

Consultation Paper No. 16 Policy Statement on Confidential Regulatory Information



July 2005

THE DUBAI FINANCIAL SERVICES AUTHORITY ("DFSA") CONSULTATION PAPER ADDRESSED TO PARTIES INTERESTED IN THE DEVELOPMENT OF FINANCIAL SERVICES AND MARKETS REGULATION WITHIN DUBAI'S FINANCIAL FREE ZONE (THE "DIFC")

The purpose of this paper is to publish for consultation the DFSA's Draft Policy Statement on Confidential Regulatory Information, which is attached as Annex A.

The DFSA invites comments on any aspect of the draft Policy, including the principles and the detailed drafting.

Please note that, although the Policy is in draft form, it reflects the DFSA's current practice and the DFSA reserves the right to amend it at its sole discretion.

Subject to comments received, the Policy will be finalized by the Chief Executive pursuant to his powers under Article 36 of the Regulatory Law 2004.

Should you wish to submit comments, please provide details of the organisation you represent. The names of commentators and the content of their submissions may be published on the DFSA website and in other documents to be published by the DFSA. If you wish your name to be withheld from publication, please indicate this when you make your submission.

Any comments should be addressed to:
Joyce. C. Maykut QC
General Counsel
DFSA
PO Box 75850
Dubai, UAE

or e-mailed to jmaykut@dfsa.ae

All comments should be provided in writing, on or before 4 August 2005.

A. Introduction

The Dubai Financial Services Authority is the integrated regulator of all financial and Ancillary Services undertaken in or from the Dubai International Financial Centre.

This Policy Statement describes how the DFSA protects, uses and discloses confidential information that it receives in the course of regulating Financial Services in the DIFC. Such information is referred to in this Policy Statement as "confidential information".

B. Guiding Principles

The DFSA's mandate is to ensure that the DIFC is one of the best regulated international financial centres in the world - a centre based on principles of integrity, transparency and efficiency.

To accomplish this, the DFSA operates to the international best practice standards that apply in the world's major financial centres such as London, New York, Hong Kong and Frankfurt.

The international best practice standards adopted and applied by the DFSA in the DIFC are those set by leading international organisations such as IOSCO (International Organisation of Securities Commissions), BIS (Bank for International Settlements), IAIS (International Association of Insurance Supervisors) and FATF (Financial Action Task Force).

The DFSA's commitment to these standards is a commitment:

• to enforce and ensure compliance with applicable Financial Services legislation, consistent with the IOSCO Objectives and Principles of Securities Regulation, the IAIS Core Principles for Effective Insurance Supervision, the Basel Core Principles for Effective Banking Supervision and the FATF Recommendations on Anti-Money Laundering;
• to provide the fullest mutual assistance to relevant counterpart international Financial Services Regulators regarding cooperation and the exchange of confidential information according to standards and procedures that are equivalent to those prescribed in the IOSCO Multilateral Memorandum of Understanding;
• to seek to ensure that DIFC or foreign laws or regulations about confidentiality or secrecy do not prevent the DFSA from obtaining, securing or disclosing confidential information where required for lawful regulatory or enforcement purposes;
• to limit the disclosure of confidential information to relevant counterpart international Financial Services Regulators and enforcement agencies to what is required for lawfully ensuring compliance with, and enforcement of, applicable Financial Services and criminal legislation;
• to apply international best practices in obtaining and disclosing confidential information;
• to implement robust internal control systems and procedures that meet international best practices for the handling, storing, processing and securing of confidential information; and
• to implement data protection procedures that are equivalent to those prescribed in the European Union Directives so as to protect individual privacy rights according to international best practices.

C. Relevant Legislation

The main legislative provisions governing the use of confidential information are set out in Dubai Law No. 9 of 2004, DIFC Regulatory Law No. 1 of 2004, the DIFC Data Protection Law No. 9 of 2004 and the UAE Penal Code Federal Law No. 3.

1. Regulatory Powers to Obtain Confidential Information

Like other Financial Services Regulators, the DFSA has comprehensive powers under the Regulatory Law to carry out its authorization, supervision and enforcement functions regarding Financial Services in the DIFC. These include the power to require reports, conduct on-site inspections of business premises of authorised entities and individuals, investigate and compel the production of documents, testimony and other information.

