Financial Regulatory Update for the Middle East: Digital Identity, Data Protection, and Open Banking Drive Transformation
For countries in the Middle East, the implementation of legal frameworks that promote digital transformation at financial institutions and comply with international payment and anti-fraud standards can seem daunting. Widespread digital transformation within the region’s financial services sector is ramping up thanks to cross-border payment initiatives and other government-led financial innovations. However, financial institutions may find themselves up against great regulatory uncertainty, as well as political sanctions, making it difficult to conduct business in the region.
Because of international sanctions from the United States and its allies in Europe, including the UK and France, financial institutions have faced stiff penalties and other obstacles to providing financial services to historically underbanked populations. With that said, several Middle Eastern countries have begun initiatives aimed at digitizing payment systems and using technology to diversify their economies away from oil production, an economic shift that could result in lasting regulatory changes and increased competition within the private sector. Ultimately, the hope is to bring a new type of investor to financially isolated regions. Significant structural changes in Middle Eastern economies such as this drive the urgent need for financial institutions, especially corporate banks and international institutions, to transform operations specific to electronic payments, identity verification, and digital anti-fraud controls. Additionally, increased competition between small regional banks and international corporate banks will create an environment ripe for digital transformation.
Authorities in the Middle East are modernizing their systems with a focus on cybersecurity, digital identity, digital currencies, fintech, anti-money laundering (AML), data protection and privacy, as well as putting in place a regulatory regime for cryptocurrency. (Those initiatives are in addition to guidance issued in response to the pandemic.) In this blog, we pull the highlights from the Middle East chapter of our inaugural OneSpan Global Financial Regulations Report to provide a summary of how these themes are driving transformation for financial institutions in the region.
In a bid to combat money laundering and terrorist financing, and in response to the COVID-19 pandemic, many Middle Eastern countries have enhanced their regulatory framework related to KYC standards and remote identity verification.
Following the FATF’s Digital Identity Guidance and an ensuing survey to regional stakeholders, in April the Arab Monetary Fund (AMF) issued new guidelines for Electronic Know Your Customer (e-KYC). This permits remote or non-face-to-face onboarding of new banking customers.
Also in April, the UAE’s Dubai Courts announced that remote online notarization is permitted for certain notary services. The Dubai Financial Services Authority published a letter on cyber-related risk monitoring and recording in March. The letter addressed the fact that due to the pandemic more employees are working remotely. It therefore asked firms to reload cybersecurity awareness programs and review access controls, including ensuring two-factor authentication (2FA) is in place.
Open banking and fintech initiatives have become a main priority for regulatory authorities, financial stakeholders and banking institutions operating in the Middle East during the past year, with much of the focus on innovation.
Saudi Arabia, for example, has launched a regulatory sandbox that allows international and regional financial institutions to provide innovative new solutions to customers. The Saudi Arabia Monetary Authority (SAMA), recently renamed as the Saudi Central Bank, clarified that services and products that are being tested currently include e-wallet services, P2P transfers, purchases through QR codes, and direct international transfers through fintech companies, in addition to the aggregators of point-of-sale (POS) devices.
Many Middle Eastern countries are in varying stages of implementing central bank digital currencies (CBDCs) to combat the widespread use of cryptocurrency among cybercriminals and terrorist groups.
In 2019, Saudi Arabia announced plans for a common digital currency between SAMA and the United Arab Emirates Central Bank, the monetary and financial authority of the United Arab Emirates. According to SAMA, the initial stages of the project “will focus on the technical aspects of its implementation, and only a specific number of banks will use the common digital currency. These banks will be in a position to directly deal with each other in conducting financial remittances.”
In May 2019, the United Arab Emirates Financial Services Regulatory Authority enhanced its Guidance for the Regulation of Crypto Asset Activities. These guidelines were supported by an additional guidance, the Regulation of Digital Security Offerings and Crypto assets under the Financial Services and Markets Regulations and Crypto asset Activities. Both were issued by the FSRA earlier in 2019. The guidance was issued in accordance with the Financial Services and Markets Regulations 2015 and is meant to be read in conjunction with the FSMR, relevant rulebooks, the guidance and policies manual of the FSRA, and the guidance on the regulation of initial coin/token offerings and crypto-assets under the FSMR.
A few months later, the UAE Securities and Commodities Authority issued draft regulations relating to crypto-assets and invited feedback from various market players. The draft regulations primarily dealt with token issuance requirements, trading and safekeeping practices. They emphasize protecting investor interests, financial crime prevention measures, crypto-asset safekeeping standards, information security controls, technology governance norms and conduct of business requirements for all market intermediaries.
While many nations have concerns about cryptocurrency, Qatar’s financial center regulatory authority issued an outright ban on it in 2020.
Data Protection and Privacy
Several countries in the Middle East are in the process of developing or implementing national data protection laws.
Pakistan is currently working on its national data protection law after soliciting feedback from the public earlier in 2020. The bill applies to any business or entity operating in Pakistan that processes personal data; it establishes requirements and restrictions related to personal data processing, as well as penalties for violating the law. Within six months of coming into force, the federal government would establish a Personal Data Protection Authority of Pakistan with powers to enforce rules and regulations under the law.
The UAE, Iran, and Saudi Arabia are just a few of the other Middle Eastern countries to pass data protection and privacy regulations and laws in 2020.
The financial services industry in the Middle East can expect varying levels of commitment from legislators to international and regional standards and regulations moving into 2021. But in financial centers such as Qatar, Dubai and Saudi Arabia, the possibilities for growth through digital channels has vastly increased in the past year. More fintech players have entered the digital innovation fray with the region’s various regulatory sandboxes. Ultimately, it will be up to these authorities to make the Middle East a major player on the world stage in terms of digital identity and digital financial services.
For further insights and updates affecting the financial sector, download our Global Financial Regulations Report. We welcome your feedback on how we can improve on this valuable resource. Reach us at [email protected] with your comments on this report.
This blog is the fourth of a regional series covering financial regulations in North America, Asia-Pacific, the Middle East, Europe, Africa and Latin America. Subscribe to our blog for alerts as new blogs are published.
This document is for informational purposes only and does not constitute legal advice. It is recommended that independent professional advice is sought from your side. OneSpan does not accept liability for the contents of these materials.