RPP 8 Confidential Regulatory Information
RPP 8-1 Introduction
This chapter describes how the DFSA protects, uses and discloses confidential information that it receives in the course of regulating financial services in the DIFC. Such information is referred to in this chapter as "confidential information".
RPP 8-2 Guiding Principles
The international best practice standards adopted and applied by the DFSA in the DIFC are those set by international standard setting organisations such as the Basel Committee on Banking Supervision (BCBS), the International Association of Insurance Supervisors (IAIS), the International Organization of Securities Commissions (IOSCO), the Financial Action Task Force (FATF) and the Islamic Financial Services Board (IFSB).
The DFSA's adherence to these standards is a commitment:
(a) to enforce and ensure compliance with applicable financial services legislation, consistent with the Basel Core Principles for Effective Banking Supervision, the IAIS Core Principles for Effective Insurance Supervision, the IOSCO Objectives and Principles of Securities Regulation and the FATF Recommendations on combating money laundering, the financing of terrorism and proliferation of weapons of mass destruction;
(b) to provide the fullest mutual assistance to other financial services regulators regarding cooperation and the exchange of confidential information according to standards and procedures that are equivalent to those prescribed in the IOSCO Multilateral Memorandum of Understanding;
(c) to seek to ensure that DIFC or foreign laws or regulations about confidentiality or secrecy do not prevent the DFSA from obtaining, securing or disclosing confidential information where required for lawful regulatory purposes;
(d) to limit the disclosure of confidential information to other financial services regulators and enforcement agencies to what is required for lawfully ensuring compliance with, and enforcement of, applicable financial services and criminal legislation;
(e) to apply international best practices in obtaining and disclosing confidential information;
(f) to implement robust internal control systems and procedures that meet international best practices for the handling, storing, processing and securing of confidential information; and
(g) to implement data protection procedures that are equivalent to those prescribed in the European Union Directives so as to protect individual privacy rights according to international best practices.
RPP 8-3 Relevant Legislation
The main legislative provisions governing the use of confidential information are set out in Dubai Law No. 9 of 2004, DIFC Regulatory Law No. 1 of 2004, the DIFC Data Protection Law No. 1 of 2007 and the UAE Penal Code, Federal Law No. 3 of 1987.
Regulatory Powers to Obtain Confidential Information
Like other financial services regulators, the DFSA has comprehensive statutory powers to carry out its authorisation, supervision and enforcement functions regarding financial services in and from the DIFC. The Regulatory Law confers powers to require reports, conduct on-site inspections of business premises of authorised entities and individuals, investigate and compel the production of documents, testimony and other information.
RPP 8-3-3 [Deleted]
The DFSA can also use its powers to obtain information from third party suppliers, including intermediaries and companies that have accepted outsourced functions for regulated entities. These include subsidiaries established in the DIFC and branches in the DIFC of firms authorised in other jurisdictions. The DFSA may also exercise these powers at the request, and on behalf, of foreign regulators and authorities to assist them in performing their regulatory or enforcement functions. Why, when and how this is permissible is described in more detail below.
In short, because the DFSA's statutory mandate is to regulate all financial services provided in and from the DIFC, the DFSA has broad access to confidential information about individuals and firms participating in or connected to the provision of financial services in the DIFC. This includes all market participants, listed companies, reporting entities and their officers and directors.
For example, this means that the DFSA will treat accounts that are booked and held in foreign jurisdictions, but serviced and managed in or from the DIFC, in the same way as if the accounts were booked, held, serviced and managed entirely within the DIFC. Legally and practically the DFSA has complete access to the account information in both situations because the regulated financial service is provided in or from the DIFC. However, if a DIFC regulated financial institution books, holds, services and manages an account entirely in a foreign jurisdiction, the DFSA has no authority to access confidential client account information unless the laws of the foreign jurisdiction permit such access and disclosure.
Although the DFSA has comprehensive powers to access confidential information so that it can properly discharge its regulatory functions, there are statutory limitations or restrictions on the way the DFSA uses and deals with confidential information. These limitations or restrictions are necessary to protect individual privacy and to assure regulated firms and individuals, and their clients, that the confidential information they provide to the DFSA will be dealt with in confidence and used only for lawful purposes.
