• FSRA Confidentiality Policy [18 April 2019]

    • 1. 1. Dealing With Confidential Information

      • 1.1 1.1 Introduction

        • 1.1.1

          This Confidentiality Policy provides guidance concerning the obligations and requirements on the Financial Services Regulatory Authority (the "Regulator") when using and disclosing non-public information provided by third parties in the course of regulating financial services in the Abu Dhabi Global Market ("ADGM"). Unless expressly provided in this Confidentiality Policy, definitions for capitalized terms may be found in the Financial Services Markets Regulations (2015) (the "FSMR").

      • 1.2 1.2 Regulatory Approach

        • 1.2.1

          When dealing with Confidential Information, the Regulator employs best practice, consistent with international standards set by organisations such as the Basel Committee on Banking Supervision ("BCBS"), the International Organisation of Securities Commissions ("IOSCO"), the Financial Action Task Force ("FATF") and the Islamic Financial Services Board ("IFSB").

        • 1.2.2

          With the application of international best practice standards, the Regulator is obligated to:

          (a) ensure compliance with and enforce applicable financial services legislation, consistent with the Basel Core Principles for Effective Banking Supervision, the IOSCO Objectives and Principles of Securities Regulation and the FATF Recommendations on combating money laundering, the financing of terrorism and proliferation of weapons of mass destruction;
          (b) assist financial services regulators in other jurisdictions to the best possible extent regarding co-operation and the exchange of Confidential Information consistent with the obligations contained and in the manner prescribed in the IOSCO Multilateral Memorandum of Understanding;
          (c) use all reasonable efforts to ensure that neither ADGM regulations nor foreign laws relating to confidentiality and secrecy prevent the Regulator from gathering, protecting or disclosing Confidential Information where required for lawful regulatory purposes;
          (d) limit the disclosure of Confidential Information to other financial services regulators and enforcement agencies to the extent required for ensuring compliance with, and enforcement of, applicable financial services and criminal legislation;
          (e) to adopt and implement internal control systems and procedures for the handling, storing, processing and securing of Confidential Information that meet international best practices; and
          (f) to comply with all applicable laws and ADGM regulations which govern the Regulator's collection and dissemination of Confidential Information.

      • 1.3 1.3 Applicable legislation

        • 1.3.1

          The main legislative provisions governing the use of Confidential Information by the Regulator are set out in Abu Dhabi Law No. (4) of 2013, Part 16 of the FSMR, the Data Protection Regulations (2015) and the UAE Penal Code (Federal Law No. (3) of 1987).

    • 2. 2. Regulatory Powers To Obtain Confidential Information

      • 2.1 2.1 Background

        • 2.1.1

          The Regulator may be provided with information which is confidential in two ways:

          (a) voluntarily (that is, information obtained on a voluntary basis); and
          (b) under compulsion, including through:
          i. the exercise of the Regulator's supervisory and investigative powers (see section 2.2 below); and
          ii. the exercise of the Regulator's information gathering powers at the request, and on behalf, of Non-ADGM Regulators (see section 2.3 below).

      • 2.2 2.2 Regulator's Supervisory and Investigative Powers

        • 2.2.1

          The Regulator has comprehensive powers under the FSMR to carry out its duties and responsibilities. These include the power to require reports, conduct on-site inspections of business premises of authorised entities within the ADGM, interview individuals, as well as compel the production of documents, testimony and other information — see, for example, sections 201 and 206 of the FSMR.

        • 2.2.2

          The Regulator has in place internal procedures to monitor and manage access to and the use of Confidential Information and documents obtained during the course of its regulatory activities. These procedures include the use of manual and electronic document storage and retrieval systems.

          For example, the Regulator limits access to confidential documents obtained to those members of the Regulator's staff engaged with the relevant matter to which the documents are related by use of secure filing of physical documents and restricted computer drives containing confidential documents in electronic form.

        • 2.2.3

          The Regulator may obtain information relating to regulated entities from third parties including intermediaries and companies that perform outsourced functions for regulated entities.

        • 2.2.4

          As the Regulator's mandate is to regulate all financial services provided in and from the ADGM, the Regulator has broad access to compel the disclosure of Confidential Information from individuals and firms participating in or connected to the provision of financial services in or from the ADGM. This includes, without limitation, all market participants, listed companies, reporting entities and their respective officers and directors.

          For example, an ADGM-based fund manager which manages a fund organized in and sold to investors in a foreign jurisdiction will be subject to the jurisdiction of the Regulator and all books and records relating to the fund and its unitholders will be subject to examination by the Regulator upon request.

