Consultation Paper No. 16 Policy Statement on Confidential Regulatory Information
THE DUBAI FINANCIAL SERVICES AUTHORITY ("DFSA") CONSULTATION PAPER ADDRESSED TO PARTIES INTERESTED IN THE DEVELOPMENT OF FINANCIAL SERVICES AND MARKETS REGULATION WITHIN DUBAI'S FINANCIAL FREE ZONE (THE "DIFC")
The purpose of this paper is to publish for consultation the DFSA's Draft Policy Statement on Confidential Regulatory Information, which is attached as Annex A.
The DFSA invites comments on any aspect of the draft Policy, including the principles and the detailed drafting.
Please note that, although the Policy is in draft form, it reflects the DFSA's current practice and the DFSA reserves the right to amend it at its sole discretion.
Subject to comments received, the Policy will be finalized by the Chief Executive pursuant to his powers under Article 36 of the Regulatory Law 2004.
Should you wish to submit comments, please provide details of the organisation you represent. The names of commentators and the content of their submissions may be published on the DFSA website and in other documents to be published by the DFSA. If you wish your name to be withheld from publication, please indicate this when you make your submission.
Any comments should be addressed to:
Joyce. C. Maykut QC
PO Box 75850
or e-mailed to email@example.com
All comments should be provided in writing, on or before 4 August 2005.
The Dubai Financial Services Authority is the integrated regulator of all financial and Ancillary Services undertaken in or from the Dubai International Financial Centre.
This Policy Statement describes how the DFSA protects, uses and discloses confidential information that it receives in the course of regulating Financial Services in the DIFC. Such information is referred to in this Policy Statement as "confidential information".
B. Guiding Principles
The DFSA's mandate is to ensure that the DIFC is one of the best regulated international financial centres in the world - a centre based on principles of integrity, transparency and efficiency.
To accomplish this, the DFSA operates to the international best practice standards that apply in the world's major financial centres such as London, New York, Hong Kong and Frankfurt.
The international best practice standards adopted and applied by the DFSA in the DIFC are those set by leading international organisations such as IOSCO (International Organisation of Securities Commissions), BIS (Bank for International Settlements) and IAIS (International Association of Insurance Supervisors) and FATF (Financial Action Task Force).
The DFSA's commitment to these standards is a commitment:
C. Relevant Legislation
The main legislative provisions governing the use of confidential information are set out in Dubai Law No. 9 of 2004, DIFC Regulatory Law No. 1 of 2004, the DIFC Data Protection Law No. 9 of 2004 and the UAE Penal Code Federal Law No. 3.
1. Regulatory Powers to Obtain Confidential Information
Like other Financial Services Regulators, the DFSA has comprehensive powers under the Regulatory Law to carry out its authorization, supervision and enforcement functions regarding Financial Services in the DIFC. These include the power to require reports, conduct on-site inspections of business premises of authorised entities and individuals, investigate and compel the production of documents, testimony and other information.
The DFSA has in place internal procedures to monitor and manage the flow of information and documents obtained during the course of its regulatory activities. These procedures include the use of manual and electronic document storage and retrieval systems.
For example, the DFSA provides receipts to authorised entities for any documents forwarded to the DFSA or which the DFSA removes during the course of an onsite inspection or visit.
The DFSA can also extend its powers to obtain information from third party suppliers, including intermediaries and companies that have accepted outsourced functions for regulated entities. These include subsidiaries established in the DIFC and Branches in the DIFC of firms authorised in other jurisdictions. The DFSA may also exercise these powers at the request, and on behalf, of foreign Regulators and authorities to assist them in performing their regulatory or enforcement functions. Why, when and how this is permissible is described in more detail below.
In short, because the DFSA's statutory mandate is to regulate all Financial Services provided in and from the DIFC, the DFSA has broad access to confidential information about individuals and firms participating in or connected to the provision of Financial Services in the DIFC. This includes all market participants, listed companies, reporting entities and their officers and Directors.
For example, this means that the DFSA will treat accounts that are booked and held in foreign jurisdictions, but serviced and managed in or from the DIFC, the same as if the accounts were booked, held, serviced and managed entirely within the DIFC. Legally and practically the DFSA has complete access to the account information in both situations because the regulated Financial Service is provided in or from the DIFC. However, if a DIFC Regulated Financial Institution books, holds, services and manages an account entirely in a foreign jurisdiction, the DFSA has no authority to access confidential Client account information unless the laws of the foreign jurisdiction permit such access and disclosure.
2. Confidentiality Obligations
Although the DFSA has comprehensive powers to access confidential information so that it can properly discharge its regulatory functions, there are statutory limitations or restrictions on the way the DFSA uses and deals with confidential information. These limitations or restrictions are necessary to protect individual privacy and to assure regulated firms and individuals, and their Clients, that the confidential information they provide to the DFSA will be dealt with in confidence and used only for lawful purposes.
