The ADGM Financial Services Regulatory Authority (“FSRA”) made amendments to provisions of the Financial Services and Markets Regulations (FSMR) and the FSRA’s Conduct of Business (COBS), General (GEN) and Glossary (GLO) Rulebooks relating to client protection measures in relation to “Investment Business” in August 2023. This follows a consultation set out in Consultation Paper No.2 of 2023 in March 2023.

Additional client protection measures in relation to Investment Business have been introduced, including relating to client classification, marketing materials, the disclosure of fees and charges to retail clients and safekeeping of client assets. In particular, under the revised rules there is an increase of the net asset requirement for existing Professional Clients, where the continuing eligibility of those clients must be assessed prior to providing new types of services or products. An individual may be treated as an “assessed” Professional Client (instead of a “Retail Client”) if the individual has net assets of at least US$1m (including any assets held directly or indirectly by that person), increased from the previous threshold of US$500,000.

New ADGM Hotel and Tourism Regulations 2023 were introduced in the ADGM in July 2023, which adopt onshore Abu Dhabi legislation and regulations concerning hotels and tourism sectors administered by the Department of Culture and Tourism (“DCT”) into ADGM’s legislative framework. The DCT will be responsible for the supervision, monitoring and enforcement obligations relating to such hotels and tourism establishments in ADGM. The ADGM Registration Authority retains the right to issue commercial licences to hotels and tourism establishments operating within ADGM’s jurisdiction and issue other relevant permits.

The DIFC has announced that a new Law of Security is proposed that would repeal and replace the current Law of Security, DIFC Law No. 8 of 2005. It would also repeal the DIFC Financial Collateral Regulations 2019 and the DIFC Securities Regulations 2019 would be updated. 

The new Law of Security would significantly amend and enhance the law concerning secured transactions in relation to movable assets in the DIFC, bringing the regime closer in line with aspects of international best practice. The proposed Law of Security is substantially based on the UNCITRAL published the Model Law on Secured Transactions (2016). It would also provide clarity in relation to innovative asset classes, such as digital assets. 

Broadly, the new regime sets out general rules relating to “Security Rights” over “Movable Assets” generally, and certain specific rules for specific types of assets. Movable Assets comprise tangible and intangible assets (such as equipment, inventory, goods, receivables, financial collateral (including money deposited in bank accounts) and negotiable instruments. Aspects of the law also apply to fixtures within the jurisdiction of the DIFC. There are general rules and asset-specific rules relating to the effectiveness of Security Rights, priority, rights and obligations and enforcement. Generally, a Security Right will be effective against third parties if a Financing Statement is registered in the DIFC Security Registry and/or if the secured creditor is in possession of the asset. Existing provisions concerning the DIFC Security Registry, filing and registration are largely retained.

A transitional period of one year is proposed. This would mean that a prior Security Right that was made effective against third parties under the current Law of Security would remain effective against third parties for a specified transitional period after entry into force of the new Law of Security, even if the conditions for third-party effectiveness under the new law have not been satisfied.

The DIFC has also announced a proposed new Digital Assets Law. The proposed Digital Assets Law would regulate digital assets, such as cryptocurrencies, non-fungible tokens (NFT), stablecoins and security tokens, and seeks to provide a comprehensive framework in DIFC for digital assets.

The Law of Security – Consultation Paper No. 5 of 2023 and The Digital Assets Law – Consultation Paper No. 4 of 2023 have been posted for an extended 40-day public consultation period with the deadline for providing comments ending on 5 November 2023.

The Commissioner of Data Protection of the DIFC has issued the first adequacy decision regarding the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 which took effect on 1 January 2023 (“CCPA”). The adequacy decision establishes a determination of the CCPA’s equivalence with the Data Protection Law (DIFC Law No. 5 of 2020). The Commissioner recommends that the decision be reviewed annually.

A transfer of personal data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for personal data, in accordance with the DIFC Data Protection Law. The DIFC Commissioner of Data Protection applies adequacy standards based largely on prevailing international best practices. There are exceptions, including transfers supported by additional contractual clauses, certain internal data protection policies and processes or specific derogations in limited circumstances. 

