limited Partnerships) Act, 2018, which introduced economic substance requirements in the BVI. This article will discuss a similar measure recently promulgated in the UAE.

 

UAE Cabinet Resolution 31 of 2019 Concerning Economic Substance Regulations (the UAE Economic Substance Regulations or the Regulations) was published in the Official Gazette on 30 April 2019 and came into effect the same day.

 

Background

 

The European Union’s Code of Conduct Group (a group responsible for EU’s taxation policy) maintains a blacklist of non-cooperative jurisdictions for tax purposes. In order to avoid being placed on such blacklist (or to attempt to get removed from the blacklist), jurisdictions such as the BVI, the Isle of Man, and the Cayman Islands, among others, have introduced legislation requiring entities established in such jurisdictions to demonstrate economic substance in their respective jurisdictions. The UAE was added to the blacklist in March of 2019, and the UAE Economic Substance Regulations were apparently promulgated in response to this development.

 

Relevant Activities

 

The UAE Economic Substance Regulations apply to any Licensee, which is defined to mean any natural or juridical person licensed by the competent licensing authorities in the UAE to carry out a Relevant Activity in the UAE, including in free zones and financial free zones. The Regulations identify nine Relevant Activities:

 

• Banking Businesses

• Insurance Businesses

• Investment Fund Management

• Lease-Finance Businesses

• Headquarters Businesses

• Shipping Businesses

• Holding Company Businesses

• Intellectual Property Businesses

• Distribution and Service Center Businesses

Economic Substance Test

 

Under the Regulations, a Licensee engaged in a Regulated Activity must meet an Economic Substance Test in relation to each Relevant Activity carried on by such Licensee. This includes but is not limited to demonstrating that its State Core Income-Generating Activities are carried out in the UAE. The activities that constitute State Core Income-Generating Activities vary for each of the nine Relevant Activities.1

 

Under Article 6(2) of the Regulations, a Licensee meets the Economic Substance Test if it satisfies the following criteria:

 

(a) If the Licensee conducts State Core Income-Generating Activity in the State.

(b) If the Licensee is directed and managed in the State in relation to that activity.

(c) Having regard to the level of Relevant Activity, if there is an adequate2 number of qualified full-time employees in relation to that activity who are physically present in the State (whether or not employed by the Licensee or by another entity and whether on temporary or long-term contracts), or adequate level of expenditure on outsourcing to third party service providers, whose activities, employees, expenditure, and premises are in the State, and these activities, employees, expenditures and premises are adequate for carrying out the Relevant Activity being outsourced.

(d) If there is adequate operating expenditure incurred by it in the State, or adequate level of expenditure on outsourcing to third party service providers whose activities, employees, expenditure and premises are in the State, and these activities, employees, expenditures and premises are adequate for carrying out the Relevant Activity being outsourced.

(e) If there are adequate physical assets in the State or adequate level of expenditure on outsourcing to third party service providers in the State, for the activities of the Licensee.

(f) In the case of State Core Income-Generating Activity carried out for the relevant Licensee by another entity, if it is able to monitor and control the carrying out of that activity by the other entity.

Under Article 6(4), a Holding Company that derives its income from dividends and capital gains only is subject to a less stringent Economic Substance Test whereby such test is satisfied if the Licensee complies with all requirements to submit documents, records and information to the Regulatory Authority and has adequate employees and premises for holding and managing a Holding Company Business.

 

Regulatory Authority & Competent Authority

 

The Regulations stipulate that a Regulatory Authority will be delegated to regulate Relevant Activities in accordance with the Regulations. Such Regulatory Authority has not yet been identified. The Regulations stipulate that the Regulatory Authority will be appointed by the Cabinet pursuant to a further resolution.

 

The Regulations designate the UAE Ministry of Finance as the Competent Authority. The role of the Competent Authority is different from that of the Regulatory Authority. The Regulations stipulate that the Competent Authority shall issue guidance on how the Economic Substance Test may be met. The Competent Authority is also responsible for determining the form of certain reports to be filed by a Licensee pursuant to the Regulations. Each Licensee will report to the Regulatory Authority who in turn will share certain information with the Competent Authority.