Dubai Law No. 9 of 2004
Under Article 7 of Dubai Law No. 9 of 2004, which is the law under which the DFSA was established, the DFSA is required to keep confidential any confidential information obtained, disclosed to or collected by it, in the course of performing its functions. The Article specifically prohibits the disclosure of confidential information to third parties except in circumstances permitted by DIFC laws and regulations.
The UAE Penal Code
It is a criminal offence under Article 379 of the UAE Penal Code, Federal Law No. 3, (which applies in the DIFC) for any person, including the DFSA, its employees and agents, to disclose confidential information to third parties without having the legal authority to do so. This Article applies to all persons, not just currently serving public officers. However, it imposes more severe penalties on public officers if they disclose such information in cases other than those permitted by the law.
The Data Protection Law
The DIFC Data Protection Law No. 7 of 2007 (Data Protection Law) applies in the DIFC. The Data Protection Law protects the personal data of a natural living person; this data is generally also confidential information. The Data Protection Law sets out the requirements for processing personal data and the rights of data subjects.
For example, under the Data Protection Law, the DFSA, as a data controller, is required to process personal data fairly, lawfully, and securely and only for specified, explicit and legitimate purposes. The DFSA is also required to ensure that personal data it processes is accurate and kept up to date.
Under Article 39 of the Data Protection Law, in certain circumstances, specified sections of the Data Protection Law do not apply to the DFSA. This exemption applies if the application of the specified sections of the Data Protection Law would be likely to prejudice the proper discharge of the DFSA's powers and functions under DFSA administered laws, insofar as the relevant powers and functions are designed to protect members of the public against the dishonesty, malpractice or other seriously improper conduct of those operating in the financial services industry.
For example, the DFSA will not normally notify an individual about a request from a foreign authority to provide information about a client of a financial institution if the request is for the purpose of investigating the client's suspected participation in a securities fraud or criminal offence. In such cases, notifying the client or financial institution is likely to jeopardise the investigation and would defeat the public interest.
The Regulatory Law
Article 38(1) of the Regulatory Law parallels the above confidentiality provisions by prohibiting the DFSA, its employees, agents or any person coming into possession of the information from disclosing confidential information unless they have the consent of the person to whom the duty of confidentiality is owed or unless the disclosure is expressly authorised under Article 38(3).
Authorised Powers of Disclosure
Under Article 38 of the Regulatory Law, the DFSA may lawfully disclose confidential information:
(a) where the information is already public;
(b) where the disclosure is for the purpose of assisting the following persons in the performance of their regulatory functions:
  (i) the DIFC Registrar of Companies;
  (ii) a Financial Services Regulator;
  (iii) a governmental or regulatory authority exercising powers and performing functions relating to anti-money laundering, counter-terrorist financing or sanctions compliance;
  (iv) a self-regulatory body or organisation exercising and performing powers and functions in relation to financial services;
  (v) a civil or criminal law enforcement agency; or
  (vi) a governmental or other regulatory authority, including a self-regulatory body, or organisation exercising powers and performing functions in relation to the regulation of auditors, accountants or lawyers;
(c) where disclosure is permitted or required under the Regulatory Law or Rules, other DFSA administered laws or any other law applicable in the DIFC; and
(d) where disclosure is made in good faith for the purposes of performance and exercise of the functions and powers of the DFSA.
Under Article 80A(2) of the Regulatory Law, the DFSA is prohibited from disclosing an individual's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the person unless the person consents to the disclosure or the DFSA is required by law or court order to disclose the statement.
Where the DFSA is requested to disclose confidential information to an Authority referred to in Article 38 or 39, in circumstances other than those referred to in Article 80A(2), the DFSA recognises that the information to be provided is to be used for the sole purpose of assisting the requesting authority in performing its regulatory functions. Consequently, the DFSA requires the requesting authority to keep the information confidential and not to disclose it to any other person without the written consent of the DFSA.