      • 2.3 2.3 Powers to cooperate with, assist and support Non-ADGM Regulators

        • 2.3.1

          The Regulator may also exercise its information gathering powers at the request, and on behalf, of regulators and authorities in other jurisdictions, solely to assist them in performing their regulatory or enforcement functions.

          Amended on (18 April, 2019).

        • 2.3.2

          The following sections of the FSMR give the Regulator specific authority to exercise some of its specific powers on behalf of other authorities:

          (a) section 215 enables the Regulator to co-operate with other persons (in ADGM or elsewhere) who have functions (i) similar to those of the Regulator or (ii) in relation to the prevention or detection of Financial Crime. Co-operation may include the sharing of information which the Regulator is not prevented from lawfully disclosing;
          (b) section 216 gives the Regulator specific authority to exercise its Own-Initiative Powers at the request, or on behalf, of Non-ADGM Regulators; and
          (c) section 217 gives the Regulator specific authority to exercise its Investigative Powers at the request of Non-ADGM Regulators. In deciding whether or not to exercise its Investigative Powers, section 217(2) sets out a non-exhaustive list of factors that the Regulator may take into account.

        • 2.3.3

          If the Regulator decides to exercise its powers at the request, or on behalf, of a Non-ADGM Regulator, Confidential Information gathered as result of the Regulator exercising its powers under sections 215, 216 or 217 can only be disclosed to that Non-ADGM Regulator in accordance with the provisions of sections 198 or section 199 of the FSMR.

          Amended on (18 April, 2019).

    • 3. 3. Regulator's Obligation Of Confidentiality

      • 3.1 3.1 Background

        • 3.1.1

          The Regulator's powers to obtain, use and disclose Confidential Information in order to discharge its functions and powers are subject to statutory limitations. These protections exist to protect individual privacy and to assure regulated firms and individuals that any Confidential Information they provide to the Regulator will be dealt with in confidence and used only for lawful purposes.

          Amended on (18 April, 2019).

      • 3.2 3.2 Overriding Duty of Confidentiality

        • 3.2.1

          The Regulator must keep confidential any Confidential Information received by or disclosed to it in the course of performing its functions, subject to the exceptions set out in section 3.3 below.

        • Abu Dhabi Law No. (4) of 2013

          • 3.2.2

            This duty of confidentiality is set out in Article 12 of Abu Dhabi Law No. (4) of 2013 and requires the Regulator to keep confidential any Confidential Information received by or disclosed to it in the course of performing its functions, unless disclosure is permitted in accordance with ADGM regulations.

          • 3.2.3

            The relevant ADGM regulations impacting on the Regulator's duty of confidentiality are the FSMR and the Data Protection Regulations 2015.

        • FSMR

          • 3.2.4

            Similarly to the duty of confidentiality in Abu Dhabi Law No. (4) of 2013, section 198 of the FSMR also prohibits disclosure of Confidential Information by the Regulator, its employees, agents or by any person coming into possession of it, subject to exceptions set out in section 3.3 below.

            Amended on (18 April, 2019).

        • Data Protection Regulations 2015

          • 3.2.5

            Certain duties and obligations contained within the Data Protection Regulations 2015 apply to the Regulator when dealing with personal data, concerning accuracy and the duty to ensure security of processing when personal data is being collected and maintained.

          • 3.2.6

            The Regulator is excused from certain obligations set out in the Data Protection Regulations in circumstances where compliance with such duties would be likely to prejudice the proper discharge of the Regulator's powers or functions to protect the public from financial loss due to improper conduct, unfitness or incompetence of persons engaging in offering financial services.

        • The UAE Penal Code (Federal Law No. (3) of 1987)

          • 3.2.7

            As the UAE criminal laws apply in the ADGM, Article 379 of the UAE Penal Code provides for criminal penalties for disclosure of Confidential Information in cases other than those lawfully permitted. Public officials, or those persons in charge of a public service, are subject to more severe penalties than the general persons for unlawful disclosure of Confidential Information — namely, imprisonment of up to five (5) years.

        • Regulator's internal practices and procedures

          • 3.2.8

            The above-mentioned statutory obligations requiring all Regulator's employees, agents and independent contractors to keep all Confidential Information confidential is further reinforced by requiring all Regulator's employees, agents and independent contractors to sign an Employment or Consultancy Services Contract that incorporates a confidentiality clause.

      • 3.3 3.3 Exceptions to the Duty of Confidentiality

        • With prior consent under section 198(1) of FSMR

          Amended on (18 April, 2019).