 

Reporting Requirements

 

A Licensee engaged in a Regulated Activity has two periodic reporting requirements under the Regulations. Under Article 8(1) of the Regulations, a Licensee shall notify the Regulatory Authority annually of the following:

 

(a) Whether or not it is carrying on a Relevant Activity.

(b) If the Licensee is carrying on a Relevant Activity, whether or not all or any part of the Licensee’s gross income in relation to the Relevant Activity is subject to tax in a jurisdiction outside of the State; in all cases such Licensee shall provide the Regulatory Authority with all information and documentation required to be submitted by it pursuant to this Resolution or any further guidance or decision issued pursuant to this Resolution.

(c)  The date of the end of its Financial Year.

Under Article 8(2) of the Regulations, the foregoing annual filing shall be made at the time specified by the Regulatory Authority and in the manner approved by the Regulatory Authority. As noted above, the Regulatory Authority has not yet been identified, so the filing deadline is currently unknown.

Article 8(3) of the Regulations states that: “A Licensee that is carrying on a Relevant Activity and is required to satisfy the Economic Substance Test shall, no later than twelve (12) months after the last day of the end of each Financial Year of the Licensee, prepare and submit to the Regulatory Authority a report which report shall be submitted by the Regulatory Authority to the Competent Authority.” Article 8(4) stipulates that such report shall be in the form approved by the Competent Authority and shall include the following information with respect to the Licensee:

(a) The type of Relevant Activity conducted by it.

(b) The amount and type of relevant income in respect of the Relevant Activity.

(c) The amount and type of operating expenses and assets in respect of the Relevant Activity.

(d) The location of the place of business and, if applicable, plant, property or equipment used for the Relevant Activity of the Licensee in the State.

(e) The number of full-time employees with qualifications and the number of personnel who are responsible for carrying on the Licensee’s Relevant Activity.

(f) Information showing the State Core Income-Generating Activity in respect of the Relevant Activity that has been conducted.

(g) A declaration as to whether or not the Licensee satisfies the Economic Substance Test.

(h) In the case of a Relevant Activity being an Intellectual Property Business, a declaration as to whether or not it is a high risk intellectual property business. If the Licensee declares that it is a high risk intellectual property business, the Licensee shall provide the information under paragraph (i) to refute a determination made by the Regulatory Authority under Clause 3 of Article 7 of this Resolution.  

(i) In the case of a Licensee that is carrying on a high risk intellectual property business, the following additional information must be provided:

i. Information demonstrating that the Licensee does and historically has exercised a high degree of control over the development, exploitation, maintenance, enhancement and protection of the intellectual property assets by an adequate number of full-time employees, with the necessary qualifications, who permanently reside and perform their activities in the State.

ii. Business plan showing the reasons for holding the ownership in the Intellectual Property Asset in the State.

iii. Employee information, including level of experience, type of contracts, qualifications and duration of employment with the Licensee.

iv. Evidence that decision making is taking place within the State.

(j) Where a Relevant Activity is outsourced by a Licensee, the Licensee must demonstrate the following:

i. The Relevant Activity that is outsourced is a Core Income-Generating Activity being carried out in the State.

ii. The Licensee has adequate supervision of the Relevant Activity outsourced.

iii. The Licensee shall submit to the Regulatory Authority a report containing information in relation to the level of resources employed by the third party service provider to which the Relevant Activity is being outsourced, demonstrating that the service provider’s activities, employees, operating expenditures and premises in the State are adequate in relation to the level of the outsourced Relevant Activity.

 

The Regulatory Authority may require a Licensee to provide such additional information, documents or other records as shall be reasonably required in order to make a determination as to whether the Economic Substance Test has been met.

 

Penalties

 

Failing to meet the Economic Substance Test carries an administrative penalty of a fine between AED 10,000 and AED 50,000 in any Financial Year. Failing to meet the Economic Substance Test again the following Financial Year carries a fine of not less than AED 50,000 and not more than AED 300,000.