In summary, the above restrictions mean that:
(a) the DFSA may only use or disclose confidential information to fulfil a DFSA regulatory purpose or legal obligation;
(b) the DFSA may only disclose confidential information to domestic and foreign regulators and authorities if it is for the purpose of assisting them in the performance of their specific regulatory or enforcement functions regarding financial services and criminal legislation; and
(c) the DFSA may only disclose an individual's compelled testimony to a law enforcement agency for the purpose of criminal proceedings against the person if the person consents to the disclosure or if the DFSA is required by law or court order to disclose the statement.
Exercising Regulatory Powers on Behalf of Other Authorities
In addition, Article 39 of the Regulatory Law gives the DFSA specific statutory authority to exercise its powers at the request, and on behalf, of the regulators, authorities, bodies or agencies listed in Article 39 ("authority or authorities"). This means that the DFSA may obtain confidential information from DIFC reporting entities, listed companies, regulated firms and individuals, and their clients on behalf of other authorities. The provisions of Article 38 and 39 must often be considered together to determine the limitations on obtaining and sharing confidential information.
Under Article 39, the DFSA may only exercise its powers on behalf of other authorities if the request for assistance comes from:
(a) the DIFC Registrar of Companies;
(b) a Financial Services Regulator;
(c) a governmental or regulatory authority exercising powers and performing functions relating to anti-money laundering, counter terrorist financing or sanctions compliance;
(d) a self-regulatory body or organisation exercising and performing powers and functions in relation to financial services;
(e) a civil or criminal law enforcement agency; or
(f) a governmental or other regulatory authority, including a self-regulatory body, or organisation exercising powers and performing functions in relation to the regulation of auditors, accountants or lawyers,
and the DFSA considers it appropriate for the purpose of assisting the performance of their regulatory functions.
As a matter of policy the DFSA will assist an Article 39 authority unless:
(a) the request would require the DFSA to act in a manner that would violate applicable UAE criminal laws, DIFC laws or DFSA policies;
(b) the request is in relation to criminal or enforcement proceedings that have already been initiated in the DIFC or UAE relating to the same facts or same persons, or the same persons have already been penalised or sanctioned on substantively the same allegations or charges and to the same degree by the DFSA or the competent authorities in the UAE;
(c) the request would be prejudicial to the public interest of the DIFC;
(d) the requesting authority refuses to give corresponding assistance to the DFSA;
(e) complying with the request would be so burdensome as to prejudice or disrupt the performance of DFSA regulatory functions and duties; or
(f) the authority fails to demonstrate a legitimate reason for the request.
In deciding whether to comply with a request to disclose confidential information under Articles 38 and 39, the DFSA as a matter of policy will satisfy itself that there are legitimate reasons for the request and that the authority requesting the information has the appropriate standards in place for dealing with confidential information. What the DFSA considers to be legitimate reasons are discussed below.
Factors Determining Legitimacy of Requests for Confidential Information
Every request to disclose confidential information will be assessed by the DFSA on a case-by-case basis to determine whether there is a legitimate reason to comply with the request. In determining the legitimacy of a request, the DFSA may consider, in addition to Articles 38 and 39 of the Regulatory Law:
(a) whether the request will enable the requesting authority to discharge more effectively its regulatory responsibilities to enforce and secure compliance with the financial services laws administered by the requesting authority;
(b) whether the request is for the purpose of actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of financial services laws administered by the requesting authority;
(c) whether the requesting authority is governed by laws that are substantially equivalent to those governing the DFSA concerning regulatory confidentiality, data protection, legal privilege and procedural fairness;
(d) whether the request involves the administration of justice of a law, regulation or requirement that is related to enforcing and securing compliance with the financial services laws of the requesting jurisdiction;
(e) whether any other authority, governmental or non-governmental, is cooperating with the requesting authority or seeking information from the confidential files of the requesting authority; and
(f) whether fulfilling the request will foster the integrity of, and confidence in, the financial services industry in the DIFC and the requesting jurisdiction.
Civil Proceedings in the DIFC Court
The DIFC Court's enabling legislation, Dubai Law No. 12 of 2004, in respect of the Judicial Authority at DIFC, gives it exclusive judicial jurisdiction in the DIFC and over DIFC bodies including the DFSA. Therefore, the DFSA is obliged by law to disclose confidential information if it is compelled to do so under an order from the DIFC Court.
