Policy Statement 1/2010 Policy Statement 1/2010 Confidential Regulatory Information — replacing Policy Statement 1/2005
1.1 The Dubai Financial Services Authority is the integrated regulator of all financial and ancillary services undertaken in or from the Dubai International Financial Centre.
1.2 This Policy Statement describes how the DFSA protects, uses and discloses confidential information that it receives in the course of regulating financial services in the DIFC. Such information is referred to in this Policy Statement as “confidential information”.
2.1 The DFSA's mandate is to ensure that the DIFC is one of the best regulated international financial centres in the world—a centre based on principles of integrity, transparency and efficiency. To accomplish this, the DFSA operates to the international best practice standards that apply in the world's major financial centres such as London, New York, Hong Kong and Frankfurt.
2.2 The international best practice standards adopted and applied by the DFSA in the DIFC are those set by leading international organisations such as IAIS (International Association of Insurance Supervisors), IOSCO (International Organisation of Securities Commissions), BIS (Bank for International Settlements) and FATF (Financial Action Task Force).
2.3 The DFSA's commitment to these standards is a commitment:• to enforce and ensure compliance with applicable financial services legislation, consistent with the IOSCO Objectives and Principles of Securities Regulation, the IAIS Core Principles for Effective Insurance Supervision; the Basel Core Principles for Effective Banking Supervision and the FATF Recommendations on Anti-Money Laundering and Counter Terrorism Financing;• to provide the fullest mutual assistance to relevant counterpart international financial services regulators regarding cooperation and the exchange of confidential information according to standards and procedures that are equivalent to those prescribed in the IOSCO Multilateral Memorandum of Understanding;• to seek to ensure that DIFC or foreign laws or regulations about confidentiality or secrecy do not prevent the DFSA from obtaining, securing or disclosing confidential information where required for lawful regulatory or enforcement purposes;• to limit the disclosure of confidential information to relevant counterpart international financial services regulators and enforcement agencies to what is required for lawfully ensuring compliance with, and enforcement of, applicable financial services and criminal legislation;• to apply international best practices in obtaining and disclosing confidential information;• to implement robust internal control systems and procedures that meet international best practices for the handling, storing, processing, securing and retention of confidential information; and• to implement data protection procedures that are equivalent to those prescribed in the European Union Directives so as to protect individual privacy rights according to international best practices.
2.4 In addition, the DFSA strives to comply with the legislative requirements that govern its processes and procedures. The main legislative provisions governing the use of confidential information are set out in Dubai Law No. 9 of 2004, DIFC Regulatory Law No. 1 of 2004, the DIFC Data Protection Law No. 1 of 2007 and the UAE Penal Code Federal Law No. 3 of 1987.
3. Powers to Obtain Confidential Information
3.1 Like other financial services regulators, the DFSA has comprehensive statutory powers to carry out its authorisation, supervision and enforcement functions regarding financial services in the DIFC. The DIFC Regulatory Law confers powers to require reports, conduct on-site inspections of business premises of authorised entities and individuals, investigate and compel the production of documents, testimony and other information.
3.2 The DFSA can also use its powers to obtain information from third party suppliers, including intermediaries and companies that have accepted outsourced functions for regulated entities. These include subsidiaries established in the DIFC and branches in the DIFC of firms authorised in other jurisdictions. The DFSA may also exercise these powers at the request, and on behalf, of foreign regulators and authorities to assist them in performing their regulatory or enforcement functions. Why, when and how this is permissible is described in more detail below.
3.3 In short, because the DFSA's statutory mandate is to regulate all financial services provided in and from the DIFC, the DFSA has broad access to confidential information about individuals and firms participating in or connected to the provision of financial services in the DIFC. This includes all market participants, listed companies, reporting entities and their officers and directors.
Example: This means that the DFSA will treat accounts that are booked and held in foreign jurisdictions, but serviced and managed in or from the DIFC the same as if the accounts were booked, held, serviced and managed entirely within the DIFC. Legally and practically the DFSA has complete access to the account information in both situations because the regulated financial service is provided in or from the DIFC. However, if a DIFC regulated financial institution books, holds, services and manages an account entirely in a foreign jurisdiction, the DFSA has no authority to access confidential client account information unless the laws of the foreign jurisdiction permit such access and disclosure.
