UAE Law and Practice Contributed by: Stefan Mrozinski, Gabrielle Margerison (nee Lowe) and Arnold Krutilins, White & Case LLP
• that the data is adequately safeguarded (through confidentiality provisions and provi - sions relating to data destruction following termination); • the extent to which subcontracting is permit - ted; and • data breach notification requirements. In all cases, the UAE’s regulatory authorities require FSPs to take a risk-based approach to outsourcing functions and to carry out appropri - ate diligence on the selected third-party vendor whilst maintaining overall responsibility for each function that is outsourced. 2.9 Gatekeeper Liability Regulated FSPs are required to comply with cer - tain conduct of business requirements. They are also required to adhere to standards in respect of the promotion of financial products and services. For instance, the DFSA General Rulebook Module requires that all financial pro - motions: • are clear, fair and not misleading; • indicate who the regulated FSP is; • are directed at the intended category of cus - tomer or client; • provide fair, unbiased and balanced informa - tion; and • when directed at retail clients, contain a prominent warning that past performance is not necessarily a reliable indicator of future performance. The VARA has issued its own Marketing Regula - tions governing the promotion of virtual assets in Dubai that contain similar advertising standards. Beyond this, fintechs are responsible for com - plying with obligations set out under the UAE’s
anti-money laundering and countering of terror - ist financing ( “AML/CTF” ) laws. This includes, carrying out know your customer diligence and monitoring for and reporting suspicious transac - tions. 2.10 Significant Enforcement Actions The enforcement actions by regulatory authori - ties have increased considerably in recent years following the UAE’s addition to the Financial Action Task Force’s (FATF’s) grey list in 2022 and its subsequent removal in February 2024. This increased enforcement has also been evi - dent within the UAE’s crypto and virtual asset and payment services verticals. “Onshore UAE” regulatory authorities typically have wide-rang - ing enforcement powers and have the ability to impose a wide range of penalties from fines and censure for less severe breaches to impris - onment for the most serious offences such as those connected to financial crime. “Offshore UAE” regulatory authorities’ powers do not include criminal powers but otherwise mirror those of “onshore UAE” regulatory authorities. By way of example, the Executive Regulations relating to the DVAL Virtual Assets and Related Activities Regulations 2023 include the following penalties: • written reprimands; • enforcement notices requiring non-compli - ance to be rectified within a specified period of time; • licence restrictions, suspensions or revoca - tions; and • fines. The VARA has already revoked licences and the CBUAE has demonstrated its increased appe - tite for enforcement by issuing various sanctions against finance companies and exchange hous -
911 CHAMBERS.COM
Powered by FlippingBook