Criminal Prosecutions in the UAE Courts
As UAE criminal laws apply in the DIFC, the DFSA is obliged under Article 78, Part 2 of the UAE Penal Procedures Law Federal Law No. 35 to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws in the UAE. This includes orders or demands to disclose confidential information.
The Effect of Foreign Secrecy Laws in the DIFC
Foreign banking secrecy laws do not apply in the DIFC and do not apply to DFSA regulated entities and their clients in relation to financial services business conducted in or from the DIFC. This is because foreign banking secrecy laws or confidentiality provisions do not have extraterritorial effect. Similarly, the DFSA does not have extraterritorial or direct access to confidential client information if the client's business is booked, held, serviced and managed exclusively in foreign jurisdictions subject to a strict banking secrecy regime.
For example, a request by the DFSA to a foreign regulator or a financial institution for disclosure of confidential client account information will be governed by and be subject to the secrecy laws, if any, of the foreign jurisdiction.
RPP 8-3-24 [Deleted]
Applications to Request Confidential Information
Generally, for the DFSA to agree to provide confidential information in response to an Article 39 request, the authority will be required to:
(a) make the request in writing, or if urgent make the request orally and, unless otherwise agreed, confirm it in writing within ten business days;
(b) describe the confidential information requested and the purpose for which the authority seeks the information;
(c) provide a brief description of the facts supporting the request and the relevant legal powers authorising the request;
(d) specify whether the purpose of the request is for actual or possible criminal, civil or administrative enforcement proceedings relating to a violation of the laws and regulations administered by the authority;
(e) agree that it will not use the confidential information for any other purpose than that for which it was requested unless it has the express permission of the DFSA;
(f) indicate, if known, the identity of any persons whose rights or interests may be adversely affected by the disclosure of confidential information;
(g) indicate whether obtaining the consent of, or giving notice to, the person to whom the request for confidential information relates would jeopardise or prejudice the purpose for which the information is sought;
(h) specify whether any other authority, governmental or non-governmental, is co-operating with the requesting authority or seeking information from the confidential files of the requesting authority;
(i) specify whether onward disclosure of confidential information is likely to be necessary and the purpose such disclosure would serve;
(j) agree to revert to the DFSA in the event that it seeks to use the confidential information for any purposes other than those specified in the request;
(k) agree to keep requested confidential information confidential, including the fact that a request for confidential information was made, except as it conforms to this policy or in response to a legally enforceable demand;
(l) agree, in the event of a legally enforceable demand, that it, the requesting authority, will notify the DFSA prior to complying with the demand, and will assert such appropriate legal exemptions or privileges with respect to such confidential information as may be available;
(m) agree that, prior to providing information to a self-regulatory organisation, the requesting authority will ensure that the self-regulatory organisation is able and will comply on an ongoing basis with the confidentiality provisions agreed to between the requesting authority and DFSA; and
(n) agree to use its best efforts to protect the confidentiality of confidential information received from the DFSA pursuant to the provisions in Articles 38 and 39 of the Regulatory Law, the Data Protection Law and this policy.
For example, in an international securities fraud or money laundering investigation the kind of documents the DFSA may provide to an Article 39 authority may include: documents from contemporaneous records sufficient to reconstruct all securities, derivatives and bank transactions; records of all funds and assets transferred into and out of bank and brokerage accounts relating to these transactions; records that identify the beneficial owner and controller and, for each transaction, the account holder, the particulars of the transaction, and the individual and the authorised financial or market institution that handled the transaction.
Where the DFSA intends to disclose confidential information to other bodies pursuant to a statutory gateway, in cases where that information has been obtained from another regulatory or supervisory agency, the DFSA will notify and consult with that agency which provided the information. In these instances, the DFSA does not normally notify the persons potentially affected by the disclosure, although there are exceptions.