4. Confidentiality Obligations
4.1 Although the DFSA has comprehensive powers to access confidential information so that it can properly discharge its regulatory functions, there are statutory limitations or restrictions on the way the DFSA uses and deals with confidential information. These limitations or restrictions are necessary to protect individual privacy and to assure regulated firms and individuals, and their clients, that the confidential information they provide to the DFSA will be dealt with in confidence and used only for lawful purposes.
Dubai Law No. 9 of 2004
4.2 Under Article 7 of Dubai Law No. 9 of 2004, which is the law under which the DFSA was established, the DFSA is required to keep confidential any confidential information obtained, disclosed or collected by it, in the course of performing its functions. The Article specifically prohibits the disclosure of confidential information to third parties except in circumstances permitted by DIFC laws and regulations.
DIFC Regulatory Law
4.3 Article 38(1) of the Regulatory Law parallels the above confidentiality provisions by prohibiting the DFSA, its employees, agents or any person from disclosing confidential information unless they have the consent of the person to whom the duty of confidentiality is owed or unless the disclosure is expressly authorised under Article 38(3) (see Part 5 below).
DIFC Data Protection Law
4.4 The DIFC Data Protection Law applies to everyone in the DIFC, including the DFSA. Its purpose is to protect privacy rights and to ensure an individual's personal information, which is presumed to be confidential information, is kept confidential and used only for the lawful purpose for which it was provided. The Data Protection Law only protects the privacy rights of individuals and not companies or other like entities.
4.5 The Data Protection Law requires the DFSA as a data controller, which is a person who obtains, stores or processes an individual's personal information, to do so fairly, lawfully, securely and only for the specific purpose it was obtained. The personal information must not be kept longer than necessary and if inaccurate or incomplete must be rectified or erased.
UAE Penal Code
4.6 It is a criminal offence under Article 379 of the UAE Penal Code, Federal Law No. 3 of 1987, (which applies in the DIFC) for any person including the DFSA, its employees and agents to disclose confidential information to third parties without having the legal authority to do so. This Article applies to all persons, not just currently serving public officers. However, it imposes more severe penalties on public officers if they disclose such information in cases other than those permitted by the law.
5. Statutory Gateways for Disclosure
5.1 The Regulatory Law provides gateways by which the DFSA is permitted to disclose regulatory information for certain purposes and/or to certain persons. The relevant gateways are in Articles 38 and 39.
Article 38 of the Regulatory Law(a) the information is already public;(b) the disclosure is for the purpose of assisting the following persons in the performance of their regulatory functions:(i) the DIFC Companies Registrar;(ii) a Financial Services Regulator;(iii) a governmental or regulatory authority in the UAE or elsewhere exercising powers and performing functions relating to anti-money laundering;(iv) a self-regulatory body or organisation exercising and performing powers and functions in relation to financial services;(v) a civil or criminal law enforcement agency, in the UAE or elsewhere;(c) disclosure is permitted or required under the Regulatory Law or Rules, other DFSA administered laws or any other law applicable in the DIFC; or(d) disclosure is made in good faith for purposes of performance and exercise of the functions and powers of the DFSA.
Article 39 of the Regulatory Law
5.3 In addition, Article 39 of the Regulatory Law gives the DFSA specific statutory authority to exercise its powers at the request, and on behalf, of the regulators, authorities, bodies or agencies listed in Article 39. This means that the DFSA may obtain confidential information from DIFC reporting entities, listed companies, regulated firms and individuals, and their clients on behalf of other authorities. Therefore the provisions of Article 38 and 39 must often be considered together to determine the limitations on obtaining and sharing confidential information.
5.4 Under Article 39, the DFSA may only exercise its powers on behalf of other authorities if the request for assistance comes from:(a) the DIFC Companies Registrar;(b) a Financial Services Regulator;(c) a governmental or regulatory authority in the UAE or elsewhere exercising powers and performing functions relating to anti-money laundering;(d) a self-regulatory body or organisation exercising and performing powers and functions in relation to financial services; or(e) a civil or criminal law enforcement agency, in the UAE or elsewhere.
