UNITED ARAB EMIRATES Law and Practice Contributed by: Arnold Krutilins and Gabrielle Margerison (nee Lowe), White & Case LLP
the UAE’s addition to the Financial Action Task Force’s (FATF’s) grey list in 2022 and its subsequent removal in February 2024. This increased enforcement has also been evident within the UAE’s crypto and virtual asset and payment services verticals. “Onshore UAE” regu - latory authorities typically have wide-ranging enforce - ment powers and have the ability to impose a wide range of penalties from fines and censure for less severe breaches to imprisonment for the most serious offences such as those connected to financial crime. “Offshore UAE” regulatory authorities’ powers do not include criminal powers but otherwise mirror those of “onshore UAE” regulatory authorities. By way of example, the Executive Regulations relat - ing to the DVAL Virtual Assets and Related Activities Regulations 2023 include the following penalties: • written reprimands; • enforcement notices requiring non-compliance to be rectified within a specified period of time; • licence restrictions, suspensions or revocations; and • fines. The VARA has already revoked licences and the CBUAE has demonstrated its increased appetite for enforcement by issuing various sanctions against finance companies and exchange houses. The authors are also aware of the increased enforcement appetite of the DFSA and the FSRA in recent times. However, the VARA’s investigatory process suggests that the VARA is willing to work with companies that are in violation of regulations and provide opportunities for them to correct their transgressions. 2.11 Implications of Additional, Non- Financial Services Regulations Federal Decree-Law No 45/2021 (the “Personal Data Protection Law”) is “onshore UAE’s” first written data protection law of general application. The Personal Data Protection Law is inspired by the EU’s General Data Protection Regulation (the “GDPR”) but is lighter touch. As of the time of publication, the Executive Regulations, which will flesh out the provisions of the Personal Data Protection Law, are yet to be released. “Onshore UAE” Data protection
Data and information are also protected in other aspects of “onshore UAE” law. For example, Federal Decree-Law No 31/2021 prohibits the unlawful copy, distribution or provision of information or data. Cybercrime Federal Decree-Law No 34/2021 Concerning the Fight against Rumours and Cybercrime sets out a wide range of offences, including in relation to illegal digi - tal content and illegal uses of information technology. This is a broad law that goes considerably further than equivalent regulation in this area in Western Europe and the US. Both the DIFC and the ADGM have had consolidated data protection regimes for many years and both were recently reformed. They bear a significant resemblance to the GDPR, albeit being more business-friendly and somewhat lighter touch. 2.12 Review of Industry Participants by Parties Other Than Regulators “Offshore UAE” Data protection There are a growing number of formal industry bod - ies emerging in the fintech space such as the MENA Fintech Association. These industry bodies have an increasingly important role to play with respect to rep - resenting industry participants, communicating with regulators to address concerns and seeking guidance in respect of, or input with respect to, planned regula - tions within the fintech space. The DIFC Innovation Hub and the ADGM RegLab also oversee the fintech market and can influence the rules and regulations within the industry as an infor - mal network by interpreting the practical application of the rules and regulations, thereby influencing how the market operates. Regulatory sandboxes also play a part in helping regulators to examine how their regulatory regimes impact real-life business models, enabling regulators to adapt and develop in line with their aim of promoting the UAE as a global fintech industry hub.
914 CHAMBERS.COM
Powered by FlippingBook