The Dubai Financial Services Authority (DFSA) has increased its efforts to contain financial crime. Annual reports reveal a sharp increase in the number of enforcement actions, with a success rate jumping from  two in 2018 to 11 in 2020. This uptick in enforcement activity follows a Financial Action Task Force (FATF) Mutual Evaluation of the UAE in 2019. Following the publication of the evaluation report, the DFSA pledged to address the recommendations made by FATF.

The FATF evaluation identified issues in the supervision of specific sectors, such as banks and the property market. According to the evaluation report, there is an urgent need to ‘take action to strengthen the effectiveness of its measures to stop money laundering, terrorist financing and proliferation financing [1].

It is highly likely then that financial institutions and companies will be subject to higher levels of scrutiny and more enforcement activity in the future. We see an early example of this increased enforcement activity in terms of supervision is the recent action taken against a Dubai-based employee and a major European bank earlier this year.

A former relationship manager for the bank was found guilty of anti-money laundering (AML) breaches between 2011 and 2013 and obstructing the regulator in its investigation between 2017 and 2018. He was fined USD 165,000 and restricted from performing any function in connection with the provision of financial services in or from the Dubai International Financial Centre (DIFC).

The bank itself was fined in November 2015 for compliance issues, including the failure to properly supervise staff and AML deficiencies. While the list of failings was extensive, a speedy response from senior management helped to reduce the fine from USD 1 million to USD 640,000. The bank agreed to rectify its compliance failures and efforts included a comprehensive review and remediation of customer risk assessment and due diligence processes for all private banking international client relationships, improvements to AML systems, and an increase of resources for its control functions.

At the heart of the issue was a failure to properly supervise internal processes. If compliance processes had been followed, the department would have noted a key conflict of interest: the relationship manager owned and was a director of an offshore entity registered in the British Virgin Islands (BVI). The bank, believing the account belonged to a third-party, paid a referral fee for an introduction to a new client to this entity. The employee arranged to have the referral fee and other client funds paid into the BVI-based entity and then moved the money into personal bank accounts held offshore.

If the compliance function had mitigated its risk exposure properly, its due diligence would have revealed the true ultimate beneficial ownership of the entity. Unfortunately, the compliance function accepted the information at face value, and it seems that familiarity and trust may have undermined policy in this case. 

An interesting note about this case is that it was a whistleblower that brought the compliance failures to the attention of senior management. The report on the misconduct of several employees was submitted anonymously using internal processes, and ultimately the regulator was informed.  The enforcement notice was sharply critical of the apparent lack of effective senior management oversight in this case.

This case is a good illustration of the importance of consistency and the careful application of processes, regardless of employee status or relationships. The recent FATF evaluation has undoubtedly increased the regulator’s focus on AML and at the same time, the pandemic has raised the complexity of the compliance challenge, as well as workload. The change to working practice and disruption of third-party relationships has increased organizations’ exposure to risk and they cannot afford to have a lapse of controls during a time of crisis and increase enforcement activity.

Improving controls does not need to be complicated, however. Several straightforward steps to reduce risk are available and can have an immediate impact.

Raise awareness levels 
Provide regular training and workshops to ensure a high level of understanding of risk and compliance obligations among all levels of employees. It has been a long time since compliance was a simple backroom activity; it now requires a robust corporate culture and a company-wide approach to ensure that regulatory obligations are met. In this recent example, we see that, while the actions of the former relationship manager were deliberate and premeditated, there is a strong possibility that he was unwittingly aided by colleagues due to a lack of knowledge and awareness. Regular training informs employees of company standards and expectations and leaves them in no doubt of the consequences of their choices.

Assess risk profile
Organizations should regularly examine the risk profile of their supply chain and third-party relationships, including geographical location, activities and associations. Given the circumstances of past months, there is a strong possibility that risk profiles have changed considerably.

Assess compliance procedures 
Under normal circumstances, a review once a year would be sufficient to ensure that vulnerabilities are kept to a minimum, but given the amount of change the business world has experienced over the past few months, it may be advisable to review processes once every six months.

Ensure an effective whistleblower protection policy
Most organizations have a whistleblower policy, and if this includes your organization, are employees aware of the policy, and are they comfortable using it? Do they feel protected by company policy? You may not like what a whistleblower has to say, but you are far better off receiving sensitive information through an official, internal channel than to hear it first in the media or as part of an investigation. This may be a good time to review whistleblower policies, ensure that they are up to standard and that all employees are trained on how to access the policy safely and anonymously. 

The risk and compliance function has been extremely challenged over the past few months by rapid change due to the pandemic. At the same time, authorities are stepping up enforcement activities and regulators are asking for more detail in due diligence reports. The task of compliance will not get easier any time soon, and in a time of crisis and change it can be helpful to take a step back and reassess policy and procedures and realign where it is necessary. The world of business is changing. Senior managers are, and will remain, responsible for compliance and therefore need to be careful not to allow regulatory policy and skills to lag.

Click here to listen to Thomson Reuters Regulatory Intelligence’s podcast, Compliance Clarified:

This form is intended for corporate email registration