5.5 You will notice that an identical range of regulators, authorities, bodies or agencies are listed in Article 38(3)(b) and Article 39. For the purpose of this paper we will refer to these authorities as “Article 38/39 Authorities”.
Restrictions on disclosure by the DFSA
5.6 Under Article 80(7) of the Regulatory Law, the DFSA is prohibited from disclosing an individual's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the person unless the person consents to the disclosure or the DFSA is required by law or court order to disclose the statement.
5.7 Additionally, when the DFSA is requested to disclose confidential information to an Article 38/39 Authority, in circumstances other than those referred to in Article 80(7), the DFSA recognises that the information to be provided is to be used for the sole purpose of assisting the requesting authority in performing its regulatory functions. Consequently the DFSA requires the requesting authority to keep the information confidential and not to disclose it to any other person without the written consent of the DFSA.
5.8 You will see then that there are a number of restrictions on the ability of the DFSA to disclose confidential information. In summary, they are:• the DFSA may only use or disclose confidential information to fulfil a DFSA regulatory purpose or legal obligation;• the DFSA may only disclose confidential information to domestic and foreign regulators and authorities if it is for the purpose of assisting them in the performance of their specific regulatory or enforcement functions regarding financial services and criminal legislation; and• the DFSA may only disclose an individual's compelled testimony to a law enforcement agency for the purpose of criminal proceedings against the person if the person consents to the disclosure or if the DFSA is required by law or court order to disclose the statement.
6. Requests for Confidential Information
6.1 In deciding whether to comply with a request to disclose confidential information under Articles 38 and 39, the DFSA as a matter of policy will satisfy itself that there are legitimate reasons for the request and that the regulator or authority requesting the information has the appropriate standards in place for dealing with client confidentiality.
6.2 Every request to disclose confidential information will be assessed by the DFSA on a case-by-case basis to determine whether there is a legitimate reason to comply with the request. In determining the legitimacy of a request, the DFSA may consider, in addition to Articles 38 and 39 of the Regulatory Law:(a) whether the request will enable the requesting authority to discharge more effectively its regulatory responsibilities to enforce and secure compliance with the financial services laws administered by the requesting authority;(b) whether the request is for the purpose of actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of financial services laws administered by the requesting authority;(c) whether the requesting authority is governed by laws that are substantially equivalent to those governing the DFSA concerning regulatory confidentiality, data protection, legal privilege and procedural fairness;(d) whether the request involves the administration of justice of a law, regulation or requirement that is related to enforcing and securing compliance with the financial services laws of the requesting jurisdiction;(e) whether any other authority, governmental or non-governmental, is cooperating with the requesting authority or seeking information from the confidential files of the requesting authority; and(f) whether fulfilling the request will foster the integrity of, and confidence in, the financial services industry in the DIFC and the requesting jurisdiction.
7. Exercising Powers for Other Authorities
7.1 As discussed earlier, Article 39 of the Regulatory Law gives the DFSA specific statutory authority to exercise its powers at the request, and on behalf, of Article 38/39 Authorities. As a matter of policy and further to its commitment to the principles in Part 2 above, the DFSA will exercise its powers under Article 39 unless:(a) the request would require the DFSA to act in a manner that would violate applicable UAE criminal laws, DIFC laws or DFSA policies;(b) a regulator making a request is not a Financial Services Regulator as defined in the Regulatory Law (for the purposes of this policy a Financial Services Regulator means a regulator whose principal mandate includes regulating one or more of securities, commodities, asset management, collective investment schemes, insurance and reinsurance, banking, investment services, trust service providers, Islamic finance and companies);(c) the request is in relation to criminal or enforcement proceedings and criminal or enforcement proceedings have already been initiated in the DIFC or UAE relating to the same facts or same persons, or the same persons have already been penalised or sanctioned on substantively the same allegations or charges and to the same degree by the DFSA or the competent authorities in the UAE;(d) the request would be prejudicial to the “public interest” of the DIFC;(e) the requesting authority refuses to give corresponding assistance to the DFSA;(f) complying with the request would be so burdensome as to prejudice or disrupt the performance of DFSA regulatory functions and duties; or(g) the authority fails to demonstrate a legitimate reason for the request.