The DFSA has in place internal procedures to monitor and manage the flow of information and documents obtained during the course of its regulatory activities. These procedures include the use of manual and electronic document storage and retrieval systems.

For example, the DFSA provides receipts to authorised entities for any documents forwarded to the DFSA or which the DFSA removes during the course of an onsite inspection or visit.

The DFSA can also extend its powers to obtain information from third party suppliers, including intermediaries and companies that have accepted outsourced functions for regulated entities. These include subsidiaries established in the DIFC and Branches in the DIFC of firms authorised in other jurisdictions. The DFSA may also exercise these powers at the request, and on behalf, of foreign Regulators and authorities to assist them in performing their regulatory or enforcement functions. Why, when and how this is permissible is described in more detail below.

In short, because the DFSA's statutory mandate is to regulate all Financial Services provided in and from the DIFC, the DFSA has broad access to confidential information about individuals and firms participating in or connected to the provision of Financial Services in the DIFC. This includes all market participants, listed companies, reporting entities and their officers and Directors.

For example, this means that the DFSA will treat accounts that are booked and held in foreign jurisdictions, but serviced and managed in or from the DIFC, the same as if the accounts were booked, held, serviced and managed entirely within the DIFC. Legally and practically the DFSA has complete access to the account information in both situations because the regulated Financial Service is provided in or from the DIFC. However, if a DIFC Regulated Financial Institution books, holds, services and manages an account entirely in a foreign jurisdiction, the DFSA has no authority to access confidential Client account information unless the laws of the foreign jurisdiction permit such access and disclosure.

2. Confidentiality Obligations

Although the DFSA has comprehensive powers to access confidential information so that it can properly discharge its regulatory functions, there are statutory limitations or restrictions on the way the DFSA uses and deals with confidential information. These limitations or restrictions are necessary to protect individual privacy and to assure regulated firms and individuals, and their Clients, that the confidential information they provide to the DFSA will be dealt with in confidence and used only for lawful purposes.

2.1 Dubai Law No. 9 of 2004

Under Article 7 (8) (h) of Dubai Law No. 9 of 2004, which is the law under which the DFSA was established, the DFSA is required to keep confidential any confidential information obtained, disclosed or collected by it, in the course of performing its functions. The Article specifically prohibits the disclosure of confidential information to third parties except in circumstances permitted by DIFC laws and regulations.

2.2 The UAE Penal Code

It is a criminal offence under Article 379 of the UAE Penal Code, Federal Law No. 3 (which applies in the DIFC), for any Person, including the DFSA, its Employees and agents, to disclose confidential information to third parties without having the legal authority to do so.

2.3 The Data Protection Law

The DIFC Data Protection Law applies to everyone in the DIFC, including the DFSA. Its purpose is to protect privacy rights and to ensure an individual's personal information, which is presumed to be confidential information, is kept confidential and used only for the lawful purpose for which it was provided. The Data Protection Law only protects the privacy rights of individuals and not companies or other like entities.

Article 7 of the Data Protection Law requires the DFSA as a data Controller, which is a Person who obtains, stores or processes an individual's personal information, to do so fairly, lawfully, securely and only for the specific purpose it was obtained. The law sets limits on the ability of the DFSA to disclose an individual's personal information outside the DIFC.

For example, unless the DFSA has obtained a permit under the Data Protection Law to do so (or provided a notification if consent has been obtained) the DFSA must not disclose confidential information about an individual to a foreign authority unless the data protection legislation in that jurisdiction contains equivalent protections and rights for individuals to those under the DIFC Data Protection Law.

Generally under the Data Protection Law, an individual has the right to be informed before personal confidential information is disclosed for the first time to third parties and to be expressly offered the right to object to such disclosure. However, the Law allows the DFSA to disclose confidential information without an individual's consent if the disclosure is necessary for the DFSA to comply with its legal and regulatory obligations and provided that a notification to this effect has been filed under the Data Protection Law.

Exemptions relating to the DFSA are found in Article 25 of the Data Protection Law which provides that the DFSA may decline to inform individuals about the type or purpose of the information being processed if it is in the public interest to do so.

For example, the DFSA will not normally notify an individual about a request from a foreign authority to provide confidential information about a Client of a Financial Institution if the request is for the purpose of investigating the client's suspected participation in a Securities fraud or criminal offence. In such cases, notifying the Client or Financial Institution is likely to jeopardize the investigation and would defeat the public interest.