          • 3.3.1

            Section 198(1) prohibits disclosure of Confidential Information by the Regulator, its employees, agents or by any person coming into possession of Confidential Information unless they have the prior consent of—

            (a) the person from whom the Confidential Information was obtained; and,
            (b) if different, the person to whom the duty of confidentiality is owed (paragraphs 198(1)(a) and (b)).
            Amended on (18 April, 2019).

        • The exceptions under section 199(1) of FSMR

          • 3.3.2

            Section 199 of the FSMR provides certain exceptions from the overriding restriction on disclosure of Confidential Information in section 198. Specifically, subsection 199(1) enables the Regulator to disclose Confidential Information for the purpose of facilitating the carrying out of a Public Function, subject to section 199(2), if the disclosure is —

            (a) permitted or required under any enactment applicable to the Regulator, including, for the avoidance of doubt, any applicable international obligations; or
            (b) made to —
            (i) the ADGM Registrar of Companies;
            (ii) a Non-Abu Dhabi Global Market Regulator;
            (iii) a governmental or regulatory authority exercising powers and performing functions relating to anti-money laundering, counter-terrorist financing or sanctions compliance, whether in the ADGM or otherwise;
            (iv) a self-regulatory body or organisation exercising and performing powers and functions in relation to financial services, whether in the ADGM or otherwise;
            (v) a criminal law enforcement agency, whether in the U.A.E or otherwise, for the purpose of any criminal investigation or criminal proceedings;
            (v) a civil law enforcement agency or body, whether in the Abu Dhabi Global Market, U.A.E or otherwise;
            for the purpose of assisting the performance by any such person of its functions and powers; or
            (c) made in good faith for the purposes of the exercise of the functions and powers of the Regulator or in order to further the Regulator's objectives.
            Amended on (18 April, 2019).

          • 3.3.3

            The provisions in section 199(2) relate specifically to Confidential Information originating in another governmental or regulatory authority, or Confidential Information that is CRD Information, and provide for and are consistent with the exchange of information and professional secrecy requirements in the European Union's Capital Requirements Directive. For the purposes of section 199(2):

            (a) 'CRD Information' is defined as Confidential Information received or obtained by the Regulator from the EEA Competent Authority by virtue of the Capital Requirements Directive; and
            (b) 'EEA Competent Authority' means a public authority or body officially recognised by national law of a jurisdiction within the EEA and empowered by that national law to supervise institutions as part of the supervisory system.
            Added on (18 April, 2019).

          • 3.3.4

            Section 199(2) provides that paragraphs 198(1)b)(i), (ii), (iii), (iv), (vi) and 1(c) do not permit the Regulator to disclose this Confidential Information unless—

            (a) the governmental or regulatory authority that has disclosed the Confidential Information to the Regulator has given its prior written consent to the disclosure; and
            (b) where the Confidential Information is CRD Information:
            (i) the EEA Competent Authority that has disclosed the Confidential Information to the Regulator has given its prior written consent to the disclosure; and
            (ii) if such consent was given for a particular purpose, the disclosure by the Regulator is solely for that purpose.
            Added on (18 April, 2019).

        • Disclosure to a criminal law enforcement agency

          • 3.3.5

            Importantly, disclosure of Confidential Information by the Regulator to a criminal law enforcement agency, whether in the U.A.E or otherwise, for the purpose of any criminal investigation or criminal proceedings under paragraph 199(1)(b)(v) is not subject to the requirements under section 199(2).

            Added on (18 April, 2019).

      • 3.4 3.4 Admissibility of compelled testimony in criminal proceedings

        • 3.4.1

          In addition to the overriding duty of confidentiality set out in section 198, section 207(2) of the FSMR prohibits the Regulator from disclosing a statement made by a person to an investigator at an interview conducted pursuant to section 206(1)(a) to any law enforcement agency for the purpose of criminal proceedings against that person unless:

          (a) the person consents to the disclosure; or
          (b) the Regulator is required by law or court order to disclose the statement.

      • 3.5 3.5 The effect of foreign secrecy laws

        • 3.5.1

          Foreign banking secrecy laws lack extraterritorial effect and thus do not apply in the ADGM; entities regulated by the Regulator and their clients are not prevented from complying with obligations to disclose information related to financial services activities conducted in or from the ADGM.

        • 3.5.2

          Similarly, a request from the Regulator for disclosure of confidential client account information (if the client's business is booked, held, serviced and managed exclusively in a foreign jurisdiction) shall be governed by and be subject to the secrecy laws, if any, of that jurisdiction.