7.2 If the DFSA decides to obtain and disclose confidential information on behalf of another authority under Article 39, then it must do so in accordance with the provisions of Article 38. Generally though, for the DFSA to agree to provide confidential information in response to an Article 39 request, the authority will be required to:(a) make the request in writing, or if urgent make the request orally and, unless otherwise agreed, confirm it in writing within ten business days;(b) describe the confidential information requested and the purpose for which the authority seeks the information;(c) provide a brief description of the facts supporting the request and the relevant legal powers authorising the request;(d) specify whether the purpose of the request is for actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of the laws and regulations administered by the authority;(e) agree that it will not use the confidential information for any other purpose than that for which it was requested unless it has the express permission of the DFSA;(f) indicate, if known, the identity of any persons whose rights or interests may be adversely affected by the disclosure of confidential information;(g) indicate whether obtaining the consent of, or giving notice to, the person to whom the request for confidential information relates would jeopardise or prejudice the purpose for which the information is sought;(h) specify whether any other authority, governmental or nongovernmental, is co-operating with the requesting authority or seeking information from the confidential files of the requesting authority;(i) specify whether onward disclosure of confidential information is likely to be necessary and the purpose such disclosure would serve;(j) agree to revert to the DFSA in the event that it seeks to use the confidential information for any purposes other than those specified in the request;(k) agree to keep requested confidential information confidential, including the fact that a request for confidential information was made, except as it conforms to this policy or in response to a legally enforceable demand;(l) agree, in the event of a legally enforceable demand, that it, the requesting authority, will notify the DFSA prior to complying with the demand, and will assert such appropriate legal exemptions or privileges with respect to such confidential information as may be available;(m) agree that, prior to providing information to a self-regulatory organisation, the requesting authority will ensure that the self-regulatory organisation is able and will comply on an ongoing basis with the confidentiality provisions agreed to between the requesting authority and DFSA; and(n) agree to use its best efforts to protect the confidentiality of confidential information received from the DFSA pursuant to the provisions in Articles 38 and 39 of the Regulatory Law, the Data Protection Law and this policy.
Example: In an international securities fraud or money laundering investigation the kind of documents the DFSA may provide to an Article 38/39 Authority may include, documents from contemporaneous records sufficient to reconstruct all securities, derivatives and bank transactions, records of all funds and assets transferred into and out of bank and brokerage accounts relating to these transactions, records that identify the beneficial owner and controller, and for each transaction, the account holder, the particulars of the transaction, and the individual and the authorised financial or market institution that handled the transaction. In a case where any of this confidential information has been provided to the DFSA by another authority, the DFSA will advise and consult that authority before disclosing it to a third party (Article 38/39 Authority).
8. Procedural Fairness
8.1 When the DFSA intends to disclose confidential information to other bodies pursuant to a statutory gateway, in cases where that information has been obtained from another regulatory or supervisory agency, the DFSA will notify and consult with that agency which provided the information. In these instances, the DFSA does not normally notify the persons potentially affected by the disclosure, although there are exceptions.
8.2 The DFSA will normally give notice and an opportunity to make representations and challenge the disclosure in the following circumstances:(a) Where the disclosure relates to a person's compelled testimony to a law enforcement agency for the purpose of criminal proceedings against the person. Under Article 80(7) of the Regulatory Law, the DFSA must not disclose a person's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the person unless the person consents to the disclosure or the DFSA is required by law or court order to disclose the statement;(b) Where the disclosure of confidential information relates to private civil litigation. In these circumstances, the person requesting the confidential information will be required to obtain a DIFC Court order compelling the DFSA to disclose the confidential information. The DFSA will notify the person who is the subject of the request so that the person has an opportunity to challenge the request according to the Rules of the DIFC Court;(c) Where the fairness of the case requires it. Notice may be appropriate where there are serious and legitimate concerns about the appropriateness of the disclosure. For example, where the body requesting the confidential information does not perform a financial services related regulatory function. In addition there may be some other obvious reason why it might be helpful (in order to enable a fully informed decision to be made) to give notice in order to get a response from the subject of disclosure or the source of the information. One of the relevant considerations is whether the body receiving the confidential information is itself obliged to provide the person concerned with an opportunity to make representations, should it decide to rely on the information disclosed to it.