2.4 The Regulatory Law

Article 38(1) of the Regulatory Law parallels the above confidentiality provisions by prohibiting the DFSA, its Employees, agents or any Person from disclosing confidential information unless they have the consent of the Person to whom the duty of confidentiality is owed or unless the disclosure is expressly authorised under Article 38(3).

3. Authorised Powers of Disclosure

Under Article 38(3) of the Regulatory Law, the DFSA may lawfully disclose confidential information:

1. where the information is already public;
2. where the disclosure is for the purpose of assisting the following persons in the performance of their regulatory functions: [emphasis added]
(a) the DIFC Companies Registrar;
(b) a Financial Services Regulator;
(c) a governmental or regulatory authority in the UAE or elsewhere exercising powers and performing functions relating to anti-money laundering;
(d) a self-regulatory body or organization exercising and performing powers and functions in relation to financial services;
(e) a civil or criminal law enforcement agency, in the UAE or elsewhere;
3. where disclosure is permitted or required under the Regulatory Law or Rules, other DFSA administered laws or any other law applicable in the DIFC; and
4. where disclosure is made in good faith for purposes of performance and exercise of the functions and powers of the DFSA.

Under Article 80(7) of the Regulatory Law, the DFSA is prohibited from disclosing an individual's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the Person unless the Person consents to the disclosure or the DFSA is required by law or Court order to disclose the statement.

In summary, the above restrictions mean that:

1. the DFSA may only use or disclose confidential information to fulfil a DFSA regulatory purpose or legal obligation;
2. the DFSA may only disclose confidential information to domestic and foreign Regulators and authorities if it is for the purpose of assisting them in the performance of their specific regulatory or enforcement functions regarding Financial Services and criminal legislation; and
3. the DFSA may only disclose an individual's compelled testimony to a law enforcement agency for the purpose of criminal proceedings against the Person if the Person consents to the disclosure or if the DFSA is required by law or Court order to disclose the statement.

4. Exercising Regulatory Powers on Behalf of Other Authorities

In addition, Article 39 of the Regulatory Law gives the DFSA specific statutory authority to exercise its powers at the request, and on behalf, of the Regulators, authorities, bodies or agencies listed in Article 39 (hereinafter authority or authorities). This means that the DFSA may obtain confidential information from DIFC reporting entities, listed companies, regulated firms and individuals, and their Clients on behalf of other authorities. Therefore the provisions of Articles 38 and 39 must often be considered together to determine the limitations on obtaining and sharing confidential information.

Under Article 39, the DFSA may only exercise its powers on behalf of other authorities if the request for assistance comes from:

1. the DIFC Companies Registrar;
2. a Financial Services Regulator;
3. a governmental or regulatory authority in the UAE or elsewhere exercising powers and performing functions relating to anti-money laundering;
4. a self-regulatory body or organization exercising and performing powers and functions in relation to financial services; or
5. a civil or criminal law enforcement agency, in the UAE or elsewhere.

As a matter of policy and further to its commitment to the Guiding Principles above, the DFSA will assist an Article 39 authority unless:

1. the request would require the DFSA to act in a manner that would violate applicable UAE criminal laws, DIFC laws or DFSA policies;
2. the request involves a country boycotted by the UAE;
3. the regulator making the request is not a Financial Services Regulator. (A Financial Services Regulator for the purposes of this policy, means a regulator whose principal mandate includes regulating one or more of Securities, commodities, asset management, collective Investment schemes, insurance and re-insurance, banking, Investment services, trust service providers, Islamic finance and companies);
4. the request is in relation to criminal or enforcement proceedings and criminal or enforcement proceedings have already been initiated in the DIFC or UAE relating to the same facts or same persons, or the same persons have already been penalized or sanctioned on substantively the same charges and to the same degree by the DFSA or the competent authorities in the UAE;
5. the request would be prejudicial to the "public interest" of the DIFC;
6. the requesting authority refuses to give corresponding assistance to the DFSA;
7. complying with the request would be so burdensome as to prejudice or disrupt the performance of DFSA regulatory functions and duties; or
8. the authority fails to demonstrate a legitimate reason for the request.

