UNITED ARAB EMIRATES Law and Practice Contributed by: Arnold Krutilins and Gabrielle Margerison (nee Lowe), White & Case LLP
The VARA The VARA regulates virtual asset-related activities in the emirate of Dubai, excluding the DIFC. “Offshore UAE” The FSRA The FSRA is the financial services regulator in the ADGM. It supervises all banks, investment firms, securities traders and reinsurers that operate within The DFSA is the financial services regulator in the DIFC. It supervises all banks, investment firms, secu - rities traders and reinsurers that operate within the DIFC. 2.7 No-Action Letters the ADGM. The DFSA The authors are not aware of regulators in either “onshore UAE” or “offshore UAE” issuing “no-action” letters and this practice is not generally common in the UAE. 2.8 Outsourcing of Regulated Functions Regulated financial service providers (FSPs) are per - mitted to outsource certain functions to third-party vendors. FSPs retain responsibility for the outsourced function and must maintain oversight over the third- party vendor. The level and precise requirements of this oversight depend on the nature of the outsourced function and the FSP. Generally, where an FSP outsources one of its func - tions, it will be required to put in place an appropriate agreement governing its commercial relationship with the third-party vendor including audit rights in favour of the FSP. Under the DFSA General Rulebook Mod - ule and the FSRA General Rulebook, an outsourcing agreement must also require the third-party vendor to deal with the relevant regulator in an open and co- operative way. Further contractual requirements to be set out in the outsourcing agreements of banks are provided for in the CBUAE’s Outsourcing Regulations and Standards for Banks, which largely centre around access to the bank’s data by the third-party vendor. A bank’s outsourcing agreement must establish (among other things):
• that the bank retains ownership of the data and unfettered access to it; • that the data is adequately safeguarded (through confidentiality provisions and provisions relating to data destruction following termination); • the extent to which subcontracting is permitted; and • data breach notification requirements. In all cases, the UAE’s regulatory authorities require FSPs to take a risk-based approach to outsourcing functions and to carry out appropriate diligence on the selected third-party vendor whilst maintaining overall responsibility for each function that is outsourced. 2.9 Gatekeeper Liability Regulated FSPs are required to comply with certain conduct of business requirements. They are also required to adhere to standards in respect of the promotion of financial products and services. For instance, the DFSA General Rulebook Module requires that all financial promotions: • are clear, fair and not misleading; • indicate who the regulated FSP is; • are directed at the intended category of customer or client; • provide fair, unbiased and balanced information; and • when directed at retail clients, contain a prominent warning that past performance is not necessarily a reliable indicator of future performance. The VARA has issued its own Marketing Regulations governing the promotion of virtual assets in Dubai that contain similar advertising standards. Beyond this, fintechs are responsible for complying with obligations set out under the UAE’s anti-money laundering and countering of terrorist financing (“AML/ CTF”) laws. This includes carrying out KYC diligence and monitoring for and reporting suspicious transac - tions. 2.10 Significant Enforcement Actions The enforcement actions by regulatory authorities have increased considerably in recent years following
913 CHAMBERS.COM
Powered by FlippingBook