8.3 The DFSA will not normally give notice in the following circumstances:(a) where it may prejudice an ongoing or pending investigation, whether carried out by the DFSA or the receiving authority or prejudice actions which the DFSA or other authority may want to take as a result of an investigation (e.g. freezing assets before they disappear);(b) where it may reveal the identity of informants or persons who provided the DFSA with information about potential misconduct of firms or individuals in the expectation that their identity would be kept confidential;(c) where it may prejudice or jeopardise the DFSA's ability to effectively discharge its monitoring and other regulatory functions particularly in its supervisory function where there is frequently a need for real-time disclosures of confidential information by telephone, e-mail or fax;(d) where it is agreed or understood that the regulatory practice is that certain confidential information will be passed on without notice, particularly in the context of disclosure to supervisors of international firms;(e) where the information disclosed to other agencies is not adverse to the person concerned (e.g. letters to overseas regulators indicating that there is no adverse information, or information as to the authorisation status of firms and individuals);(f) where it may undermine other regulators' fitness and propriety tests; or(g) where it may seriously prejudice the DFSA's relations with overseas regulators, considering the DFSA's bilateral and international obligations and the need for effective mutual cooperation and information sharing.
9. Information under Memoranda of Understanding
9.1 The DFSA may obtain confidential information pursuant to a Memorandum of Understanding (MOU) with another Financial Services Regulator. A list of DFSA MOUs is published on the DFSA website.
9.2 This Section describes how the DFSA protects, uses and discloses confidential information that it receives pursuant to an MOU.
Procedures for assessing disclosure
9.3 Article 38 of the Regulatory Law ensures the confidentiality of information provided to the DFSA. This includes any confidential information received by the DFSA from a Financial Services Regulator under a MOU or similar arrangement. All information received under an MOU will be expressly marked to indicate that it is confidential regulatory information provided under an MOU or Multilateral MOU from an identified Financial Services Regulator.
9.4 Article 38 also enables the DFSA to release confidential information to a Financial Services Regulator for the purposes of assisting the performance of its regulatory functions. The release of any confidential information by the DFSA to a third party and the method of releasing this information will be assessed and approved by a senior officer of the DFSA with delegated authority to make such a release. The delegated senior officer will consider the relevant provisions of this Policy Statement (particularly Parts 4, 5 and 6) in deciding whether to release confidential information to third parties.
9.5 Any DFSA staff member identifying the possible release of any confidential information will ensure that the delegated senior officer assessing and approving the release is aware of the origin(s) of the information and the legal basis upon which the release is required to be made.
9.6 The DFSA staff member and the delegated senior officer assessing and approving the release will ensure that:(i) the receiving party is made fully aware of the protected status of the confidential information;(ii) the providing Financial Services Regulator has been approached to seek written approval for the information's release to the third party;(iii) where a providing Financial Services Regulator does not approve the release of the confidential information, the DFSA takes all reasonable efforts, including any legal steps, to protect the information from disclosure;(iv) if the DFSA's efforts to protect the confidential information from disclosure are unsuccessful, eg. to a Court, the DFSA informs the providing Financial Services Regulator, and requests the receiving party to ensure that the confidential information is not made public.
9.7 Generally, the DFSA will ensure that information released under Article 38 retains its confidential status by imposing conditions on that Financial Services Regulator that the information should only be used for a regulatory purpose and will not be released to any third party without the prior consent of the DFSA.
Where information is subject to a legally enforceable demand
9.8 In cases where the confidential information obtained from a Financial Services Regulator under an MOU is subject to a legally enforceable demand (such as a subpoena, notice or court order), the DFSA will notify the providing Financial Services Regulator when the demand is received by the DFSA.
9.9 In the event of a legally enforceable demand, the DFSA will assert any legal rights, exemptions or privileges to protect such confidential information that are legally available to it. These may include, for example, objections to disclosure based on a claim of public interest immunity (see Section 10 below).