      • 3.6 3.6 Criminal prosecutions in the UAE Courts [Deleted]

        • 3.6.1 [Deleted]

      • 3.7 3.7 The effect of foreign secrecy laws [Deleted]

        • 3.7.1 [Deleted]

        • 3.7.2 [Deleted]

    • 4. 4. Disclosure Of Confidential Information

      • 4.1 4.1 Making a request for disclosure of Confidential Information

        • 4.1.1

          Every request to disclose Confidential Information, will be assessed by the Regulator on a case-by-case basis, whether this information was obtained voluntarily, in the course of the Regulator exercising its own functions and powers or exercising its powers on behalf of other authorities.

          Amended on (18 April, 2019).

        • 4.1.2

          In deciding whether to comply with a request to disclose Confidential Information, the Regulator would satisfy itself that there are legitimate reasons for the request and that the authority requesting the information has the appropriate policies and procedures in place for dealing with Confidential Information.

          Amended on (18 April, 2019).

        • 4.1.3

          Section 199(3) of the FSMR enables the Regulator to, among other things:

          (a) impose conditions on the information disclosed, which may relate to, among other things, the obtaining of consents or, where appropriate, subjecting information received to restrictions on disclosure that are at least equivalent to those set out in section 198, per paragraph 199(3)(a); and
          (b) restrict the uses to which the Confidential Information disclosed may be put.
          Added on (18 April, 2019).

        • 4.1.4

          Where the disclosure by the Regulator is made subject to conditions, the person to whom the Confidential Information has been disclosed may not use the Confidential Information in breach of any such condition, as set out in section 199(4) of the FSMR.

          Added on (18 April, 2019).

      • 4.2 4.2 Disclosure to governmental and regulatory authorities in section 199 of the FSMR

        Amended on (18 April, 2019).

        • 4.2.1

          Section 199(1)(b) gives the Regulator specific authority to disclose Confidential Information to the authorities listed therein so that they may properly carry out their function, subject to section 199(2).

          Amended on (18 April, 2019).

        • 4.2.2

          Where the Confidential Information (in whole or in part) originates in another governmental or regulatory authority, the Regulator may only disclose that Confidential Information in accordance with section 199(2), as set out in paragraphs 3.3.3 – 3.3.4 above, subject to paragraph 3.3.5.

          Amended on (18 April, 2019).

        • 4.2.3

          As set out in paragraphs 4.1.3 and 4.1.4 above, in disclosing any Confidential Information under section 199(1), the Regulator may require the requesting authority to comply with certain conditions or agree to restrict the uses to which the Confidential Information may be put, insofar as the Regulator considers appropriate.

          Amended on (18 April, 2019).

        • 4.2.4

          In addition, should a memorandum of understanding be in place between the Regulator and a Non-ADGM Regulator concerning the sharing of Confidential Information, subject to the limitations contained in the FSMR, the Regulator will conduct itself in accordance with section 199(2) and the terms of such memorandum of understanding. For example, the Regulator may include a provision that each party's consent is required to be obtained prior to disclosing any Confidential Information to a third party (unless the information is required for the purpose of a criminal investigation or criminal proceedings, as discussed in paragraph 3.3.5).

          For example, on receipt of a legitimate request for Confidential Information in possession of the Regulator from a Non-ADGM Regulator ("the requestor"), made for the purpose of facilitating the carrying out of a Public Function, the Regulator:

          a) may disclose the Confidential Information to the requestor subject to conditions, including that:—
          i. the requestor may only use the Confidential Information for their own lawful purpose as identified in the request;
          ii. the requestor may not voluntarily disclose the Confidential Information to a third party (including other regulatory entities in their home jurisdiction) without the further consent of the Regulator; and
          iii. if the requestor is compelled to disclose the Confidential Information by court order or subpoena, it must give notice to the Regulator prior to disclosure unless such notice would violate applicable laws.
          b) will generally not notify affected parties of the request for Confidential Information. Notice to the affected party/parties will only be considered where such notification would not be contrary to the public interest and would not frustrate or prejudice the purpose of the disclosure to the requestor.
          Amended on (18 April, 2019).

        • 4.2.5

          When the Regulator receives a request from an authority to disclose Confidential Information (other than compelled testimony – see paragraph 4.5), the Regulator will generally comply with such request if made in good faith for the specific purpose of fulfilling the performance of the requesting party's functions and powers, as contemplated by section 199(1).

          Added on (18 April, 2019).