The adequacy decision facilitates personal data transfers between DIFC and California-based entities in accordance with the DIFC Data Protection Law, without having to apply additional contractual measures. The DIFC Commissioner’s Office recognises the CCPA and the California Privacy Protection Agency (CPPA) as an international organisation ensuring adequate data protection for purposes of personal data processed and transferred by the entities that it supervises. The onward transfer of personal information outside of California or the United States is not permitted.

The Cabinet adopted Cabinet Decision No. 69 of 2023 On the Regulation of Issuance of Government Guarantees in July 2023. The Decision sets out general rules and conditions that regulate the issuance and management of government guarantees.

This follows the enactment of the Federal Public Debt Law (Federal Law No.9 of 2018), which sets out the framework for public debt management at a Federal level, including providing for a ceiling on the amount of public debt which may be outstanding at any time at a Federal level and provisions relating to guarantees issued by the Federal Government.

The Cabinet may, based on a recommendation from the Minister of Finance, issue a decision approving the granting of a government guarantee on behalf of any Federal Government entity or any Federal Government entity in its capacity as shareholder in another entity or otherwise in accordance with Federal laws. The Minister of Finance is the competent authority to issue the government guarantee. 

There is a non-exhaustive list of specific purposes for which Government guarantees may be granted, including where a Government guarantee is a prerequisite for obtaining loans from banks or in support of the financing of infrastructure projects, development projects, and projects of economic or social value that are implemented or supervised by the Federal Government or in which the Federal Government or any Federal Government entity contributes directly and indirectly. 

The total amount of public debt arising from Federal Government guarantees must not exceed the percentage cap specified for public debt in the Public Debt Law (or other applicable laws and regulations). Further, there are also specified limits for guarantees to secure the financing of capital projects (80% of the value of each project), guarantees issued to secure any of the financial obligations of a Federal Government entity in energy or water production and distribution projects or any other projects approved by the Cabinet (100% of the obligation value) and guarantees issued to a Federal Government entity in its capacity as a shareholder or partner in another entity (in which case the Federal Government entity on whose behalf the Government guarantee is issued must provide a written undertaking to include in each of its financial years the necessary financial appropriations to cover its financial obligations to which the guarantee relates).

The new Commercial Agencies Law (Federal Law No.3 of 2022) came into force on 15 June 2023. It repealed and replaced the previous Federal Law No.18 of 1981 (as amended) on commercial agencies. Implementing regulations are expected to be issued by the Ministry of Economy.

One of the key changes introduced by the new regime is that a UAE public joint stock company (“PJSC”) owned at least 51% by UAE nationals (or a UAE private entity owned by a PJSC meeting these requirements) may now act as agent, in addition to a UAE national or a private entity that is 100% owned by UAE nationals. In addition, the Cabinet may permit commercial agency activities to be carried out by international companies that are not owned by UAE nationals for the first time, for products they own, provided that such agency is new, has never been registered and does not already have a commercial agent registered for it in the UAE. Explore more in our previous article on the new Commercial Agencies Law.

Under the Corporation Tax Law (Federal Decree-Law No.47 of 2022 on the Taxation of Corporations and Businesses) (“Corporation Tax Law”), free zone entities may continue to benefit from the existing tax incentives for the remainder of the tax holiday period specified in the relevant free zone law, provided that they meet certain conditions required to be treated as a “Qualifying Free Zone Person” in accordance with the Corporation Tax Law.

Where a free zone entity is treated as a Qualifying Free Zone Person, a 0% rate will apply to qualifying income. A 9% rate will apply to income that is not qualifying income of a Qualifying Free Zone Person. Cabinet Decision No.55 of 2023 on Determining Qualifying Income for the Qualifying Free Zone Person for the Purposes of the Corporation Tax Law and Ministry of Finance Ministerial Decision No.139 of 2023 regarding Qualifying Activities and Excluded Activities the Purposes of the Corporation Tax Law set out which free zone entities may be eligible to claim qualifying income as zero rated, and what income falls within Qualifying Activities and Excluded Activities.