If the DFSA decides to obtain and disclose confidential information on behalf of another authority under Article 39, then it must do so in accordance with the provisions of Article 38.

In deciding whether to comply with a request to disclose confidential information under Articles 38 and 39, the DFSA as a matter of policy will satisfy itself that there are legitimate reasons for the request and that the regulator or authority requesting the information has the appropriate standards in place for dealing with Client confidentiality. What the DFSA considers to be legitimate reasons are discussed below.

5. Factors Determining Legitimacy of Request for Confidential Information

Every request to disclose confidential information will be assessed by the DFSA on a case-by-case basis to determine whether there is a legitimate reason to comply with the request. In determining the legitimacy of a request, the DFSA may consider, in addition to Articles 38 and 39 of the Regulatory Law:

1. whether the request will enable the requesting authority to discharge more effectively its regulatory responsibilities to enforce and secure compliance with the Financial Services laws administered by the requesting authority;
2. whether the request is for the purpose of actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of Financial Services laws administered by the requesting authority;
3. whether the requesting authority is governed by laws that are substantially equivalent to those governing the DFSA concerning regulatory confidentiality, data protection, legal privilege and procedural fairness;
4. whether the request involves the administration of justice of a law, regulation or requirement that has no close parallel in the DIFC or UAE or is unrelated to enforcing and securing compliance with the Financial Services laws of the requesting jurisdiction;
5. whether any other authority, governmental or non-governmental, is cooperating with the requesting authority or seeking information from the confidential files of the requesting authority; and
6. whether fulfilling the request will foster the integrity of, and confidence in, the Financial Services industry in the DIFC and the requesting jurisdiction.

6. Civil Proceedings in the DIFC Court

The DIFC Court's enabling legislation, Dubai Law No. 12 of 2004, In Respect of The Judicial Authority at DIFC, gives it exclusive judicial jurisdiction in the DIFC and over DIFC bodies including the DFSA. Therefore, the DFSA is obliged by law to disclose confidential information if it is compelled to do so pursuant to an order from the DIFC Court.

7. Criminal Prosecutions in the UAE Courts

Because the UAE criminal laws apply in the DIFC, the DFSA is obliged under Article 78, Part 2 of the UAE Penal Procedures Law Federal Law No. 35 to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws in the UAE. This includes orders or demands to disclose confidential information.

8. The Effect of Foreign Secrecy Laws in the DIFC

Foreign banking secrecy laws do not apply in the DIFC and do not apply to DFSA regulated entities and their Clients in relation to Financial Services business conducted in or from the DIFC. This is because foreign banking secrecy laws or confidentiality provisions do not have extraterritorial effect, that is, outside the jurisdiction in which they are enacted. Similarly the DFSA does not have extraterritorial or direct access to confidential Client information if the client's business is booked, held, serviced and managed exclusively in foreign jurisdictions subject to a strict banking secrecy regime.

For example, a request by the DFSA to a foreign regulator or a Financial Institution operating in a secrecy jurisdiction for disclosure of confidential Client account information will be governed by and be subject to the secrecy laws of the foreign jurisdiction.

9. Applications to Request Confidential Information

Generally, for the DFSA to agree to provide confidential information in response to an Article 39 request, the authority will be required to:

1. make the request in writing, or if urgent make the request orally and, unless otherwise agreed, confirm it in writing within ten business days;
2. describe the confidential information requested and the purpose for which the authority seeks the information;
3. provide a brief description of the facts supporting the request and the relevant legal powers authorising the request;
4. specify whether the purpose of the request is for actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of the laws and regulations administered by the authority;
5. agree that it will not use the confidential information for any other purpose than that for which it was requested unless it has the express permission of the DFSA;
6. indicate, if known, the identity of any persons whose rights or interests may be adversely affected by the disclosure of confidential information;
7. indicate whether obtaining the consent of, or giving notice to, the Person to whom the request for confidential information relates would jeopardize or prejudice the purpose for which the information is sought;
8. specify whether any other authority, governmental or non-governmental, is co-operating with the requesting authority or seeking information from the confidential files of the requesting authority;
9. specify whether onward disclosure of confidential information is likely to be necessary and the purpose such disclosure would serve;
10. agree to keep requested confidential information confidential, including the fact that a request for confidential information was made, except as it conforms to this policy or in response to a legally enforceable demand;
11. agree, in the event of a legally enforceable demand, that it, the requesting authority, will notify the DFSA prior to complying with the demand, and will assert such appropriate legal exemptions or privileges with respect to such confidential information as may be available;
12. agree that, prior to providing information to a self-regulatory organization, the requesting authority will ensure that the self-regulatory organization is able and will comply on an ongoing basis with the confidentiality provisions agreed to between the requesting authority and DFSA; and
13. agree to use its best efforts to protect the confidentiality of confidential information received from the DFSA pursuant to the provisions in Articles 38 and 39 of the Regulatory Law, the Data Protection Law and this policy.