 

Failure to provide information required under Article 8 of the Regulations (i.e., the reporting requirements discussed above), or providing inaccurate information, carries a fine between AED 10,000 and AED 50,000.

 

Implications

 

Historically, jurisdictions such as BVI and the Cayman Islands have been major destinations for shelf companies (companies with little or no physical or economic presence in the jurisdiction of incorporation). The UAE has not been not been a major hub for shelf companies because, with limited exceptions (such as Jebel Ali offshore companies), businesses in the UAE are required to have physical offices and licenses to do business locally. Moreover, the UAE authorities have historically cooperated willingly with foreign official investigations into tax evasion, money laundering, and other offenses, and furthermore have implemented significant domestic measures. To us, it therefore appears that the European Union’s pressure on the UAE to implement economic substance legislation was misdirected. In any event, it will not have the same impact in the UAE as it will in countries that have been major hubs for offshore shelf companies.

 

Nonetheless, for Licensees that were originally established in the UAE to hold assets in other jurisdictions without a significant economic presence in the UAE, the Economic Substance Regulations will have significant ramifications. Compliance with the Regulations may require substantial restructuring of business operations.

 

Next Steps

 

All businesses licensed in the UAE should carry out an assessment to determine if they are subject to the Economic Substance Regulations and businesses that are subject to such Regulations should begin taking steps to ensure compliance. The timetable for compliance is currently unknown given that the Regulatory Authority has not yet been appointed but it would be prudent to start taking steps to comply as soon as possible. ■

*****
1 The definition of State Core Income-Generating Activities for each of the nine Relevant Activities is set out in Article 5 of the Regulations.
2 The Regulations stipulate that the Guidance to be issued by the Competent Authority may include guidance regarding the meaning of “adequate”.

New UAE regulatory policy for the Internet of Things

Along with the prediction that the continued growth of the Internet of Things (IoT) will transform our everyday lives and how we do business, we can also anticipate that the increased number of connected devices will bring about additional challenges, including greater security and privacy-related risks. In light of these challenges, the UAE Telecommunications Regulatory Authority (the TRA) has recently laid the groundwork for regulating IoT by introducing a regulatory policy (the IoT Policy) and a set of regulatory procedures (IoT Procedures) that give the TRA control and oversight over IoT services in the UAE while also setting forth some data protection-related principles. It is important that those that provide IoT services to the UAE market understand their obligations under the TRA’s IoT Policy going forward.

 

What is IoT?

 

When we speak of IoT, we generally refer to the network of everyday physical objects or devices connected to the Internet, which are able to communicate with other devices and collect and exchange data through software, embedded electronics, sensors and other forms of hardware. These devices can be consumer-based, such as wearables, cars, speakers, and smart home devices and appliances, as well as industry-based objects, such as intelligent medical devices, security systems, and machinery and robots used in factories.

 

In the IoT Policy, IoT is broadly defined as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) Things based on existing and evolving interoperable information and communication technologies”.

 

Who is Subject to the IoT Policy?

 

The IoT Policy is applicable to all individuals, companies, public authorities, and other legal entities concerned with IoT within the UAE. This includes IoT Service Providers that are located in the UAE as well as foreign-based IoT Service Providers providing services remotely to the UAE market.

 

The TRA defines an IoT Service Provider as any individual, company or public authority that “provides an IoT Service to users (including individuals, businesses and the government) that will comprise the provision of IoT-related service/solutions”. In addition, an IoT Service is considered to be any “set of functions and facilities offered to a user by an IoT Service Provider”, other than IoT-specific Connectivity (which is generally the type of activity that is provided by a network service provider). The TRA’s wide-reaching definition of IoT Service Provider and IoT Service would likely capture traditional IT providers offering IoT related services or solutions to businesses located in the UAE as well as foreign companies bringing IoT related products to the market, such as cars and smart home devices and appliances.