In July 2023, the UAE Ministry of Finance consulted on the determination of Qualifying Activities and Excluded Activities, with the public consultation setting out examples relating to both Qualifying Activities and Excluded Activities. It is expected that as an outcome of the public consultation, the UAE Ministry of Finance will issue further guidance in this area.

The UAE has introduced transfer pricing regulations for financial years starting on or after 1 June 2023, pursuant to the Corporation Tax Law. The Corporation Tax Law sets out transfer pricing rules and documentation requirements to ensure that the pricing of transactions between related parties and connected persons, such as companies that are part of the same multinational enterprise group, comply with the arm’s length principle. The transfer pricing documentation requirements aim to ensure taxpayers can prove the arm’s length basis for pricing their transactions with related parties and connected persons using standardised files. Taxpayers must maintain transfer pricing documentation, if they meet certain conditions prescribed by the Minister of Finance. 

Ministerial Decision No. 97 of 2023 sets out the requirements for maintaining transfer pricing documentation. Key requirements include that relevant taxpayers must maintain both a master file and a local file if either:

• they are a constituent entity of a multinational enterprises group with a total consolidated group revenue of AED 3.15bn or more in the relevant tax period; or
• their revenue in the relevant tax period is AED 200m or more.

The UAE Central Bank has issued new Large Exposure Regulations. The new regulations repeal previous large exposure regulations issued by the UAE Central Bank in Circular No. 32 of 2013, Notice No.300 of 2013 and Notice No. 226 of 2018. 

Designed to prevent excessive exposures to a single borrower or group of related borrowers, the new rules set the percentage limits for banks’ maximum large exposures relative to the size of the capital base to specified entities. A large exposure is defined as the sum of all exposure values of a bank to a counterparty of to a group of connected counterparties is considered a large exposure if it equals or exceeds 10% of the bank’s Tier 1 capital. Large exposures are exposures defined under the risk-based capital framework, including both on-and off-sheet balance sheet exposures, both in the banking and trading book, and including instruments with counterparty risk. This differs from the previous definition in Circular No.32 of 2013, which provided that large exposures include those funded and unfunded exposures and unused commitment lines (subject to adjustment) to a single borrower or its group which in total is equal to or exceeds 10% of the bank’s capital base, comprising on- and off-balance sheet items set out in the "Guidelines to Monitoring of Large Exposure Limits".

Generally, such exposures must not be higher than 25% of the bank’s Tier 1 capital. There is a lower limit of 15% for exposures of a global systemically important bank to another global systemically important bank. There are also separate limits for exposures to local Emirate Governments and their commercial and non-commercial entities and Federal Government commercial entities. Additional restrictions apply to related parties. Limits are also set for branches of foreign banks. Broadly, the large exposure limits are unchanged from the previous limits, other than the aggregate limit of exposures to local Emirate Governments and their non-commercial entities which has increased from 100% to 150%. 

There are exemptions, including for bank exposures to the Federal Government, the UAE Central Bank and foreign sovereigns rated at least AA- and their central banks, and also for intraday interbank exposures. Eligible credit risk mitigation techniques are limited.

Banks must have comprehensive policies and processes to identify concentration risks, including by industry, sector, geography and asset class. Banks must also comply with requirements to report to the UAE Central Bank.

Breaches of the large exposures limits must be communicated immediately to the UAE Central Bank and must be rapidly rectified. Generally, a bank’s Tier 1 capital will be reduced by the amount by which the limit is breached. A grandfathering scheme will apply to any breaches that are due to the changes brought in by the regulation and will cease on 31 December 2026. The grandfathering scheme does not apply to interbank exposures and banks must comply by 31 December 2023.

A new dedicated Insurance Authority (“IA”) is to be the sole regulator of the insurance sector in Saudi Arabia, taking on responsibilities previously vested in the Saudi Central Bank (“SAMA”) and the Council of Health Insurance ("CHI") in accordance with a transition plan. Existing laws, regulations and rules issued by SAMA or CHI in the insurance sector will remain in force, until new laws, regulations and rules are issued. The IA will commence operations 90 days after the date of publication of the relevant Cabinet Decision establishing the IA.