2.1 Dubai Law No. 9 of 2004
Under Article 7 (8) (h) of Dubai Law No. 9 of 2004, which is the law under which the DFSA was established, the DFSA is required to keep confidential any confidential information obtained, disclosed or collected by it, in the course of performing its functions. The Article specifically prohibits the disclosure of confidential information to third parties except in circumstances permitted by DIFC laws and regulations.
2.2 The UAE Penal Code
It is a criminal offence under Article 379 of the UAE Penal Code, Federal Law No. 3, (which applies in the DIFC) for any Person including the DFSA, its Employees and agents to disclose confidential information to third parties without having the legal authority to do so.
2.3 The Data Protection Law
The DIFC Data Protection Law applies to everyone in the DIFC, including the DFSA. Its purpose is to protect privacy rights and to ensure an individual's personal information, which is presumed to be confidential information, is kept confidential and used only for the lawful purpose for which it was provided. The Data Protection Law only protects the privacy rights of individuals and not companies or other like entities.
Article 7 of the Data Protection Law requires the DFSA as a data Controller, which is a Person who obtains, stores or processes an individual's personal information, to do so fairly, lawfully, securely and only for the specific purpose it was obtained. The law sets limits on the ability of the DFSA to disclose an individual's personal information outside the DIFC.
For example, unless the DFSA has obtained a permit under the Data Protection Law to do so (or provided a notification if consent has been obtained) the DFSA must not disclose confidential information about an individual to a foreign authority unless the data protection legislation in that jurisdiction contains equivalent protections and rights for individuals to those under the DIFC Data Protection Law.
Generally under the Data Protection Law, an individual has the right to be informed before personal confidential information is disclosed for the first time to third parties and to be expressly offered the right to object to such disclosure. However, the Law allows the DFSA to disclose confidential information without an individual's consent if the disclosure is necessary for the DFSA to comply with its legal and regulatory obligations and provided that a notification to this effect has been filed under the Data Protection Law.
Exemptions relating to the DFSA are found in Article 25 of the Data Protection Law which provides that the DFSA may decline to inform individuals about the type or purpose of the information being processed if it is in the public interest to do so.
For example, the DFSA will not normally notify an individual about a request from a foreign authority to provide confidential information about a Client of a Financial Institution if the request is for the purpose of investigating the client's suspected participation in a Securities fraud or criminal offence. In such cases, notifying the Client or Financial Institution is likely to jeopardize the investigation and would defeat the public interest.
2.4 The Regulatory Law
Article 38(1) of the Regulatory Law parallels the above confidentiality provisions by prohibiting the DFSA, its Employees, agents or any Person from disclosing confidential information unless they have the consent of the Person to whom the duty of confidentiality is owed or unless the disclosure is expressly authorised under Article 38(3).
3. Authorised Powers of Disclosure
Under Article 38(3) of the Regulatory Law, the DFSA may lawfully disclose confidential information:
Under Article 80(7) of the Regulatory Law, the DFSA is prohibited from disclosing an individual's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the Person unless the Person consents to the disclosure or the DFSA is required by law or Court order to disclose the statement.
In summary, the above restrictions mean that:
4. Exercising Regulatory Powers on Behalf of Other Authorities
In addition, Article 39 of the Regulatory Law gives the DFSA specific statutory authority to exercise its powers at the request, and on behalf, of the Regulators, authorities, bodies or agencies listed in Article 39 (hereinafter authority or authorities). This means that the DFSA may obtain confidential information from DIFC reporting entities, listed companies, regulated firms and individuals, and their Clients on behalf of other authorities. Therefore the provisions of Articles 38 and 39 must often be considered together to determine the limitations on obtaining and sharing confidential information.
Under Article 39, the DFSA may only exercise its powers on behalf of other authorities if the request for assistance comes from:
As a matter of policy and further to its commitment to the Guiding Principles above, the DFSA will assist an Article 39 authority unless:
If the DFSA decides to obtain and disclose confidential information on behalf of another authority under Article 39, then it must do so in accordance with the provisions of Article 38.
In deciding whether to comply with a request to disclose confidential information under Articles 38 and 39, the DFSA as a matter of policy will satisfy itself that there are legitimate reasons for the request and that the regulator or authority requesting the information has the appropriate standards in place for dealing with Client confidentiality. What the DFSA considers to be legitimate reasons are discussed below.
5. Factors Determining Legitimacy of Request for Confidential Information
Every request to disclose confidential information will be assessed by the DFSA on a case-by-case basis to determine whether there is a legitimate reason to comply with the request. In determining the legitimacy of a request, the DFSA may consider, in addition to Articles 38 and 39 of the Regulatory Law:
6. Civil Proceedings in the DIFC Court
The DIFC Court's enabling legislation, Dubai Law No. 12 of 2004, In Respect of The Judicial Authority at DIFC, gives it exclusive judicial jurisdiction in the DIFC and over DIFC bodies including the DFSA. Therefore, the DFSA is obliged by law to disclose confidential information if it is compelled to do so pursuant to an order from the DIFC Court.