 

Requirements under the IoT Policy

 

The following are some of the principal requirements under the IoT Policy:

 

Registration and Local Presence. All IoT Service Providers must register with the TRA and obtain a registration certificate. To obtain a registration certificate, the IoT Service Provider is required to have a local presence or an appointed representative physically present in the UAE to be responsible for communicating with the TRA and law enforcement agencies. It also must have registered its IoT Service with the TRA pursuant to the IoT Procedures.

 

Mission Critical IoT Service. If an IoT Service is characterised as Mission Critical (i.e., any service that if it fails, may result in an adverse impact on the health of individuals, public convenience or safety or national security), then the IoT Service Provider is required to meet additional requirements stipulated by the TRA, including maintenance of subscriber information.

 

Soft SIMS. The TRA requires prior approval for the use of Soft SIMs. A Soft SIM refers to a collection of software applications and data that perform all of the functionality of a SIM card, but does not reside in any kind of secure storage. Rather, the Soft SIM is stored in the memory and processor of the communication device.

 

Type Approval. Any Radio and Telecommunications Terminal Equipment (RTTE) as defined in the TRA’s type approval policy that is to be sold, offered for sale or connected to any Telecommunication Apparatus within the UAE, requires a type approval from the TRA. In addition, if the RTTE collects any data or information or is capable of providing IoT Service, then it must also meet additional requirements set forth in the IoT Policy.

 

IoT-specific Connectivity. Any person that intends to provide IoT-specific Connectivity must contact the TRA to obtain a license, and the TRA will conduct a case-by-case assessment to consider whether awarding such a license is necessary subject to the Telecommunications Law (Federal Decree Law 3 of 2003) and the licensing regime in place at the time.

 

Data Protection 

 

In addressing data protection, the IoT Policy focuses on data storage and the location of stored data. It should be noted that while drafting these provisions on data protection, we can see that the TRA has looked to existing international standards as well as Dubai’s own policies as many of the data protection-related terms and principles contained in the policy have been adopted from the General Data Protection Regulation (EU) 2016/679 (the GDPR) and the Dubai Data Manual published by Smart Dubai in 2016.

 

Data Storage. IoT Service Providers must adhere to the following principles:

 

• Purpose Limitation – Data must be collected for specified, explicit and legitimate purposes only and cannot be further processed in a manner that is incompatible with these purposes.

 

• Data Minimisation – Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

 

• Storage Limitation – Data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the data is processed.

 

Data Localisation. Essentially, data must be classified based on the potential impact that will be caused in the event of a confidentiality breach or uncontrolled disclosure, and where data is to be stored depends on its classification. The TRA has set out four categories of classification, Open, Confidential, Sensitive, and Secret. Each of these classifications is defined in the IoT Policy and has been adopted from the Dubai Data Manual.

 

Data that is considered Secret, Sensitive or Confidential for individuals and businesses must be primarily stored within the UAE. However, this type of data may be stored outside of the UAE provided that the destination country meets or exceeds the UAE’s data security and user protection policies and regulations. Personal Data (as defined in the GDPR) will be classified as Secret Data for individuals. If any data is classified as Secret, Sensitive or Confidential Data for the government, then it must always be stored in the UAE. Finally, data that is classified as Open Data for individuals, businesses or the government may be stored in the UAE or abroad.

 

Compliance with the IoT Policy

 

Although the IoT Policy and IoT Procedures have only recently been made available to the public, they have been in effect since 22 March 2018 and 6 March 2019, respectively. In addition, the one-year transition period set out in the IoT Policy has elapsed. Therefore, unless an additional grace period is given, IoT Service Providers must immediately begin compliance with this new regulatory framework. Otherwise, noncompliance may result in the temporary or permanent suspension of services and may be considered as a breach of the Telecommunications Law, which could result in the imposition of fines and/or imprisonment.