The Saudi Authority for Data and Artificial Intelligence (“SDAIA”) published draft regulations relating to the Personal Data Protection Law promulgated by Royal Decree No. M/19, dated 09/02/1443H, amended pursuant to Royal Decree No. M/148, dated 05/09/1444H (PDPL) for consultation in July 2023. 

Draft Implementing Regulations address matters such as legal grounds for processing or disclosing personal data, data subject rights, data processors obligations, data security standards for controllers, and data breach notifications. 

Draft Data Transfer Regulations propose to regulate cross-border personal data transfers outside Saudi Arabia and disclosures of personal data to entities outside Saudi Arabia. In particular, the regulations set out specific requirements for transfers to countries that have been assessed by the Saudi Arabian authorities as having an adequate level of protection for personal data. An adequacy decision may be issued or an international agreement may be made with the relevant country and the level of protection will be reviewed every four years or as necessary. Controllers are required to conduct a risk assessment when transferring personal data outside of Saudi Arabia in certain situations. 

The timing of implementation of the new regulations is not yet known.

The Saudi Central Bank (“SAMA”) published a consultation paper on draft implementing regulations on the Law of Systematically Important Financial Institutions for consultation in August 2023. Financial institutions may be designated by SAMA as “systematically important” financial institutions (“SIFIs”) if certain conditions are met. The consultation paper notes that broadly a financial institution may be systemically important of their failure would negatively affect the financial system in the Kingdom. 

The proposed regulatory framework includes recovery plans and resolution plans for SIFIs, early intervention powers for SAMA, provisions relating to transfers of all or part of the shares, stocks, assets or liabilities of the SIFI to a transitional entity (with a view to operating and maintaining access to critical functions and selling the SIFI when conditions are appropriate), provisions relating to asset management entities (which may acquire assets, rights or liabilities from the transitional entity), amendment of rights procedures to amend the rights of creditors and capital instrument holders of a SIFI and related action plans, liquidation procedures and other matters. The timeline for implementation is not yet known.

The Saudi Authority for Intellectual Property (“SAIP”) has consulted on a proposed new law to regulate intellectual property (“IP”) in the Kingdom. The draft law sets out a general legal framework for protecting and managing IP, including IP associated with artificial intelligence (“AI”) and other emerging technologies and IP relating to national security or other sensitive sectors within the Kingdom. In particular, IP created using AI technology would be capable of being protected and owned by the natural person who contributed significantly to its creation. The law aims to support the objectives of the Saudi Data and Artificial Intelligence Authority's Vision 2030.

The Qatar Central Bank (“QCB”) has issued the “Buy Now Pay Later” (“BNPL”) Regulations following the launch of its FinTech Strategy earlier in 2023. The BNPL Regulations seek to regulate the provision of BNPL products and services via separately licensed BNPL service providers, with effect from 6 August 2023.

The Central Bank of Kuwait has issued updated instructions regarding the regulation of e-payment of funds The Central Bank of Kuwait has issued an updated version of the Instructions for Regulating the Electronic Payment of Funds, pursuant to Resolution No. 45/471/2023.

The Instructions set out the supervisory and regulatory framework for existing and new service providers to carry out e-payment activities in Kuwait, including those operating e-payment, e-money businesses or operating e-payment systems. There are five types of licenses depending on the activity being undertaken. The Instructions regulate the activity of “Buy Now Pay Later” (BNPL) services for the first time. Service providers must comply with requirements relating to governance, risk management, money laundering and terrorist financing, cyber security and customer protection. The Central Bank of Kuwait has the power to impose penalties for violations, which may include cessation of the relevant e-payment activity.

Qatar has adopted the GCC Trademarks Implementing Regulations pursuant to Ministry of Commerce and Industry Decision No. 56 of 2023, in accordance with Qatari Law No. 7 of 2014 ratifying the GCC Trademarks Law. This replaces the trademark provisions set out in Qatari Law No. 9 of 2002 with respect to Trademarks, Trade Indications, Trade names, Geographical Indications and Industrial Designs and Templates.