10. Disclosure to a Court
10.1 The DIFC Courts deal exclusively with all cases and claims arising out of the DIFC and its operations. The DIFC Courts have jurisdiction over civil and commercial matters only and do not have criminal jurisdiction. All criminal matters are heard and determined by the Emirati courts.
10.2 The DIFC Court's enabling legislation, Dubai Law No. 12 of 2004, gives it exclusive judicial jurisdiction in the DIFC and over DIFC bodies including the DFSA. Therefore, the DFSA is obliged by law to disclose confidential information if it is compelled to do so pursuant to an order from the DIFC Court.
10.3 Because the UAE criminal laws apply in the DIFC, the DFSA is obliged under Article 78, Part 2 of the UAE Penal Procedures Law Federal Law No. 35 of 1992 to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws in the UAE. This includes orders or demands to disclose confidential information.
Public interest immunity and similar claims
10.4 In an appropriate case, and particularly where a party to court proceedings seeks disclosure of confidential information obtained by the DFSA under an MOU (see Section 9 above), the DFSA will seek to invoke a claim of public interest immunity (PII) to resist the disclosure. In common law, where a government department or other public body considers that the disclosure of particular information in the course of civil or criminal litigation would be seriously harmful to the public interest, the department or body may ask the court not to order disclosure, by making a claim, in civil litigation, of PII, and, in the case of criminal litigation, a similar claim in substance. The DFSA considers that a PII claim would be appropriate, in the context of its functions, where disclosure would prejudice its ability to perform those functions or jeopardise its ability to receive information in the future from certain sources, including overseas regulators, and in such a case it would make the claim on the source's behalf.
11. Foreign Secrecy Laws in the DIFC
11.1 Foreign banking secrecy laws do not apply in the DIFC and do not apply to DFSA regulated entities and their clients in relation to financial services business conducted in or from the DIFC. This is because foreign banking secrecy laws or confidentiality provisions do not have extraterritorial effect, that is, outside the jurisdiction in which they are enacted.
11.2 Similarly the DFSA does not have extraterritorial or direct access to confidential client information if the client's business is booked, held, serviced and managed exclusively in foreign jurisdictions subject to a strict banking secrecy regime.
Example: A request by the DFSA to a foreign regulator or a financial institution operating in a secrecy jurisdiction for disclosure of confidential client account information will be governed by and be subject to the secrecy laws of the foreign jurisdiction.
12. Information Management in the DFSA
12.1 The statutory obligation on all DFSA employees, agents and independent contractors to maintain confidentiality of information is further reinforced by requiring:(a) all DFSA employees, agents and independent contractors to sign an Employment or Consultancy Services Contract that incorporates a confidentiality clause in which they irrevocably agree that during the course of their employment, and thereafter, they shall not communicate any information that might be of a confidential or proprietary nature; and(b) all DFSA employees to abide by a Code of Values and Ethics which requires them to comply with their statutory obligations, including the confidentiality obligations under the Regulatory Law.
12.2 The DFSA has also adopted physical measures for management of confidential information, such as:(a) restricted working space accessible only through the use of electronic identification cards; and(b) best practice electronic and paper document control systems that monitor and audit the use of confidential information.
12.3 To ensure the confidentiality obligations in the Regulatory Law and Data Protection Law are met, the DFSA has developed policies concerning the physical management of information by employees in discharging their licensing, supervisory and other regulatory functions. The policies also prescribe procedures regarding information technology security, restricted electronic information access, physical perimeter security, securing evidence, receiving and receipting documentation and designating sensitivity classifications of information.
12.4 When the DFSA receives confidential information pursuant to its statutory powers under the Regulatory Law to compel production of information and documents, the documents are processed according to prescribed procedures. These procedures include processes for the manual and electronic receipt, storage, retrieval and return of confidential information and documents in and from an Evidence Management Facility purpose built to secure confidential information. Only limited nominated staff have access to the restricted area and the compelled documents while they remain in the custody of the DFSA.
Example: The DFSA provides receipts to authorised entities for any documents forwarded to the DFSA or which the DFSA removes during the course of an onsite inspection or visit.