7. Criminal Prosecutions in the UAE Courts
Because the UAE criminal laws apply in the DIFC, the DFSA is obliged under Article 78, Part 2 of the UAE Penal Procedures Law Federal Law No. 35 to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws in the UAE. This includes orders or demands to disclose confidential information.
8. The Effect of Foreign Secrecy Laws in the DIFC
Foreign banking secrecy laws do not apply in the DIFC and do not apply to DFSA regulated entities and their Clients in relation to Financial Services business conducted in or from the DIFC. This is because foreign banking secrecy laws or confidentiality provisions do not have extraterritorial effect, that is, outside the jurisdiction in which they are enacted. Similarly the DFSA does not have extraterritorial or direct access to confidential Client information if the client's business is booked, held, serviced and managed exclusively in foreign jurisdictions subject to a strict banking secrecy regime.
For example, a request by the DFSA to a foreign regulator or a Financial Institution operating in a secrecy jurisdiction for disclosure of confidential Client account information will be governed by and be subject to the secrecy laws of the foreign jurisdiction.
9. Applications to Request Confidential Information
Generally, for the DFSA to agree to provide confidential information in response to an Article 39 request, the authority will be required to:
For example, in an international Securities fraud or Money Laundering investigation the kind of documents the DFSA may provide to an Article 39 authority may include documents from contemporaneous records sufficient to reconstruct all Securities, Derivatives and Bank transactions, records of all funds and assets transferred into and out of Bank and brokerage accounts relating to these transactions, records that identify the Beneficial Owner and Controller, and for each Transaction, the account holder, the particulars of the Transaction, and the individual and the authorised financial or market institution that handled the Transaction.
10. Opportunity to Challenge a Request for Confidential Information
Under Article 80(7) of the Regulatory Law, the DFSA must not disclose a person's compelled testimony to any law enforcement agency for the purpose of criminal proceedings against the Person unless the Person consents to the disclosure or the DFSA is required by law or Court order to disclose the statement.
Therefore the DFSA will give a Person an opportunity to challenge a request from any law enforcement agency for the person's compelled testimony if the purpose is to pursue criminal proceedings against the Person.
When the DFSA is requested to disclose confidential information to an Article 39 authority, in circumstances other than those referred to in Article 80(7), the DFSA will notify and give the Person an opportunity to challenge the disclosure unless it would prejudice or jeopardize the purpose for which the information was sought or it would prejudice or jeopardize the DFSA's ability to discharge its regulatory and statutory functions or otherwise be contrary to the public interest.
When the DFSA notifies a Person whose interests are likely to be adversely affected by disclosure of confidential information, the Person will be given the opportunity to make submissions to the DFSA on:
The DFSA will provide the Person whose interests are likely to be adversely affected by the release with the information necessary to enable the Person to make submissions to the DFSA.
If a Person would be adversely affected by the disclosure of confidential information and the purpose for the request is to use the information in civil litigation, the Person requesting the confidential information will be required to obtain a DIFC Court order compelling the DFSA to disclose the confidential information.
If a Person would be adversely affected by the disclosure of confidential information and the purpose for the request is to use the information in civil litigation, the DFSA will notify the Person of the request so that the Person has an opportunity to challenge the request according to the Rules of the DIFC Court.
D. Internal Procedures
1. Employee Practices and Procedures
The statutory obligation on all DFSA Employees, agents and independent contractors to keep all confidential information confidential is further reinforced by requiring:
2. Physical Management of Confidential Information
The entire DFSA offices occupy a restricted space accessible only through the use of electronic identification cards.
The DFSA has adopted best practice electronic and paper document control systems that monitor and audit the use of confidential information.
To ensure the confidentiality obligations in the Regulatory and Data Protection Law are met, the DFSA has developed policies concerning the physical management of information by Employees in discharging their licensing, supervisory and other regulatory functions. The policies also prescribe procedures regarding information technology security, restricted electronic information access, physical perimeter security, securing evidence, receiving and receipting documentation and designating sensitivity classifications of information.
When the DFSA receives confidential information pursuant to its statutory powers under the Regulatory Law to compel production of information and documents, the documents are processed according to prescribed procedures. These procedures include processes for the manual and electronic receipt, storage and return of confidential information and documents in and from an Evidence Management Facility purpose built to secure confidential information. Only limited nominated staff have access to the restricted area and the compelled documents while they remain in the custody of the DFSA.
DUBAI Financial Services AUTHORITY
4 July 2005