      • 4.3 4.3 Disclosure for use in civil litigation

        • 4.3.1

          In other circumstances, such as where Confidential Information is sought by a party other than a governmental or regulatory authority, such as, for example, as evidence for use in civil litigation, the Regulator will require prior consent of—

          (a) the person from whom the Confidential Information was obtained; and,
          (b) if different, the person to whom the duty of confidentiality is owed (paragraphs 198(1)(a) and (b)),
          consistent with its general duty of confidentiality, as contemplated by section 198(1) of the FSMR.

          Amended on (18 April, 2019).

        • 4.3.2

          The Regulator will, to the extent permitted by applicable law, provide the person whose interests are likely to be adversely affected by the proposed disclosure with the information necessary to enable the person to make submissions to the Regulator. These may include the following:

          (a) whether the factual and legal conditions justifying the disclosure are met;
          (b) the scope of the disclosure of Confidential Information; and
          (c) whether any conditions should apply to the disclosure.

        • 4.3.3

          If a person would be adversely affected by the proposed disclosure of Confidential Information and the purpose for the request is to use the information in civil proceedings in the ADGM Court, the person requesting the Confidential Information would be required to obtain an order of the ADGM Court compelling the Regulator to disclose the Confidential Information.

        • 4.3.4

          Upon receipt of such an order, the Regulator would generally notify the person adversely affected by the proposed disclosure of Confidential Information of this so that the person has an opportunity to challenge the request according to the rules of the Court.

        • 4.3.5 [Deleted]

      • 4.4 4.4 Disclosure to a court

        • Civil proceedings in the ADGM Court

          • 4.4.1

            The ADGM Court's enabling legislation, Abu Dhabi Law No. (4) of 2013, gives it exclusive judicial jurisdiction in the ADGM and over ADGM bodies, including the Regulator. Therefore, the Regulator may be obliged to disclose Confidential Information if it is compelled to do so under an order from the ADGM Court.

          • 4.4.2

            If the Regulator is required to disclose Confidential Information received from a government or Regulatory Authority (for example, information received under a Memorandum of Understanding), the Regulator will ordinarily:

            (a) notify the Regulatory Authority that provided the Confidential Information of the receipt of the legally enforceable demand, in accordance with section 199(2); and
            (b) where appropriate, assert any legal rights or privileges to protect the Confidential Information (for example, Public Interest Immunity — see paragraph 4.6 below).

        • Criminal prosecutions in the UAE Courts

          • 4.4.3

            All activities in the ADGM remain subject to UAE criminal laws by virtue of the Federal Law No. 8 of 2004 concerning Financial Free Zones. Accordingly, the Regulator is obliged, under Article 78, Part 2 of the UAE Penal Procedures Law (Federal Law No. 35) of 1992, to comply with any legally enforceable demand or order from a competent authority responsible for administering the criminal laws of the UAE. This includes orders or demands to disclose Confidential Information.

          • 4.4.4

            As in the case of legally enforceable demands in civil or commercial matters discussed at paragraph 4.4.2 above, the Regulator will, where appropriate, assert any legal rights or privileges to protect the Confidential Information and resist disclosure (for example, Public Interest Immunity – see paragraph 4.6 below).

      • 4.5 4.5 Compelled testimony in criminal proceedings

        • 4.5.1

          If the Regulator receives a request from a law enforcement agency for a person's answers in an interview conducted under section 206(1)(a) of the FSMR for the purpose of criminal proceedings against the person, the Regulator will, in accordance with section 207(2) of the FSMR, generally notify the person concerned of such request (so that the person has an opportunity to either consent to the disclosure or challenge the request), unless the Regulator is required by law or court order to disclose the statement.

      • 4.6 4.6 Public Interest Immunity

        • 4.6.1

          Public Interest Immunity ("PII") is an immunity from the production of documents or information where their disclosure would be against the public interest. PII is a common law doctrine, developed to allow the courts to reconcile any potential conflict between the following two public interests—

          (a) the interest in the administration of justice which demands that relevant material is available to the parties to litigation; and
          (b) the interest in maintaining the confidentiality of certain documents whose disclosure would be damaging to the public interest.

        • 4.6.2

          When a PII claim is asserted, a court would be required to balance between whether the public interest in disclosing certain information is outweighed by the public interest in preserving the confidentiality of that information.

        • 4.6.3

          A claim of PII, for example, may be appropriate in the circumstances where disclosure would prejudice or otherwise unduly interfere with the Regulator's ability to perform its functions and exercise its powers (including if the disclosure would adversely affect its ability to cooperate with and receive Confidential Information from other Regulatory Authorities).