For example, in an international Securities fraud or Money Laundering investigation the kind of documents the DFSA may provide to an Article 39 authority may include documents from contemporaneous records sufficient to reconstruct all Securities, Derivatives and Bank transactions, records of all funds and assets transferred into and out of Bank and brokerage accounts relating to these transactions, records that identify the Beneficial Owner and Controller, and for each Transaction, the account holder, the particulars of the Transaction, and the individual and the authorised financial or market institution that handled the Transaction.

10. Opportunity to Challenge a Request for Confidential Information

Under Article 80(7) of the Regulatory Law, the DFSA must not disclose a person's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the Person unless the Person consents to the disclosure or the DFSA is required by law or Court order to disclose the statement.

Therefore the DFSA will give a Person an opportunity to challenge a request from any law enforcement agency for the person's compelled testimony if the purpose is to pursue criminal proceedings against the Person.

When the DFSA is requested to disclose confidential information to an Article 39 authority, in circumstances other than those referred to in Article 80(7), the DFSA will notify and give the Person an opportunity to challenge the disclosure unless it would prejudice or jeopardize the purpose for which the information was sought or it would prejudice or jeopardize the DFSA's ability to discharge its regulatory and statutory functions or otherwise be contrary to the public interest.

When the DFSA notifies a Person whose interests are likely to be adversely affected by disclosure of confidential information, the Person will be given the opportunity to make submissions to the DFSA on:

• whether the factual and legal conditions justifying the release are met;
• the scope of the release; and
• whether any conditions should apply to the release.

The DFSA will provide the Person whose interests are likely to be adversely affected by the release with the information necessary to enable the Person to make submissions to the DFSA.

If a Person would be adversely affected by the disclosure of confidential information and the purpose for the request is to use the information in civil litigation, the Person requesting the confidential information will be required to obtain a DIFC Court order compelling the DFSA to disclose the confidential information.

If a Person would be adversely affected by the disclosure of confidential information and the purpose for the request is to use the information in civil litigation, the DFSA will notify the Person of the request so that the Person has an opportunity to challenge the request according to the Rules of the DIFC Court.

D. Internal Procedures

1. Employee Practices and Procedures

The statutory obligation on all DFSA Employees, agents and independent contractors to keep all confidential information confidential is further reinforced by requiring:

• all DFSA Employees, agents and independent contractors to sign an Employment or Consultancy Services Contract that incorporates a confidentiality clause; and
• all DFSA Employees to abide by a Code of Values and Ethics which requires them to comply with their statutory obligations, including the confidentiality obligations under the Regulatory Law.

2. Physical Management of Confidential Information

The DFSA's entire office space is restricted and accessible only through the use of electronic identification cards.

The DFSA has adopted best practice electronic and paper document control systems that monitor and audit the use of confidential information.

To ensure the confidentiality obligations in the Regulatory and Data Protection Laws are met, the DFSA has developed policies concerning the physical management of information by Employees in discharging their licensing, supervisory and other regulatory functions. The policies also prescribe procedures regarding information technology security, restricted electronic information access, physical perimeter security, securing evidence, receiving and receipting documentation and designating sensitivity classifications of information.

When the DFSA receives confidential information pursuant to its statutory powers under the Regulatory Law to compel production of information and documents, the documents are processed according to prescribed procedures. These procedures include processes for the manual and electronic receipt, storage and return of confidential information and documents in and from an Evidence Management Facility purpose built to secure confidential information. Only limited nominated staff have access to the restricted area and the compelled documents while they remain in the custody of the DFSA.

DUBAI FINANCIAL SERVICES AUTHORITY

4 July 2005