Dubai, UAE, Financial Services Authority Whistleblowing Regime Has Taken Effect

​On July 7, 2021, the Dubai, United Arab Emirates (UAE) Financial Services Authority (DFSA) released Consultation Paper No. 141 ("CP 141"), proposing the introduction of measures aimed at ensuring a more consistent approach to reporting and recording misconduct by DFSA-regulated entities (the "Whistleblowing Regime").

Changes to the Dubai International Financial Centre (DIFC) Regulatory Law 2004 (the "Regulatory Law") and the DFSA Rulebook, made to implement the Whistleblowing Regime, announced on March 16, took effect April 7, and reflect the proposals made in CP 141.

This article addresses the core questions that all DFSA-regulated entities should ask themselves as part of their preparations for implementation of the Whistleblowing Regime.

Does the Whistleblowing Regime Apply to Me?

The Whistleblowing Regime applies to all persons regulated by the DFSA as an Authorized Firm, Authorized Market Institution, Designated Non-Financial Business or Profession, or Registered Auditor (as those terms are defined in the DFSA Rulebook, together, "Regulated Entities").

Who Is a 'Whistleblower'?

Any person who makes a qualifying disclosure of information to a specified person will be a "whistleblower" for the purposes of the new Article 68A of the Regulatory Law, even if they make that disclosure anonymously.

A qualifying disclosure is a disclosure of information, made in good faith, that relates to a reasonable suspicion that a Regulated Entity, or any of its employees or officers, has or may have:

• Contravened a provision of legislation administered by the DFSA; or
• Engaged in money laundering, fraud, or any other financial crime.

Where the Regulated Entity is an Authorized Firm or Authorized Market Institution, similar disclosures made about their affiliates, or employees or officers of their affiliates, will also be qualifying disclosures.

The list of specified persons to whom a qualifying disclosure can be made include the Regulated Entity itself, its auditors, the DFSA and criminal law enforcement agencies in the UAE, among others.

What Protections Do Whistleblowers Have?

A whistleblower who has made a qualifying disclosure to a specified person, whether anonymously or not, under the Whistleblowing Regime shall not, for reason of having made the disclosure:

• Be subject to civil or contractual liability;
• Have any contractual, civil, or other remedy or right enforced against them by another person; or
• Be dismissed from their current employment, or otherwise subject to action by their employer (or its related parties) that is reasonably likely to cause them detriment.

A whistleblower will also have the right to apply to court for relief, should there be any violation of these protections.

It is important to note, however, that the statutory protections under the Regulatory Law do not guard against any criminal liability that may arise from a whistleblower's disclosures for reasons such as, for example, breach of confidence or defamation.

What Must I Do to Comply?

From April 7, every Regulated Entity must:

• Have appropriate and effective policies and procedures in place (and in writing):

          +To facilitate the reporting of regulatory concerns by whistleblowers; and

          +To assess and, where appropriate, escalate regulatory concerns reported to it.

• Maintain a written record of each regulatory concern reported to it by a whistleblower, including details of the concern and the outcome of its assessment.

The need to maintain a written record of concerns raised by whistleblowers, that the DFSA may inspect on request, creates an obvious avenue through which the regulator may revisit a decision not to report a concern at the time it was raised. Those decisions will therefore need to be properly considered and clearly recorded with their supporting rationale, should you need to justify them at some point in the future.

What Are 'Appropriate' Policies and Procedures?

We anticipate there will be a broad range of what is considered "appropriate." To assist Regulated Entities, the amended DFSA Rulebook includes detailed guidance on the DFSA's expectations as to what will constitute effective policies and procedures. That guidance sets out a high-level roadmap for what your policies and procedures should cover, but all subject to a central theme that appropriateness should be judged according to the nature, scale and complexity of the Relevant Entity's business—what is appropriate for a branch or subsidiary of a large, international bank, is likely to be unduly onerous, if not impossible, to replicate in a start-up advisory firm.

There can be a complex analysis involved in determining the answer to questions such as whether a suspicion is reasonable; whether a disclosure is made in good faith; and what distinguishes a financial crime from other offences. Regulated Entities are likely to be best served (and able to demonstrate compliance with the new regime) by having detailed internal policies addressing such matters, rather than simply adopting the basic wording set out in the Regulatory Law/amended Rulebook (for example, to define who will be treated internally as a whistleblower) and leaving individuals with the task of working through such issues before speaking up.

Regulated Entities should also bear in mind that their whistleblowing arrangements do not begin and end with encouraging a report to be made. The subsequent assessment and investigation of the concerns raised might raise difficult and complex issues, particularly when balanced with such obligations as managing any conflicts of interest, data protection considerations or taking reasonable steps to protect the confidentiality and identity of the whistleblower.

Relevant Entities would be well served to have plans in place, ahead of time, as to how they will manage any difficult issues that may arise when assessing concerns raised. They will also want to ensure that consideration of which facts and matters need to be notified to the DFSA, and when, is factored in as a prominent and integral part of their arrangements.

What Do I Need to Do Next?

Some Relevant Entities will already have sophisticated whistleblowing arrangements in place that are carried across from other jurisdictions, while others will be starting with a blank page and limited experience of what good arrangements look like.

As with all new areas of regulation, the best starting point for your approach to compliance with the new Whistleblowing Regime is a careful review of the rules and guidance that will apply to you, an honest assessment of your current (if any) internal policies and procedures, and careful consideration as to whether they are fit for purpose or need to be extended or improved to address any gaps.

Keep in mind that this may not be the only regime that applies to the business. For example, the new Whistleblowing Regime sits alongside the existing whistleblowing provisions of DIFC Law No. 7/2018 (the DIFC Operating Law), which apply to the reporting of breaches of laws that are administered by the DIFC Registrar of Companies. Multinational organizations may be subject to the whistleblowing provisions of other jurisdictions as well. The potential overlap between different regimes, and how these may need to be reflected in your internal policies and procedures, will require careful consideration and expert advice.

Once policies and procedures have been updated, they will need to be clearly communicated to staff. Training for all staff—tailored to their specific role/level within your organization—should also be rolled out across the organization to ensure that on your whistleblowing policies and procedures are fully understood and embedded into your daily operations.

Philip Clarke, Kiersten Lucas and Emily Aryeetey are attorneys with Stephenson Harwood LLP in Dubai, UAE. Laura Anderson is an attorney with Stephenson Harwood LLP in London. © 2022 Stephenson Harwood LLP. All rights reserved. Reposted with permission of Lexology.