The DFSA will normally give notice and an opportunity to make representations and challenge the disclosure in the following circumstances:
(a) where the disclosure relates to a person's compelled testimony to a law enforcement agency for the purpose of criminal proceedings against the person. Under Article 80A(2) of the Regulatory Law, the DFSA must not disclose a person's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the person unless the person consents to the disclosure or the DFSA is required by law or court order to disclose the statement;
(b) where the disclosure of confidential information relates to private civil litigation. In these circumstances, the person requesting the confidential information will be required to obtain a DIFC Court order compelling the DFSA to disclose the confidential information. The DFSA will notify the person who is the subject of the request so that the person has an opportunity to challenge the request according to the Rules of the DIFC Court;
(c) where the fairness of the case requires it. Notice may be appropriate where there are serious and legitimate concerns about the appropriateness of the disclosure, for example, where the body requesting the confidential information does not perform a financial services related regulatory function. In addition there may be some other obvious reason why it might be helpful (in order to enable a fully informed decision to be made) to give notice in order to get a response from the subject of disclosure or the source of the information. One of the relevant considerations is whether the body receiving the confidential information is itself obliged to provide the person concerned with an opportunity to make representations, should it decide to rely on the information disclosed to it.
The DFSA will not normally give notice in the following circumstances:
(a) where it may prejudice an ongoing or pending investigation, whether carried out by the DFSA or the receiving authority or prejudice actions which the DFSA or other authority may want to take as a result of an investigation (e.g. freezing assets before they disappear);
(b) where it may reveal the identity of informants or persons who provided the DFSA with information about potential misconduct of firms or individuals in the expectation that their identity would be kept confidential;
(c) where it may prejudice or jeopardise the DFSA's ability to effectively discharge its monitoring and other regulatory functions particularly in its supervisory function where there is frequently a need for real-time disclosures of confidential information by telephone, e-mail or fax;
(d) where it is agreed or understood that the regulatory practice is that certain confidential information will be passed on without notice, particularly in the context of disclosure to supervisors of international firms;
(e) where the information disclosed to other agencies is not adverse to the person concerned (e.g. letters to overseas regulators indicating that there is no adverse information, or information as to the authorisation status of firms and individuals);
(f) where it may undermine other regulators' fitness and propriety tests; or
(g) where it may seriously prejudice the DFSA's relations with overseas regulators, considering the DFSA's bilateral and international obligations and the need for effective mutual cooperation and information sharing.
RPP 8-3-26 [Deleted]
RPP 8-3-27 [Deleted]
RPP 8-3-28 [Deleted]
RPP 8-3-29 [Deleted]
RPP 8-3-30 [Deleted]
RPP 8-3-31 [Deleted]
RPP 8-3-32 [Deleted]
RPP 8-4 Information Under Memoranda of Understanding
The DFSA may obtain confidential information pursuant to a Memorandum of Understanding (MOU)2 with another authority. A list of DFSA MOUs is published on the DFSA website.
2 A MOU may be a bi-lateral or a multi-lateral MOU.
This section describes how the DFSA protects, uses and discloses confidential information that it receives pursuant to a MOU.
Procedures for assessing disclosure
Article 38 of the Regulatory Law ensures the confidentiality of information provided to the DFSA. This includes any confidential information received by the DFSA from an authority under a MOU or similar arrangement. All information received under a MOU will be expressly marked to indicate that it is confidential regulatory information provided under a MOU from an identified authority.
Article 38 also enables the DFSA to release confidential information to an authority for the purposes of assisting the performance of its regulatory functions. The release of any confidential information by the DFSA to a third party and the method of releasing this information will be assessed and approved by a senior officer of the DFSA with delegated authority to make such a release. The delegated senior officer will consider the relevant provisions of this chapter (particularly section 8-3) in deciding whether to release confidential information to third parties.
The DFSA staff member identifying the possible release of any confidential information will ensure that the delegated senior officer assessing and approving the release is aware of the origin(s) of the information and the legal basis upon which the release is required to be made.
The DFSA staff member and the delegated senior officer assessing and approving the release will ensure that:
(a) the receiving party is made fully aware of the protected status of the confidential information;
(b) the providing authority has been approached to seek written approval for the information's release to the third party;
(c) where a providing authority does not approve the release of the confidential information, the DFSA takes all reasonable efforts, including any legal steps, to protect the information from disclosure;
(d) if the DFSA's efforts to protect the confidential information from disclosure are unsuccessful, e.g. to a Court, the DFSA informs the providing authority, and requests the receiving party to ensure that the confidential information is not made public.
