On 7 April 2022, the Dubai Financial Services Authority (DFSA) introduced a new whistleblowing regime (the Regime).
The Regime has significant parallels with that enforced in the United Kingdom by the Financial Conduct Authority (FCA), although certain of the more advanced requirements incorporated into the FCA’s regime are yet to be introduced by the DFSA.
The Regime aims to provide better legal protection for those who report concerns within the Dubai International Financial Centre (DIFC), improve whistleblowing culture in DFSA regulated entities, encourage greater reporting (both internally and to the DFSA itself) and promote an ethical culture within the DIFC by deterring wrongdoing. It builds upon the existing framework which governs those businesses in the DIFC which fall under the supervision of the DFSA.
DFSA regulated firms now need to implement an appropriate whistleblowing programme (no grace period for implementation is provided by the Regime). In focusing on the design and implementation, relevant firms would do well to consider the best practice approaches already well established within many FCA regulated institutions in the UK.
On 7 April 2022, changes to DIFC Regulatory Law 2004 and the DFSA Rulebook came into force, to implement proposals concerning a whistleblowing regime that were consulted on by the DFSA in 2021. The Regime applies to all entities regulated by the DFSA (Regulated Entities), which must now introduce appropriate measures.
In an accompanying press release (the Release), the DFSA noted that the aims of the Regime are to:
“a) provide better legal protection for persons who report regulatory concerns;
b) improve the Whistleblowing culture in DFSA Regulated Entities and increase transparency around how those Entities will handle regulatory concerns;
c) encourage more disclosures of regulatory concerns; and
d) deter wrongdoing, promote better compliance and an ethical culture, by increasing awareness that there is a higher likelihood that wrongdoing will be reported.”
Who Is a Whistleblower?
The Regime defines a whistleblower as any person who, in good faith, discloses a reasonable suspicion that a Regulated Entity (including its officers or employees) is, has been or might have been:
in contravention of a provision of the law, rules or any other legislation administered by the DFSA; or
engaged in money laundering, fraud, or any other financial crime.
Under the Regime, a report is made in good faith if it is made “honestly rather than for a dishonest or malicious purpose.” This would naturally exclude from the definition an individual who submits a false report, intending that, for example, it would harm a colleague with whom they had a disagreement or against whom they were competing for a promotion.
What constitutes a reasonable suspicion is dependent on the particular circumstances. However, by way of guidance, the Release notes that “while ‘suspicion’ is a relatively low threshold, the notion of reasonableness brings an objective test to the suspicion”. As such, a genuine and honestly held concern supported by some objective fact or evidence is likely to qualify as being reasonable, even if the suspicion is ultimately found not to be borne out following investigation.
Importantly, it is for the person making the disclosure to establish that both of these tests are met to qualify for the protections offered.
Finally, for the protection of the Regime to apply, the report must be made within the Regulated Entity or externally to its auditor, the DFSA or a law enforcement agency.
What Protection Must a Whistleblower Be Given?
Where a whistleblower makes a qualifying disclosure, Article 68A(4) of the DFSA Rulebook provides that the individual (who, importantly, can remain anonymous) must not:
be subject to any civil or contractual liability for having made that disclosure;
have any contractual, civil or other remedy or right enforced against them by another person; or
be dismissed from their employment or be subject to any other action reasonably likely to cause detriment to them.
Should any of these events happen, the whistleblower may apply to the DIFC court for relief for any loss suffered. The DIFC court has broad discretion to make orders for relief in this regard.
One important caveat here is that the Regime does not protect a whistleblower from possible criminal liability for matters such as breach of corporate confidentiality, or from claims such as defamation, which might be brought outside of the DIFC in the local Dubai courts.
What Must Regulated Entities Do?
The Regime requires that Regulated Entities must put in place “effective policies and procedures” that:
establish effective internal arrangements to allow for the disclosure of regulatory concerns, along with associated procedures to receive, assess and possibly escalate whistleblower reports within the Regulated Entity, or to the DFSA or any other relevant authority;
include reasonable measures to (i) protect the identity and confidentiality of the whistleblower; and (ii) protect them from suffering “detriment” because they raised a concern;
provide feedback to the whistleblower, where appropriate; and
include appropriate measures (i) to deal with any conflicts of interest; and (ii) to ensure the fair treatment of an individual (or individuals) accused of wrongdoing by the whistleblower.
Comparison With The FCA
The Regime largely mirrors the Senior Management Arrangements, Systems and Controls (SYSC) Rule 18 on whistleblowing, as set out in the UK FCA Handbook in respect of FCA authorised firms (Firms). It is worth noting two interesting ways in which SYSC goes beyond the Regime.
The FCA requires that Firms appoint a “whistleblowers’ champion”. This individual is responsible for overseeing and maintaining the integrity of a Firm’s internal arrangements concerning whistleblowing and must be both sufficiently independent and senior within the firm to carry out this role effectively.
SYSC provides that Firms must include a term in any settlement agreements with employees which makes clear that nothing in such an agreement prevents a worker from making a protected disclosure (as defined by the UK Employment Rights Act 1996). In addition, Firms must not request that workers enter into warranties which require them to disclose to the firm that (a) they have made a protected disclosure; or (b) they know of no information which could form the basis of a protected disclosure.
The DFSA is due to conduct a review of the Regime in mid-2023 which may result in further measures being introduced, such as those described above. In the meantime, Regulated Entities who are seeking to implement best practice might consider adopting one, or both, of these approaches.
Given the complexity of certain aspects of the Regime (e.g. whether a disclosure will qualify as being made in good faith and based upon a reasonable suspicion, whether the whistleblower might risk criminal or other proceedings, notwithstanding the protection offered by the Regime, etc.), Regulated Entities might consider making free, independent legal advice available to their staff, as part of their whistleblowing policies. Consideration should also be given to setting up dedicated hotlines, staffed by properly trained and sufficiently senior internal staff who speak multiple languages, or utilising the services of an external provider (subject again to other relevant laws in Dubai and the DIFC).
For Regulated Entities with a nexus to the UK (and which are therefore likely to be within the reach of the UK Bribery Act 2010), a comprehensive whistleblowing programme is a key part of a control framework designed to ensure that an organisation has in place ‘adequate procedures’ to prevent bribery. The introduction of the Regime therefore offers a useful occasion on which such entities might review and refresh their broader anti-bribery control framework.
The Chief Executive of the DFSA noted in a statement that: “[the DFSA] expect all Regulated Entities to be ready to discuss and demonstrate the application of their policies and procedures when engaging with the DFSA.” As with all compliance processes, proper documentation and record keeping, training to help new policies and procedures embed within an organisation and evidence of ongoing monitoring and review are key to satisfying a regulator of genuine and proactive compliance.
The Release notes that the procedures established by Regulated Entities should be “appropriate to the nature, scale and complexity of that Entity’s business and must be reviewed periodically to ensure they are adequate, effective and up to date.” This is important, as it permits an approach proportionate to the size and complexity of the business. As such, whilst well-established international financial institutions will be expected to have comprehensive and sophisticated processes in place, smaller or more recently established companies could justifiably take a less comprehensive approach.
Along with the recent establishment of a specialist court in Dubai to hear cases relating to money laundering and financial crime, the introduction of the Regime is a further example of ongoing efforts to promote Dubai as a leading jurisdiction in which to do business, by encouraging sophisticated governance and compliance processes amongst businesses in Dubai, tackling financial crime and enhancing the integrity generally of the UAE’s financial system.