 

Further Thoughts

 

The practical implications of the IoT Policy and IoT Procedures that are immediately obvious are the requirements that relate to data protection noted above. While the UAE (outside of the DIFC and ADGM) has not yet adopted a data protection law, the IoT Policy and Procedures have the effect of adopting certain key elements of a modern data protection regime and making them applicable to IoT Service Providers. This could be construed to apply to anyone who collects data remotely, if a liberal view is taken, as it could be difficult to draw a line between devices that collect and transmit data which do qualify as IoT devices, versus that which still collect and transmit data (like a mobile phone) which do not qualify as IoT devices. It may be that all such devices effectively are treated as IoT devices, and the result will be that different data protection regimes apply in the UAE depending on whether the data was transmitted by a device as opposed to collected directly or with pen and paper. We anticipate that this inequality of treatment under the law will be a transient phase as the UAE moves uniformly towards a consistent data protection regime, but businesses and advisors will need to be aware of this dichotomy in the meantime. It is easy to speculate that there may also be TRA approval required for importation of IoT devices too, to enable them to maintain a record or registry of IoT devices operating in the UAE.

 

We will provide further updates as this important area of regulation evolves.■

DIFC Courts pierce veil of incorporation in employment/marital dispute

The DIFC Small Claims Tribunal (SCT), a branch of the DIFC Courts, has in a rare (if not first of its kind) judgement, pierced the corporate veil of a DIFC incorporated company to look into its shareholding and key individuals in the case of Jamaru Group Holding Ltd v Jasmine [DIFC SCT 116/2019].

 

Overview of dispute

 

Jamaru Group Holding Ltd (Claimant), filed proceedings against Ms Jasmine (Defendant) in the DIFC SCT seeking reimbursement of payments made to the Defendant purportedly during the course of her employment with the Claimant. The claim sought repayment of payments made by the Claimant towards her apartment rental in Dubai and a loan to enable the Defendant to pay off her student debt. The Claimant also claimed that the Defendant was in breach of her employment contract by resigning from employment without serving notice.

 

The Defendant in response argued that the Claimant was nothing more the alter ego of her ex-husband who was the sole shareholder of the Claimant and that the payments made to her were gifts given by her ex-husband during the course of their marriage routed through the Claimant which had no connection to her employment with the Claimant. The Defendant also raised a counterclaim against the Claimant for her gratuity payments which were being withheld by the Claimant together with Article 18 penalties and argued that she had been forced to resign from employment with the Claiment as a consequence of her divorce.

 

The Defendant invited the court to pierce the corporate veil of the Claimant since the Defendant’s ex-husband was maliciously driving the Claimant’s claim to circumvent the terms of the divorce between them which expressly stated that there would be no further claims by or against either party. The Defendant cited the English case of Wyatt v. Wyatt (545 S.W.3d 796, 801 (Ct. App. Ark. 2018), a divorce action, where the court pierced the  corporate  veil of a husband’s three corporations for the purposes of dividing the marital property to prevent injustice caused by an abuse of the corporate form to the wife’s detriment.

 

The judgement

 

SCT Judge Maha Al Mehairi in issuing her judgement accepted the Defendant’s arguments and noted that “the Court has the power to pierce the corporate veil of a company when a Claimant attempts to circumvent the terms of the divorce by claiming back payments or gifts given to the Defendant over the course of their previous marriage by hiding behind the corporate veil of the corporate entity to “prevent injustice”.”

 

The learned judge also held that the gifts given to the Defendant by her ex-husband “are entirely appropriate in a marriage” and that the payments were not made consequent to her employment with the Claimant and dismissed the Claimant’s claim for those payments. The Defendant was awarded her gratuity and Article 18 penalties as it was found that the Claimant had withheld these sums without a justifiable reason.

 

Effect 

 

This judgement reinforces the DIFC Court’s pragmatic approach to disputes and its willingness to develop its body of law based on more mature legal systems. It also demonstrates that the DIFC Courts would not consider the principle enshrined by the well-known case of Salomon V Salomon as iron clad and that the Court would not hesitate to pierce the corporate veil to prevent injustice.

 

Afridi & Angell was pleased to advise the Defendant in these proceedings on a pro-bono basis. ■

Keeping up with the trend: the new DIFC Insolvency Law

Introduction

 

The latest in the series of insolvency regime reformations in the Middle East is the new Dubai International Financial Centre insolvency law; DIFC Law 1 of 2019 (the New Law). Subject to article 1(4) of the New Law, the New Law repeals and replaces DIFC Insolvency Law 3 of 2013 (the Old Law). Article 3 of the New Law states that it applies in the jurisdiction of the DIFC, meaning that it applies to all DIFC incorporated entities. The New Law will come into force on 28 August 2019.

