On April 7, 2022 the Dubai Financial Services Authority (DFSA) announced and immediately implemented a new regulatory regime to protect whistleblowers. The regime, while building on existing requirements, is the first of its kind in the United Arab Emirates. It establishes a set of whistleblower protection requirements with the following goals:
- Provide better legal protection for those who report regulatory concerns
- Improve whistleblowing culture in the DIFC and the businesses located there
- Increase transparency around how regulated entities will handle regulatory concerns
- Deter wrongdoing and promote better compliance and an ethical culture by increasing awareness that wrongdoing will be reported
You can read the announcement in full here, and we’ve broken down the need-to-know elements below.
Who is subject to the requirements of the DFSA Whistleblowing Regime?
All entities regulated by the DFSA and operating in the Dubai International Finance Centre (DIFC) are subject to the new requirements.
What is a DFSA regulated entity?
Regulated entities include:
- Financial services operating within or from the DIFC
- A DFSA authorized person
- A registered auditor
- A designated non-financial business or profession
Who’s protected under the DFSA Whistleblowing Regime?
Under the new regime, protected whistleblowers include officers, employees, or agents of a DFSA-regulated entity who report suspected misconduct.
What requirements must a whistleblower meet in order to be protected?
A whistleblower must have a “reasonable suspicion” that an employee, agent, authorized person, or affiliate of a regulated entity has engaged in money laundering, fraud, other financial crimes, or any other breaches of DFSA rules, provisions, or laws.
They must also make their report “in good faith”, meaning that whistleblowers who knowingly submit false reports are not protected under the new regime.
How are whistleblowers protected under the DFSA Whistleblowing Regime?
The DFSA Rulebook establishes protections in Article 68A(4):
- Protected whistleblowers cannot be subject to criminal or civil liability for their report
- Other people cannot subject protected whistleblowers to contractual, civil, or other remedies or rights for their report
- Protected whistleblowers cannot be dismissed from their employment or subject to any other action by their employer which is “likely to cause detriment” to the whistleblower – in other words, retaliation – as a result of their report
How can DIFC-based companies comply with the DFSA Whistleblowing Regime?
The DFSA announcement on April 7 emphasized that companies need to establish “appropriate and effective” policies and procedures to enable whistleblowing. Those policies and procedures must include:
- The establishment of a whistleblowing channel
- The establishment of a case management system to appropriately manage, investigate, and escalate reports internally and, where necessary, to the DFSA and other authorities
- Reasonable measures to protect the anonymity and confidentiality of whistleblowers
- Reasonable measures to prevent whistleblower retaliation
- Procedures to communicate with and provide feedback to the whistleblower
To meet these requirements effectively and in a timely manner, you may choose to outsource your whistleblowing channel and case management to a vendor – choose the right one with this advice.
Want to know more about the new regime’s policy and procedure requirements? Continue your research with this DataGuidance article.
How can whistleblowers submit reports under the DFSA whistleblowing regime?
They can submit reports internally within the entity where they work, or externally to an auditor, the DFSA, or law enforcement. Whistleblowers who choose to go to the DFSA can do so regardless of whether they’ve already reported internally, and the DFSA has set up an email address to accept those reports: whistle@dfsa.ae.
Do these requirements sound familiar?
They should! Protecting whistleblower anonymity, preventing retaliation, and establishing two-way communication with whistleblowers are hallmarks of the EU Whistleblower Protection Directive, which entered into force for companies with more than 250 EU-based workers on December 17, 2021. More significantly, the new DFSA Whistleblowing Regime shares much in common with the UK FCA Handbook’s Rule 18 on whistleblowing.
What happens next?
The DFSA will spend just over a year monitoring compliance with the new regime, and will conduct a review in mid-2023 on whether it has been effective in encouraging and protecting whistleblowers.
My company needs a helpline and case-management system… what can I do?
When implementing a helpline and case-management system, it is essential to keep in mind the requirements of the DFSA whistleblowing regime – namely, that you protect whistleblower anonymity and confidentiality, can communicate with whistleblowers when needed, and are able to effectively prevent retaliation.
OneTrust’s Helpline and Case Manager may help you meet these requirements. Request a demo today to see them in action.