The DFSA will ensure that information released under Article 38 retains its confidential status by imposing conditions on that authority that the information should only be used for a regulatory purpose and will not be released to any third party without the prior consent of the DFSA.
Where information is subject to a legally enforceable demand
In cases where the confidential information obtained from an authority under a MOU is subject to a legally enforceable demand (such as a subpoena, notice or court order), the DFSA will notify the providing authority when the demand is received by the DFSA.
In the event of a legally enforceable demand, the DFSA will assert any legal rights, exemptions or privileges to protect such confidential information that are legally available to it. These may include, for example, objections to disclosure based on a claim of public interest immunity (see section 8-5 below).
RPP 8-5 Disclosure to a Court
The DIFC Courts deal exclusively with all cases and claims arising out of the DIFC and its operations. The DIFC Courts have jurisdiction over civil and commercial matters only and do not have criminal jurisdiction. All criminal matters are heard and determined by the Emirati courts.
The DIFC Court's enabling legislation, Dubai Law No. 12 of 2004, gives it exclusive judicial jurisdiction in the DIFC and over DIFC bodies including the DFSA. Therefore, the DFSA is obliged by law to disclose confidential information if it is compelled to do so pursuant to an order from the DIFC Court.
As UAE criminal laws apply in the DIFC, the DFSA is obliged under Article 78, Part 2 of the UAE Penal Procedures Law Federal Law No. 35 of 1992 to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws in the UAE. This includes orders or demands to disclose confidential information.
Public interest immunity and similar claims
In an appropriate case, and particularly where a party to court proceedings seeks disclosure of confidential information obtained by the DFSA under a MOU (see section 8-4 above), the DFSA will seek to invoke a claim of public interest immunity (PII) to resist the disclosure. In common law, where a government department or other public body considers that the disclosure of particular information in the course of civil or criminal litigation would be seriously harmful to the public interest, the department or body may ask the court not to order disclosure, by making a claim, in civil litigation, of PII, and, in the case of criminal litigation, a similar claim in substance. The DFSA considers that a PII claim would be appropriate, in the context of its functions, where disclosure would prejudice its ability to perform those functions or jeopardise its ability to receive information in the future from certain sources, including overseas regulators, and in such a case it would make the claim on the source's behalf.
RPP 8-6 Internal Procedures
Employee Practices and Procedures
The statutory obligation on all DFSA employees, agents and independent contractors to keep information confidential is further reinforced by requiring:
(a) all DFSA employees, agents and independent contractors to sign an Employment or Consultancy Services Contract that incorporates a confidentiality clause in which they irrevocably agree that during the course of their employment, and thereafter, they shall not communicate any information that might be of a confidential or proprietary nature; and
(b) all DFSA employees to abide by a Code of Values and Ethics which requires them to comply with their statutory obligations, including the confidentiality obligations under the Regulatory Law.
Physical Management of Confidential Information
RPP 8-4-2 [Deleted] Deleted by Notice of Updates (Made 11th February 2015). February 2015 Edition
RPP 8-4-3 [Deleted] Deleted by Notice of Updates (Made 11th February 2015). February 2015 Edition
The DFSA has also adopted physical measures for management of confidential information, such as:
(a) restricted working space accessible only through the use of electronic identification cards; and
(b) best practice electronic and paper document control systems that monitor and audit the use of confidential information.
To ensure the confidentiality obligations in the Regulatory Law and Data Protection Law are met, the DFSA has developed policies concerning the physical management of information by employees in discharging their licensing, supervisory and other regulatory functions. The policies also prescribe procedures regarding information technology security, restricted electronic information access, physical perimeter security, securing evidence, receiving and receipting documentation and designating sensitivity classifications of information.
Where the DFSA receives confidential information under its statutory powers under the Regulatory Law to compel production of information and documents, the documents are processed according to prescribed procedures. These procedures include processes for the manual and electronic receipt, storage, retrieval and return of confidential information and documents in and from an Evidence Management Facility purpose built to secure confidential information. Only limited nominated staff have access to the restricted area and the compelled documents while they remain in the custody of the DFSA.