 

The New Law combined with the expanded and restated Insolvency Regulations aims at encouraging trade and investment in the UAE by bringing the DIFC in line with international best practice in cases of insolvency. The New Law generally follows the same principles as UAE Federal Law 9 of 2016 on Bankruptcy in so much that it offers a formal restructuring procedure as a rescue tool to debtors, provides a mechanism for binding non-consenting creditors and, generally, promotes a more structured and effective system for businesses in financial distress.

 

The New Law provides significant additional restructuring options to debtors and creditors. While offering additional protection and tools to debtors willing to rescue their businesses by way of restructuring, the New Law ensures that these protections and tools are balanced with the rights offered to creditors to recover their debts.

 

What is being offered?

 

Rehabilitation:  the New Law provides for a court supervised debtor in possession regime called ‘rehabilitation’ which essentially allows a debtor an opportunity to rescue its business by way of proposing a rehabilitation plan to its creditors and shareholders for their vote. A debtor is entitled to apply for rehabilitation if it is, or is likely to become, unable to pay its debts and if there is reasonable probability of reaching a mutually agreeable arrangement with its creditors and shareholders.

 

One key feature of the New Law, and one that will surely be welcomed by financially distressed businesses, is that from the time that a debtor makes an application for rehabilitation, an automatic moratorium is immediately applied to all its creditors (secured and unsecured) for a period of 120 days. Amongst other things, the automatic moratorium affords debtors certain protections against termination of contracts. With the intention of creating a balance between the protections afforded to debtors and creditors, the New Law allows creditors to apply to the court seeking relief from the moratorium.

 

The New Law provides that for the purposes of voting on the rehabilitation plan, creditors and shareholders will be categorised into different classes with the court’s consultation. In order to be implemented, the plan needs to be approved by at least 75 per cent of the creditors or the shareholders in each class as well as the court. This essentially allows for binding the minority dissenting creditors and shareholders in each class to the rehabilitation plan.

 

The New Law grants courts the overriding power to sanction the rehabilitation plan provided that: (a) at least one class of creditors affected by it has accepted the plan; (b) all creditors are receiving at least as much value as they would have if the debtor was wound-up; and (c) a junior creditor in a class of creditors does not get paid before a senior dissenting creditor in that class.

 

Another significant relief that the New Law provides to debtors during the rehabilitation process is the ability to take on court sanctioned new financing (secured or unsecured).

 

Court appointed administrator: in the event that there is evidence of mismanagement and misconduct, one or more creditors can make an application to the court for the appointment of an independent administrator to manage the affairs of the debtor during the rehabilitation process. If appointed, the administrator will have the power to: (a) approve the rehabilitation plan; (b) facilitate a company voluntary arrangement; (c) approve a scheme of arrangement under the Companies Law; and (d) investigate any misconduct and mismanagement by the debtor and its management.

 

Cross-border insolvency:  another important feature of the New Law and one that should provide a great deal of confidence to the international trade community when investing in the UAE is the adoption of the United Nations Commissions on International Trade Law (UNCITRAL) Model Law. This will essentially ensure the mutual co-operation and co-ordination of cross-border insolvency proceedings.

 

Other enhancements: the New Law amongst other things also: (a) improves on the voluntary and compulsory winding up procedures offered by the Old Law by streamlining the appointment process for the appointment of a creditors’ committee in a winding up and clarifying the process for dissolution; (b) provides additional provisions governing unlawful trading and the reuse of company names; and (c) creates an offence of misconduct in the course of winding up.

 

Conclusion

 

The New Law introduces many welcomed features which should place the DIFC at the forefront of jurisdictions with developed and sophisticated insolvency regimes and is certainly a step forward in maintaining the UAE’s position as a world leading trade hub. ■